Computer forensics is one of the most effective techniques for combating cybercrime. Its purpose is to extract from a computer the evidence that criminals left behind, so that they can be brought to justice; computer forensics technology therefore plays an important role in fighting computer crime. Building on a study of traditional computer forensics techniques, this paper presents a new model for collecting forensic evidence that covers both hard disk forensics and memory forensics. To obtain file information and recover files that criminals have deleted, the paper analyzes the traditional MBR partition scheme and the GPT partition scheme, and presents a partition-analysis algorithm based on the EasySafe driver. Memory forensics can obtain all information about processes and modules; since Windows 7 and later operating systems do not allow direct access to physical memory data, this paper presents a method based on a kernel driver to read memory data. In addition, the software can capture the user's behavior by intercepting keyboard messages. At present, an investigator must be on the scene to collect evidence, and the data is likely to be ineffective if the scene is not protected. This paper therefore presents a remote forensics approach based on a Trojan: the program is injected into a system process; to hide itself, it uses a reverse connection to the network; and it avoids being killed by using the three-thread technique. Thus the investigator can collect evidence from anywhere. Experimental results show that the algorithm can effectively extract evidence remotely.
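The hard-disk part of the model depends on reading the partition layout before any deleted-file recovery can start. The following Python example is added here to illustrate that step; it is not code from the paper or from the EasySafe driver. It parses a legacy MBR partition table from a 512-byte sector, recognises the 0xEE protective entry that signals a GPT disk, and verifies the GPT header's CRC32 so that a tampered or damaged header is reported rather than trusted. The sample sectors are constructed inline for the example; the partition-type table is an assumed, deliberately small subset.

```python
import struct
import zlib

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
GPT_SIGNATURE = b"EFI PART"
GPT_HEADER_FMT = "<8s4sIIIQQQQ16sQIII"  # 92-byte GPT header at LBA 1

# Assumed subset of partition type ids; extend as needed for a real image.
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
                   0x83: "Linux", 0xEE: "GPT protective MBR"}


def parse_mbr(sector: bytes) -> dict:
    """Return disk signature and the non-empty entries of a 4-slot MBR table."""
    if len(sector) < MBR_SIZE:
        raise ValueError("MBR sector must be 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    disk_signature = struct.unpack_from("<I", sector, 440)[0]
    partitions = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + slot * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, num_sectors = \
            struct.unpack_from("<B3sB3sII", sector, off)
        if ptype == 0x00:          # empty slot: nothing to recover here
            continue
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "num_sectors": num_sectors,
            "lba_end": lba_start + num_sectors - 1,
        })
    return {
        "disk_signature": disk_signature,
        "partitions": partitions,
        # A single 0xEE entry means the real table lives in the GPT at LBA 1.
        "is_gpt_protective": any(p["type"] == 0xEE for p in partitions),
    }


def parse_gpt_header(lba1: bytes) -> dict:
    """Parse the GPT header and recompute its CRC32 (CRC field zeroed)."""
    if len(lba1) < 92:
        raise ValueError("GPT header needs at least 92 bytes")
    (sig, _rev, hdr_size, hdr_crc, _res, cur_lba, backup_lba, first_usable,
     last_usable, disk_guid, entries_lba, num_entries, entry_size,
     entries_crc) = struct.unpack_from(GPT_HEADER_FMT, lba1, 0)
    if sig != GPT_SIGNATURE:
        raise ValueError("missing 'EFI PART' signature")
    scratch = bytearray(lba1[:hdr_size])
    scratch[16:20] = b"\x00" * 4          # CRC is computed with its own field zeroed
    crc_ok = (zlib.crc32(bytes(scratch)) & 0xFFFFFFFF) == hdr_crc
    return {"header_crc_ok": crc_ok, "current_lba": cur_lba, "backup_lba": backup_lba,
            "first_usable_lba": first_usable, "last_usable_lba": last_usable,
            "disk_guid": disk_guid.hex(), "entries_lba": entries_lba,
            "num_entries": num_entries, "entry_size": entry_size,
            "entries_crc": entries_crc}


# --- constructed sample data (not from a real disk) -------------------------

def build_mbr(entries, disk_signature=0x12345678) -> bytes:
    """entries: iterable of (status, type, lba_start, num_sectors)."""
    sector = bytearray(MBR_SIZE)
    struct.pack_into("<I", sector, 440, disk_signature)
    for slot, (status, ptype, lba_start, num_sectors) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sector, PARTITION_TABLE_OFFSET + slot * ENTRY_SIZE,
                         status, b"\xff\xff\xff", ptype, b"\xff\xff\xff",
                         lba_start, num_sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_gpt_header(num_entries=128, entry_size=128) -> bytes:
    hdr = bytearray(struct.pack(GPT_HEADER_FMT, GPT_SIGNATURE, b"\x00\x00\x01\x00", 92, 0,
                                0, 1, 1000, 34, 966, b"\x11" * 16, 2,
                                num_entries, entry_size, 0))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)
    return bytes(hdr).ljust(MBR_SIZE, b"\x00")


if __name__ == "__main__":
    print(parse_mbr(build_mbr([(0x80, 0x07, 2048, 204800)])))
    print(parse_mbr(build_mbr([(0x00, 0xEE, 1, 0xFFFFFFFF)])))
    print(parse_gpt_header(build_gpt_header()))
```

The CRC check matters for the forensic use described in the paper: a header that fails it should be treated as untrusted, and the backup header at the disk's last LBA consulted instead, rather than letting a corrupted or deliberately altered entry table steer file recovery.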