Research on Computer Forensics Based on Windows Logs
Abstract
In recent years the means of computer crime have kept escalating, and fighting computer crime with network security defence technology alone cannot be very effective: the protected target system may still be intruded, and the resulting loss cannot be remedied through legal channels. The strong force of the law therefore has to be brought to bear on computer crime, and computer forensics arose and developed under these circumstances.
     The key to fighting computer crime is electronic evidence that has legal force. Logs are currently an important source of electronic evidence in computer forensics. The information analysed by traditional computer forensics techniques is extracted after the incident and may well have already been destroyed by the perpetrator.
     To address these problems, this thesis proposes a computer forensics model based on Windows logs. Log information is extracted from the monitored host in real time, which solves the problem of forensic latency. A method for protecting the integrity of forensic information is proposed; it strictly protects the integrity of the forensic information through digital signature technology and a secure hash algorithm, so that the log information qualifies as electronic evidence. The feasibility of using the SSL protocol to transmit the log information securely to the monitoring host is discussed. For storage, an information dispersal algorithm (IDA) is used to disperse the log information across n log servers. During forensic analysis, any m(m
     Nowadays the computer is revolutionizing our lives, making faster advancement and greater convenience possible. However, it also brings unexpected negative impacts. As the artifices of computer crime continuously upgrade, network security defence technologies such as antivirus software, firewalls and intrusion detection systems cannot be very effective, because they are unable to overcome the same defect: the protected system may still be infected by viruses, hackers and trojans. Moreover, the loss brought by an intrusion cannot be made up through the law. Against this application background, computer forensics, which analyzes and obtains evidence about crimes committed in computer systems and computer networks, began to develop rapidly. Thus the loss caused by intrusion can be avoided, and criminals can also be cautioned and deterred.
     Evidence is the key and soul of a case; it decides the fate of the case, and so of the computer criminal. New electronic evidence emerged with the development of computer forensics theory. It is distinguished from all other types of traditional evidence by its high accuracy, fragility and multiformity.
     Each device produces logs to record its behaviour or events, so that the administrator can check the reasons for errors or the traces left by an attacker. Therefore, logs have become an important source of electronic evidence in computer forensics. However, the characteristics of logs make them extremely inconvenient as electronic evidence. There are five aspects: diversity and relevance, weak readability, poor reliability, large volume of data and difficulty of obtaining.
     In this thesis, the basic theories and techniques of computer forensics are discussed, and their principles and current problems are mentioned. Meanwhile, the characteristics of logs are studied further. Five essential aspects that must be solved to make logs into electronic evidence are emphasized: diversity and relevance, weak readability, poor reliability, large volume of data and difficulty of obtaining.
     The existing log system can record log information comprehensively; however, its objective is not computer forensics and it possesses no authentication mechanism. Therefore, the recorded logs have no legal effect and cannot become legal evidence either. Existing computer forensics software may also obtain logs, but it mainly copies disks and analyzes the information left after the crime. That information may have been destroyed by intruders who possess anti-forensics technology.
     Considering the questions mentioned above, a computer forensics model based on Windows logs is proposed in this thesis through further research on computer forensics, electronic evidence, logs, etc. It is a kind of dynamic forensics model which focuses on the protection of logs. The system is divided into three modules: the log access module, the log integrity protection module, and the log storage and reconstruction module. The log access module extracts log information from the monitored host at runtime, so the problem of forensic posteriority can be well solved. The log integrity protection module presents a method to protect the integrity of forensic information strictly via digital signatures and a secure hash algorithm, so as to ensure that the log information qualifies as electronic evidence. The log storage and reconstruction module uses the Information Dispersal Algorithm (IDA), which can tolerate destructive activities by attackers: in other words, if the destructive activities are within the tolerance scope of the algorithm, the initial log information can be recovered by the algorithm.
     In the log access module, the application, system and security log files are monitored cyclically, so that a new log entry is accessed as soon as it is generated. Intruders cannot destroy the evidence even if they modify or delete the logs after the intrusion. This makes up for the deficiency of post-event investigation.
     In the log integrity protection module, a digital signature is created for each log entry to prove that the logs were indeed accessed from the monitored host. Meanwhile, an association relation is created among the log entries so that deleted or lost entries can be found during verification. Notably, the feasibility of transmitting the logs securely to the monitoring host over SSL is discussed. Throughout the whole process, the consistency of the logs is protected and their qualification as evidence is ensured.
     In the log storage and reconstruction module, the slicing process when log records are stored is as follows: on the monitoring host, each log record is dispersed into n shares by the information dispersal algorithm; to allow integrity verification when the shares are reconstructed, each share together with the hash values of all shares is sent to a secure log server. The reconstruction process when log records are analyzed is as follows: the monitoring host requests shares from m log servers, then reconstructs the log records from the corresponding information in m(m
     In conclusion, a computer forensics model based on Windows logs is proposed in this thesis. It solves the security and integrity problems that arise when logs are transferred and stored. The logs are protected by sending them to a remote host in real time. The method ensures the credibility, accuracy and integrity of the logs as electronic evidence. The work lays the foundation for obtaining electronic evidence and detecting computer crime cases.
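As an added example (not code from the thesis), the storage and reconstruction step described above: each log record is dispersed into n shares with Rabin's information dispersal algorithm so that any m of them rebuild it, and a SHA-256 fingerprint of every share is kept alongside the shares so that a share altered on a log server is rejected before reconstruction. The field GF(257), the share layout and the sample record are my assumptions, since the abstract does not fix them.

```python
import hashlib

P = 257  # prime field GF(257): each log byte is a field element; share symbols need 2 bytes
def _encode(x, vals):  # share layout (assumed): 1-byte evaluation point x, then 2-byte symbols
    return bytes([x]) + b"".join(v.to_bytes(2, "big") for v in vals)
def _decode(share):
    body = share[1:]
    return share[0], [int.from_bytes(body[i:i + 2], "big") for i in range(0, len(body), 2)]
def fingerprint(share: bytes) -> str:
    return hashlib.sha256(share).hexdigest()

def disperse(record: bytes, m: int, n: int):
    """Rabin IDA: n shares, any m rebuild the record. Each m-byte block is the
    coefficient vector of a degree m-1 polynomial evaluated at x = 1..n."""
    assert 1 <= m <= n < P
    padded = record + b"\x00" * (-len(record) % m)
    vals = {x: [] for x in range(1, n + 1)}
    for off in range(0, len(padded), m):
        block = padded[off:off + m]
        for x in vals:
            vals[x].append(sum(c * pow(x, i, P) for i, c in enumerate(block)) % P)
    shares = [_encode(x, v) for x, v in vals.items()]
    return shares, [fingerprint(s) for s in shares]  # hash list travels with every share

def _solve(xs, ys):
    """Gauss-Jordan over GF(P) on the Vandermonde system; returns the m coefficients."""
    m = len(xs)
    A = [[pow(x, i, P) for i in range(m)] + [y] for x, y in zip(xs, ys)]
    for col in range(m):
        piv = next(r for r in range(col, m) if A[r][col])
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], P - 2, P)
        A[col] = [a * inv % P for a in A[col]]
        for r in range(m):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(a - f * b) % P for a, b in zip(A[r], A[col])]
    return [row[m] for row in A]

def reconstruct(shares, fingerprints, m: int, length: int) -> bytes:
    """Rebuild from any m shares whose SHA-256 matches the fingerprint taken at dispersal."""
    good = [s for s in shares if [fingerprint(s)] == fingerprints[s[0] - 1:s[0]]]
    if len(good) < m:  # altered or forged shares were dropped above
        raise ValueError(f"only {len(good)} intact shares, need {m}")
    decoded = [_decode(s) for s in good[:m]]
    xs = [x for x, _ in decoded]  # one interpolation per m-byte block (column of symbols)
    out = bytearray(c for ys in zip(*[v for _, v in decoded]) for c in _solve(xs, list(ys)))
    return bytes(out[:length])
```

With m = 3 and n = 5, a constructed record such as b"4624 Logon user=alice src=10.0.0.5" survives two lost or tampered shares; a third bad share leaves fewer than m intact shares and reconstruction refuses rather than returning corrupted evidence.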