Similar literature
Found 20 similar documents; search took 15 ms
1.
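Electronic evidence, as a new form of evidence, is gradually becoming one of the new kinds of evidence used in litigation. Research on digital forensic technologies has focused mainly on locating and recovering evidence and on data analysis, while the legality, authenticity and integrity of the forensic process itself have gone unmonitored. Building on a study of forensic steps and procedures, and modelled on social auditing practice, this paper designs a supervision system for the digital forensic examination workflow, to address the chain of custody problem for electronic evidence during acquisition, transmission, preservation and analysis.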

2.
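Electronic evidence, as a new form of evidence, is gradually becoming one of the new kinds of evidence used in litigation. Research on digital forensic technologies has focused mainly on locating and recovering evidence and on data analysis, while the legality, authenticity and integrity of the forensic process itself have gone unmonitored. Building on a study of forensic steps and procedures, and modelled on social auditing practice, this paper designs a supervision system for the digital forensic examination workflow, to address the chain of custody problem for electronic evidence during acquisition, transmission, preservation and analysis.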

3.
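To address the difficulty, in digital crime investigations, of identifying malicious code fragments within complex, heterogeneous, low-level and massive evidence data, this work analyses the structure and characteristics of TensorFlow deep learning models and proposes a TensorFlow-based algorithmic framework for detecting malicious code fragments; by analysing the training process and mechanisms of deep learning algorithms, it proposes an algorithm based on backward-gradient training; to solve the problem of extracting features of malicious code fragments from evidence sources on different devices and file systems, it proposes a binary feature preprocessing algorithm that works at the low level of the storage medium; and to enable backpropagation training, it designs and implements an algorithm for building a code fragment dataset. Experimental results show that, for automated forensic detection of malicious code fragments across different storage media and evidence storage containers, the TensorFlow-based detection algorithm reaches a combined F1 score of 0.922, and that compared with antivirus engines such as CloudStrike, Comodo and FireEye it has an absolute advantage in processing low-level code fragment data.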

4.
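While emphasising the importance of forensic personnel, this work proposes a three-dimensional process model organised by the source of the electronic evidence. Different evidence collection schemes can be adopted for the different evidence sources involved in different cases, which widens the applicability of digital forensic models while providing automated evidence collection and analysis as well as knowledge reuse. In the investigation and analysis phase the evidence reliability amplification algorithm is improved, raising both the reliability of the evidence and working efficiency.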

5.
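Research on and Protection of Electronic Data Evidence Collection Systems   Total citations: 2, self-citations: 0, citations by others: 2
As computer crime continues to increase, digital forensic technology is receiving growing attention. Electronic data evidence differs from traditional criminal evidence in that it is more easily lost or destroyed. To obtain complete and trustworthy electronic data evidence, the paper proposes pre-installing a digital evidence collecting system (DECS) on sensitive hosts to collect relevant evidence from the system. Because some DECS modules often reside within the attacked system, the paper proposes that using a secure isolated environment is an effective way to protect the electronic data evidence collection mechanism, and designs a security protection mechanism, I-LOMAC.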

6.
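To obtain digital evidence from damaged storage media, or evidence deliberately hidden in storage media, a feature extraction algorithm for the entropy of file fragments is designed to distinguish the entropy ranges of fragments of different file types. On the basis of this algorithm, and taking into account the characteristics of where files are located on storage media, a fragment file carving framework is designed and a file carving algorithm based on fragment entropy features is proposed. Experimental results show that, compared with existing carving algorithms, this algorithm carves fragmented files from storage media more effectively.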

7.
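An integrity scheme for digital forensics is designed. The scheme uses the SHA algorithm to generate a digest of the forensic information, uses the digest together with the local system time as the verification data for that information, and splits the verification data using a secret sharing mechanism, so that in addition to integrity verification the scheme is also fault-tolerant.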

8.
E-crime is increasing and e-criminals are becoming better at masking their activities. The task of forensic data analysis is becoming more difficult and a systematic approach towards evidence validation is necessary. With no standard validation framework, the skills and interpretation of forensic examiners are unchecked. Standard practices in forensics have emerged in recent years, but none has addressed the development of a model of valid digital evidence. Various security and forensic models exist, but they do not address the validity of the digital evidence collected. Research has addressed the issues of validation and verification of forensic software tools but failed to address the validation of forensic evidence. The forensic evidence collected using forensic software tools can be questioned using an anti-forensic approach. The research presented in this paper is not intended to question the skills of forensic examiners in using forensic software tools but rather to guide forensic examiners to look at evidence in an anti-forensic way. This paper proposes a formal procedure to validate evidence of computer crime.

9.
In a digital forensics examination, the capture and analysis of volatile data provides significant information on the state of the computer at the time of seizure. Memory analysis is a premier method of discovering volatile digital forensic information. While much work has been done in extracting forensic artifacts from Windows kernel structures, less focus has been paid to extracting information from Windows drivers. There are two reasons for this: (1) source code for one version of the Windows kernel (but not associated drivers) is available for educational use and (2) drivers are generally called asynchronously and contain no exported functions. Therefore, finding the handful of driver functions of interest out of the thousands of candidates makes reverse code engineering problematic at best. Developing a methodology to minimize the effort of analyzing these drivers, finding the functions of interest, and extracting the data structures of interest is highly desirable. This paper provides two contributions. First, it describes a general methodology for reverse code engineering of Windows drivers' memory structures. Second, it applies the methodology to tcpip.sys, a Windows driver that controls network connectivity. The result is the extraction from tcpip.sys of the data structures needed to determine current network connections and listeners from the 32- and 64-bit versions of Windows Vista and Windows 7. Manipulation (DKOM), tcpip.sys, Windows 7, Windows Vista. 2000 MSC: 60, 490.

10.
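Based on TI's heterogeneous multi-core digital signal processing SoC C66AK2H06, the algorithm processing and software for a PE ultrasonic phased-array flaw detector were designed. The design centres on the software architecture, algorithm composition, multi-core parallel computing, inter-core communication, inter-chip communication, shared memory and multi-level memory allocation in the new system architecture, and optimises key metrics such as algorithm processing performance and real-time performance. The results show that using the C66AK2H06 to implement...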

11.
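When processing volatile user big data in memory, traditional parallel processing control systems make very poor use of the CPU, which results in low precision in the processing control work. To solve this problem, a new big-data parallel processing control system is designed. Its hardware and software are designed separately, the structural relationships among the components of the control system are analysed, and the system bus and central processor are designed in detail; the software part is divided into four steps: opening files, updating files, monitoring operation and data connection. To test the feasibility of the system, it was compared experimentally with a traditional parallel processing control system. The results show that the designed parallel processing control system makes full use of the system CPU and processes volatile user big data in memory precisely. The system has very strong working capability and is worth promoting.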

12.
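Building on an analysis of how the certainty of electronic evidence is determined in China and abroad, the article proposes and describes a scheme for an electronic evidence certainty indicator system from the perspective of the electronic evidence life cycle, analyses the fuzzy multi-level comprehensive evaluation algorithm at the technical level, lists related algorithms and models, and uses the fuzzy comprehensive evaluation method to assess the certainty of electronic evidence, achieving a quantitative study of that certainty.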

13.
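To address the dispersion of electronic evidence in networked environments, the low efficiency of forensic analysis and the difficulty of collaboration, and based on an analysis of the characteristics of computer crime and the problems currently facing digital forensics, a cloud-computing-supported collaborative digital forensics model with a positive cyclic feedback mechanism is designed to meet the need for coordinated forensics and analysis, and its design rationale and architecture are discussed in detail. Finally, the system implementation method for the model, the cloud storage scheduling strategy for electronic evidence and the lock-based scheduling of concurrent analysis tasks are studied. Experiments show that collaborative digital forensics can effectively improve the efficiency of digital forensic work and the accuracy of analysis results.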

14.
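Wu Xindong, Li Yadong, Hu Donghui. Journal of Software (《软件学报》), 2014, 25(12): 2877-2892
Social networks are a new kind of tool through which people use computing and information technology to exchange information, build interpersonal relationships and carry out other social activities, and they have become one of the core topics in the study of social software within social computing. Social web page forensics aims to acquire, fix, analyse and present evidence from user information, providing a direct, effective, objective and impartial third-party basis. Against the background of the rapid growth of the Internet, social web page forensics faces the challenges of diverse user information, dynamically (in real time) changing content, massive volume, interactivity and the question of whether image content can be trusted, and it has become an important and difficult problem for public opinion analysis, affective computing, content analysis of social network relationships, and the analysis of individual, group and societal behaviour in social networks and social computing. For the social web page forensics problem, taking Sina Weibo as an example, a forensic solution is designed that fixes the information posted by users, face images and location information, and relies on web page forensic methods to authenticate the trustworthiness of the information. Information visualisation and assisted analysis are also used to support computer forensic work against a background of massive social web page data.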

15.
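To address the large memory footprint during loading of a Unity-engine-based workshop simulation system, which causes stuttering and unsmooth behaviour at run time, a dynamic resource scheduling algorithm is designed from the standpoint of model resource loading. First, a quadtree algorithm recursively partitions the scene into multiple leaf nodes for storage; then, combined with the dynamic resource scheduling algorithm and taking the camera position as the centre, prefabs for the resources of the surrounding nodes are instantiated and destroyed to manage memory. Finally, based on Unity's memory management mechanism, dynamic scheduling of scene resources and memory optimisation are designed and implemented. Experimental results show that the dynamic resource management algorithm effectively keeps the amount of data loaded in memory at any given moment relatively stable, reduces total I/O, and avoids the memory thrashing caused by roaming movement, so that the system runs more smoothly.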

16.
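To address the shortcomings of some current dynamic forensics models, a dynamic forensics system for the Windows platform is designed on the basis of a distributed network forensics model. It supports forensics when a computer on the network plays the dual role of crime target and crime tool, and features real-time acquisition of multiple data sources, a covert forensic process and extensible forensic analysis algorithms. The design of each functional module of the dynamic forensics system is described, the key technologies involved in the system design are explained, and finally simulated tests show that the system can perform dynamic forensics on Windows networks.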

17.
In industrial manufacturing, with the deep integration and development of advanced digital technologies such as industrial big data, industrial Internet and industrial artificial intelligence with the manufacturing industry, the manufacturing model is gradually developing and evolving in the direction of networking, platform, integration, collaboration and ecology. Therefore, for the industrial manufacturing process, research on the construction of a comprehensive industrial-ecosystem-oriented Networked Collaborative Manufacturing Platform (NCMP) system, integrating network characteristics, platform elements, integrated mechanism, collaborative model and ecological format, is of great industrial application value. In this paper, the system model of NCMP is constructed from four perspectives: the network perspective, the collaborative manufacturing perspective, the platform perspective, and the industrial ecosystem perspective. Then, a system framework of NCMP based on three chains (manufacturing chain, value chain, and industrial chain) is proposed. Three collaborative subsystems of NCMP (vertical collaboration subsystem from multi perspective, horizontal collaboration subsystem from multi process, end to end collaboration subsystem from multi operator) are constructed. Finally, a comprehensive system construction for NCMP in the automobile industry is given. The research results show that the most important elements to construct NCMP are purchasing department collaboration, demand department collaboration, design collaboration, data integration between enterprises and factories, etc.

18.
Digital forensic investigation refers to the use of science and technology in the process of investigating a crime scene so as to maximize the effectiveness of proving the perpetrator has committed crime in a court of law. Evidences are considered to be the building block of any crime scene investigation (CSI) procedure including those involving cyber crimes. Selecting the right set of evidence and assigning the appropriate investigator for the selected evidence is vital in time critical forensic cases, in which results have to be finalized within a specified time deadline. Not doing this may lead to the scope creep problem, which is a significant issue in digital forensics. Therefore, major challenges with respect to digital forensic investigation are to determine the right set of evidences to be assigned to each of the available multiple investigators and allocate appropriate investigation time for the selected evidences to maximize the effectiveness of the investigation effort. A mixed integer linear programming (MILP) model is developed to analyze and solve the problem of evidence selection and resource allocation in a digital crime scene investigation. In view of the problem being NP-hard, a heuristic algorithm with polynomially bounded computational complexity is proposed to solve the problem. Results of extensive computational experiments to empirically evaluate its effectiveness to find an optimal or near-optimal solution are reported. Finally, this paper concludes with a summary of findings and some fruitful directions for future research.

19.
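Traditional priority inversion or fixed-priority arbitration reduces the memory access efficiency of the CPU (central processing unit) and cannot protect data in memory. To address this, a digital IP (intellectual property) block is designed that arbitrates and controls multiple protocols performing efficient encrypted and decrypted reads and writes on CPU memory cells. Synchronisation circuits are combined with a handshake protocol to handle clock domain crossing between two protocols; efficient arbitration among multiple protocols is studied and a saturation arbitration algorithm is proposed; a pseudo-random encryption algorithm seeded by the address is designed to encrypt and decrypt the data read from and written to memory; and a custom memory access protocol is designed to provide direct access to memory. Simulation and tape-out results show that the design schedules memory access for multiple interface protocols well and prevents the data in CPU memory cells from being illegally cracked.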

20.
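With the rapid development of radar technology, digital phased-array antennas are coming into wide use in all kinds of phased-array radars. Because the operating principle of digital phased-array antennas differs greatly from that of traditional analogue phased-array antennas, test methods have also changed fundamentally: existing antenna test systems based on ordinary microwave instruments can no longer test digital phased-array antennas, and a new type of digital phased-array antenna test system must be designed. The article first introduces the operating principle and test methods of digital phased-array antennas, then presents a concrete hardware and software design for a new digital phased-array antenna test system. Practical application shows that the digital phased-array antenna test system can meet the test requirements of all kinds of digital phased-array antennas.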
