
Research on the Security of Computer Forensics and on Forensic Reasoning

Published: 2018-05-14 01:04

  Topic: computer forensics + data integrity; Source: 西南交通大学 (Southwest Jiaotong University), doctoral dissertation, 2009


[Abstract]: Computer forensics is an important means of resolving disputes and fighting computer crime, an important aspect of information security assurance, and plays an important role in maintaining social stability and legal order. The security and reliability of computer forensics face particular challenges. First, the fragility of electronic evidence means that it is easily modified and that modifications are hard to detect; both during collection and after acquisition, electronic evidence is exposed to threats such as destruction of evidence, media errors and forgery of specific data. Second, the huge volumes of data involved in many cases create a conflict, when fixing (preserving) electronic evidence, between the need for fine-grained integrity checking and the large volume of hash data that such checking produces. At the same time, anti-forensic threats make the security of evidence acquisition tools a new problem, and the reliability of the conclusions drawn from forensic analysis is increasingly questioned.
On the basis of an analysis of the state of research and the open problems in computer forensics in China and abroad, and with the aim of strengthening the security and reliability of computer forensics, this dissertation studies a theory of fine-grained data integrity checking to support fine-grained fixing of electronic evidence, and thereby its authenticity and integrity; it also studies the security of electronic evidence acquisition methods and reliable formal methods of forensic reasoning. The main work and contributions are as follows:
First, addressing the need for fine-grained integrity checking in computer forensics and the large volume of hash data produced by massive data sets, a fine-grained data integrity checking method based on the principle of combinatorial coding is proposed, called integrity indicator coding. An integrity indicator code uses a check (supervision) matrix to express the checking relationship between hashes and data objects; through suitable cross-checking it achieves fine-grained integrity checking with less hash data while leaving the security of the hash check unchanged. The method is suited to fine-grained fixing of electronic evidence. Several traditional integrity checking schemes are special cases of integrity indicator coding without cross-checking. A coding-gain metric is designed as the basis for choosing between codes and setting their parameters. A fine-grained integrity checking scheme can isolate a small number of errors accurately and efficiently, mitigating the catastrophic effect by which an accidental error or a small amount of tampering invalidates the whole data set.
Second, on the basis of this method, three codes are constructed: a combinatorial single-error integrity indicator code, a hypercube single-error integrity indicator code and a finite-field multiple-error integrity indicator code; hash generation is accelerated by concurrent computation and by re-hashing, which improves the efficiency of fine-grained integrity checking.
The combinatorial single-error code achieves a large compression of the hash data under the single-error assumption. The hypercube single-error code has a high compression ratio and a low error amplification ratio under the single-error assumption and, by taking any natural number as the order of the hypercube, handles data objects of widely different sizes in an efficient combinatorial way. The finite-field multiple-error code indicates several errors exactly, has a high compression ratio and a low error amplification ratio at low error rates, and its code parameters can be set flexibly to meet different practical needs. It has a modular hash structure: for a d-dimensional vector space over the finite field GF(q), each additional (d-1) groups of hashes, (d-1)q hashes in total, allow one more error to be indicated. The hashes of the hypercube code and of the finite-field code are organized in parallel groups, any one of which independently indicates the integrity of all the data; this allows the hash data to be stored separately by several parties and makes the fine-grained integrity checking method more practical for applications such as the fixing of electronic evidence.
Third, against anti-forensic threats, the weakness of a typical evidence identification method based on low-level data features, context-triggered piecewise hashing (CTPH), is analysed, and a fast keyed context-triggered piecewise hashing algorithm is proposed. By introducing variable parameters into the CTPH algorithm and into the conventional hash it is built on, different keys produce different file fingerprints, which makes it harder for an attacker to recover the key or the parameter combination by guessing keys or comparing fingerprints, and thus to attack the fingerprint. Although it produces one additional hash fingerprint, the improved algorithm is as fast as or faster than the original, and it finds similar files to a greater extent. Performance analysis and experimental results show that the parameter sets generated from different keys are largely independent of one another and that the parameter space is large, so the algorithm resists targeted attacks such as forgery, file splitting and merging, and modification at specific positions, with a clear improvement in security.
Finally, addressing the shortcomings of existing finite state automaton models, a general Mealy-type timed finite state automaton model is proposed together with forward, bidirectional and other reasoning strategies. The model can simultaneously express evidence about system inputs, outputs and internal running states together with their time attributes, which aids the formal representation of electronic evidence and the modeling of cases. Case analysis and experimental results show the effectiveness of the general model and of its reasoning strategies.
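The hypercube single-error indicator code described in the abstract can be illustrated with a small worked example. The code below is an added illustration, not the dissertation's own construction or code: it arranges n = q**d data blocks in a q-ary d-dimensional hypercube and stores one SHA-256 per axis-aligned hyperplane, so d*q hashes guard the whole set instead of n (12 instead of 64 for q = 4, d = 3). A single corrupted block is pinpointed by intersecting the failing hyperplanes; with two corrupted blocks the intersection over-indicates, which is the error amplification the abstract refers to. The block size, the choice of SHA-256 and the sample data are assumptions made for the example.

```python
"""Added illustration (not the dissertation's code): a hypercube-style
single-error integrity indicator code over q**d data blocks.

hashes[axis][v] covers every block whose coordinate on `axis` equals v, so
d*q hashes are stored instead of one per block. Recomputing the hashes and
intersecting the failing hyperplanes locates one bad block exactly; k bad
blocks that differ on every axis yield up to k**d suspects (error
amplification), which is still far better than discarding all n blocks.
"""
import hashlib
import itertools


def coords(index, q, d):
    """Coordinates of block `index` in the hypercube, least significant axis first."""
    out = []
    for _ in range(d):
        out.append(index % q)
        index //= q
    return tuple(out)


def index_of(c, q):
    """Inverse of coords()."""
    idx = 0
    for axis in reversed(range(len(c))):
        idx = idx * q + c[axis]
    return idx


def group_hashes(blocks, q, d):
    """Compute the d*q group hashes. Each block is length-prefixed so the
    concatenation inside a group is unambiguous for variable-length blocks."""
    assert len(blocks) == q ** d, "hypercube code needs exactly q**d blocks"
    groups = [[hashlib.sha256() for _ in range(q)] for _ in range(d)]
    for i, blk in enumerate(blocks):
        record = len(blk).to_bytes(4, "big") + blk
        for axis, v in enumerate(coords(i, q, d)):
            groups[axis][v].update(record)
    return [[h.digest() for h in row] for row in groups]


def locate(blocks, q, d, stored):
    """Recompute the group hashes against `stored` (taken when the evidence was
    fixed) and return the suspect block indices: the Cartesian product of the
    failing coordinate values on every axis. Empty set means intact."""
    fresh = group_hashes(blocks, q, d)
    failing = [[v for v in range(q) if fresh[a][v] != stored[a][v]] for a in range(d)]
    if not any(failing):
        return set()
    return {index_of(c, q) for c in itertools.product(*failing)}


def demo():
    q, d = 4, 3                                          # 64 blocks, 12 hashes
    blocks = [bytes([i]) * 512 for i in range(q ** d)]   # constructed sample data
    stored = group_hashes(blocks, q, d)                  # recorded at fixing time
    tampered = list(blocks)
    tampered[37] = b"\xff" * 512                         # one modified block
    single = locate(tampered, q, d, stored)              # -> {37}
    tampered[0] = b"\xee" * 512                          # second block, differs on all axes
    double = locate(tampered, q, d, stored)              # -> 8 suspects including 0 and 37
    return single, double


if __name__ == "__main__":
    print(demo())
```

Blocks 0 and 37 have coordinates (0,0,0) and (1,1,2), so every axis reports two failing groups and the intersection contains 2**3 = 8 blocks; two corrupted blocks that share a coordinate on some axis would be isolated more tightly. The example uses one flat group of hashes per axis; the abstract's point that a single group can independently indicate the integrity of all data holds here too, since each axis's q hashes already cover every block.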
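The keyed context-triggered piecewise hashing idea in the abstract can be shown in code. The following is an added example written for this page, not the dissertation's algorithm or an implementation of ssdeep: a plain CTPH scheme uses fixed, public parameters (rolling-hash window, block size, trigger value), so an adversary can compute the fingerprint of any candidate edit offline and choose modifications that move chunk boundaries or preserve the fingerprint. Here the rolling-hash base, window length and trigger value are derived from a secret key, and each chunk digest is a keyed BLAKE2b, so neither the chunking nor the digests can be reproduced without the key. The fixed block size of 64, the minimum chunk length, the similarity measure (Jaccard over chunk digests) and the sample data are all assumptions of the example.

```python
"""Added illustration, not the dissertation's algorithm: a keyed
context-triggered piecewise hash (CTPH).

A polynomial rolling hash over a `window`-byte context decides chunk
boundaries; the base, window and trigger value come from the key, and every
chunk is digested with keyed BLAKE2b, so an attacker without the key cannot
predict where chunks start or what their digests are.
"""
import hashlib
import random

BLOCK = 64          # trigger fires on average once per BLOCK bytes
MIN_CHUNK = 16      # suppress degenerate tiny chunks
MASK32 = 0xFFFFFFFF


def derive_params(key: bytes):
    """Key -> (odd rolling-hash base, window length 4..11, trigger residue)."""
    d = hashlib.blake2b(key, digest_size=16, person=b"ctph-params").digest()
    base = (int.from_bytes(d[0:4], "big") | 1) & MASK32
    window = 4 + d[4] % 8
    trigger = d[5] % BLOCK
    return base, window, trigger


def chunk_boundaries(data: bytes, key: bytes):
    """Content-defined chunk boundaries as (start, end) pairs. A boundary is
    placed after byte i when the rolling hash of the last `window` bytes is
    congruent to `trigger` mod BLOCK and the chunk is at least MIN_CHUNK long."""
    base, window, trigger = derive_params(key)
    base_pow = pow(base, window, 1 << 32)        # base**window mod 2**32
    h, start, bounds = 0, 0, []
    for i, byte in enumerate(data):
        h = (h * base + byte) & MASK32
        if i >= window:                          # drop the byte leaving the window
            h = (h - data[i - window] * base_pow) & MASK32
        if i + 1 - start >= MIN_CHUNK and h % BLOCK == trigger:
            bounds.append((start, i + 1))
            start = i + 1
    if start < len(data):
        bounds.append((start, len(data)))
    return bounds


def fingerprint(data: bytes, key: bytes):
    """Keyed CTPH fingerprint: one keyed 64-bit digest per chunk."""
    return [hashlib.blake2b(data[a:b], key=key, digest_size=8).hexdigest()
            for a, b in chunk_boundaries(data, key)]


def similarity(fp_a, fp_b):
    """Jaccard similarity of two fingerprints made with the same key."""
    a, b = set(fp_a), set(fp_b)
    return len(a & b) / len(a | b) if a | b else 1.0


def demo():
    rng = random.Random(7)                                   # constructed sample data
    original = bytes(rng.getrandbits(8) for _ in range(4096))
    edited = original[:2000] + b"INSERTED" + original[2000:]  # small insertion
    unrelated = bytes(rng.getrandbits(8) for _ in range(4096))
    k1, k2 = b"investigator-key-1", b"investigator-key-2"    # assumed keys
    return {
        "same_key_edit": similarity(fingerprint(original, k1), fingerprint(edited, k1)),
        "same_key_unrelated": similarity(fingerprint(original, k1), fingerprint(unrelated, k1)),
        "different_keys": similarity(fingerprint(original, k1), fingerprint(original, k2)),
    }


if __name__ == "__main__":
    print(demo())
```

With the same key, an 8-byte insertion disturbs only the chunk containing it and at most a few neighbours, so the two fingerprints remain highly similar, while unrelated data shares no chunks. Fingerprints made under different keys are incomparable by design: comparison is only meaningful between parties holding the same key, which is the property that prevents an attacker from tuning an edit against a known fingerprint.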
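The Mealy-type timed automaton used for forensic reasoning can be illustrated with a toy case model. The code below is an added example and not the dissertation's model: it models an authentication service whose transitions are (state, input, time) -> (next state, output), with a time attribute on the state (the time of the last failed login) that decides whether failures accumulate towards a lockout. Forward reasoning replays hypothesised inputs to predict the output trace; backward reasoning enumerates input sequences that reproduce a timestamped output trace, such as a log that was recovered as evidence. The lockout policy (3 failures within 300 s), the state and input names and the sample evidence are all assumptions of the example.

```python
"""Added illustration, not the dissertation's model: a Mealy-type timed finite
state automaton for forensic case modeling and reasoning.

States carry a time attribute (time of the last failed login); the transition
function uses it, so the same output trace can be explainable at one set of
timestamps and impossible at another.
"""
from dataclasses import dataclass

LOCK_WINDOW = 300      # seconds within which failures accumulate (assumed policy)
MAX_FAILS = 3          # failures inside the window that trigger a lockout (assumed)
INPUTS = ("good_pw", "bad_pw", "logout")


@dataclass(frozen=True)
class State:
    mode: str                        # "out", "in" or "locked"
    fails: int = 0                   # consecutive failures inside the window
    last_fail: float = float("-inf")  # timestamp of the most recent failure


def step(state, inp, t):
    """One Mealy transition: (state, input, time) -> (next_state, output)."""
    if state.mode == "locked":
        return state, "denied"
    if state.mode == "in":
        if inp == "logout":
            return State("out"), "bye"
        return state, "ignored"
    # mode == "out"
    if inp == "good_pw":
        return State("in"), "ok"
    if inp == "bad_pw":
        fails = state.fails + 1 if t - state.last_fail <= LOCK_WINDOW else 1
        if fails >= MAX_FAILS:
            return State("locked"), "lock"
        return State("out", fails, t), "fail"
    return state, "ignored"


def run(inputs, start=State("out")):
    """Forward reasoning: replay timestamped inputs, predict the output trace."""
    state, trace = start, []
    for t, inp in inputs:
        state, out = step(state, inp, t)
        trace.append((t, out))
    return trace, state


def explain(observed, start=State("out")):
    """Backward reasoning over the evidence: enumerate every input sequence that
    reproduces the observed (timestamp, output) trace from the start state.
    The search runs forward from the known start state but is pruned at each
    step by the observed output, so it combines both directions."""
    results = []

    def dfs(state, i, chosen):
        if i == len(observed):
            results.append(tuple(chosen))
            return
        t, out = observed[i]
        for inp in INPUTS:
            nxt, produced = step(state, inp, t)
            if produced == out:
                dfs(nxt, i + 1, chosen + [inp])

    dfs(start, 0, [])
    return results


if __name__ == "__main__":
    # Constructed evidence: three failures in 20 s ending in a lockout
    print(explain([(0, "fail"), (10, "fail"), (20, "lock")]))
    # Same outputs 400 s apart: the lockout is impossible under this policy
    print(explain([(0, "fail"), (400, "fail"), (800, "lock")]))
```

The second query returning no explanation is the useful forensic result: under the modeled policy, a "lock" record 400 s after the previous failure cannot have been produced by the system as modeled, so either the log, the timestamps or the model is wrong, and the investigator knows which hypothesis to examine next.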

【Degree-granting institution】: 西南交通大学 (Southwest Jiaotong University)
【Degree level】: Doctorate
【Year granted】: 2009
【Classification number】: D918.91

【Citing literature】

Related journal articles (top 1)

1 谭旭; 王斌君. Improvements to the incremental ihash algorithm [J]. 中国人民公安大学学报(自然科学版), 2012(01).

Related master's theses (top 3)

1 娄晓会. Research on fine-grained data integrity checking methods [D]. 重庆邮电大学, 2011.

2 樊庆君. Research and implementation of Windows memory forensics [D]. 华北电力大学, 2012.

3 苏贞. Trustworthiness analysis of live forensics based on physical memory acquisition [D]. 山东轻工业学院, 2012.



Record number: 1885619


Page link: https://www.wllwen.com/falvlunwen/fanzuizhian/1885619.html



Copyright notice: this material was provided by user bd548***; the site indexes only the abstract or table of contents. Authors who want it removed may e-mail bigeng88@qq.com.