一种支持犯罪重现的按需取证技术

删除或更新信息，请邮件至freekaoyan#163.com(#换成@)

清华大学辅仁网/2017-07-07

一种支持犯罪重现的按需取证技术

田志宏¹,姜伟²,张宏莉¹

2. 北京工业大学计算机学院, 北京 100124
3. 国防科技大学计算机学院, 长沙 410073

On-demand forensics to support crime scene reconstruction

Zhihong TIAN¹,Wei JIANG²,Hongli ZHANG¹

1. School of Computer Science and Technology, Harbin Institute of Technology, Harbin 150001, China
2. College of Computer Science, Beijing University of Technology, Beijing 100124, China
3. School of Computer, National University of Defense Technology, Changsha 410073, China

摘要:

HTML
输出: BibTeX | EndNote (RIS) 背景资料

文章导读

摘要基于实时取证的思想,提出了一种支持犯罪重现的按需取证技术—DFR2(on-demand forensic technology support for rollback recovery)。基于按需取证概念, DFR2缩小了处理范围、缩短了取证时间,基于对象依赖技术的多源证据推理融合算法,提取出完整的攻击流程,提高了证据关联性。此外,还将犯罪重现引入计算机取证领域,有效地解决了电子证据证明力不足的问题。实验分析结果表明: 与当前主流的取证方法Snare相比, DFR2不仅支持按需取证、犯罪重现等功能,且在进行系统调用劫持过程中的平均性能开销降低约5%左右。

关键词 ：入侵取证,犯罪重现,电子证据,按需取证

Abstract：A system, DFR2 (on-demand forensic technology support for rollback recovery), is developed to obtain on demand real-time evidence from crimes to support rollback recovery. The Linux based system for obtaining evidence uses different methods and objects which are logically based on their different environments to narrow down the range of treatments, to shorten the investigations and evidence acquisition, and to improve the effectiveness of the evidence. The system also supports rollback recovery of the file system data to minimize intrusion losses. Compared with existing method Snare, the results have improved function and performance with reducing 5% cost during robbing process.

Key words：intrusion forensic crime rebuilding electronic evidence on-demand forensics

收稿日期: 2013-12-01 出版日期: 2015-04-16

ZTFLH:

基金资助:国家 “八六三” 高技术资助项目 (2012AA012506, 2012AA012502, 2012AA012901)

引用本文:

田志宏, 姜伟, 张宏莉. 一种支持犯罪重现的按需取证技术[J]. 清华大学学报（自然科学版）, 2014, 54(1): 20-28.
Zhihong TIAN, Wei JIANG, Hongli ZHANG. On-demand forensics to support crime scene reconstruction. Journal of Tsinghua University(Science and Technology), 2014, 54(1): 20-28.

链接本文:

http://jst.tsinghuajournals.com/CN/或 http://jst.tsinghuajournals.com/CN/Y2014/V54/I1/20

图表:

取证系统	安全性	多源融合	犯罪重现	按需取证	可扩展性
Snare	Ö	×	×	×	×
Forensix	×	×	Ö	×	Ö
Backtracker	×	×	×	×	×
SeFos	Ö	×	×	Ö	×
DFR2	Ö	Ö	Ö	Ö	Ö

各取证系统功能比较结果

DFR2的体系架构图

DFR2的取证需求实例

对象依赖关系转换图

图操作过程示意

跳板攻击多源证据融合流程

犯罪重现操作示意图

犯罪重现实例示意图

DoS攻击证据图

系统调用延迟时间对比

CPU占用率对比

内存占用率对比

参考文献:

[1]	孙国梓, 耿伟明. 基于可信概率的电子数据取证有效性模型 [J]. 计算机学报, 2011, 34(7): 1262-1274. SUN Guozi, GENG Weiming. One validity model of digital data forensics based on trusted probability[J]. Chinese Journal of Computers, 2011, 34(7): 1262-1274. (in Chinese)
[2]	Steve B. EnCase Forensic [Z/OL]. (2013-11-20), http://www.encase.com/products/Pages/encase-forensic/overview.aspx.
[3]	Farmer D, Venema W. The coroner's toolkit (TCT) [Z/OL]. (2002-03-12), http://www.fish2.com.
[4]	New Technologies Inc. NTI [Z/OL]. (2007-11-01), http://www.forensics-intl.com/.
[5]	Schneier B. Forensic Toolkit [Z/OL]. (2011-03-21), http://www.accessdata.com/.
[6]	Dunlap G W, King S T, Cinar S, et al.ReVirt: Enabling intrusion analysis through virtual-machine logging and replay [C] // Proceedings of the 2002 Symposium on Operating Systems Design and Implementation. Piscataway, USA: IEEE Press, 2002: 98-103.
[7]	King S T, Chen P M. Backtracking intrusions[J]. ACM Transactions on Computer Systems, 2005, 23(1): 51-76.
[8]	Jerome F, Radu S. Digital forensics in VoIP networks [C] // Proceedings of the IEEE International Workshop on Information Forensics and Security. Seattle, USA: IEEE Press, 2010: 1-6.
[9]	Zhu Y W. Snare: A strong security scheme for network-attached storage [C] // Proceedings of the 22nd International Symposium on Reliable Distributed Systems. Tucson, USA, 2003: 74-79.
[10]	Goel A, Feng W, Maier D, et al.Forensix: A robust, high-performance reconstruction system [C] // Proceedings of the 25th International Conference on Distributed Computing Systems Workshops. Columbus, USA, 2005: 6-10.
[11]	Sander K. Linux intrusion detection system [Z/OL]. (2003-05-19), http://www.lids.org/.
[12]	Natarajan M, Sumanth R. Tools and techniques for network forensics[J]. International Journal of Network Security & Its Applications, 2009, 7(2): 274-318.
[13]	丁丽萍, 周博文, 王永吉. 基于安全操作系统的电子证据获取与存储[J]. 软件学报, 2007, 18(7): 1715-1729. DING Liping, ZHOU Bowen, WANG Yongji. Capture and storage of digital evidence based on security operating system[J]. Journal of Software, 2007, 18(7): 1715-1729. (in Chinese)
[14]	孙波, 孙玉芳. 电子数据证据收集系统的研究与保护[J]. 计算机研究与发展, 2005, 42(8): 1422-1426. SUN Bo, SUN Yufang. Research and protection of the digital evidence collecting system[J]. Journal of Computer Research and Development, 2005, 42(8): 1422-1426. (in Chinese)
[15]	伏晓, 石进, 谢立. 用于自动证据分析的层次化入侵场景重构方法[J]. 软件学报, 2011, 22(5): 996-1008. FU Xiao, SHI Jin, XIE Li. Layered intrusion scenario reconstruction method for automated evidence analysis[J]. Journal of Software, 2011, 22(5): 996-1008. (in Chinese)

[1]	王振波, 张君, 罗孙一鸣. 喷水法成型纤维网增强水泥基板材抗弯性能[J]. 清华大学学报（自然科学版）, 2014, 54(5): 551-555.
[2]	梁洪亮, 阳晓宇, 董钰, 张普含, 刘书昌. 并行化智能模糊测试[J]. 清华大学学报（自然科学版）, 2014, 54(1): 14-19.
[3]	李京哲, 梁彬, 游伟, 王鹏, 石文昌. 基于控制依赖分析的Android远程控制类恶意软件检测[J]. 清华大学学报（自然科学版）, 2014, 54(1): 8-13.
[4]	韩心慧, 肖祥全, 张建宇, 刘丙双, 张缘. 基于社交关系的DHT网络Sybil攻击防御[J]. 清华大学学报（自然科学版）, 2014, 54(1): 1-7.