
Research On Dynamic Computer Forensics Under Open Network Environment

Posted on: 2008-04-14
Degree: Master
Type: Thesis
Country: China
Candidate: D Liu
Full Text: PDF
GTID: 2178360272969983
Subject: Computer application technology
Abstract/Summary:
With the development of computer science and the popularization of the Internet, network security has become an issue of great concern. Because of the special nature of the open network environment, computer forensics faces many difficulties, such as uncertainty about the suspects, uncertainty about the criminal act, and the high technical ability of the criminals. It is obvious that traditional evidence-gathering techniques no longer meet the demands of the information age and the open network environment. It is urgent to establish and improve methods of computer forensics.

To address the problem of computer forensics under the open network environment, related domestic and overseas research was studied, and the limitations of existing methods and tools were analyzed. Centred on how to dynamically gather and analyze electronic evidence under the open network environment, an in-depth study of dynamic computer forensics was conducted.

After reviewing current theories and technologies of computer forensics and analyzing the limitations of existing methods and tools, a Trojan horse Based Dynamic Forensic System (TBDFS) was proposed to address the problem of computer forensics in the open environment of the Internet. Through a method resembling a rootkit Trojan horse, TBDFS collects evidence more efficiently than traditional forensic methods in the Internet environment. Based on research into Windows rootkit technology, the key issues of TBDFS were discussed, mainly real-time monitoring, self-hiding, distributed information gathering, misuse detection, flexible strategy control, evidence protection, data analysis and so on. A hierarchical, plug-in architecture was applied to the TBDFS system so that it can be upgraded and extended in a "plug and play" way.

The main modules of the TBDFS prototype system were also analyzed and designed in detail. The TBDFS prototype was implemented in C and C++ using Microsoft Visual C++ 6.0 and the Windows Driver Development Kit 2003. The prototype was tested with two personal computers on the Internet running the Windows XP operating system. The test results show that it is suitable for gathering and analyzing evidence under the open network environment and can serve as an anonymous crime reporter. TBDFS provides a new method for evidence collection and criminal investigation under the open network environment, and also a possible way for the judge to obtain more evidence and make fair judgments.
Keywords/Search Tags: Open Network Environment, Electronic Evidence, Dynamic Computer Forensics, Rootkit, Trojan Horse