Research On Security Issues And Forensic Reasoning Of Computer Forensics

Posted on: 2010-09-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L Chen
Full Text: PDF
GTID: 1116360305457887
Subject: Computer application technology
Abstract/Summary:
Computer forensics is an important method for resolving civil disputes and fighting computer crime, and also a way to realize information assurance. It plays an increasingly important role in maintaining social stability and law and order.

The security and reliability of computer forensics face special challenges. First, digital evidence is inherently vulnerable: it is easy to modify, and the modifications are very difficult to discover. In the process of gathering and preserving digital evidence there are many kinds of threats, such as evidence destruction, medium errors and forging of specific data. Second, the mass data that occurs in many cases is a difficult challenge for computer forensics: there is a contradiction between the demand for fine-grained evidence preservation and the resulting mass of hash data. Furthermore, with the development of anti-forensics technologies, the security of digital evidence acquisition and identification methods and tools has become a new and difficult problem. At the same time, the reliability of the analysis conclusions of computer forensics is occasionally doubted.

In this dissertation, we first summarize the research results on theories and methods of computer forensics. Then, in order to improve the security and reliability of computer forensics, fine-grained data integrity theory is studied to support fine-grained digital evidence preservation. It helps to assure the fidelity, integrity and security of digital evidence. Secure methods of digital evidence acquisition and identification, and a formal forensic reasoning method, are also studied. The main contributions of this dissertation are recapitulated as follows.

First, to satisfy the demand for fine-grained data integrity checking in computer forensics and to solve the issue of mass hash data, a fine-grained data integrity check method based on combinatorial coding theory is proposed. It is named integrity indication coding (IIC). A check matrix is used to express the check relationship between hashes and data. IIC can accomplish fine-grained data integrity checking with less hash data via cross hash checking. It is suitable for fine-grained digital evidence preservation. Traditional integrity check schemes can be regarded as particular cases of IIC without cross hash checking. A measurement of code gain is also designed to guide the choice of the right code and parameters for a real application. The fine-grained data integrity check method can mitigate the disastrous effect of some random errors or intentional forging modifications. When a portion of the evidence data or of a file is corrupted, it can isolate the damage efficiently and accurately, so the intact remainder is still usable.

Thereafter, based on the fine-grained data integrity check method, the combinatorial one error integrity indication code (CleIIC), the hypercube one error integrity indication code (HleIIC) and the Galois field multi-error integrity indication code (GFIIC) are proposed. A concurrent computing model and a rehash computing model are used to accelerate the hash computation and improve the efficiency of fine-grained data integrity checking.

The combinatorial one error integrity indication code has a very high hash compression ratio. The hypercube one error integrity indication code has a high compression ratio and a low base error amplification ratio. By setting any positive integer as the hypercube's order, HleIIC is able to deal efficiently with data objects of different scales.

GFIIC can indicate multiple errors accurately with a high compression ratio and a low error amplification ratio, and it provides a scalable scheme, with several parameters, for different applications. GFIIC has a modular hash check structure. In a d-dimensional vector space over GF(q), one more error can be indicated by adding q rows, d-1 columns of hashes each time. At the same time, all hashes of GFIIC and HleIIC can be divided into several groups, and each group can indicate the integrity of all the data independently. This gives the capability of preserving hash data separately and makes the fine-grained data integrity check method useful in digital evidence preservation.

Next, an improved resilient and quick context triggered piecewise hash algorithm with a key is proposed. Context triggered piecewise hashing, which is based on the bit stream characteristics of data, is suitable for identifying or filtering evidence. In the face of the threat of anti-forensics technology, the vulnerability of context triggered piecewise hashing is analyzed, and then an improved resilient and quick algorithm with a key, named secure and quick hash checksum (Sksum), is proposed. By using variable parameters in the context triggered piecewise hashing, the algorithm produces a different file signature for a file with a different key. It is then more difficult for attackers to obtain the key or the parameter combination of a file signature and so to attack the file signature by guessing keys or comparing file signatures. Sksum can generate a file signature with one more hash signature at the same or a faster speed than the original algorithm. The performance analysis and experimental results show that the parameter combinations of different keys are independent, and that there is a huge number of choices for parameter combinations. The algorithm can deal with forging, file splitting and merging, and specific file position modification attacks, and its security performance is clearly improved.

Finally, a timed Mealy finite state machine model with multiple reasoning strategies is proposed to overcome the disadvantage of Gladyshev's finite state machine model. It can express evidence of system input, output and inner state together with a time attribute. It is suitable for digital evidence formalization and case modeling. A case study and experimental results show that the general model with reasoning strategies is feasible and adaptable.
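
The cross hash checking idea from the abstract, as an added example that is not taken from the dissertation: blocks are placed in a hypercube and one hash is kept per hyperplane, so a single modified block is located from far fewer hashes than one per block. The layout, the function names, the `side` and `dims` parameters and the choice of SHA-256 are assumptions made here; the abstract does not give the actual HleIIC construction.

```python
import hashlib

def coords(index, side, dims):
    """Map a block index to its coordinates in a side**dims hypercube."""
    out = []
    for _ in range(dims):
        index, r = divmod(index, side)
        out.append(r)
    return tuple(out)

def indication_hashes(blocks, side, dims):
    """Return {(dim, value): digest}, one hash per hyperplane of the cube."""
    if len(blocks) != side ** dims:
        raise ValueError("need exactly side**dims blocks (pad the tail)")
    hashers = {(d, v): hashlib.sha256()
               for d in range(dims) for v in range(side)}
    for i, block in enumerate(blocks):
        for d, v in enumerate(coords(i, side, dims)):
            h = hashers[(d, v)]
            # Length prefix keeps block boundaries unambiguous in the stream.
            h.update(len(block).to_bytes(8, "big"))
            h.update(block)
    return {k: h.hexdigest() for k, h in hashers.items()}

def locate(blocks, stored, side, dims):
    """None if intact, else the index of the single modified block.

    Raises ValueError when the mismatch pattern cannot come from one block,
    which is the limit of a one-error indication code.
    """
    current = indication_hashes(blocks, side, dims)
    bad = [[v for v in range(side) if current[(d, v)] != stored[(d, v)]]
           for d in range(dims)]
    if not any(bad):
        return None
    if any(len(b) != 1 for b in bad):
        raise ValueError("more than one block changed; cannot isolate")
    # Each dimension's group names one coordinate of the damaged block.
    return sum(b[0] * side ** d for d, b in enumerate(bad))

if __name__ == "__main__":
    # Constructed sample: 64 fake "sectors", 4 x 4 x 4 cube, 12 stored hashes.
    evidence = [b"sector-%d" % i for i in range(64)]
    stored = indication_hashes(evidence, side=4, dims=3)
    tampered = list(evidence)
    tampered[37] = b"forged"
    print(len(stored), "hashes; damaged block:", locate(tampered, stored, 4, 3))
```

Each dimension's group of hashes covers every block, so any one group alone still detects that the data changed; the groups are needed together only to pinpoint the block.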
Keywords/Search Tags: computer forensics, data integrity, electronic evidence, anti-forensics, digital evidence