
Research On Windows Registry Forensic Analysis Technology

Posted on: 2010-04-29
Degree: Master
Type: Thesis
Country: China
Candidate: Z H Tang
Full Text: PDF
GTID: 2178330338975893
Subject: Computer software and theory
Abstract/Summary:
With the development of computer technology and the spread of computer networks, computer crime has become more serious and does great damage to the national economy. Combating and preventing it has become a thorny problem, and computer forensics was created and has developed quickly in response. Computer forensics is a cross-disciplinary subject between computer science and law; it mainly studies how to obtain valid electronic evidence from computers and related equipment and present it to the court.

Windows is one of the most widely used operating systems in the world, and its security is tested from many directions. The Windows registry is a core database that stores configuration settings for the operating system, a variety of hardware devices, and applications. The registry also contains a great deal of evidence, so it is an important source of clues and evidence about computer crimes. Windows registry forensics faces two primary problems: how to recover registry hive files from a disk image, and how to store and analyse a mass of registry data effectively.

This dissertation presents a process model for Windows registry forensic analysis built on the general model of computer forensics; it divides the forensic procedure into three phases: evidence collection, evidence analysis and evidence presentation. The study also discusses the key technologies in each phase of the digital investigation. The highlights of this paper are as follows:

(1) A process model for registry forensics. The model helps the investigator obtain and analyse evidence systematically and greatly reduces the time spent on manual operations.

(2) Recovery of hive files. Hive files are usually fragmented, and common recovery software cannot carve such fragmented files efficiently. This paper first analyses the internal structure of the hive file and investigates how hives become fragmented, then presents a method that combines N-gram analysis with the internal structure to recover hive files successfully. The method has high practicality and accuracy.

(3) Using the correlation between registry data to compress and store it. Because registry data is highly redundant, it needs to be compressed; compression does not affect query efficiency.

(4) A database for storing registry data, with correlation analysis and keyword search to improve the efficiency of evidence analysis.

This study of Windows registry evidence-based forensic technology not only provides a systematic forensic model and reduces the human effort in the traditional forensic process, but also strengthens the persuasiveness of evidence through correlation analysis of different pieces of evidence. Most importantly, it discusses potential key technologies in the different forensic phases, strengthening the practicality and flexibility of the Windows registry forensic model.
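As an added illustration of the structure-based half of the hive recovery described in highlight (2) (example code written for this page, not the thesis author's implementation): a Python carver that validates a regf base block by its checksum and sequence numbers, then gathers hbin fragments scattered across a constructed disk image by their self-reported logical offsets and reassembles them in order. The 4 KiB block size and field offsets follow the public hive format; the sample image is constructed, and the N-gram classification step of the thesis is not implemented.

```python
import struct

BLOCK = 4096  # the regf base block and every hbin are 4 KiB-aligned

def regf_checksum(header: bytes) -> int:
    """XOR of the first 508 bytes of the base block, read as little-endian uint32 words."""
    chk = 0
    for (word,) in struct.iter_unpack("<I", header[:508]):
        chk ^= word
    return chk
def make_regf_header(hbins_size: int, seq: int = 7) -> bytes:
    """Constructed regf base block (sample data, not taken from a real system)."""
    hdr = bytearray(BLOCK)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 4, seq, seq)           # primary / secondary sequence numbers
    struct.pack_into("<II", hdr, 36, 0x20, hbins_size)  # root cell offset, hive bins data size
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr)
def make_hbin(rel_offset: int, size: int = BLOCK) -> bytes:
    """Constructed hbin: signature, offset relative to the first hbin, size, one in-use cell."""
    b = bytearray(size)
    b[0:4] = b"hbin"
    struct.pack_into("<II20xi", b, 4, rel_offset, size, -(size - 32))  # cell at +32, negative = allocated
    return bytes(b)
def carve_hive(image: bytes):
    """Validate the first regf base block, then gather and reorder its hbin fragments."""
    header = None
    for pos in range(0, len(image) - BLOCK + 1, BLOCK):
        blk = image[pos:pos + BLOCK]
        if blk[:4] == b"regf" and struct.unpack_from("<I", blk, 508)[0] == regf_checksum(blk):
            seq1, seq2 = struct.unpack_from("<II", blk, 4)
            if seq1 == seq2:  # unequal sequence numbers mean a dirty, half-written hive
                header, hbins_size = blk, struct.unpack_from("<I", blk, 40)[0]
                break
    if header is None:
        return None
    bins = {}  # logical offset -> fragment; physical order in the image does not matter
    for pos in range(0, len(image) - BLOCK + 1, BLOCK):
        rel, size = struct.unpack_from("<II", image, pos + 4)
        if (image[pos:pos + 4] == b"hbin" and size and size % BLOCK == 0
                and rel % BLOCK == 0 and rel + size <= hbins_size):
            bins[rel] = image[pos:pos + size]
    ordered = [bins[k] for k in sorted(bins)]
    return {"hive": header + b"".join(ordered), "bins_found": len(ordered),
            "complete": sum(len(b) for b in ordered) == hbins_size}

# Constructed image: junk, header, bins out of physical order, more junk, and a stray bin past the declared size
JUNK = b"\xAA" * BLOCK
IMAGE = (JUNK + make_regf_header(3 * BLOCK) + make_hbin(2 * BLOCK) + JUNK
         + make_hbin(0) + make_hbin(BLOCK) + make_hbin(9 * BLOCK))
```

An hbin carries no identifier of the hive it belongs to, so when several hives are fragmented across one image the structural check alone cannot assign a bin to its owner; that is the gap the thesis fills with N-gram analysis of the bin contents.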
Keywords/Search Tags: Computer Forensic, Registry, File Recovery, Computer crime