计算机入侵动态取证技术研究

计算机取证是打击计算机犯罪的有效手段,传统的计算机取证大多采用事后分析的静态取证技术,证据的采集不够及时、全面,经恢复的数据可能是已经被篡改,因而法律效力低。可以运用一种将计算机取证技术与入侵检测技术结合的入侵动态取证系统,动态收集识别入侵证据,及时分析、提取证据至证据库中保存。此系统采用认证、加密、隔离等安全手段,确保了证据在传送、保存过程中的真实性、准确性及不可篡改性,使其成为有效的法庭证据,实现了计算机取证的及时性、智能性。     

谈计算机取证

随着信息技术的发展,利用计算机系统作为犯罪工具或目标的案件越来越多。因此,电子证据也将成为越来越重要的证据。但对于这类证据的取得,即计算机犯罪取证,却是人们要面对的一个难题。计算机取证可按以下步骤进行:保护和勘查现场、确定和获取电子证据、分析和提取数据、归档并提交结果。     

网络取证系统的技术分析与模型实现

首先分析了网络取证的基本概念，然后介绍了网络取证系统的分析过程，最后提出和设计了一个分布式网络实时取证系统的实现模型。     

A RAM triage methodology for Hadoop HDFS forensics

This paper discusses the challenges of performing a forensic investigation against a multi-node Hadoop cluster and proposes a methodology for examiners to use in such situations. The procedure's aim of minimising disruption to the data centre during the acquisition process is achieved through the use of RAM forensics. This affords initial cluster reconnaissance which in turn facilitates targeted data acquisition on the identified DataNodes. To evaluate the methodology's feasibility, a small Hadoop Distributed File System (HDFS) was configured and forensic artefacts simulated upon it by deleting data originally stored in the cluster. RAM acquisition and analysis was then performed on the NameNode in order to test the validity of the suggested methodology. The results are cautiously positive in establishing that RAM analysis of the NameNode can be used to pinpoint the data blocks affected by the attack, allowing a targeted approach to the acquisition of data from the DataNodes, provided that the physical locations can be determined. A full forensic analysis of the DataNodes was beyond the scope of this project.     

Taxonomy of Challenges for Digital Forensics

Since its inception, over a decade ago, the field of digital forensics has faced numerous challenges. Despite different researchers and digital forensic practitioners having studied and analysed various known digital forensic challenges, as of 2013, there still exists a need for a formal classification of these challenges. This article therefore reviews existing research literature and highlights the various challenges that digital forensics has faced for the last 10 years. In conducting this research study, however, it was difficult for the authors to review all the existing research literature in the digital forensic domain; hence, sampling and randomization techniques were employed to facilitate the review of the gathered literature. Taxonomy of the various challenges is subsequently proposed in this paper based on our review of the literature. The taxonomy classifies the large number of digital forensic challenges into four well‐defined and easily understood categories. The proposed taxonomy can be useful, for example, in future developments of automated digital forensic tools by explicitly describing processes and procedures that focus on addressing specific challenges identified in this paper. However, it should also be noted that the purpose of this paper was not to propose any solutions to the individual challenges that digital forensics face, but to serve as a survey of the state of the art of the research area.     

File fragment encoding classification—An empirical approach

Over the past decade, a substantial effort has been put into developing methods to classify file fragments. Throughout, it has been an article of faith that data fragments, such as disk blocks, can be attributed to different file types. This work is an attempt to critically examine the underlying assumptions and compare them to empirically collected data. Specifically, we focus most of our effort on surveying several common compressed data formats, and show that the simplistic conceptual framework of prior work is at odds with the realities of actual data. We introduce a new tool, zsniff, which allows us to analyze deflate-encoded data, and we use it to perform an empirical survey of deflate-coded text, images, and executables. The results offer a conceptually new type of classification capabilities that cannot be achieved by other means.     

Development of Individuality in Children's Handwriting

Handwriting of children in early grades is studied from the viewpoint of quantitatively measuring the development of handwriting individuality. Handwriting samples of children, in grades 2–4, writing a paragraph of text in both handprinted and cursive, collected over a period of 3 years, were analyzed using two different approaches: (i) characteristics of the word “and” and (ii) entire paragraphs using an automated system. In the first approach, word characteristics were analyzed using statistical measures. In the second approach, pairs of paragraphs were compared. Both types of analysis, single word and complete writing, led to the same conclusions: (i) handwriting of each child remains relatively similar when handwriting has been just learnt and becomes markedly different from grades 3 to 4 and (ii) handwriting of different children becomes progressively more different from grades 2 to 4. The results provide strong support that handwriting becomes more individualistic with child development.     

Generating a Corpus of Mobile Forensic Images for Masquerading user Experimentation

The Periodic Mobile Forensics (PMF) system investigates user behavior on mobile devices. It applies forensic techniques to an enterprise mobile infrastructure, utilizing an on‐device agent named TractorBeam. The agent collects changed storage locations for later acquisition, reconstruction, and analysis. TractorBeam provides its data to an enterprise infrastructure that consists of a cloud‐based queuing service, relational database, and analytical framework for running forensic processes. During a 3‐month experiment with Purdue University, TractorBeam was utilized in a simulated operational setting across 34 users to evaluate techniques to identify masquerading users (i.e., users other than the intended device user). The research team surmises that all masqueraders are undesirable to an enterprise, even when a masquerader lacks malicious intent. The PMF system reconstructed 821 forensic images, extracted one million audit events, and accurately detected masqueraders. Evaluation revealed that developed methods reduced storage requirements 50‐fold. This paper describes the PMF architecture, performance of TractorBeam throughout the protocol, and results of the masquerading user analysis.     

The different types of reports produced in digital forensic investigations

The importance of ensuring the results of any digital forensic (DF) examination are effectively communicated cannot be understated. In most cases, this communication will be done via written report, yet despite this there is arguably limited best practice guidance available which is specific for this field in regards to report construction. Poor reporting practices in DF are likely to undermine the reliability of evidence provided across this field, where there is a need for formalised guidance regarding the requirements for effective DF report construction; this should not be a task left solely to each individual practitioner to determine without instruction. For this, the field of DF should look to the wider forensic community and the existing work in this area for support. In line with many other ‘traditional’ forensic science types, a DF practitioner can be commissioned to report in one of three ways - ‘technical’, ‘investigative’ or ‘evaluative’, where each reporting type maintains a specific purpose and interpretative-context, determined by the examination workflow undertaken by a practitioner following client instruction. This work draws upon guidance set out in fundamental forensic science reporting literature in order to describe each reporting type in turn, outlining their scope, content and construction requirements in an attempt to provide support for the DF field.