Nowadays the computer is revolutionizing our lives, making faster progress and greater convenience possible. However, it also brings unexpected negative effects. As the techniques of computer crime keep advancing, defensive network security technologies such as antivirus software, firewalls and intrusion detection systems cannot be fully effective, because they cannot overcome a shared defect: the system they protect may itself be infected by viruses, hackers and trojans. Moreover, the loss caused by an intrusion cannot be recovered through the law alone. Against this background, computer forensics, which analyzes and obtains evidence of crimes committed in computer systems and computer networks, began to develop rapidly. In this way the loss caused by an intrusion can be avoided, and criminals can be warned and deterred at the same time.

Evidence is the key and soul of a case and decides its outcome, and this holds for computer crime as well. Electronic evidence, a new type of evidence, emerged with the development of computer forensics theory. It is distinguished from all traditional types of evidence by its high accuracy, fragility and diversity of form.

Each device produces logs that record its behavior and events, so that the administrator can check the causes of errors or the traces left by an attacker. Logs therefore become an important source of electronic evidence in computer forensics. However, the characteristics of logs make them extremely inconvenient as electronic evidence, in five respects: diversity and relevance, weak readability, poor reliability, large data volume and difficulty of acquisition.

In this thesis, the basic theories and techniques of computer forensics are discussed, together with its principles and current problems. The characteristics of logs are studied further, and the five essential problems that must be solved before logs can become electronic evidence are emphasized: diversity and relevance, weak readability, poor reliability, large data volume and difficulty of acquisition. The existing log system records log information comprehensively, but it is not designed for computer forensics and has no authentication mechanism. The logs it records therefore have no legal effect and cannot become legal evidence. Existing computer forensics software can also obtain logs, but it mainly copies disks and analyzes the information left behind after the crime, and that information may already have been destroyed by intruders with anti-forensics skills.

Considering the problems above, a computer forensics model based on Windows logs is proposed in this thesis, following further research on computer forensics, electronic evidence and logs. It is a kind of dynamic forensics model that focuses on protecting the logs. The system is divided into three modules: the log acquisition module, the log integrity protection module, and the log storage and reconstruction module. The log acquisition module extracts log information from the monitored host at runtime, which solves the problem that forensics is otherwise performed only after the fact. The log integrity protection module presents a method to protect the integrity of the forensic information, enforcing the protection strictly with digital signatures and a secure hash algorithm so that the log information qualifies as electronic evidence. The log storage and reconstruction module uses IDA (Information Dispersal Algorithm), which can tolerate destructive activity by attackers: if the destruction stays within the tolerance of the algorithm, the original log information can be recovered.

In the log acquisition module, the application, system and security log files are monitored continuously, so that a new log entry is acquired as soon as it is generated. Intruders cannot destroy the evidence even if they modify or delete the logs after the intrusion, which makes up for the deficiency of post-event investigation.

In the log integrity protection module, the logs are acquired from the monitored host by creating a digital signature for each log. At the same time, an association relation is created among the logs, so that deleted or lost logs can be detected during verification. The feasibility of transmitting the logs securely to the monitoring host over SSL is also discussed. Throughout the whole process, the consistency of the logs is protected and their qualification as evidence is ensured.

In the log storage and reconstruction module, the slicing process when log records are stored is as follows: each log record is dispersed into n shares by the information dispersal algorithm on the monitoring host; to allow integrity verification when the shares are reconstructed, each share is sent to a secure log server together with the hash values of all shares. The reconstruction process when log records are analyzed is as follows: the monitoring host requests shares from m log servers, and can then reconstruct the log records from the corresponding information in m(m |
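The integrity protection module described above, as an added example that is not the thesis's own code: each acquired record is bound to its predecessor by a hash (the association relation among logs) and authenticated with a tag, so that modification, deletion and reordering show up at verification time. The sample records, the key and the use of HMAC-SHA256 in place of the thesis's digital signature are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Constructed sample records, imitating entries pulled from the Windows
# Security/System logs on the monitored host (invented for this example).
SAMPLE_RECORDS = [
    {"log": "Security", "event_id": 4624, "msg": "An account was successfully logged on"},
    {"log": "Security", "event_id": 4672, "msg": "Special privileges assigned to new logon"},
    {"log": "System", "event_id": 7045, "msg": "A service was installed in the system"},
    {"log": "Security", "event_id": 1102, "msg": "The audit log was cleared"},
]

# Assumed key held by the monitoring host. HMAC-SHA256 stands in for the
# thesis's digital signature so that the example needs no third-party library;
# a real deployment would sign with an asymmetric key instead.
MONITOR_KEY = b"example-monitor-key-not-for-production"
GENESIS = hashlib.sha256(b"genesis").hexdigest()


def _body(seq, prev, rec):
    # Canonical serialization of the authenticated part of an entry.
    return json.dumps({"seq": seq, "prev": prev, "rec": rec}, sort_keys=True).encode()


def chain_records(records, key=MONITOR_KEY):
    """Wrap raw records so each one carries a sequence number, the hash of the
    previous entry (the association relation between logs) and a MAC tag."""
    protected = []
    prev = GENESIS
    for seq, rec in enumerate(records):
        body = _body(seq, prev, rec)
        tag = hmac.new(key, body, hashlib.sha256).hexdigest()
        protected.append({"seq": seq, "prev": prev, "rec": rec, "tag": tag})
        prev = hashlib.sha256(body).hexdigest()
    return protected


def tail_hash(protected):
    """Hash of the last entry. The monitoring host stores it separately so that
    removal of the newest entries, which leaves the chain internally
    consistent, is still caught."""
    last = protected[-1]
    return hashlib.sha256(_body(last["seq"], last["prev"], last["rec"])).hexdigest()


def verify_chain(protected, key=MONITOR_KEY, expected_tail=None):
    """Return (ok, reason). A bad tag means an entry was modified; a broken
    link or sequence gap means an entry was deleted, inserted or reordered."""
    prev = GENESIS
    for position, entry in enumerate(protected):
        body = _body(entry["seq"], entry["prev"], entry["rec"])
        tag = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, entry["tag"]):
            return False, f"entry {entry['seq']}: tag mismatch, record modified"
        if entry["seq"] != position or entry["prev"] != prev:
            return False, f"position {position}: chain broken, record deleted or reordered"
        prev = hashlib.sha256(body).hexdigest()
    if expected_tail is not None and prev != expected_tail:
        return False, "chain truncated: tail hash does not match the stored value"
    return True, "ok"


if __name__ == "__main__":
    chain = chain_records(SAMPLE_RECORDS)
    print(verify_chain(chain, expected_tail=tail_hash(chain)))
    # Simulate an intruder removing the "audit log was cleared" entry.
    print(verify_chain(chain[:-1], expected_tail=tail_hash(chain)))
```

The tail hash matters in practice: without it, an intruder who deletes only the most recent entries leaves a chain that still verifies, which is why the monitoring host must record the latest hash out of the intruder's reach.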
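The dispersal and reconstruction process described above, as an added example that is not the thesis's own code: a simplified information dispersal algorithm over GF(257) splits a log record into n shares, stores a hash of every share alongside them, and rebuilds the record from any m shares that pass the hash check. The field size, the Vandermonde encoding and the share layout are assumptions made for this example; the thesis does not specify them.

```python
import hashlib
import json

P = 257  # prime field: one byte per element, and n must stay below P


def _inv(a):
    # Multiplicative inverse in GF(P) via Fermat's little theorem.
    return pow(a, P - 2, P)


def ida_split(data, n, m):
    """Disperse `data` into n shares such that any m of them reconstruct it.
    Each m-byte chunk is treated as the coefficients of a polynomial, and
    share x stores that polynomial evaluated at x (a Vandermonde encoding)."""
    if not 1 <= m <= n < P:
        raise ValueError("need 1 <= m <= n < P")
    padded = data + b"\x00" * (-len(data) % m)
    chunks = [padded[i:i + m] for i in range(0, len(padded), m)]
    shares = []
    for x in range(1, n + 1):
        values = [sum(b * pow(x, j, P) for j, b in enumerate(chunk)) % P for chunk in chunks]
        shares.append({"x": x, "values": values, "length": len(data)})
    return shares


def share_digests(shares):
    """SHA-256 of every share. The monitoring host sends this table along with
    the shares so that a share altered on a log server is rejected."""
    return {s["x"]: hashlib.sha256(json.dumps([s["x"], s["values"], s["length"]]).encode()).hexdigest()
            for s in shares}


def _solve(matrix, rhs):
    """Gauss-Jordan elimination over GF(P): returns v with matrix * v = rhs."""
    m = len(matrix)
    a = [row[:] + [r] for row, r in zip(matrix, rhs)]
    for col in range(m):
        pivot = next(r for r in range(col, m) if a[r][col])
        a[col], a[pivot] = a[pivot], a[col]
        inv = _inv(a[col][col])
        a[col] = [v * inv % P for v in a[col]]
        for r in range(m):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(vr - f * vc) % P for vr, vc in zip(a[r], a[col])]
    return [row[m] for row in a]


def ida_reconstruct(shares, m, digests=None):
    """Rebuild the original bytes from any m distinct shares, first checking
    each supplied share against the stored digests when they are given."""
    if digests is not None:
        for s in shares:
            if share_digests([s])[s["x"]] != digests.get(s["x"]):
                raise ValueError(f"share {s['x']} failed integrity check")
    if len({s["x"] for s in shares}) < m:
        raise ValueError(f"need {m} distinct shares, got {len(shares)}")
    shares = shares[:m]
    matrix = [[pow(s["x"], j, P) for j in range(m)] for s in shares]
    out = bytearray()
    for idx in range(len(shares[0]["values"])):
        out.extend(_solve(matrix, [s["values"][idx] for s in shares]))
    return bytes(out[:shares[0]["length"]])


if __name__ == "__main__":
    record = b"Security 4624: An account was successfully logged on"
    shares = ida_split(record, 5, 3)          # 5 log servers, any 3 suffice
    digests = share_digests(shares)
    print(ida_reconstruct([shares[4], shares[1], shares[2]], 3, digests) == record)
```

With n = 5 and m = 3, an attacker who destroys or corrupts up to two log servers' shares stays within the tolerance of the algorithm: the corrupted shares fail the digest check and any three intact ones recover the record.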