Computer Forensics Technology Research Based On Windows Log Security Protection

Posted on: 2007-11-13
Degree: Master
Type: Thesis
Country: China
Candidate: L L Guo
GTID: 2178360212979998
Subject: Computer application technology

Abstract/Summary:
With the rapid development of computer technology, computer crime is increasing and has become a problem of wide national concern. According to the Tianjin Municipal Public Security Bureau, most domestic computer crimes today are committed by operating the computer concerned directly. Traditional investigative methods cannot record what the offender did on the computer; only the event logs triggered by those operations can attest to the criminal acts. Existing computer forensics techniques only analyse the information that remains on the computer after the crime, but most of that information has already been destroyed by the offender in advance.

In this paper, we present a distributed computer forensics model based on protecting the security of log evidence, which can avoid the lag of computer forensics. The part of the model installed on the suspect computers duplicates event logs immediately when they are generated and creates their digital signatures and message digests with MD5 and RSA, which can interlink the logs. The other part of the model, installed on a safe computer, saves the logs, transmitted through SSL, in a database and uses validation algorithms to verify the authenticity and non-repudiation of the log evidence.

Experimental studies showed that this model can collect logs in a timely manner and also ensure the veracity, credibility and efficiency of the evidence.
Keywords/Search Tags: Computer Forensics, log protection, Encryption, Digital Signature, Message Digest, Identity authentication
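
A minimal sketch of the interlinked digest-and-signature scheme the abstract describes, added here as an illustration and not taken from the thesis. The chaining rule (each MD5 digest covers the previous digest plus the new record), the all-zero start value, the toy RSA key and the sample events are assumptions.

```python
import hashlib

# Toy textbook-RSA key from two Mersenne primes: constructed for this example,
# not secure. A real deployment uses a vetted library with signature padding.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the logging host
GENESIS = b"\x00" * 16             # assumed start value of the digest chain

def link(prev_digest, record):
    """MD5 (the digest the abstract names) over previous digest + record."""
    return hashlib.md5(prev_digest + record.encode("utf-8")).digest()

def seal(records):
    """Logging-host side: (record, digest, signature) for each event."""
    out, prev = [], GENESIS
    for rec in records:
        prev = link(prev, rec)
        out.append((rec, prev, pow(int.from_bytes(prev, "big"), D, N)))
    return out

def verify(entries):
    """Collector side: index of the first bad entry, or -1 if all verify."""
    prev = GENESIS
    for i, (rec, digest, sig) in enumerate(entries):
        if link(prev, rec) != digest:  # record edited, dropped or reordered
            return i
        if pow(sig, E, N) != int.from_bytes(digest, "big"):  # wrong signer
            return i
        prev = digest
    return -1

# Constructed sample events, not taken from the thesis.
EVENTS = ["logon user=alice", "read payroll.xls", "audit log cleared"]

def demo():
    sealed = seal(EVENTS)
    edited = [sealed[0], ("read notes.txt",) + sealed[1][1:], sealed[2]]
    dropped = [sealed[0], sealed[2]]
    # Chain recomputed after an edit, but without the private key: digests
    # are self-consistent, signatures are not.
    prev, rechained = GENESIS, []
    for rec in [EVENTS[0], "read notes.txt"]:
        prev = link(prev, rec)
        rechained.append((rec, prev, 1))
    return verify(sealed), verify(edited), verify(dropped), verify(rechained)

if __name__ == "__main__":
    print(demo())
```

Entries removed from the end of the list still verify in this sketch, so the collector also needs the host's latest signed digest or a record count to notice truncation.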