Institutional Repository of the Institute of Software, Chinese Academy of Sciences (ISCAS OpenIR)
Title: 计算机取证方法关键问题研究 (Research on Key Problems in Computer Forensic Methods)
Author: 孙波 (Sun Bo)
Defense date: 2004
Major: Computer Software and Theory
Degree-granting institution: Institute of Software, Chinese Academy of Sciences
Degree-granting location: Institute of Software, Chinese Academy of Sciences
Degree: Doctor (PhD)
Keywords: digital evidence; integrity; fidelity; computer forensic process; forensic environment; isolated environment; computer crime abnormal behavior
Alternative title: Research on Key Aspects of Computer Forensic Methods
Abstract (translated from the Chinese original): This dissertation addresses increasingly serious computer crime by studying several key problems in computer forensic methods, and obtains the following five main results. First, a periodization of computer forensics research into a foundation period, an initial development period, and a theory-refinement period is proposed. The dissertation systematically analyzes the formation and development of the basic ideas, techniques and methods of computer forensics and presents a panoramic view of the field's evolution, laying a foundation for understanding the state of development of computer forensic technology and for identifying the correct direction of future research. Second, drawing on the ideas of requirements analysis and components from software engineering, a requirements-based computer forensic process model is proposed. This model provides a more effective and abstract framework for the computer forensic process: it does not prescribe which forensic processes a given class of investigation environment must provide; these are determined by the product's users, developers or other third parties according to actual needs. This gives flexibility in describing security requirements in constantly changing, complex real-world environments, makes it possible to study and formulate a unified computer forensic process standard, and, through its open framework, paves the way for incorporating practical methods from other fields (such as traditional forensics). Third, a pre-installed Digital Evidence Collecting System (DECS) is proposed for constructing a computer forensic collection environment, so that digital evidence can be acquired to the greatest possible extent. Fourth, protecting DECS is the key to guaranteeing the integrity and fidelity of digital evidence. The dissertation proposes that a secure isolated environment is an effective way to protect DECS. To construct such an environment, the author introduces an access control mechanism into the protection of DECS: a new protection mechanism, I-LOMAC, is designed and implemented on the basis of LOMAC. Experimental measurements show that this new access control mechanism not only provides a fairly complete secure isolated environment for DECS but also has a small impact on overall system performance. Fifth, in computer forensic investigations, both the large volume of forensic data and the fact that abnormal behavior is often hidden among scattered data make it difficult for investigators to obtain potential evidence of digital crime. The dissertation applies the basic ideas and methods of criminal profiling from traditional criminal forensics to the analysis of computer crime evidence and proposes the Criminal Behavior Profiling in Digital Evidence (CB-PIDE) analysis method. This method can establish the key scope of investigation within large volumes of forensic data and mine potential abnormal behavior. Measurements of CB-PIDE applied in a real environment show that it effectively narrows the scope of forensic investigation and uncovers potential abnormal behavior, thereby helping investigators set investigation strategies, concentrate available resources, and investigate suspicious targets effectively. In summary, the results of this dissertation lay a foundation for further exploration of basic computer forensic methods and thus for building practical and effective computer forensic systems.
English abstract: Research on digital forensic technology has become more active with the recent increase in illegal accesses to computer systems. Key fundamentals of digital forensic technology are very important for its progress. This dissertation studies several key fundamental questions concerning the basic methods of digital forensics and obtains five principal results. First, a classification method that divides the development of digital forensics into a foundation period, a primary developing period and a basic-theory perfecting period is proposed. The origin and development of the fundamental concepts, technologies and methods of digital forensics are analyzed systematically for the first time. A comprehensive perspective on the evolution of digital forensics is presented, which lays the groundwork for an overall understanding of the state of the art in the field. Second, the most important part of these key fundamentals is the development of a methodology for digital forensics. This dissertation explores the development of the digital forensic process, compares and contrasts several forensic methodologies, and finally proposes an abstract model of the digital forensic procedure, named the requirement-based computer forensic process. This model attempts to address some of the shortcomings of previous methodologies and provides the following advantages: a consistent and standardized framework for digital forensic tool development; a mechanism for applying the framework to future digital technologies; and the potential for incorporating non-digital electronic technologies within the abstraction. Third, digital evidence is easily modified and erased. In order to collect evidence with integrity and fidelity, a digital forensic environment is proposed that maximizes an environment's ability to collect credible digital evidence. A Digital Evidence Collecting System (DECS), installed in the target system in advance, is built for that purpose.
Fourth, without considering the security of the forensic mechanisms themselves, digital evidence cannot be protected completely. Based on an analysis of related research, a secure area is proposed to protect forensic mechanisms from attack. A mechanism called I-LOMAC has been designed and implemented to evaluate this approach. The results demonstrate its advantage in protecting the forensic mechanisms. Fifth, of particular importance in digital forensics is the requirement to successfully narrow the potentially large search space often presented to investigators of such crimes and to effectively find the potential evidence scattered across data entries. A solution is proposed that applies the traditional criminal profiling method to digital evidence analysis. Based on association-rule data mining, a method called CB-PIDE was designed. This method can focus the investigation space and uncover potential abnormal behavior. Results obtained with CB-PIDE in a real environment have identified irregularities. In summary, the principal results of this dissertation contribute to the exploration of computer forensic methods and to the construction of useful computer forensic systems.
Language: Chinese
Content type: Dissertation
URI: http://ir.iscas.ac.cn/handle/311060/5960
Files in this item:
File name: LW013941.pdf; file size: 2011 KB; access: restricted; contact the repository to obtain the full text.

Recommended Citation:
孙波. 计算机取证方法关键问题研究[D]. 中国科学院软件研究所. 中国科学院软件研究所. 2004-01-01.