
Dynamic Computer Evidence-Taking System

Posted on: 2010-06-06 | Degree: Master | Type: Thesis
Country: China | Candidate: J H Zhu | Full Text: PDF
GTID: 2178360272997630 | Subject: Software engineering
Abstract/Summary:
Computer science and network technology are developing rapidly and are applied in ever broader areas. Beyond accelerating social progress and economic development, they have changed how people live and work. They also open up room for new kinds of crime and new criminal methods, and cases of computer crime have increased in recent years with great harm to society. Although every country invests in information-security technologies such as access control, data encryption and intrusion detection, the methods of computer crime keep pace with them. Computer crime therefore cannot be prevented by network security technology alone; the force of society and of the law is needed as well. Computer forensics exists to meet this need: its main goals are to collect electronic evidence, reconstruct the crime scene, and supply admissible evidence for litigation. Because of the characteristics of electronic evidence and of its collection, traditional collection methods do not meet the demands of practical work, which poses a new challenge to both the legal and the computer-science communities to improve computer forensics. This thesis discusses the basic theory and technology of computer forensics and surveys the current international state, open problems and future directions of the field. It describes in detail how electronic evidence is acquired, preserved and analysed. To address practical problems, it implements a dynamic, real-time forensics system that differs from traditional (after-the-fact, static) forensics. The system is a distributed network forensics system designed as five modules: evidence collection, evidence transmission, evidence storage, evidence analysis, and management and control.
This modular design makes it convenient to upgrade the functions, technology and performance of each module independently. A study of the nature of electronic evidence and of the litigation process shows that the collection and preservation of digital evidence is the core of computer forensics technology: the sufficiency, integrity and validity of the collected evidence determine whether a case can be established and whether due process is upheld. The traditional forensic process, however, begins only after the criminal activity has ended, while electronic evidence is fragile, complex and easily overlooked, so static forensics cannot guarantee the integrity and continuity of the evidence. A dynamic client/server computer forensics system is therefore proposed to address the problems of timeliness and integrity. The evidence collection module is the first focus. It considers two kinds of crime: crimes that target computer information systems, and crimes that use computers and networks as tools. On the host side, forensic agents obtain the relevant evidence on the target machines: log files, keystroke records, and live evidence such as network activity, records of file-system operations and audit information. Depending on the network environment and its security level, the agents are concealed as system services that run continuously on each protected machine, periodically gather local electronic evidence, and transmit it to the secure server for storage.
On the network side, network forensics machines monitor and control the traffic entering and leaving the network. Techniques such as intrusion detection are drawn on: captured packets are processed with protocol analysis to extract the relevant information, and clustering and association analysis are applied to audit the extracted information. The captured network evidence comes not only from network attacks but also from information exchanged between the inside and the outside of the network; legitimate private information is protected through system management rights at different levels. One point worth emphasising is that the response to an intrusion should first cut the attacker off from the real system, so honeypot technology is used in the design: the attack is redirected so that the attacker keeps attacking the honeypot, whose decoys record the attacker's information and activity. The evidence obtained by the collection module has to be transmitted to the secure server over the network. The network is an open environment in which any data may be intercepted, so a dedicated transmission module is designed to protect the evidence from eavesdropping, modification and forgery using encryption and verification (checksum) mechanisms. In the thesis, the SHA-512 hash algorithm is privately modified, building on existing cryptographic algorithms, to improve its resistance to cracking so that the evidence reaches the secure server safely and intact. For stable operation of the whole system, a management and control module is also designed. Its main tasks are authentication between the forensic agents and the secure server, distribution and recording of encryption keys and ciphertexts, and selection, modification and analysis of evidence sources.
Through this module the forensics system administrator can efficiently manage the running state of the entire system and produce reports on demand. The network-based dynamic computer forensics system presented in this thesis addresses the bottleneck of traditional computer forensics: it avoids the loss of the evidence chain after a computer crime has occurred, captures the latent evidence as it arises, and transfers it to the secure server for preservation and later use in litigation. As a newly emerged discipline, computer forensics does not yet have mature standards and procedures; it combines many technologies, is interdisciplinary, and still needs deeper research. The system itself also needs improvement: more data sources should be added, and data mining and expert-system techniques should be applied to improve the efficiency of network packet analysis. These efforts are worth pursuing in order to create a secure network environment, control crime, and better serve society.
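The collection, transmission and verification path described above, as an added example in Python that is not the thesis's own code: a network forensics machine decodes one captured IPv4/TCP packet by protocol analysis into an evidence record, the forensic agent seals the record, and the secure server verifies it before storage. The sample packet, the agent key and the tampering step are all constructed here; IP and TCP checksums are left at zero because the parser does not check them. Sealing uses standard HMAC-SHA512 with a key assumed to have been distributed by the management and control module, not the thesis's private modification of SHA-512, which the abstract does not describe. The demo also shows why the key matters: an attacker on the open network who rewrites the body can recompute an unkeyed SHA-512 digest, so that check alone only catches accidental corruption, whereas the keyed MAC rejects the forgery.

```python
"""Added example: packet -> evidence record -> sealed transfer -> server verification.
Everything here (packet, key, forgery) is constructed demo data, not the thesis's code."""
import hashlib
import hmac
import json
import socket
import struct

# Assumption: a per-agent key handed out by the management module. In a real
# deployment it comes from the authentication/key-distribution step, not a literal.
AGENT_KEY = b"constructed-demo-key-from-management-module"

TCP_FLAG_NAMES = {0x02: "SYN", 0x10: "ACK", 0x08: "PSH", 0x01: "FIN", 0x04: "RST"}


def build_ipv4_tcp(src, dst, sport, dport, flags, payload):
    """Construct a raw IPv4/TCP packet for the demo (no Ethernet frame, checksums left zero)."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(packet):
    """Protocol analysis: pull the fields an evidence record needs out of a raw IPv4/TCP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or total_len < ihl + 20:
        raise ValueError("truncated or malformed IPv4 header")
    if packet[9] != 6:
        raise ValueError("not TCP")
    tcp = packet[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("malformed TCP header")
    flags = sorted(name for bit, name in TCP_FLAG_NAMES.items() if off_flags & bit)
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "flags": flags,
            "payload": tcp[data_off:].decode("latin-1")}


def seal_record(record, key):
    """Agent side: canonical JSON body, an unkeyed SHA-512 digest, and HMAC-SHA512 over the body."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body.hex(),
            "sha512": hashlib.sha512(body).hexdigest(),
            "mac": hmac.new(key, body, hashlib.sha512).hexdigest()}


def check_digest_only(sealed):
    """Weak check: detects accidental corruption only, since anyone can recompute SHA-512."""
    body = bytes.fromhex(sealed["body"])
    return hmac.compare_digest(hashlib.sha512(body).hexdigest(), sealed["sha512"])


def verify_record(sealed, key):
    """Server side: accept only if the keyed MAC matches; return the decoded record or None."""
    body = bytes.fromhex(sealed["body"])
    expected = hmac.new(key, body, hashlib.sha512).hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        return None
    return json.loads(body)


def forge_in_transit(sealed, old, new):
    """Attacker on the open network rewrites the body and recomputes the unkeyed digest."""
    body = bytes.fromhex(sealed["body"]).replace(old, new)
    return {"body": body.hex(), "sha512": hashlib.sha512(body).hexdigest(), "mac": sealed["mac"]}


def demo():
    """Run the whole path once: genuine record is accepted, forged record is rejected."""
    packet = build_ipv4_tcp("10.0.0.5", "10.0.0.20", 40000, 23, 0x18, b"login attempt: root")
    record = parse_ipv4_tcp(packet)
    sealed = seal_record(record, AGENT_KEY)
    forged = forge_in_transit(sealed, b"10.0.0.5", b"10.0.0.9")  # swap the source address
    return {"record": record,
            "genuine_verified": verify_record(sealed, AGENT_KEY) == record,
            "forged_passes_digest_check": check_digest_only(forged),
            "forged_verified": verify_record(forged, AGENT_KEY)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the decoded record, `genuine_verified: true`, `forged_passes_digest_check: true` and `forged_verified: null`. `hmac.compare_digest` is used for both comparisons so that verification time does not leak how many bytes of the tag matched. The example covers integrity and origin only; the abstract's requirement that evidence also be protected from being monitored in transit would additionally need the body encrypted, for instance with an AEAD mode, which this example does not do.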
Keywords/Search Tags: Computer Evidence-Taking, Log evidence, Protocol analysis