
Research And Implementation Of Electronic Forensic Oriented Data Acquisition Methods

Posted on: 2010-03-03
Degree: Master
Type: Thesis
Country: China
Candidate: L Zhang
GTID: 2218330368999679
Subject: Computer application technology
Abstract/Summary:
In recent years, with the extensive use of computers and networks in daily life and work, high-tech crime has become increasingly rampant. Criminals try their best to delete the digital evidence that can prove their crimes, so how to find adequate, reliable and legal digital evidence through computer forensics to fight crime has become a hot-spot problem.

Computer forensics is a complex area that involves a great number of technologies. Data recovery, file content searching and system residual data acquisition are hot spots in current computer forensics research. Compared with foreign countries, our country still has a lot to do to improve its computer forensics technologies. However, computer forensics technologies abroad are always non-public, so this paper carries out in-depth research on the current hot technologies of computer forensics and implements each of them. This research and implementation will provide a good reference for follow-up study of computer forensics technologies. At the same time, this paper improves the related algorithms of the data acquisition methods; a comparison of the results shows that these algorithms effectively optimize the electronic forensic oriented data acquisition methods.

Through analysis of the storage structure of the file system, this paper carries out in-depth research on data recovery methods for the FAT32 and NTFS file systems. In the FAT32 data recovery method, this paper improves the first cluster location algorithm; a specific example shows that the modified algorithm locates the address of the first cluster more accurately. In the research on the hard disk file content searching method, this paper analyzes and designs the overall data flow of the method based on Lucene. In addition, building on Lucene's basic results sorting algorithm and taking into account the position of the keyword and the size of the file content, this paper proposes an improved results sorting algorithm. The improved algorithm makes the ranking of documents in the results more reasonable for users. This paper also carries out in-depth research on the system memory data acquisition method and the network traces acquisition method.

Finally, based on the research on electronic forensic oriented data acquisition methods, this paper designs and implements each of the above-mentioned methods. The results and the analysis of the implementation show that the research and implementation meet the requirements of electronic forensic oriented data acquisition methods.
Keywords/Search Tags:computer forensics, data recovery, files content searching, system residual data acquisition, first cluster location algorithm