Computer live forensics technology is an effective means of combating computer crime. The strengths and weaknesses of live forensics tools bear directly on the validity of evidence in court and have a great impact on the detection of cases. In response to this situation, this paper tests and analyzes computer live forensics tools.

This paper first introduces the state of development of computer forensics and the basic situation of four popular live forensics tools, and points out the difficulties faced by live forensic investigation and the need to test live forensics tools. With the development of kernel-mode Trojan horses, viruses and other data-hiding techniques, the data obtained by live forensics tools may already have been modified by a Trojan horse. This paper therefore focuses on rootkit hiding technology, which lays the foundation for the testing and for the analysis of the test results.

The investigation flow of live computer forensics has a huge impact on the result: in the course of an investigation, different design logic and evidence collection operations can make the results deviate significantly. This article summarizes the basic principles of the live forensics investigation process and the good professional habits that investigators should have. Based on the volatile nature of electronic evidence, this paper proposes a general process for computer live forensic investigation and makes it the criterion for the investigation flow of live computer forensics.

The impact on memory caused by running the tools must be part of the test, but in many cases the popular string-based analysis method has many problems. This article designs and develops a KPCR-based memory analysis tool, which can obtain process information, thread information, the DLLs loaded by each process, file information and driver information from a Windows memory image file.

To verify the correctness of EnCase's hard disk string search function, this article designs and develops a hard disk string search tool. It can search for an arbitrary string on a hard drive under the FAT32 or NTFS file system, supports three character sets (Unicode, GB2312 and Big5), and can do some simple data recovery.

Based on the basic principles and general process of computer live forensic investigation, this paper presents test indicators for computer live forensics tools, and three live forensics tools (FRED, IRCR and WFT) are tested from ten aspects. The tests are conducted in virtual machines running four versions of the operating system (Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP2 and Windows Vista SP1). Six kinds of publicly available rootkit Trojan horses are used to test the correctness of the forensics tools' results, and the memory analysis tool is used to analyze the state of memory. This paper compares and studies the test results, points out the advantages and disadvantages of the various tools, and draws test conclusions. It also tests the hard disk string search function of EnCase and verifies its correctness under different file systems and character sets. Finally, this paper analyzes the causes of the problems that arise in the process of computer live forensics and proposes a new method for live forensics.
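The core of the hard disk string search tool described above, as an added example that is not the thesis author's code: the query is encoded in the same three character sets (Unicode, GB2312, Big5) and the raw image is scanned chunk by chunk, reporting each hit's byte offset and encoding. Treating "Unicode" as UTF-16LE is an assumption, and the sample image is constructed inline.

```python
import io

# Python codec names for the three character sets the thesis tool supports.
# Assumption: "Unicode" in the abstract means the UTF-16LE used by Windows.
ENCODINGS = {"UTF-16LE": "utf-16-le", "GB2312": "gb2312", "Big5": "big5"}
CHUNK_SIZE = 64 * 1024  # read size, so a multi-GB image is never loaded at once

def encode_needle(text):
    """Map label -> byte pattern; skip sets that cannot represent the text."""
    needles = {}
    for label, codec in ENCODINGS.items():
        try:
            needles[label] = text.encode(codec)
        except UnicodeEncodeError:  # e.g. a traditional-only character in GB2312
            pass
    return needles

def search_image(stream, text):
    """Return sorted (absolute_offset, label) pairs for every byte-level hit. Being
    raw-byte based it is independent of FAT32/NTFS structures and reaches deleted
    data; chunk tails are carried over so boundary-straddling matches are found."""
    needles = encode_needle(text)
    if not needles:
        return []
    overlap = max(len(n) for n in needles.values()) - 1
    hits, base, buf = set(), 0, b""  # base = absolute offset of buf[0]
    while True:
        data = stream.read(CHUNK_SIZE)
        if not data:
            break
        buf += data
        for label, needle in needles.items():
            pos = buf.find(needle)
            while pos != -1:
                hits.add((base + pos, label))  # set drops re-finds in carried tail
                pos = buf.find(needle, pos + 1)
        keep = max(len(buf) - overlap, 0)  # prefix no straddling match can start in
        base, buf = base + keep, buf[keep:]
    return sorted(hits)

def build_sample_image(text):
    """Constructed sample image returned as a file-like stream (as an image opened
    'rb' would be): zero-filled, the string written in each encoding at a known
    offset, with the Big5 copy straddling the first chunk boundary."""
    image = bytearray(CHUNK_SIZE + 4096)
    placements = {"UTF-16LE": 1000, "GB2312": 2004, "Big5": CHUNK_SIZE - 2}
    for label, offset in placements.items():
        encoded = text.encode(ENCODINGS[label])
        image[offset:offset + len(encoded)] = encoded
    return io.BytesIO(bytes(image)), placements
```

Running `search_image(*build_sample_image("法律"))` after swapping the argument order to `(stream, "法律")` reports the three planted copies, including the one split across the chunk boundary.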