
Research And Design Of Computer Forensics Based On Malicious Code Analysis

Posted on: 2013-06-17
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Wang
Full Text: PDF
GTID: 2298330467472086
Subject: Computer technology
Abstract/Summary:
With the development of science and technology and the widespread adoption of the Internet, people have benefited enormously in their study, work and daily life from technological progress and information networks, but they also face unprecedented threats to network security. In recent years Internet-based crime has been on the rise, and crimes committed with a computer or targeting a computer are increasingly common, posing a serious threat to the whole country and society. Computer crime has become a major problem that judicial systems everywhere need to address. How to combat and curb such crime and resolve the computer security problems it raises is a current research focus, and computer forensics technology has emerged in response. Computer forensics is the technology for investigating and analysing computer crime cases, and it is an important means of combating computer crime and protecting computer system security. Current computer forensics, however, amounts to a simple lookup of evidence: it requires a great deal of manual participation and cannot identify potential associations between pieces of evidence. Combining the advantages of data mining in processing large volumes of data with the characteristics of the electronic evidence left by malicious code, this paper presents a weighted frequent pattern mining algorithm based on FP-Growth. First, the import tables of malicious code samples are analysed, and statistics on their API call sequences serve as the weighting basis for the FP-Growth algorithm, so that different API call sequences carry different weights; this increases the likelihood that these sequences generate association rules, and a rule base is eventually produced. A comparative analysis against the FP-Growth algorithm shows that the improved algorithm analyses computer evidence with higher accuracy.
Secondly, in order to obtain evidence of the behaviour of malicious code, a malware forensics system was also designed to carry out dynamic forensic analysis: it monitors the processes, registry, file operations and port numbers used by the malicious code, records its behaviour and generates a forensics report. Finally, specific examples verify the feasibility of the method and its effect on the host.
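The weighted mining step described above, as an added Python example that is not part of the thesis: it builds an FP-tree over constructed import tables of fictitious samples and mines weighted frequent API patterns. The weighting scheme (an API's weight is the share of samples importing it; a pattern's weighted support is its relative support times the mean weight of its APIs) is an assumption standing in for the thesis's own scheme, which the abstract does not spell out.

```python
from collections import Counter, defaultdict
SAMPLES = [  # constructed: the Win32 APIs each fictitious sample imports (from its PE import table)
    {"CreateFileW", "WriteFile", "RegSetValueExW", "CreateProcessW"},
    {"CreateFileW", "WriteFile", "RegSetValueExW", "connect"},
    {"CreateFileW", "RegSetValueExW", "connect", "send"},
    {"WriteFile", "CreateProcessW", "VirtualAllocEx", "WriteProcessMemory"},
    {"CreateFileW", "WriteFile", "RegSetValueExW", "connect", "send"},
]
class Node:
    def __init__(self, item, parent):
        self.item, self.count, self.parent, self.children = item, 0, parent, {}

def build_tree(transactions, min_count):
    """FP-tree over (items, count) pairs -> (item -> its nodes, item -> total count)."""
    counts = Counter()
    for items, c in transactions:
        counts.update(dict.fromkeys(items, c))
    root, header = Node(None, None), defaultdict(list)
    for items, c in transactions:
        node = root  # insert frequent items only, most frequent first, so prefixes share nodes
        for i in sorted((i for i in items if counts[i] >= min_count), key=lambda i: (-counts[i], i)):
            if i not in node.children:  # new node: create it and index it in the header
                header[i].append(node.children.setdefault(i, Node(i, node)))
            node = node.children[i]
            node.count += c
    return header, counts

def fp_growth(transactions, min_count, suffix=()):
    """Yield (pattern, support) for every itemset whose support is >= min_count."""
    header, counts = build_tree(transactions, min_count)
    for item in sorted(header, key=lambda i: (counts[i], i)):  # least frequent first
        pattern = (item,) + suffix
        yield pattern, counts[item]
        base = []  # conditional pattern base: prefix path and count of every node of `item`
        for node in header[item]:
            path, p = [], node.parent
            while p.item is not None:
                path.append(p.item)
                p = p.parent
            base.append((path, node.count))
        yield from fp_growth(base, min_count, pattern)

def weighted_patterns(samples, min_support, min_wsupport):
    """Assumed weighting (the thesis's own scheme is not on the page): an API's weight is the
    share of samples importing it; weighted support = relative support * mean API weight."""
    n = len(samples)
    weight = {a: c / n for a, c in Counter(a for s in samples for a in s).items()}
    mined = fp_growth([(sorted(s), 1) for s in samples], int(min_support * n))
    return {frozenset(p): w for p, sup in mined
            if (w := (sup / n) * sum(weight[a] for a in p) / len(p)) >= min_wsupport}
```

With `weighted_patterns(SAMPLES, 0.4, 0.4)` the file-plus-registry pair `{CreateFileW, RegSetValueExW}` scores 0.64 while the equally frequent but low-weight `{WriteFile, CreateProcessW}` pair is dropped, which is the effect the weighting is meant to have on the rule base.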
Keywords/Search Tags: computer forensics, malicious code, data mining, API call sequence, weighted FP-Growth algorithm