
Research on Electronic Evidence Acquisition and Analysis Methods over Windows Logs

Posted on: 2013-05-09
Degree: Master
Type: Thesis
Country: China
Candidate: X D Liu
Full Text: PDF
GTID: 2298330467472083
Subject: Computer application technology
Abstract/Summary:
With the rapid development of computer and Internet technology, computers and the Internet have spread into every part of people's work and life, from information research to online shopping, and from writing blogs to chatting. While they bring ever more convenience, they have also become a powerful tool for computer crime, which poses a great threat to the whole community and to national security. Computer forensics is the set of technologies and methods used to extract the required electronic evidence and deliver it to the court; it is a critical means of fighting computer crime. As computer crime increases, computer forensics is gradually becoming a focus of research and attention.

Log files record the operations carried out while the computer system and its application programs run. These records preserve the traces left by computer criminals and are important clues and resources in the course of computer forensics. In order to make good use of logs as lawful evidence in court, two problems must be solved. First, the logs must be collected in time and then protected or stored elsewhere. Second, the criminal traces must be found within a large volume of logs so that the selected logs can be delivered to the court as legal evidence.

To solve these two problems, two methods for acquiring Windows logs in time are used. They obtain not only the logs that exist in the system or are stored as text, but also the main logs of the Windows system. On the basis of real-time log acquisition, the log files are associated with atomic attack functions, which transfers the analysis from the logs themselves to the atomic attack functions and greatly reduces the time needed to analyze the logs. Furthermore, a solution for event reconstruction is proposed; under the given conditions, it can reconstruct the computer crime scenario.

Finally, the feasibility of the methods described above is demonstrated by experiment.
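As an added illustration of the analysis the abstract describes, and not code from the thesis (which does not publish its implementation): the Python example below maps Windows Security log records to named atomic attack functions, collapses repeated steps, and orders the result into an attack scenario, and it computes an integrity fingerprint at acquisition time for the "protect the logs" requirement. The atomic function names, the constructed sample records and the SHA-256 fingerprint scheme are assumptions made for this example; the Event IDs are the standard Windows Security Auditing IDs.

```python
"""Added example: log records -> atomic attack functions -> reconstructed scenario.

Not from the thesis. Atomic function names, sample records and the
fingerprint scheme are assumptions; Event IDs are standard Windows
Security Auditing IDs (4625 failed logon, 4624 logon, 4720 account
created, 4732 member added to a local group, 1102 audit log cleared,
4688 process creation).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional
import hashlib
import json


@dataclass
class WinEvent:
    """One Security log record: timestamp, Event ID and its EventData fields."""
    time: datetime
    event_id: int
    data: dict


# Constructed sample records (not real data), deliberately out of order so
# that reconstruction has to sort them. Stands in for records exported from
# Security.evtx with wevtutil or Get-WinEvent.
SAMPLE_EVENTS = [
    WinEvent(datetime(2013, 3, 1, 9, 6, 10), 1102, {"SubjectUserName": "admin"}),
    WinEvent(datetime(2013, 3, 1, 9, 4, 50), 4625, {"TargetUserName": "admin", "LogonType": "3", "IpAddress": "10.0.0.7"}),
    WinEvent(datetime(2013, 3, 1, 9, 5, 0), 4624, {"TargetUserName": "admin", "LogonType": "3", "IpAddress": "10.0.0.7"}),
    WinEvent(datetime(2013, 3, 1, 9, 5, 40), 4732, {"MemberName": "svc_backup", "TargetUserName": "Administrators"}),
    WinEvent(datetime(2013, 3, 1, 9, 4, 55), 4625, {"TargetUserName": "admin", "LogonType": "3", "IpAddress": "10.0.0.7"}),
    WinEvent(datetime(2013, 3, 1, 9, 5, 30), 4720, {"TargetUserName": "svc_backup", "SubjectUserName": "admin"}),
    WinEvent(datetime(2013, 3, 1, 9, 4, 45), 4625, {"TargetUserName": "admin", "LogonType": "3", "IpAddress": "10.0.0.7"}),
    WinEvent(datetime(2013, 3, 1, 9, 5, 5), 4688, {"NewProcessName": "C:\\Windows\\System32\\net.exe"}),  # left unmapped
]


# Each atomic attack function inspects one record and returns a short
# description if the record is an instance of that function, else None.
def failed_network_logon(e: WinEvent) -> Optional[str]:
    if e.event_id == 4625 and e.data.get("LogonType") == "3":
        return f"failed logon as {e.data['TargetUserName']} from {e.data['IpAddress']}"
    return None


def network_logon(e: WinEvent) -> Optional[str]:
    if e.event_id == 4624 and e.data.get("LogonType") == "3":
        return f"logon as {e.data['TargetUserName']} from {e.data['IpAddress']}"
    return None


def create_account(e: WinEvent) -> Optional[str]:
    if e.event_id == 4720:
        return f"{e.data['SubjectUserName']} created account {e.data['TargetUserName']}"
    return None


def add_to_admin_group(e: WinEvent) -> Optional[str]:
    if e.event_id == 4732 and e.data.get("TargetUserName") == "Administrators":
        return f"{e.data['MemberName']} added to Administrators"
    return None


def clear_audit_log(e: WinEvent) -> Optional[str]:
    if e.event_id == 1102:
        return f"audit log cleared by {e.data['SubjectUserName']}"
    return None


ATOMIC_FUNCTIONS: list[tuple[str, Callable[[WinEvent], Optional[str]]]] = [
    ("failed_network_logon", failed_network_logon),
    ("network_logon", network_logon),
    ("create_account", create_account),
    ("add_to_admin_group", add_to_admin_group),
    ("clear_audit_log", clear_audit_log),
]


def reconstruct(events: list[WinEvent]) -> list[dict]:
    """Order records by time, map each to its atomic function, and collapse a run
    of identical steps (e.g. a burst of failed logons) into one step with a count."""
    steps: list[dict] = []
    for e in sorted(events, key=lambda ev: ev.time):
        for name, fn in ATOMIC_FUNCTIONS:
            desc = fn(e)
            if desc is None:
                continue
            if steps and steps[-1]["function"] == name and steps[-1]["detail"] == desc:
                steps[-1]["count"] += 1
                steps[-1]["end"] = e.time
            else:
                steps.append({"function": name, "detail": desc, "count": 1, "start": e.time, "end": e.time})
            break  # first matching atomic function wins; unmapped records are dropped
    return steps


def fingerprint(events: list[WinEvent]) -> str:
    """SHA-256 over a canonical serialization of the acquired records, computed at
    collection time so a copy presented later can be shown to be unmodified."""
    canon = json.dumps(
        [[e.time.isoformat(), e.event_id, e.data] for e in sorted(events, key=lambda ev: (ev.time, ev.event_id))],
        sort_keys=True,
    )
    return hashlib.sha256(canon.encode()).hexdigest()


if __name__ == "__main__":
    print("fingerprint:", fingerprint(SAMPLE_EVENTS))
    for s in reconstruct(SAMPLE_EVENTS):
        print(f"{s['start']:%H:%M:%S}-{s['end']:%H:%M:%S} x{s['count']:<2} {s['function']}: {s['detail']}")
```

The last step in the reconstructed scenario, the 1102 record, is the practical reason the abstract insists on timely acquisition: once the audit log is cleared, only a copy that was already forwarded or exported, together with its fingerprint, can show what happened and that the copy is intact.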
Keywords/Search Tags: computer forensics, Windows logs, log acquisition, log analysis, event reconstruction