基于Windows日志安全保护的计算机取证技术研究-计算机应用技术专业论文.docxVIP

中文摘要随着计算机技术的飞速发展，计算机犯罪率也以惊人的速度增长，逐渐成为 中文摘要 随着计算机技术的飞速发展，计算机犯罪率也以惊人的速度增长，逐渐成为 人们普遍关心的国际性问题。 从公安部获悉，目前我国计算机犯罪大多是罪犯对涉案计算机的现场直接操 作，而非远程操作。犯罪现场安装的闭路电视监控系统只能证明罪犯在某一时段 来过犯罪现场，并对计算机进行了某种操作，但无法证明罪犯对计算机具体进行 了何种操作。如果能取得罪犯在此时间段内对主机操作所产生的日志，并当作有 效证据提交给法庭，便能将犯罪者绳之以法。传统计算机取证技术所分析的信息 是案发后从涉案计算机中提取的，而这些信息，很有可能是已被作案者破坏过的。 本文提出了一种基于Windows日志安全保护的计算机取证模型，可以克服 传统计算机取证技术的滞后性。本模型采用分布式结构，驻留在被取证机上的进 程将事件日志在产生的同时提取出来，并使用MD5和RSA算法生成日志信息的 数字签名和能证明日志相互关联关系的消息摘要，通过SSL协议将日志信息安 全传输到另一台用于保存日志的取证机上，使用数据库实现日志的保存，并能够 通过验证算法证明日志证掘的原始性和真实性，从而保证了日志证据的安全性和 抗否认性。通过原型系统的试验，证明本模型能够及时地获取日志信息，并通过 多种安全加密技术保证了日志的准确性、可信性和有效性。 关键词：计算机取证，日志保护，加密，数字签名，消息摘要，身份认证 AB AB STRACT As the rapid development of computer technology,computer crimes are committed increasedly,which has been a widely concerned national problem． Learning from Tianjin Municipal Public Security Bureau，nowadays most of the domestic computer CI面IleS are committed by operating the related computer directly． Traditional detectivism can not record what the criminal has done to the computer． Only the event logs triggerted by these operations can testify the criminality．The existed computer forensics technique just analyses the information remained in the computers after the crimes．But most of the information has been destroyed by the criminals in advalice． In this paper,we presented a distributed computer forensics model based on protecting log evidences’secudty’which Call avoid the lag of computer forensics．The part of this model installed on the suspect computers can duplicate the event logs immediately when they are generated and create their digital signatures and message digests which can interlink logs with MD5 and RSA．Another part of the model installed Oil a safe computer saves the logs transmitted through SSL in database and uses validatation algorithms to verify the log evidences’authenticity and non-repudiation． Experiment studies showed that this model could collect logs timely and also ensure the evidences’veracity,creditability and