Windows下计算机取证工具的研究与实现-电子与通信工程专业论文.docxVIP

万方数据 万方数据 摘要 计算机取证是电子取证研究中的一项非常重要的内容，也是当前国内电子取 证研究中的核心内容。本文针对 Windows 操作系统下的计算机取证问题，从取证 途径、取证分析和抗反取证三个方面进行了深入研究，并在此基础上开发了一套 专门的计算机取证工具。本文的研究工作如下： 针对 Windows 系统下的取证途径问题，本文首先分析了 Windows 操作系统的 若干特性，并在此基础上给出了 Windows 系统中获取取证点的三个途径。然后解 决在此基础上衍生出的权限限制问题和高权限限制下的秘密信息访问问题。 对于取证分析问题，本文着重分析了 Webkit 内核的代表 Chrome 浏览器，指 出可以将反映待取证者的网络活动的信息加以搜集，并从文件系统上指出这些信 息的组织方式，最终解决这些以 SQLIte 数据文件形式储存信息的解析问题。 在与反取证手段对抗方面，本文从文件系统的角度，提出了从文件系统的操 作上解决反取证者的文件处理手段，进而分析 Windows 下常用的 NTFS 文件系统， 解析各种处理手段对于文件系统的影响和应对方式。 最后，基于前述的研究工作，开发了一套取证软件，具有 Windows 下的完整 取证功能，能够在一定程度上抗反取证手段，并生成可读性较高的检查报告，测 试分析结果表明：该软件能够正常完成对于计算机的预期取证检查目标。 关键词：计算机取证，取证途径，取证分析，抗反取证 ABSTRACT Computer forensics is one of the most important element of the electronic evidence research,and the core content of electronic evidence both here and abroad.Considering the computer forensic issue in Windows operating system,this paper have a deep research on the means of forensis、forensic analysis and anti-anti-forensic,and then develops a specialized computer forensic tool.Contents of the paper are as follows: In view of the problem of forensic means in Windows operating system,first of all,this paper analyzes some features of the Windows and proposes three ways of forensic point in Windowson the basis of it.Then it solves the derivative right limit issue and the problem of access to confidential information from high-privilege restrictions. In the forensic analysis process,it analyzes Chrome browser in Webkit core,and points out the information,which reflect user activity in the network,should be collected.Then it reveals the organization format of the data and solves the analysis problems of the data in SQLite database file format. In the confrontation of the anti-forensics,from the angle of file system,this paper propose the way to deal with the file disposal in anti-forensicas and analyze the popular NTFS file system in Windows,then resolves the effect on file system by those file disposal. In the end,on the basis of the above resear