基于CSP的进程行为取证方法研究.PDF

29 6 ( ) Vo.l 29 No. 6 2009 12 JournalofNanjingUniversity ofPosts andTeleco unications(NaturalScience) Dec. 2009 CSP 1, 2 1, 2 1, 2 孙国梓 ,俞 超 , 陈丹伟 1. , 210003 2. , 210046 :针对取证过程中所获取的进程异常行为, 提出进程行为事件重建犯罪过程的 法该 法使用 CSP(通信 顺序进程)理论来形式化描述具有威胁乃至破坏性的进程操作及进程间的通信,根据系统保存的进程行为记录建 立进程通信状态模型, 使用基于路径搜索的进程行为解释算法分析模型内所有可能的进程通信序列, 形成进程通 信行为规则, 在排除不符合规则的通信序列的基础上, 找到能够形成合理证据链的通信序列通过案例分析进行 了证据的形式化及 CSP建模,给出了进程行为的具体分析解释和原型系统,验证该 法的可行性和有效性 :计算机取证; CSP; 进程行为;通信序列 : TP309 :A : 167325439(2009)0620048206 Research on ForensicM ethodsof theProcessBehavior Based on CSP 1, 2 1, 2 1, 2 SUN Guo2zi , YU Chao , CHEN Dan2wei 1. Institute ofCo puterTechnology, NanjingUniversity ofPostsand Teleco unications, Nanjing 210003, China 2. College ofCo puter, NanjingUniversity ofPostsand Teleco unications, Nanjing 210046, China bstract: For the abnor alprocessbehaviors got in digital forensic process, the paper gives a ethod of reconstructing the cri e processwith the process events. In the ethod, it firstly for ally describes dan2 gerousprocess operations and process co unicationsby CSP theory, and builds a co unication state odel ofprocessusing the process records in syste to get the process co unication rules, then finds the co unication sequencewhich can for reasonable evidence link after analyzing allpossible co u2 nication sequences in the odelwith interpretation algorith based onpath search and excluding co u2 nication sequences out ofrules. In the last, the paper gives a specific analysis and explanation ofprocess behaviorsby for alizing evidences and constructing CS