With the development of computer science and information technology, people benefit greatly from the application of information technology, but they also face a growing number of computer crimes. At present, most powerful computers use Linux as their operating system, so it is necessary to study forensic methods and key technologies based on Linux in order to meet the requirement of reducing computer crime.

First, the basic model and the overall framework diagram of the forensic model are presented. The forensic architecture is divided into five modules: the evidence collection module, which is researched in particular, the data preservation module, the evidence analysis module, the evidence submission module and the evidence supervision module.

Second, this thesis studies the problem of detecting and collecting rootkit evidence. Starting from the intrusion techniques used by kernel rootkits, a design method and an implementation procedure are proposed. Then the detection and collection of user-mode rootkits is realized from several aspects, including file pattern matching, pattern string search, user login logs, hidden processes, hidden ports and network interfaces in promiscuous mode. The results of the detection and collection experiments are presented.
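The user-mode rootkit checks named above (hidden processes, hidden ports, promiscuous interfaces) are all cross-view comparisons: what the kernel exposes through /proc and /sys is compared with what a possibly trojaned userland tool reports, and anything the tool omits is an indicator. The following Python is an added example written for this page, not code from the thesis; the /proc listing, the /proc/net/tcp excerpt, the interface flag values and the tool-reported lists are all constructed inline so it runs offline.

```python
"""Cross-view checks for user-mode rootkit indicators on constructed Linux inputs."""
from __future__ import annotations
from typing import Iterable

IFF_PROMISC = 0x100  # IFF_PROMISC bit as shown in /sys/class/net/<iface>/flags

# Constructed sample data standing in for live reads of /proc and /sys, and for
# the output of userland tools (ps, netstat) that a rootkit may have replaced.
PROC_LISTING = ["1", "2", "437", "1042", "self", "cpuinfo", "meminfo"]
TOOL_PIDS = [1, 2, 437]                      # PIDs a trojaned ps reports (1042 missing)

PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:8A3C 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""
TOOL_PORTS = [22]                            # listening ports a trojaned netstat reports

IFACE_FLAGS = {"lo": "0x9", "eth0": "0x1003", "eth1": "0x1103"}  # contents of .../flags


def hidden_pids(proc_listing: Iterable[str], tool_pids: Iterable[int]) -> set[int]:
    """PIDs that exist as numeric entries under /proc but are absent from the tool's view."""
    proc_pids = {int(name) for name in proc_listing if name.isdigit()}
    return proc_pids - set(tool_pids)


def listening_ports_from_proc_net_tcp(text: str) -> set[int]:
    """Parse /proc/net/tcp and return local ports in state LISTEN (0A); ports are hex."""
    ports: set[int] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].rstrip(":").isdigit():
            continue  # skip the header line
        local_addr, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def hidden_ports(proc_net_tcp: str, tool_ports: Iterable[int]) -> set[int]:
    """Listening ports visible to the kernel but missing from the tool's output."""
    return listening_ports_from_proc_net_tcp(proc_net_tcp) - set(tool_ports)


def promiscuous_interfaces(flags_by_iface: dict[str, str]) -> list[str]:
    """Interfaces whose flags word has IFF_PROMISC set (a sniffer indicator)."""
    return sorted(name for name, flags in flags_by_iface.items()
                  if int(flags, 16) & IFF_PROMISC)


def run_checks() -> dict[str, list]:
    """Run all three checks over the constructed inputs and return a sorted report."""
    return {
        "hidden_pids": sorted(hidden_pids(PROC_LISTING, TOOL_PIDS)),
        "hidden_ports": sorted(hidden_ports(PROC_NET_TCP, TOOL_PORTS)),
        "promisc_ifaces": promiscuous_interfaces(IFACE_FLAGS),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings}")
```

On a live system the constructed inputs would be replaced by `os.listdir("/proc")`, the contents of `/proc/net/tcp` (and `tcp6`), and each `/sys/class/net/<iface>/flags`; the tool-side lists come from the suspect binaries, which is exactly why the comparison is done against the kernel view rather than trusting either side alone.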
Third, static evidence collection is researched from the different perspectives of the intrusion track, intrusion traces, attack targets, attack methods and concealment of the intrusion. Suspicious files, log files, files sensitive to user privileges, hidden files and some Linux system configuration files are essential to static evidence collection.

Finally, the system is divided into four layers: the image layer, the file system layer, the application layer and the interface layer. Using the layering principle not only improves development efficiency but also reduces the difficulty of system testing. The image layer solves the problem of obtaining Ext partition data from the compromised computer. The file system layer implements the file access operations. The application layer solves several problems, including formatted log output, hidden file search and the enumeration of SUID files resident in the current partition. The interface layer uses a listening socket to receive and parse HTTP connection requests from the client, providing interaction with the client's browser. The functional test results show that the original goal has been achieved.