
Research on Forensics-Oriented Live Migration Technology in Cloud Computing Environments

Published: 2018-10-20 14:13
[Abstract]: Cloud computing consolidates computing resources to deliver good quality of service at low cost, and both enterprises and individual users can share information freely through its massive information stores. Although cloud platforms provide efficient services to a broad user base, criminals can also use them to carry out illegal activities, and forensic techniques are a necessary means of effectively discovering and proving such conduct. Traditional file-based forensic methods, however, no longer fit the cloud service model: a cloud environment consists mainly of large numbers of distributed, heterogeneous virtual computing resources, and this complex structure poses a major challenge to computer forensics. Adapting to these changes and making forensic work possible in cloud computing environments has therefore become an important research topic.

System virtualization and data migration technology make forensic work in cloud computing environments possible. Cloud computing environments still lack a usable forensics model. By modelling cloud forensics, the cloud platform is treated as a system composed of multiple virtual machines, and the virtual machine instances running on it can serve as the objects of forensic analysis. To acquire these objects, live migration is used to preserve the virtual machine instance's information at the virtualization software layer, ensuring the integrity and consistency of the content of the migrated image file. To load the virtual machine image file on a local system for forensic analysis, a separately allocated temporary image-file partition is used as the place where information is exchanged between the image file and the local system, so that the virtual machine image file loads correctly and live forensics in the cloud computing environment is achieved.

To this end, a new computer forensics model for cloud computing environments, the cloud computing forensics model, is first proposed. The model defines the working layers in a cloud computing environment and, through scenario descriptions and a division into process components, characterizes a complete forensic mechanism. By proving the integrity and strong isolation of the cloud computing forensics model, virtual machine image files can be analyzed as forensic objects, which in turn enables the computer forensics process in cloud computing environments.

Second, by controlling the virtualization software layer in the cloud platform and making use of its state transitions, a method for migrating virtual machine image files is proposed. Through a design that saves and reconstructs the process identifiers, memory mappings, network connection information and file system information of the guest virtual machine while the virtualization software layer is in its migration state, the entire system state of the virtual machine can be preserved completely. With local image loading, the whole virtual machine image is migrated from the cloud platform to the local forensic environment for analysis, achieving the acquisition of electronic evidence on cloud platforms.

Third, because the migrated virtual machine image file must be loaded locally before further forensic analysis can be carried out, a method for loading it through a temporary image disk is proposed. So that the image file can load normally in the local environment, a temporary disk partition that is not allocated by the file system is designed as the place for information exchange between the image's file system and the operating system of the local device, keeping the two systems consistent in hardware configuration and services so that the virtual machine image file loads correctly.

Finally, to make it easier to find, analyze and manage forensic object files, a database management structure for case-related forensic image files is proposed. Through the research on the above methods, forensic work in cloud computing environments is realized.
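[Degree-granting institution]: Huazhong University of Science and Technology
[Degree level]: Doctoral
[Year degree conferred]: 2011
[Classification number]: TP393.08; D918.2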



