SHANG Shi-ze,KONG Xiang-wei,YOU Xin-gang

DOI: https://doi.org/10.3969/j.issn.1671-1122.2015.04.011

2015-01-01

Abstract:The examination of forged and altered document is an important part in judicial expertise. The traditional examination methods need professional testers and devices, the disadvantages include high cost, long testing time, damage on the documents, etc. In recent years, the digital passive lossless forensics on forged and altered document has been developed which only uses scanner and computer. In this paper, we first introduce the life-cycle of document and its forging and altering methods. Then, we summarize the passive lossless forensics on forged and altered document, and describe the technologies on device identiifcation, copy paper identiifcation and authenticity detection, respectively. We give a detailed description on the characteristics introduced by devices and altering methods, and their forensics methods. Finally, we describe the questions and challenges on digital passive lossless forensics on documents.

Chen Yanjiao,Yi Renping

2009-01-01

Abstract:There is a very important and realistic significance to adjust to the new situation and discuss the path to the implementation of the function of financial audit immune system on the background that the whole world is facing the financial crisis and the banking business in China is on the transition from separating operation to mixed operation.This paper generalizes the financial audit proclamations after the audit proclamation system was applied in 2003, summarizes achievements in implementation of the function of immune system, and also tries to find some shortages on auditing object, auditing content, auditing aim, auditing level and etc.These drawbacks will become obstacles to the development of the function of financial audit immune system.Therefore, this paper designs a trinity to develop the function of financial audit immune system including law, technology, and human resources.

Lin Chen,Zhitang Li,Cuixia Gao,Yingshu Liu

DOI: https://doi.org/10.1109/CIT.2009.108

2009-01-01

Abstract:As an important part of computer forensics, network forensics particularly places emphasis on dynamic network information collection and proactive defense. Most forensics systems based on intrusion detection or honeypot rarely emphasize the availability of actual servers. In addition, few of them discussed the occasion of dynamic forensics particularly. The work presented in this paper is based on an idea to assist dynamic forensics with intrusion tolerance and deception technology to enhance the availability of server system and gather more useful evidences on a proper occasion. A mechanism of dynamic forensics based on intrusion forensics is proposed and is modeled with finite state machine. The workflow is described. A semi Markov process based on the embedded Markov chain of the states transition model is built and described. Finally, the forensics capability and server availability are analysis. According to the numerical analysis result, the security performance and forensics capability of the forensics system are enhanced to a certain degree.

陈琳,李之棠,高翠霞

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.11.015

2009-01-01

Computer Science

Abstract:With the development of intrusion and computer crime technologies,dynamic forensics is becoming more and more important.Dynamic forensics based on intrusion detection and honeypot technologies has great advantage in real-time performance,whereas these methods are defective in overcoming the difficulty of evidence and system reliability,and hard to seize the opportunity of investigation.A self-adaptive mechanwasm was proposed which used intrusion detection system as forensics trigger and shadow honeypot was used to verify the suspicious attack,observe and analyze the attack activities further more to gather key evidences.And then the finite state machine model of this mechanism was illuminated and key technologies such as shadow honeypot,state transition opportunity and evidence security storage method were described.The dynamic forensics system with this mechanism can tolerate intrusion in a certain degree and get the investigation process under control.Moreover,the amount of unnecessary evidences can be reduced obviously.

徐辉,潘爱民

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.11.052

2004-01-01

Abstract:An enhanced security auditing mechanism for Linux is proposed.This mechanism is based on loadable kernel mo-(dule) and provides system level and application level auditing functions.System audit generates an audit record for every security sensitive system call.Application level audit abandons the traditional auditing fashion that auditing system completely depends on applications writing log file in user space.Instead,applications and system kernel will generate audit record coordinately.Examples are given for intrusion detection with this mechanism.

QIAN Qin,DONG Bu-yun,TANG Zhe,FU Xiao,MAO Bing

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.08.058

2014-01-01

Abstract:Traditional methods of memory acquisition focus on the persistent data of disk or hard disk in the attacked computers. However,as the growing use of encryption routines or rapidly increasing storage capabilities of hard drives,it is very difficult to get data in time with the original method that is meant for persistent data. So in the field of computer forensics,people start to change the data source and focus on the volatile information in RAM. This paper specifically describes the prevailing methods of memory acquisition and analysis and the process of memory forensics. It explains the characteristics of each method and gives the advantage and disadvantage of them. In the end,it concludes all these methods and gives some suggestions of the future of computer forensics.

HUANG Jia-shun,ZHAO Xin-yu,LUO Shun,QIU Wei-dong

DOI: https://doi.org/10.3969/j.issn.1009-8054.2013.02.032

2013-01-01

Abstract:The computer system check marks and forensics is the process,by certain techniques and methods,to collect all kinds of information in the target computer as clues and evidence. The analysis and interpretation of USN journal on NTFS file system could be used in computer crime investigation and forensic,and the research on computer crime investigation technologies is helpful to acquisition of crime clues and evidence in USN journal. Meanwhile some examples and explanations are also given in this paper.

LIU Jia,ZI Xiaochao,PAN Li,LI Jianhua

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.12.018

2005-01-01

Abstract:This paper discusses how to develop the audit module for secure operating system based on the Linux kernel. This audit subsystem cancollect all the core-level information by mounting audit points in the kernel, and provide secure audit management with automate analysis fromremote terminal through website.

Runqing Yang,Xutong Chen,Haitao Xu,Yueqiang Cheng,Chunlin Xiong,Linqi Ruan,Mohammad Kavousi,Zhenyuan Li,Liheng Xu,Yan Chen

DOI: https://doi.org/10.1109/TDSC.2020.3032570

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Remote Access Trojan (RAT) attacks have become an extensively prevailing and serious threat to enterprise security. A forensic system targeting RAT attacks is needed to record and reconstruct fine-grained semantic behaviors of RATs. However, existing forensic systems suffer from various issues such as intrusive instrumentation, nontrivial recording overhead, and RAT behavior blindness. In this art...

刘武,任萍,段海新,向晓林

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.11.041

2004-01-01

Abstract:Computer forensics are now attracted by researchers and developers abroad,but studied little in our nation,and the products of computer forensics are primarily those based on host.Discuss the definition and target of authorship analysis in software forensics,explain how to extract characters of authorship analysis in detail.Finally we give a forensic analysis model MBSFAM.

Mao Ye

DOI: https://doi.org/10.48550/arXiv.2104.08699

2021-04-18

Hardware Architecture

Abstract:With emerging non-volatile memories entering the mainstream market, several operating systems start to incorporate new changes and optimizations. One major OS support is the direct-access for files, which enables efficient access for files hosted in byte-addressable NVM systems. With DAX-enabled filesystems, files can be accessed directly similar to memory with typical load/store operations. Despite its efficiency, the frequently used system call of direct access is troublesome for system auditing. File system auditing is mandatory and widely used because auditing logs can help detect anomalies, suspicious file accesses, or be used as an evidence in digital forensics. However, the frequent and long-time usage of direct access call blinds the operating system or file system from tracking process operations to shared files after the initial page faults. This might results in imprecise casualty analysis and leads to false conclusion for attack detection. To remedy the tension between enabling fine-grained file system auditing and leveraging the performance of NVM-hosted file systems, we propose a novel hardware-assisted auditing scheme, FOX. FOX enables file system auditing through lightweight hardware-software changes which can monitor every read or write event for mapped files on NVM. Additionally, we propose the optimized schemes, that enable auditing flexibility for selected files/memory range. By prototyping FOX on a full system simulator, Gem5, we observe a relatively small reduced throughput and an acceptable extra writes compared to our baseline. Compared to other instrumentation-based software schemes, our scheme is low-overhead and secure.

Rongrong Huang,Jiwu Shu,Da Xiao,Kang Chen

2009-01-01

Journal of Computer Research and Development

Abstract:Network file systems facilitate data sharing but also introduce new vulnerabilities.Audit logs that trace the changes of file system data to prevent fraudulent manipulation of data have great value in evaluating system security.Current systems cannot satisfy the requirement of users because they fail to ensure the security of audit logs.The powerful insider adversary can modify the audit logs covertly to erase evidence of illegal modification directly via device drivers.A data integrity protection method is presented for network file systems based on secure audit logs.Every file and directory has an authenticator to ensure the integrity of data.All changes to data are traced and the corresponding audit logs are generated.At a later time,an auditor may verify the data of a file according to the authenticators and audit logs.A trusted hardware is introduced to manage audit key and to enable the generation and trustworthiness of authenticators and audit logs.A prototype of Nfsd-log is implemented based on the NFS server in Linux and its performance iS evaluated. SSH-build benchmark test shows that the total time overhead of Nfsd-log only increase by 9.2% comparing with original NFS server.

Yilin Yuan,Jianbiao Zhang,Wanshan Xu,Zheng Li

DOI: https://doi.org/10.1002/cpe.6735

2021-12-09

Concurrency and Computation: Practice and Experience

Abstract:With the popularity of cloud computing, cloud storage technology has also been widely used. Among them, data integrity verification is a hot research topic. At present, the realization of public auditing has become the development trend of integrity verification. Most existing public auditing schemes rarely consider some indispensable functions at the same time. Thus, in this article, we propose a comprehensive public auditing scheme (PDBPA) that can simultaneously support data privacy protection, data dynamics, and multi‐user batch auditing. To guarantee privacy protection during the audit process, our PDBPA design a new method of constructing audit proof, which combines random masking techniques and bilinear properties of bilinear pairing. Not only can it ensure that TPA performs audits correctly, but it can also prevent it from exploring the user's sensitive data. In addition, by utilizing the modified dynamic hash table, which is a novel and small two‐dimensional data structure, data dynamics can be effectively achieved. Furthermore, we provide a detailed process for the third‐party auditors to perform batch audits for multiple users. Moreover, we give the detailed and rigorous security analysis in defending against forgery attack, replace attack, and replay attack. Performance evaluations demonstrate that our PDBPA scheme is effective and feasible.

Zhuo Chen,Hong Wang

DOI: https://doi.org/10.1155/2022/5854105

IF: 1.43

2022-03-23

Mathematical Problems in Engineering

Abstract:With the rapid development of science and technology, modeling technology involves more and more fields and the data objects studied are more and more abstract. Based on the Internet plus complex discrete dynamic modeling technology, this paper studies the auditing and control of computerized accounting computerization. In order to maintain the steady state of the discrete dynamic system, the lifting method boosting, least square method, gradient boost, and LS-Ensem algorithm are added in the modeling process. Then, in order to improve the data recognition ability of the system, the recognition algorithm is added. The results show that the complex discrete dynamic system composed of the above algorithms is different from the ordinary system and can be better suitable for small-scale data. It also improves the stability of the whole system and then improves the accuracy of the model. Compared with ordinary discrete systems, the complex discrete dynamic systems studied in this paper can better overcome external factors and avoid errors. The system can quickly analyze and process the data that need statistics and has good application value.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Meng-Chieh Lee,Yue Zhao,Aluna Wang,Pierre Jinghong Liang,Leman Akoglu,Vincent S. Tseng,Christos Faloutsos

DOI: https://doi.org/10.48550/arXiv.2011.00447

2020-11-01

Abstract:How can we spot money laundering in large-scale graph-like accounting datasets? How to identify the most suspicious period in a time-evolving accounting graph? What kind of accounts and events should practitioners prioritize under time constraints? To tackle these crucial challenges in accounting and auditing tasks, we propose a flexible system called AutoAudit, which can be valuable for auditors and risk management professionals. To sum up, there are four major advantages of the proposed system: (a) "Smurfing" Detection, spots nearly 100% of injected money laundering transactions automatically in real-world datasets. (b) Attention Routing, attends to the most suspicious part of time-evolving graphs and provides an intuitive interpretation. (c) Insight Discovery, identifies similar month-pair patterns proved by "success stories" and patterns following Power Laws in log-logistic scales. (d) Scalability and Generality, ensures AutoAudit scales linearly and can be easily extended to other real-world graph datasets. Experiments on various real-world datasets illustrate the effectiveness of our method. To facilitate reproducibility and accessibility, we make the code, figure, and results public at <a class="link-external link-https" href="https://github.com/mengchillee/AutoAudit" rel="external noopener nofollow">this https URL</a>.

Social and Information Networks

LIN Guo-yuan,HUANG Hao

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.27.042

2006-01-01

Abstract:In this article,we analyze the condition of computer forensics and point out dynamic forensics is its trend. After reasoning the feasibility of adopting IDS into dynamic forensics,a dynamic forensics system model is presented and expounded in detail.Since it is the combo of IDS and justice parsing technique,it will be instructive for the dynamic forensics of computer crime.

Zheng Tu,Xu An Wang,Weidong Du,Zexi Wang,Ming Lv

DOI: https://doi.org/10.1016/j.jksuci.2023.01.021

IF: 9.006

2023-02-08

Journal of King Saud University - Computer and Information Sciences

Abstract:The security of the data in the cloud server suffers great challenges, and how to ensure the integrity of the outsourced data in the cloud servers is a problem that should be solved. Cloud data auditing technique is such a solution , which allows to check data integrity without retrieving them from the cloud. In case single-copy data may be violated by malicious attackers, Zhang et al. proposed a multi-copy cloud data auditing scheme MCAM in 2020. However, in their scheme, an attacker can forge the evidence for integrity verification only by exploiting public information and the cloud server can compromise the integrity verification even it does not store any data. In this paper, we identify these security flaws in MCAM and design a new evidence verification algorithm to fix them. Then, we propose a multi-copy cloud data auditing scheme based on our evidence verification algorithm and MCAM. In security analysis, we prove that our multi-copy cloud data auditing scheme can fix the security flaws of MCAM. Thus, our scheme is more secure than MCAM. In performance analysis, we show that our scheme is more communication efficient than MCAM. Finally, we point out one potential application of our scheme.

computer science, information systems

Tiantian Zhu,Jiayu Wang,Linqi Ruan,Chunlin Xiong,Jinkai Yu,Yaosheng Li,Yan Chen,Mingqi Lv,Tieming Chen

DOI: https://doi.org/10.1109/tifs.2021.3076288

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The damage caused by Advanced Persistent Threat (APT) attacks to governments and large enterprises is gradually escalating. Once an attack event is detected, forensic analysis will use the dependencies between system audit logs to rapidly locate intrusion points and determine the impact of the attacks. Due to the high persistence of APT attacks, huge amounts of data will be stored to meet the needs of forensic analysis, which not only brings great storage overhead, but also sharply increases the computing costs. To compact data without affecting forensic analysis, several methods have been proposed. However, in real-world scenarios, we meet the problems of weak cross-platform capability, large data processing overhead, and poor real-time performance, rendering existing data compaction methods difficult to meet the usability and universality requirements jointly. To overcome these difficulties, this paper proposes a general, efficient, and real-time data compaction method at the system log level; it does not involve internal analysis of the program or depend on the specific operating system type, and it includes two strategies: 1) data compaction of maintaining global semantics (GS), which determines and deletes redundant events that do not affect global dependencies, and 2) data compaction based on suspicious semantics (SS). Given that the purpose of forensic analysis is to restore the attack chain, SS performs context analysis on the remaining events from GS and further deletes the parts that are not related to the attack. The results of the real-world experiments show that the compaction ratios of our method to system events are as high as $4.36\times $ to $13.18\times $ and $7.86\times $ to $26.99\times $ on GS and SS, respectively, which is better than state-of-the-art studies.

Ye Yao

DOI: https://doi.org/10.48550/arXiv.1802.02308

2018-02-07

Abstract:The annotation of video tampering dataset is a boring task that takes a lot of manpower and financial resources. At present, there is no published literature which is capable to improve the annotation efficiency of forged videos. We presented a computer-aided annotation method for video tampering dataset in this paper. This annotation method can be utilized to label the frames of forged video sequences. By means of comparing the original video frames with the forged video frames, we can locate the position and the trajectory of the forged areas of the forged video frames. Then, we select several key points on the temporal domain according to the trajectory of the forged areas, and mark the forged area of the forged frames in the key point with a mouse. Finally, we use the linear prediction algorithm based on the coordinates of the key positions in the temporal domain to generate the annotation information of forged areas in other video frames which without manually labeled. If the bounding box generated by the computer-aided algorithm deviates from the actual location of the forged area, we can use the mouse to change the position of the bounding box during the preview period. This method combines the manual annotation with computer-aided annotation. It solves the problems of the inaccuracy of annotation by computer-aided as well as the low efficiency of annotation manually, and meet the needs of annotation for an enormous amount of forged videos in the research of video passive forensics.

Multimedia

Rob J Meijer

DOI: https://doi.org/10.13140/RG.2.2.35426.53440

2017-03-02

Abstract:In this dissertation the feasibility of creating a page-cache efficient storage- and messaging solution with integrity geared access control for a scalable forensic framework is researched. The Open Computer Forensics Architecture (OCFA),a lab-side scalable computer forensics framework, introduced the concept of a message passing concurrency based forensic framework. Since then, the amount of per-investigation data to be processed in a lab environment has continued to grow significantly while available RAM and CPU processing power combined with prohibitive cost and limited capacity of SSD solutions have shifted processing from being largely CPU constrained to being much more IO constrained. OCFA suffered from several page-cache-miss related performance issues that have grown more significant as a result of this shift. In the light of anti-forensics and general issues related to process integrity, OCFA did not leverage the power of its message passing based design to address integrity concerns. The main purpose of this dissertation is to analyze and evaluate a number of page-cache friendly technologies that could contribute to the creation of a computer forensics lab-geared scalable message-passing-concurrency based forensic framework with a significantly reduced quantity of page-cache-miss induced spurious IO operations, taking into account integrity related issues. Provenance logs from historic investigations conducted using the Open Computer Forensics Architecture were thoroughly analyzed in this study, during which several bottlenecks and design flaws in OCFA were identified. A number of strategies were devised to address these bottlenecks in future computer forensic frameworks. Finally, the most prominently page-cache related strategies were consolidated with access-control measures into a user-space file-system and low-level API prototype.

Cryptography and Security