Research on Computer Forensics Technology
With the rapid development of computer and network technology, problems such as computer crime and network security have become increasingly prominent and have gradually attracted attention. This paper introduces the characteristics, principles and steps of computer forensics. Finally, two categories of forensic technology, one based on a single machine or device and one based on the network, are studied in depth.
Keywords: computer forensics; data recovery; encryption and decryption; honeypot network
With the rapid development of computer and network technology, computers and networks are playing an increasingly important role in political, economic, cultural and national defense affairs, and problems such as computer crime and network security are becoming more and more prominent. Although a series of protective devices and measures, such as hardware firewalls, intrusion detection systems and network isolation, as well as security precautions such as authorization mechanisms, access control mechanisms, logging mechanisms and data backup, have been adopted, the absolute security of a system cannot be guaranteed.
Computer forensics technology refers to the use of advanced technical means, in accordance with pre-set procedures and in line with legal norms, to conduct a comprehensive inspection of computer software and hardware systems, and to discover, store, protect and analyze evidence related to computer crimes, that is, electronic evidence with sufficient credibility to be accepted by a court. The purpose of computer forensics is to identify the intruder and to explain or reproduce the whole intrusion process.
First, the characteristics of computer forensics
Electronic evidence, like traditional evidence, must be credible, accurate, complete, convincing and in line with legal norms. In addition, electronic evidence has the following characteristics:
1. Digital nature. Electronic evidence differs from traditional physical evidence in that it cannot be seen directly by the naked eye and must be read with the help of certain tools. Fundamentally, the carriers of electronic evidence are all electronic components, and the evidence itself is just a string of binary information arranged in a particular order.
2. Vulnerability. Computer data may change at any time. During the operation of the system, data is constantly refreshed and rewritten; in particular, if the suspect has a certain level of computer skill and performs irreversible destructive operations on the traces of computer use, it is difficult to reproduce the scene. In addition, while collecting electronic evidence, forensic personnel inevitably open files and programs, which is likely to cause a certain degree of damage to the scene.
3. Polymorphism. The polymorphism of electronic evidence means that it can take many forms, such as data in a printer buffer, sounds, videos, images and text on various computer storage media, historical records in network exchange and transmission equipment, etc. Any of these forms may become the type of evidence submitted. When accepting evidence, the court should not only consider whether the generation and collection processes of the electronic evidence are reliable, but also ensure that the electronic evidence has not been forged, tampered with or replaced.
4. Human-computer interaction. Computers are operated by people. Electronic evidence alone may not restore the whole criminal process, but it must be combined with human operation to form a complete record. In the process of collecting evidence and restoring the scene, it is possible to get twice the result with half the effort by considering people's thinking mode and behavior habits.
Second, the principles and steps of computer forensics
(A) the main principles of computer forensics
1. Principle of timeliness. Electronic evidence must be collected as soon as possible to ensure that it is not destroyed, and the evidence must be obtained in time.
2. Principle of ensuring the integrity of the "chain of evidence". Also known as evidence preservation: when the evidence is formally submitted to the court, it must be possible to account for every change between its state when first acquired and its state as presented in court, including each handover, storage, unsealing, loading and unloading of the evidence.
3. Safety principle. Where possible and feasible, it is best to make more than two copies of the computer evidence, and the original evidence must be kept by a designated custodian. The storage place must be kept away from harsh environments such as strong magnetic fields, strong corrosion, high temperature, high pressure, dust and humidity to prevent the evidence from being destroyed.
4. Principle of whole-process controllability. The whole process of inspection and evidence collection should be supervised. Evidence transfer, storage, unsealing, loading and unloading must be carried out by two or more people, and every link must be genuine and uninterrupted, so that evidence cannot be deliberately destroyed.
(B) the main steps of computer forensics
1. Site survey
Site survey is mainly to obtain physical evidence. First of all, the computer system should be protected. If the target computer is still connected to the network, the network should be disconnected immediately to avoid data being destroyed remotely. If the target computer is still on, it must not be shut down immediately: keeping it in working condition is conducive to obtaining evidence. For example, some data may remain in memory buffers, which is often the last important piece of evidence that criminals overlook. If the equipment needs to be dismantled or moved, it must be photographed and archived to facilitate restoration of the crime scene later.
2. Access to electronic evidence
This includes static data acquisition and dynamic data acquisition. Static data includes existing normal files, deleted files, hidden files and encrypted files, as well as the temporary or hidden files created by the system or applications, which should be exploited to the fullest extent. Dynamic data includes computer registers, caches, routing tables, task processes, and network connections and their ports. Dynamic data must be collected quickly and carefully; if one is not careful, it may be replaced by new operations and overwritten files.
3. Protect the integrity and originality of evidence
In the process of obtaining evidence, attention should be paid to taking measures to protect it, and all kinds of extracted data should be copied and backed up. Extracted physical equipment, such as storage devices (CD-ROMs and hard disks), network devices (routers and switches) and peripheral devices (printers), must be photographed and video-recorded by designated personnel during moving and dismantling, and then sealed. For the extracted electronic information, MD5, SHA and other hash algorithms should be used to protect and verify its integrity. Any of the above operations must be signed off by two or more people at the same time.
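The integrity step above, as an added example that is not part of the original paper: a small Python manifest that records MD5 and SHA-256 digests of extracted items at acquisition time and re-checks them later, so any alteration between acquisition and presentation is detectable. The examiner name and the sample file are constructed placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# MD5 is kept only so the manifest can be matched against older reports; SHA-256 is the check that matters.
ALGORITHMS = ("md5", "sha256")


def hash_file(path, algorithms=ALGORITHMS, chunk=1 << 20):
    """Hash a file in chunks so multi-gigabyte disk images never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(paths, examiner):
    """Record the digest of every extracted item, who computed it and when (UTC)."""
    return {
        "examiner": examiner,
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "items": [{"path": os.path.abspath(p), "size": os.path.getsize(p), **hash_file(p)} for p in paths],
    }


def verify_manifest(manifest):
    """Re-hash every item and return the paths whose current digest no longer matches the manifest."""
    mismatched = []
    for item in manifest["items"]:
        current = hash_file(item["path"])
        if any(current[name] != item[name] for name in ALGORITHMS):
            mismatched.append(item["path"])
    return mismatched


def demo():
    """Constructed walk-through: hash one extracted file, verify it, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "extracted_document.txt")
        with open(evidence, "wb") as fh:
            fh.write(b"constructed sample evidence content\n")
        manifest = build_manifest([evidence], examiner="examiner-1 (placeholder)")
        clean = verify_manifest(manifest)       # nothing changed yet
        with open(evidence, "r+b") as fh:
            fh.write(b"C")                      # overwrite the first byte in place
        tampered = verify_manifest(manifest)    # the altered file is now reported
        return {"clean": clean, "tampered": tampered, "items": len(manifest["items"])}


if __name__ == "__main__":
    print(demo())
```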
4. Analyze and submit the results
This is the key and core of computer forensics. Print the comprehensive analysis results of the target computer system, including a list of all relevant files and the found file data, and then give the analysis conclusions, including the overall situation of the system, the found file structure, data, author information and other suspicious information found in the investigation. After making all kinds of marks and records, they will be formally submitted to the judicial organs in the form of evidence and in accordance with legal procedures.
Third, computer forensics related technologies
Computer forensics involves a wide range of technologies, covering almost all fields of information security. From the source of evidence, computer forensics technology can be roughly divided into two categories: computer forensics technology based on single machine and equipment and computer forensics technology based on network.
(1) Forensic Technology Based on Single Device
1. Data recovery technology
Data recovery technology is mainly used to recover electronic evidence from disks whose contents have been deleted or formatted by users. A deletion operation only marks the storage location corresponding to the file as free; the data in the disk space the file occupied still exists as long as it has not been rewritten by a new file. To an ordinary user the file appears to be gone, but in fact the data can be recovered by restoring the file mark. A formatting operation only initializes the various tables of the file system without touching the data itself, so by rebuilding the partition table and boot information the deleted data can be recovered. Experiments show that with the help of data recovery tools, technicians can recover data that has been overwritten 7 times.
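The point that deleted data survives until its blocks are reused, as an added example that is not part of the original paper: a signature-based carver in Python that ignores file-system metadata entirely and recovers files from a raw image by their header and trailer bytes. The "disk image", the two tiny files in it and the signature table are all constructed for the demonstration.

```python
# Header and trailer byte signatures the carver knows (constructed, minimal set).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, max_size=16 * 1024 * 1024):
    """Return (type, offset, data) for every complete file found by signature in a raw image.
    No directory entry or allocation table is consulted, which is why this still works after
    deletion or a quick format, as long as the blocks have not been reused."""
    found = []
    for kind, (header, trailer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(trailer, start + len(header), start + max_size)
            if end == -1:
                break
            end += len(trailer)
            found.append((kind, start, image[start:end]))
            start = image.find(header, end)
    return sorted(found, key=lambda item: item[1])


def filler(n):
    """Constructed unallocated space: alternating 0x00/0xff bytes that match no signature."""
    return bytes([0x00, 0xFF]) * (n // 2)


def build_sample_image():
    """Constructed image: two tiny files whose directory entries are gone, surrounded by filler."""
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-payload-constructed" + b"\xff\xd9"
    fake_png = b"\x89PNG\r\n\x1a\n" + b"IHDR-constructed-chunks" + b"IEND\xaeB`\x82"
    return filler(512) + fake_jpeg + filler(1024) + fake_png + filler(256), fake_jpeg, fake_png


def overwrite_region(image, offset, length):
    """Simulate a new file reusing the blocks: after this the carver cannot recover that file."""
    return image[:offset] + b"\x00" * length + image[offset + length:]


def demo():
    """Carve the sample image before and after the JPEG's blocks are overwritten."""
    image, fake_jpeg, fake_png = build_sample_image()
    before = carve(image)
    after = carve(overwrite_region(image, 512, len(fake_jpeg)))
    return {
        "kinds_before": [k for k, _, _ in before],
        "offsets_before": [o for _, o, _ in before],
        "intact": [d for _, _, d in before] == [fake_jpeg, fake_png],
        "kinds_after": [k for k, _, _ in after],
    }
```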
2. Encryption and decryption technology
Usually, criminals will encrypt relevant evidence. For forensic personnel, it is necessary to decrypt the encrypted data in order to make the original information become effective electronic evidence. Password cracking techniques and methods used in computer forensics mainly include password analysis, password cracking, password search, password extraction and password recovery.
3. Data filtering and data mining technology
The data obtained by computer forensics may be text, pictures, audio or video. These types of files may hide criminal information, and criminals can embed information into these types of files through steganography. If criminals combine encryption technology to process information and then embed it into files, it will be very difficult to recover the original information, which requires the development of better data mining tools to correctly screen out the required electronic evidence.
(2) Network-based forensics technology
Network-based forensics technology is a technology that uses the network to track and locate criminals or obtain evidence through network communication data, including the following technologies:
1. IP address and MAC address acquisition and identification technology
Use the ping command to send a request to the target host and listen to the ICMP reply, so that you can judge whether the target host is online, and then use other advanced commands to continue the in-depth inspection. You can also use the IP scanning tool to obtain IP, or use the reverse query method of DNS to obtain IP address, or you can obtain IP through the support of Internet service provider ISP.
The MAC address belongs to the hardware level, and the mapping between IP address and MAC address is obtained by looking up the ARP (Address Resolution Protocol) table. Of course, a MAC address, like an IP address, may be modified; the once-rampant "ARP spoofing" Trojans achieved their goal precisely by modifying IP addresses or MAC addresses.
2. Network IO system forensics technology
That is, the network input and output system. Using the netstat command to track the suspect, the domain name and MAC address of the suspect's computer can be obtained. The most representative intrusion detection technology is IDS, which is divided into detecting specific events and detecting pattern changes. Its greatest help in obtaining evidence is its logging or recording function, which can be used to monitor and record criminal acts.
3. E-mail forensics technology
E-mail uses simple application protocols with text-based store-and-forward delivery. The header information records the path between sender and receiver, and evidence can be obtained by analyzing this header path. The key is knowing where the mail protocol stores the mail information. For the POP3 protocol, the workstation must be accessed to obtain the header information. Mail sent over HTTP is generally stored on the mail server. The mail service of Microsoft operating systems usually adopts the SMTP protocol. Using SMTP, hackers can easily insert arbitrary information, including forged source and destination addresses, into the message headers. The main ways to trace e-mail are to ask the ISP for help or to use special tools such as NetScanTools.
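The header-path analysis described above, as an added example that is not part of the original paper: Python that reads the Received headers of a message, puts the hops back into the order the mail actually travelled (each server prepends its own header) and checks that each hop's "from" names the previous hop's "by", since a header below a broken link may have been forged by the sender. The message and its hosts and addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture): three hops, newest Received header first.
RAW_MESSAGE = """\
Received: from mx.example-receiver.test (mx.example-receiver.test [203.0.113.10])
    by mail.example-receiver.test with ESMTP id abc123;
    Mon, 01 Jan 2024 10:00:05 +0000
Received: from relay.example-isp.test (relay.example-isp.test [198.51.100.7])
    by mx.example-receiver.test with ESMTP;
    Mon, 01 Jan 2024 10:00:03 +0000
Received: from user-pc (unknown [192.0.2.55])
    by relay.example-isp.test with ESMTPA;
    Mon, 01 Jan 2024 09:59:58 +0000
From: "Alice" <alice@example-isp.test>
To: bob@example-receiver.test

body
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\([^)]*\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(header):
    """Pull the 'from' host, the 'by' host, the bracketed IP and the timestamp out of one Received header."""
    text = " ".join(header.split())                      # unfold the header onto one line
    hop = HOP_RE.search(text)
    ip = IP_RE.search(text)
    stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
    return {
        "from": hop.group("from") if hop else None,
        "by": hop.group("by") if hop else None,
        "ip": ip.group(1) if ip else None,
        "time": parsedate_to_datetime(stamp) if stamp else None,
    }


def reconstruct_path(raw):
    """Return the hops in delivery order (last Received header in the message is the first hop)."""
    msg = message_from_string(raw)
    hops = [parse_received(h) for h in reversed(msg.get_all("Received", []))]
    for earlier, later in zip(hops, hops[1:]):
        # A hop whose 'from' does not match the previous 'by' breaks the chain: headers below
        # that point may have been written by the sender rather than by a real relay.
        later["continuous"] = earlier["by"] == later["from"]
    return hops
```

Only headers added by servers the examiner trusts should be relied on; the earliest hop's IP is the best available origin, not proof of it.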
4. Honeypot network forensics technology
Honeypot refers to false sensitive data, which can be network, computer or background service, or false passwords and databases. Honeypot network is a network system composed of many honeypots that can collect and exchange information. Through data control, data capture and data collection, researchers control and analyze attacks in honeypot networks. The key technologies of honeypot network include network deception, attack capture, data control, attack analysis and feature extraction, early warning and defense technology. At present, the active honeypot system is widely used, which can provide corresponding deception service according to the attacker's attack purpose, delay the time of the intruder in the honeypot, so as to obtain more information and take targeted measures to ensure the security of the system.