
Research On Key Technology Of Computer Forensics For Windows

Posted on: 2021-02-28
Degree: Master
Type: Thesis
Country: China
Candidate: Z X Yang
Full Text: PDF
GTID: 2416330623482211
Subject: Computer technology
Abstract/Summary:
Computers are widely used in human production and everyday life. With the continuous development of science, technology and society, people have become more and more dependent on computers. While computers bring convenience to society, various types of cyber fraud and cyber theft are emerging endlessly, constantly threatening the security and development of society. These cybercriminals will more or less leave crime-related data on a computer: for example, the personal information of criminal suspects, daily behaviour information, criminal behaviour information, and attack trace information on the victim's computer. Such data are often hidden in the computer, and their storage methods and storage locations are complex and diverse. Therefore, professional forensic software tools are required to achieve legally sound forensics. Since the Windows operating system has long dominated the industry, this thesis focuses on several key technologies of computer forensics in the Windows operating system environment. The main work and contributions are as follows:

1. Aiming at the problem that data recovery results in computer forensics are prone to a large number of false positives, a data recovery method combining file structure construction with in-place file carving is proposed. Each file type has its own unique storage structure, and the method uses this to remedy the shortcomings of in-place file carving alone: it first uses a general framework to identify the file type, and then screens and restores files according to that file structure. A comparison test with existing carving tools verifies that this method can effectively reduce the false alarm rate and improve the accuracy of file recovery. The in-place file carving method is the foundation of the intelligent evidence search and positioning research and of the evidence analysis research.

2. Aiming at the large amount of useless document information on computers and the time constraints of forensics, a fast search method for near-synonymous information based on improved text similarity is proposed. The method includes two processes. It first uses information extraction to build a document information database, which removes a lot of useless information; then, following the idea of a pattern matching algorithm combined with text similarity, it searches for and analyses synonymous text. Experiments on a computer document corpus confirm that the forensic text similarity search method is very fast and effective in helping to find valuable documents.

3. Aiming at the problem of the complicated types and large volume of computer evidence storage, a computer forensics software prototype system for Windows (XP, Win 7, Win 8 and Win 10) is implemented by combining the above data recovery and information search methods; it can provide a comprehensive professional inspection for information security management and security inspection. The functions of the prototype system mainly include system information extraction, file data recovery, and rapid search of approximate information. At the same time, an evidence supervision function covers the entire evidence collection and analysis process, to ensure that the evidence remains unchanged and that the evidence collection is legal.
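The first contribution, carving by file signature and then validating the candidate against the file type's own structure to discard false positives, can be illustrated on a PNG image. The following is an added example written for this page; it is not the thesis author's code and not the prototype system. The disk-image fragment, the filler bytes and the decoy header are all constructed here, and the validator is a plain PNG chunk walk (length, type, data, CRC-32, IHDR first, IEND last), which is one concrete instance of the "screen by file structure" step.

```python
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, 4-byte type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int) -> bytes:
    """Build a minimal valid 8-bit RGB PNG (constructed sample evidence, not real data)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = [b"\x00" + bytes([i % 256, 0, 255 - (i % 256)]) * width for i in range(height)]
    idat = zlib.compress(b"".join(rows))
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def find_signatures(image: bytes) -> list:
    """Signature-only carving: every offset at which the PNG magic appears."""
    hits, pos = [], image.find(PNG_SIG)
    while pos != -1:
        hits.append(pos)
        pos = image.find(PNG_SIG, pos + 1)
    return hits


def validate_png_at(image: bytes, start: int, max_chunk: int = 50_000_000):
    """Walk the chunk list from `start`. Return the end offset if the structure is
    intact (IHDR first, every CRC correct, IEND reached), otherwise None."""
    pos = start + len(PNG_SIG)
    first = True
    while pos + 12 <= len(image):
        (length,) = struct.unpack(">I", image[pos:pos + 4])
        ctype = image[pos + 4:pos + 8]
        if not ctype.isalpha() or length > max_chunk:   # chunk type must be ASCII letters
            return None
        if first and (ctype != b"IHDR" or length != 13):  # PNG must open with a 13-byte IHDR
            return None
        data_end = pos + 8 + length
        if data_end + 4 > len(image):
            return None
        data = image[pos + 8:data_end]
        (stored_crc,) = struct.unpack(">I", image[data_end:data_end + 4])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != stored_crc:
            return None                                  # overwritten or fabricated chunk
        first = False
        pos = data_end + 4
        if ctype == b"IEND":
            return pos
    return None  # ran off the image without an IEND chunk


def carve_png(image: bytes) -> list:
    """Structure-validated carving: (offset, length) for every structurally intact PNG."""
    results = []
    for off in find_signatures(image):
        end = validate_png_at(image, off)
        if end is not None:
            results.append((off, end - off))
    return results


def build_sample_image() -> bytes:
    """Constructed disk-image fragment: filler, one real PNG, filler, one decoy
    (a PNG header whose IHDR CRC is corrupted and which has no IEND), filler."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible

    def filler(n: int) -> bytes:
        return bytes(rng.randrange(256) for _ in range(n))

    real = build_png(4, 3)
    decoy = PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 4, 3, 8, 2, 0, 0, 0))
    decoy = decoy[:-1] + bytes([decoy[-1] ^ 0xFF])  # flip one CRC byte
    return filler(64) + real + filler(32) + decoy + filler(64)


if __name__ == "__main__":
    img = build_sample_image()
    print("signature hits:", find_signatures(img))   # two candidates
    print("validated PNGs:", carve_png(img))         # only the intact one survives
```

Signature matching alone reports two candidates; the chunk walk rejects the decoy because its CRC does not verify, which is the false-positive reduction the abstract describes. The same pattern applies to other formats with checkable internal structure (ZIP central directories, JPEG marker segments, PDF xref tables): identify by magic, then accept only what parses.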
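The second contribution combines an information-extraction stage (building a reduced document information database) with a search that pairs exact pattern matching and text similarity so that synonymous wording is still found. The following added example is not the thesis author's code; the four documents, the synonym table and the stop-word list are constructed here, and cosine similarity over normalised term counts stands in for whatever improved similarity measure the thesis uses.

```python
import re
from collections import Counter
from math import sqrt

# Constructed sample documents standing in for text extracted from files on an examined machine.
DOCUMENTS = {
    "notes.txt": "Transfer the funds to the offshore account before Friday",
    "readme.txt": "Installation instructions for the printer driver",
    "memo.docx": "Move the money into the overseas account prior to Friday",
    "todo.txt": "buy milk, call mum, pay electricity bill",
}

# Constructed synonym table: terms are mapped to a canonical form before comparison,
# which is how a query written one way can match a document written another way.
SYNONYMS = {"funds": "money", "offshore": "overseas", "transfer": "move", "prior": "before"}
STOPWORDS = {"the", "to", "a", "for", "into", "of"}


def extract_terms(text: str) -> list:
    """Tokenise, drop stop words and canonicalise synonyms."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return [SYNONYMS.get(t, t) for t in tokens if t not in STOPWORDS]


def build_index(docs: dict) -> dict:
    """Information-extraction stage: one term-count vector per document.
    This reduced index is the 'document information database' of the abstract."""
    return {name: Counter(extract_terms(text)) for name, text in docs.items()}


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[t] * b[t] for t in a if t in b)
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def search(index: dict, docs: dict, query: str, threshold: float = 0.3) -> list:
    """Two-pass search: exact pattern match on the raw text, plus similarity on the
    normalised vectors. Returns (name, similarity, exact_hit), exact hits ranked first."""
    q = Counter(extract_terms(query))
    results = []
    for name, vec in index.items():
        exact = query.lower() in docs[name].lower()
        sim = cosine(q, vec)
        if exact or sim >= threshold:
            results.append((name, round(sim, 3), exact))
    return sorted(results, key=lambda r: (r[2], r[1]), reverse=True)


if __name__ == "__main__":
    index = build_index(DOCUMENTS)
    for hit in search(index, DOCUMENTS, "offshore account"):
        print(hit)
```

For the query "offshore account", the exact pass finds only notes.txt, while the similarity pass also surfaces memo.docx, which says the same thing with different words; readme.txt and todo.txt fall below the threshold and are never shown to the examiner, which is the "remove useless information" effect the abstract claims.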
Keywords/Search Tags:Windows, computer forensics, data recovery, information search, forensics system