
Research And Application Of Multi-Source Log Analysis Technology In Computer Forensics

Posted on: 2020-12-29
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhang
Full Text: PDF
GTID: 2416330575995227
Subject: Computer Science and Technology

Abstract/Summary:
Computer crime is a high-tech crime. To convict and sentence this criminal behaviour, the judiciary needs sound digital evidence. Compared with traditional evidence, digital evidence requires very different methods of collection and analysis. In order to restore the computer crime process and make effective use of digital evidence against computer crime, research on computer forensic analysis technology has become a hot issue at home and abroad. Logs, which record the behaviour and operating status of each device in the network, are an important data source for computer forensics. This paper studies in detail a multiple correlation analysis method for multi-source logs in computer forensics. To reduce the probability of missing scenes, logs must be obtained from different data sources for forensic analysis. Computer crime scenarios are reconstructed and the criminal process explained on the basis of attribute similarity and causality, so as to provide effective digital evidence for the computer crime trial. The main research work of this paper is as follows:

(1) A complete computer forensics process using multiple correlation analysis methods. First, a preliminary correlation analysis is performed on the multi-source logs based on attribute similarity, and logs with the same or similar attributes are aggregated into the same crime scene. After this first correlation, the logs are divided into multiple crime scenarios. Then, according to the state information of the system, the corresponding scene is located and a second correlation analysis based on causality is performed within that scenario to extract the deeper logical relationships from the logs.

(2) The causal correlation analysis proposed by Peng Ning is improved, and a reverse causal correlation algorithm that satisfies the digital evidence identification standard is proposed. Starting from the final state of the victim host, the last-stage attack event that caused that state is found through causal correlation, and by the same reasoning the entire computer crime process is traced. At the same time, the legal provisions are combined with the binding of digital evidence, and associated paths that cannot be used as evidence are excluded. Through this process, computer crime scenario reconstruction is achieved.

(3) Feasibility verification of the improved causal correlation algorithm was performed using the DARPA network attack test data set. Experiments show that the improved algorithm greatly simplifies the complexity of the original algorithm and improves the efficiency of computer crime scene correlation. In addition, using the multi-source log data of Beijing Jiaotong University, the multiple correlation analysis described in this paper is applied to the actual forensics process. The results show that multiple correlation analysis can greatly reduce the size of the input data in the crime scene reconstruction process, in addition to reducing unnecessary evidence associations. By comparing multi-source log forensics with single-source log forensics, it is proved that multi-source log forensics can effectively avoid the omission of crime scenes.
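As an added illustration (not code from the thesis), the two-stage process of (1) and (2) in Python: constructed firewall/IDS/syslog events are first aggregated by victim host on attribute similarity, then a reverse causal walk starts from the victim's final state and picks, at each step, the latest event whose consequences supply the required state. The causal rule table, the sample events and the `hash_ok` integrity flag used to exclude inadmissible paths are all assumptions made for this example.

```python
from collections import defaultdict

# Assumed causal knowledge base: event type -> (prerequisite states, consequence states).
CAUSAL_RULES = {
    "port_scan":      (set(),                    {"services_known"}),
    "ssh_bruteforce": ({"services_known"},       {"credentials_obtained"}),
    "ssh_login":      ({"credentials_obtained"}, {"shell_access"}),
    "privesc":        ({"shell_access"},         {"root_access"}),
}

# Constructed multi-source events (firewall, IDS, syslog); t is a relative timestamp.
# Event 4 failed its integrity check (hash_ok False), so it cannot serve as evidence.
EVENTS = [
    {"id": 1, "t": 100, "src": "10.0.0.5", "dst": "10.0.0.9", "type": "port_scan",      "log": "firewall"},
    {"id": 2, "t": 110, "src": "10.0.0.5", "dst": "10.0.0.9", "type": "ssh_bruteforce", "log": "ids"},
    {"id": 3, "t": 120, "src": "10.0.0.5", "dst": "10.0.0.9", "type": "ssh_login",      "log": "syslog"},
    {"id": 4, "t": 125, "src": "10.0.0.7", "dst": "10.0.0.9", "type": "ssh_login",      "log": "syslog", "hash_ok": False},
    {"id": 5, "t": 130, "src": "10.0.0.5", "dst": "10.0.0.9", "type": "privesc",        "log": "syslog"},
    {"id": 6, "t": 105, "src": "10.0.0.6", "dst": "10.0.0.8", "type": "port_scan",      "log": "firewall"},
]


def aggregate_scenes(events):
    """Stage 1: attribute-similarity correlation. Events sharing the victim host
    attribute are aggregated into one scene, ordered by time."""
    scenes = defaultdict(list)
    for e in events:
        scenes[e["dst"]].append(e)
    return {host: sorted(evs, key=lambda e: e["t"]) for host, evs in scenes.items()}


def reverse_causal_chain(scene, final_state):
    """Stage 2: reverse causal correlation. Walk back from the victim's final state,
    choosing the latest admissible event whose consequences include the needed state,
    then recurse on that event's prerequisites. Returns (chain_complete, event ids
    in chronological order)."""
    chain = []

    def resolve(state, before):
        candidates = [e for e in scene
                      if e["t"] < before and e.get("hash_ok", True)   # exclude inadmissible evidence
                      and state in CAUSAL_RULES[e["type"]][1]]
        if not candidates:
            return False
        e = max(candidates, key=lambda e: e["t"])
        chain.append(e["id"])
        return all(resolve(p, e["t"]) for p in CAUSAL_RULES[e["type"]][0])

    complete = resolve(final_state, float("inf"))
    return complete, list(reversed(chain))
```

For host 10.0.0.9 the walk from `root_access` yields events 1, 2, 3, 5; event 4 is skipped because it failed its integrity check, even though it is the latest login before the privilege escalation.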
Keywords/Search Tags: Computer forensics, multi-source log, multiple correlation, reverse causality, computer crime scenario reconstruction