Windows-based Computer Forensics And Implementation

Posted on: 2010-10-24
Degree: Master
Type: Thesis
Country: China
Candidate: Z S Wang
Full Text: PDF
GTID: 2208360275983950
Subject: Information and Communication Engineering
Abstract/Summary:
With the explosive growth of the Internet, network attacks occur more and more often, and as security and defense measures are strengthened, attack techniques change with them. Besides ARP spoofing, script attacks and Trojan injection, more advanced techniques such as super worms and covert attacks are beginning to emerge, which makes network security a prominent problem. Research on network security has produced a series of security products such as firewalls, IDS and VPN. Most of these products, however, provide only passive defense and cannot effectively counter a malicious attacker. Computer forensics therefore becomes very important: it can capture the conduct of an illegal attack and fully reconstruct it, which makes accurate and effective action against attackers possible.

Computer forensics consists of system forensics and network forensics. This thesis focuses on the former and proposes an overall framework for system forensics that draws on the current hot spots of forensic technology. Three sub-modules are analyzed in detail: a data recovery module, a registry forensics and analysis module, and a network event analysis module. For data recovery on the FAT file system, the thesis designs two algorithms: a recovery algorithm for contiguously stored data and one for discretely (fragmented) stored data. For the NTFS file system, it proposes an algorithm for reconstructing the deleted directory tree together with contiguous and discrete data recovery. For registry forensics, it lists all registry keys that may contain implicit evidence. For network event forensics, it focuses on the cache file "index.dat", which is protected by the operating system (held open while the user profile is loaded, so it is normally read from a disk image or an offline copy). The thesis analyzes the structure of this file and digs out all records that contain Internet activity. Tests show that the system is feasible and can accurately reconstruct the activity that took place on the target machine.
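The FAT recovery step described above, as an added example that is not code from the thesis: a deleted directory entry keeps its first cluster number and file size, so the contiguous case is recovered by reading ceil(size / cluster size) consecutive clusters from that start, and the fragmented case can only be recovered where the FAT chain still exists (Windows zeroes it on delete). The volume geometry, file names, cluster numbers and contents below are constructed for the example; the FAT12 layout and directory-entry offsets are the standard on-disk format.

```python
import struct

# Constructed sample geometry (assumption for this example):
# 512-byte sectors, 1 sector per cluster, 1 reserved sector, 1 FAT, 16 root entries, 8 sectors.
BPS, SPC, TOTAL_SECTORS, ROOT_ENTRIES = 512, 1, 8, 16


def fat12_get(fat, n):
    """Read 12-bit FAT entry n (entries are packed in 1.5-byte units)."""
    v = struct.unpack_from("<H", fat, (n * 3) // 2)[0]
    return (v >> 4) if n & 1 else (v & 0x0FFF)


def fat12_set(fat, n, val):
    o = (n * 3) // 2
    cur = struct.unpack_from("<H", fat, o)[0]
    cur = (cur & 0x000F) | (val << 4) if n & 1 else (cur & 0xF000) | (val & 0x0FFF)
    struct.pack_into("<H", fat, o, cur)


def geometry(img):
    """Pull the volume layout out of the BIOS Parameter Block in the boot sector."""
    bps, spc, reserved, nfats, root_entries, _ = struct.unpack_from("<HBHBHH", img, 11)
    fat_sectors = struct.unpack_from("<H", img, 22)[0]
    root_sector = reserved + nfats * fat_sectors
    root_sectors = (root_entries * 32 + bps - 1) // bps
    return {"bps": bps, "spc": spc, "root_entries": root_entries,
            "fat_off": reserved * bps, "root_off": root_sector * bps,
            "data_off": (root_sector + root_sectors) * bps}


def cluster_off(g, n):
    return g["data_off"] + (n - 2) * g["spc"] * g["bps"]   # cluster numbering starts at 2


def recover_chain(fat, g, first, size):
    """Clusters to read for a deleted file: follow the FAT chain while it is still
    intact (fragmented case); once it runs out, assume the rest is contiguous."""
    cbytes = g["spc"] * g["bps"]
    needed = (size + cbytes - 1) // cbytes
    chain = [first]
    while len(chain) < needed:
        nxt = fat12_get(fat, chain[-1])
        if not 2 <= nxt < 0xFF0:          # 0 = freed on delete, >= 0xFF0 = bad/end of chain
            break
        chain.append(nxt)
    while len(chain) < needed:
        chain.append(chain[-1] + 1)       # contiguous assumption
    return chain


def recover_deleted(img):
    """Walk the root directory and rebuild every entry marked deleted (first byte 0xE5)."""
    g = geometry(img)
    cbytes = g["spc"] * g["bps"]
    fat = memoryview(img)[g["fat_off"]:]
    found = []
    for i in range(g["root_entries"]):
        e = img[g["root_off"] + 32 * i: g["root_off"] + 32 * i + 32]
        if e[0] == 0x00:
            break                         # end of directory
        if e[0] != 0xE5 or e[11] & 0x18:
            continue                      # live entry, subdirectory or volume label
        first, size = struct.unpack_from("<HI", e, 26)
        name = "?" + e[1:8].decode("ascii").rstrip() + "." + e[8:11].decode("ascii").rstrip()
        if size == 0 or first < 2:
            found.append({"name": name, "chain": [], "data": b""})
            continue
        chain = recover_chain(fat, g, first, size)
        data = b"".join(img[cluster_off(g, c):cluster_off(g, c) + cbytes] for c in chain)
        found.append({"name": name, "chain": chain, "data": data[:size]})
    return found


def build_sample_image():
    """Constructed FAT12 volume: one live file, one deleted contiguous file whose
    FAT chain was cleared, and one deleted fragmented file whose chain survived."""
    img = bytearray(BPS * TOTAL_SECTORS)
    struct.pack_into("<HBHBHHBH", img, 11, BPS, SPC, 1, 1, ROOT_ENTRIES, TOTAL_SECTORS, 0xF8, 1)
    fat_off, root_off, data_off = BPS, 2 * BPS, 3 * BPS
    fat = memoryview(img)[fat_off:fat_off + BPS]
    fat[0:3] = b"\xF8\xFF\xFF"            # media descriptor and reserved entry 1
    fat12_set(fat, 5, 0xFFF)              # LIVE.TXT: single cluster 5
    fat12_set(fat, 4, 6); fat12_set(fat, 6, 0xFFF)   # NOTES.LOG: 4 -> 6, chain left intact
    # clusters 2 and 3 (REPORT.TXT) stay 0: zeroed when the file was deleted

    def put(n, data):
        img[data_off + (n - 2) * BPS: data_off + (n - 2) * BPS + len(data)] = data
    put(2, b"R" * 512); put(3, b"E" * 188)   # REPORT.TXT, 700 bytes, contiguous
    put(5, b"L" * 100)                       # LIVE.TXT
    put(4, b"N" * 512); put(6, b"O" * 88)    # NOTES.LOG, 600 bytes, fragmented

    def entry(i, name, first, size):
        struct.pack_into("<11sB14xHI", img, root_off + 32 * i, name, 0x20, first, size)
    entry(0, b"LIVE    TXT", 5, 100)
    entry(1, b"\xE5EPORT  TXT", 2, 700)     # 0xE5 replaces the first name character
    entry(2, b"\xE5OTES   LOG", 4, 600)
    return bytes(img)


if __name__ == "__main__":
    for f in recover_deleted(build_sample_image()):
        print(f["name"], f["chain"], len(f["data"]), "bytes")
```

The contiguous assumption is the weak point of the method: if another file was written into the clusters after deletion, the recovered data is silently wrong, so a practitioner checks the recovered bytes against the expected file signature before trusting them.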
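The index.dat analysis described above, as an added example rather than the thesis's own tool: records in a v5.2 index.dat are allocated in 128-byte blocks and begin with a four-byte signature ("URL ", "REDR", "LEAK", "HASH"), so carving by signature at block boundaries, without consulting the hash table, also surfaces entries that are no longer linked from the index. The record layout used here (FILETIMEs at 0x08/0x10, URL offset at 0x34, filename offset at 0x3C, hit count at 0x54, REDR URL at 0x10) is the documented v5.2 format; the file contents, URLs and timestamps are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 128                                   # index.dat allocates records in 128-byte blocks
MAGIC = b"Client UrlCache MMF Ver 5.2\x00"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SIGS = (b"URL ", b"REDR", b"LEAK", b"HASH")


def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def cstring(buf, off):
    end = buf.find(b"\x00", off)
    return bytes(buf[off:end if end >= 0 else len(buf)]).decode("latin-1")


def parse_url_record(rec, off):
    """URL and LEAK records share one layout; string offsets are relative to the record."""
    modified, accessed = struct.unpack_from("<QQ", rec, 0x08)
    url_off, = struct.unpack_from("<I", rec, 0x34)
    name_off, = struct.unpack_from("<I", rec, 0x3C)
    hits, = struct.unpack_from("<I", rec, 0x54)
    in_rec = lambda o: 0 < o < len(rec)        # guard against a damaged offset field
    return {"type": rec[:4].decode("ascii"), "offset": off,
            "url": cstring(rec, url_off) if in_rec(url_off) else None,
            "filename": cstring(rec, name_off) if in_rec(name_off) else None,
            "modified": filetime_to_dt(modified), "accessed": filetime_to_dt(accessed),
            "hits": hits}


def scan_index_dat(data):
    """Carve every record by signature at 128-byte boundaries, ignoring the hash-table
    index and allocation state, so unlinked and leaked entries are recovered too."""
    if not data.startswith(MAGIC):
        raise ValueError("not a v5.2 index.dat")
    records, off = [], 0
    while off + BLOCK <= len(data):
        sig = bytes(data[off:off + 4])
        if sig not in SIGS:
            off += BLOCK
            continue
        nblocks, = struct.unpack_from("<I", data, off + 4)
        if nblocks == 0 or off + nblocks * BLOCK > len(data):
            nblocks = 1                        # damaged length: take one block, keep scanning
        rec = data[off:off + nblocks * BLOCK]
        if sig in (b"URL ", b"LEAK"):
            records.append(parse_url_record(rec, off))
        elif sig == b"REDR":
            records.append({"type": "REDR", "offset": off, "url": cstring(rec, 0x10)})
        off += nblocks * BLOCK                 # HASH blocks only index; they hold no activity
    return records


def build_record(sig, url, filename, accessed, modified, hits):
    """Constructed URL/LEAK record: fixed fields, then the NUL-terminated strings at 0x68."""
    body = bytearray(0x68) + url.encode() + b"\x00" + filename.encode() + b"\x00"
    nblocks = (len(body) + BLOCK - 1) // BLOCK
    rec = body + bytes(nblocks * BLOCK - len(body))
    struct.pack_into("<4sI", rec, 0, sig, nblocks)
    struct.pack_into("<QQ", rec, 0x08, dt_to_filetime(modified), dt_to_filetime(accessed))
    struct.pack_into("<I", rec, 0x34, 0x68)
    struct.pack_into("<I", rec, 0x3C, 0x68 + len(url) + 1)
    struct.pack_into("<I", rec, 0x54, hits)
    return bytes(rec)


def build_sample_index_dat():
    """Constructed file: header, one URL record, one REDR record, one LEAK record."""
    utc = timezone.utc
    header = bytearray(2 * BLOCK)
    header[:len(MAGIC)] = MAGIC
    redr = bytearray(BLOCK)
    struct.pack_into("<4sI", redr, 0, b"REDR", 1)
    target = b"http://example.test/redirect\x00"
    redr[0x10:0x10 + len(target)] = target
    body = (build_record(b"URL ", "http://example.test/login", "login[1].htm",
                         datetime(2010, 10, 24, 8, 30, tzinfo=utc),
                         datetime(2010, 10, 23, 20, 0, tzinfo=utc), 3)
            + bytes(redr)
            + build_record(b"LEAK", "http://example.test/secret.png", "secret[1].png",
                           datetime(2010, 10, 20, 12, 0, tzinfo=utc),
                           datetime(2010, 10, 20, 12, 0, tzinfo=utc), 1)
            + bytes(BLOCK))                    # trailing unallocated block
    struct.pack_into("<I", header, 0x1C, len(header) + len(body))
    return bytes(header) + body


if __name__ == "__main__":
    for r in scan_index_dat(build_sample_index_dat()):
        print(r["type"], r["url"], r.get("accessed"), r.get("hits"))
```

The signature scan is what makes this a forensic parser rather than a cache reader: Internet Explorer reuses freed blocks without wiping them, so "URL " records that the hash table no longer references can still describe visits the user believed were cleared. Timestamps are in UTC; the "accessed" field is the primary one for a visit timeline.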
Keywords/Search Tags: network forensics, system forensics, data recovery, data mining