Computer forensics is an important tool in the fight against computer crime. Traditional static forensics collects digital evidence only after an intrusion has occurred, so it is difficult to collect the evidence completely and in time, and recovered files may already have been modified. Evidence obtained this way carries little weight in law, and analysing and extracting it from huge volumes of data is laborious. Network forensics technology is therefore urgently needed. To help standardize network forensics, this paper proposes a revised network forensics model and a formal method for proving the reliability of network forensics. It analyses the current hot issues, new solutions and technological trends in network forensics research. Following common practice and the requirements of network forensics, the model is designed to guide the network forensics process as currently practised and to promote the gradual maturation of network forensics theory and methodology. The proposed model combines online and offline data collection to ensure the integrity of the network data obtained. The paper first introduces the basic concepts of network forensics: network crime, the current state of network forensics, the rules of network forensics, and so on. In contrast to the existing evidence-based models, the network forensics model is designed, described in detail, and compared with other models. Of particular importance in network forensics is the need to narrow the potentially large search space that investigators of such crimes face and to find effectively the potential evidence scattered across data entries.
To this end, the traditional criminal profiling method is applied to digital evidence analysis, yielding a new forensic method, the "suspect characteristic computer activity information database". This method points to a new direction for analysing massive data, narrowing the scope of analysis and locating electronic evidence. Finally, the paper focuses on implementing the network data acquisition, evidence analysis and intrusion detection modules on the basis of the network forensics model. A packet capture program is designed for Windows, and on top of the captured packets, protocol analysis is combined with pattern matching to analyse the digital evidence. The experimental results show that the packet capture module can capture data-link-layer frames and that the protocol analysis module can decode a subset of protocols, including ARP, IP, ICMP, TCP and UDP. Research on network forensics in our country is still at an initial stage. The main work of this paper contributes to the exploration of network forensic methods and to the construction of practical network forensic systems.
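The evidence-analysis step described above, decoding captured data-link-layer frames through ARP, IPv4, ICMP, TCP and UDP and then running pattern matching over the transport payload, as an added example that is not the paper's own code. The decoder works on raw Ethernet II frames as a capture library would hand them over; the three frames and the two evidence patterns (an HTTP request line and a clear-text `password=` field) are constructed test vectors and hypothetical rules, not captured traffic or the paper's database. Malformed or truncated frames raise instead of being silently mis-decoded, which matters when the decoded fields are to be relied on as evidence.

```python
"""Added example: protocol analysis plus pattern matching over Ethernet frames.
Frames and evidence patterns below are constructed for the demo, not captured data."""
import re
import struct

# Hypothetical evidence patterns an analyst might search payloads for.
EVIDENCE_PATTERNS = {
    "http_request": re.compile(rb"^(GET|POST) \S+ HTTP/1\.[01]"),
    "credential_in_clear": re.compile(rb"password=", re.IGNORECASE),
}

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip4(b):
    return ".".join(str(x) for x in b)

def decode_arp(data):
    """ARP over Ethernet/IPv4 (RFC 826): fixed 28-byte layout."""
    if len(data) < 28:
        raise ValueError("truncated ARP packet")
    _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", data[:8])
    return {"proto": "ARP", "op": {1: "request", 2: "reply"}.get(op, op),
            "sender_mac": fmt_mac(data[8:14]), "sender_ip": fmt_ip4(data[14:18]),
            "target_mac": fmt_mac(data[18:24]), "target_ip": fmt_ip4(data[24:28])}

def decode_transport(ip_proto, data):
    """Return (header dict, payload bytes) for ICMP/TCP/UDP; others pass through."""
    if ip_proto == 1 and len(data) >= 4:          # ICMP: type, code, checksum
        return {"proto": "ICMP", "type": data[0], "code": data[1]}, data[4:]
    if ip_proto == 6 and len(data) >= 20:         # TCP: honour the data offset
        sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", data[:14])
        hlen = (off >> 4) * 4
        if hlen < 20 or len(data) < hlen:
            raise ValueError("bad TCP data offset")
        return {"proto": "TCP", "sport": sport, "dport": dport, "seq": seq,
                "ack": ack, "flags": flags}, data[hlen:]
    if ip_proto == 17 and len(data) >= 8:         # UDP: length covers header+payload
        sport, dport, ulen, _csum = struct.unpack("!HHHH", data[:8])
        return {"proto": "UDP", "sport": sport, "dport": dport}, data[8:ulen]
    return {"proto": f"ip-proto-{ip_proto}"}, data

def decode_ipv4(data):
    """Return (header dict, payload bytes); trims Ethernet padding via total length."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _frag, ttl, ip_proto, _csum = struct.unpack("!BBHHHBBH", data[:12])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(data) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    hdr = {"proto": "IPv4", "src": fmt_ip4(data[12:16]), "dst": fmt_ip4(data[16:20]),
           "ttl": ttl, "ip_proto": ip_proto}
    return hdr, data[ihl:min(total_len, len(data))]   # shorter than total_len = truncated capture

def decode_frame(frame):
    """Decode one Ethernet II frame into a layer list plus evidence-pattern matches."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = [{"proto": "Ethernet", "dst": fmt_mac(frame[:6]),
               "src": fmt_mac(frame[6:12]), "ethertype": ethertype}]
    payload = b""
    if ethertype == 0x0806:
        layers.append(decode_arp(frame[14:]))
    elif ethertype == 0x0800:
        ip_hdr, ip_payload = decode_ipv4(frame[14:])
        layers.append(ip_hdr)
        t_hdr, payload = decode_transport(ip_hdr["ip_proto"], ip_payload)
        layers.append(t_hdr)
    matches = [name for name, rx in EVIDENCE_PATTERNS.items() if rx.search(payload)]
    return {"layers": layers, "payload_len": len(payload), "matches": matches}

# ---- constructed test vectors (hypothetical hosts; checksums left zero) ----
def build_ipv4_frame(ip_proto, transport_hdr, payload):
    body = transport_hdr + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0x1234, 0x4000,
                         64, ip_proto, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return bytes.fromhex("00aabbccddee001122334455") + b"\x08\x00" + ip_hdr + body

ARP_REQUEST = bytes.fromhex(
    "ffffffffffff001122334455" "0806"   # broadcast dst, src MAC, EtherType ARP
    "0001" "0800" "06" "04" "0001"      # Ethernet / IPv4 / lens / opcode request
    "001122334455" "c0a8010a"           # sender 00:11:22:33:44:55, 192.168.1.10
    "000000000000" "c0a80101")          # target unknown MAC, 192.168.1.1
HTTP_LOGIN = build_ipv4_frame(
    6, struct.pack("!HHIIBBHHH", 40321, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0),
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=bob&password=hunter2")
DNS_PAYLOAD = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x00\x00\x01\x00\x01"
DNS_QUERY = build_ipv4_frame(17, struct.pack("!HHHH", 53000, 53, 8 + len(DNS_PAYLOAD), 0), DNS_PAYLOAD)

if __name__ == "__main__":
    for name, frame in [("arp", ARP_REQUEST), ("http", HTTP_LOGIN), ("dns", DNS_QUERY)]:
        r = decode_frame(frame)
        print(name, [l["proto"] for l in r["layers"]], "matches:", r["matches"])
```

Running the block prints one line per frame; only the HTTP frame triggers both patterns. A real evidence-analysis module would feed frames from the capture module in this form and would add TCP stream reassembly before pattern matching, since a pattern split across two segments is invisible to per-packet matching.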