Liang Hu,Kuo Tang,Guangkun Shi, Nurbol,Kuo Zhao

DOI: https://doi.org/10.1109/ICICTA.2009.729

2009-01-01

Abstract:With the increasing development of information technology, the computer crime problem is getting even serious. However traditional computer forensic that employs the static investigation after security events has inherent limitations. The authenticity, effectiveness and timeliness of the evidence are difficult to meet real needs. In order to solve the existing problems which static forensics technology has, this paper presents the design and implementation of DDCFS: a distributed dynamic computer forensics system based on network. Comparing with the traditional tools of the forensic system, it employs the work of gathering evidences of criminal actions before they occur or just they are ongoing, which avoid the evidence chain lose caused by traditional static forensic. It can improve the efficiency of the work of gathering evidences; enhance data integrity and timeliness of evidences. This paper describes the architecture, function and forensic procedure of DDCFS, and the implementation of the core module.

XU Xiao-qin,GONG Jian,ZHOU Peng

DOI: https://doi.org/10.3969/j.issn.1673-629x.2005.05.046

2005-01-01

Abstract:With the development of Web,the quantities of computer crimes are increasing and computer forensics is becoming more and more important.Computer forensics is divided into post-event investigation and real-time investigation.In the early days,network security tools were used in network forensics.But it is limited and the data that they produced can't be regarded as the evidence in the legal meaning.Network forensics system has made up these deficiencies in real-time investigation.It involves capturing,recording,analyzing and reconstructing network audit trails.The paper discusses the network forensics system and a detailed comparison has been made to these tools.

Lin Chen,Zhitang Li,Cuixia Gao,Yingshu Liu

DOI: https://doi.org/10.1109/CIT.2009.108

2009-01-01

Abstract:As an important part of computer forensics, network forensics particularly places emphasis on dynamic network information collection and proactive defense. Most forensics systems based on intrusion detection or honeypot rarely emphasize the availability of actual servers. In addition, few of them discussed the occasion of dynamic forensics particularly. The work presented in this paper is based on an idea to assist dynamic forensics with intrusion tolerance and deception technology to enhance the availability of server system and gather more useful evidences on a proper occasion. A mechanism of dynamic forensics based on intrusion forensics is proposed and is modeled with finite state machine. The workflow is described. A semi Markov process based on the embedded Markov chain of the states transition model is built and described. Finally, the forensics capability and server availability are analysis. According to the numerical analysis result, the security performance and forensics capability of the forensics system are enhanced to a certain degree.

陈琳,李之棠,高翠霞

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.11.015

2009-01-01

Computer Science

Abstract:With the development of intrusion and computer crime technologies,dynamic forensics is becoming more and more important.Dynamic forensics based on intrusion detection and honeypot technologies has great advantage in real-time performance,whereas these methods are defective in overcoming the difficulty of evidence and system reliability,and hard to seize the opportunity of investigation.A self-adaptive mechanwasm was proposed which used intrusion detection system as forensics trigger and shadow honeypot was used to verify the suspicious attack,observe and analyze the attack activities further more to gather key evidences.And then the finite state machine model of this mechanism was illuminated and key technologies such as shadow honeypot,state transition opportunity and evidence security storage method were described.The dynamic forensics system with this mechanism can tolerate intrusion in a certain degree and get the investigation process under control.Moreover,the amount of unnecessary evidences can be reduced obviously.

Liu Jianjun,Chen Guangxuan

DOI: https://doi.org/10.3969/j.issn.1009-6833.2013.05.004

2013-01-01

Abstract:With the emergence of a large number of criminal cases involving digital evidence,its value rising.but the understanding of digital evidence is not clear,not uniform.digital forensic is a very strong discipline closed to legal practice,the development of its system depends on many applications of computer,at the same time must meet the requirements of legal system itself,and be able to deal with all kinds of complicated case.This paper combed through the hierarchical structure of digital forensics technology,to collect evidence is explored on the whole,and a detailed analysis of the various elements of electronic evidence.

Tala Tafazzoli,Elham Salahi,Hossein Gharaee

DOI: https://doi.org/10.48550/arXiv.1508.01890

2015-08-08

Cryptography and Security

Abstract:Cybercrime is increasing at a faster pace and sometimes causes billions of dollars of business- losses so investigating attackers after commitment is of utmost importance and become one of the main concerns of network managers. Network forensics as the process of Collecting, identifying, extracting and analyzing data and systematically monitoring traffic of network is one of the main requirements in detection and tracking of criminals. In this paper, we propose an architecture for network forensic system. Our proposed architecture consists of five main components: collection and indexing, database management, analysis component, SOC communication component and the database. The main difference between our proposed architecture and other systems is in analysis component. This component is composed of four parts: Analysis and investigation subsystem, Reporting subsystem, Alert and visualization subsystem and the malware analysis subsystem. The most important differentiating factors of the proposed system with existing systems are: clustering and ranking of malware, dynamic analysis of malware, collecting and analysis of network flows and anomalous behaviour analysis.

Tian Zhihong,Jiang Wei,Li Yang,Dong Lan

DOI: https://doi.org/10.1109/CC.2014.6880464

2014-01-01

Abstract:Network intrusion forensics is an important extension to present security infrastructure, and is becoming the focus of forensics research field. However, comparison with sophisticated multi-stage attacks and volume of sensor data, current practices in network forensic analysis are to manually examine, an error prone, labor-intensive and time consuming process. To solve these problems, in this paper we propose a digital evidence fusion method for network forensics with Dempster-Shafer theory that can detect efficiently computer crime in networked environments, and fuse digital evidence from different sources such as hosts and sub-networks automatically. In the end, we evaluate the method on well-known KDD Cup 1999 dataset. The results prove our method is very effective for real-time network forensics, and can provide comprehensible messages for a forensic investigators.

W Ren,H Jin

DOI: https://doi.org/10.1109/aina.2005.164

2005-01-01

Abstract:Network forensics is a new approach for the network security, because the firewall and IDS cannot always stop and discover the misuse in the network. Once the system is compromised, the forensics and investigation always after the attacks and lose some useful instant evidence. The integrated analysis of the log and audit system and network traffic can lead to an efficient navigation of the traffic. The current network forensics approaches only focus on the network traffic capture and traffic replay, which always result in the performance bottleneck or forensics analysis difficulties. However, the adaptive capture without lose the potential sensitive traffic and real time investigation are seldom discussed. In this paper, we discuss the frameworks of distributed agent-based real time network intrusion forensics system, which is deployed in local area network environment. Some novel approaches for network forensics are discussed for the first time, such as network forensics server, network forensics database, network forensics agents, forensics data integration and active real time network forensic.

Tian Zhihong,Jiang Wei,Li Yang

DOI: https://doi.org/10.1109/cc.2015.7084411

2015-01-01

Abstract:Network forensics is a security infrastructure, and becomes the research focus of forensic investigation. However many challenges still exist in conducting network forensics: network has produced large amounts of data; the comprehensibility of evidence extracting from collected data; the efficiency of evidence analysis methods, etc. To solve these problems, in this paper we develop a network intrusion forensics system based on transductive scheme that can detect and analyze efficiently computer crime in networked environments, and extract digital evidence automatically. At the end of the paper, we evaluate our method on a series of experiments on KDD Cup 1999 dataset. The results demonstrate that our methods are actually effective for real-time network forensics, and can provide comprehensible aid for a forensic expert.

Yao Wei,Sha Jing,Cai Liming,Jin Bo

2010-01-01

Abstract:Since the usual procedure of electronic media forensic is too complicated and lack of efficiency,this paper suggests to design and implement a platform for digital forensics.The platform is a combination of data mirroring,identification and analysis of digital evidence and case management.The HD duplicator can preserve mirror of multiple electronic media at one time and write them into RAID by high-speed storage area network(SAN).With these mirroring files hosted in SAN,the workstation of identification can realize data recovery,data identification,and virtual media analysis.Meanwhile,we can also effectively manage the computer forensic cases.The system is proved to be good utility which can rapidly improve the level of automation and work efficiency for digital forensics.

LIU Zai-Qiang,LIN Dong-Dai,FENG Deng-Guo

DOI: https://doi.org/10.1360/jos182635

2007-01-01

Journal of Software

Abstract:Network forensics is an important extension to present security infrastructure,and is becoming the research focus of forensic investigators and network security researchers.However many challenges still exist in conducting network forensics:The sheer amount of data generated by the network;the comprehensibility of evidences extracted from collected data;the efficiency of evidence analysis methods,etc.Against above challenges,by taking the advantage of both the great learning capability and the comprehensibility of the analyzed results of decision tree technology and fuzzy logic,the researcher develops a fuzzy decision tree based network forensics system to aid an investigator in analyzing computer crime in network environments and automatically extract digital evidence.At the end of the paper,the experimental comparison results between our proposed method and other popular methods are presented.Experimental results show that the system can classify most kinds of events (91.16% correct classification rate on average),provide analyzed and comprehensible information for a forensic expert and automate or semi-automate the process of forensic analysis.

Zhou Jie,Wu Jiangjiang,Wang Zhiying,Ren Jiangchun

DOI: https://doi.org/10.1109/anthology.2013.6784874

2013-01-01

Abstract:With the rapid development of information technology, computer crimes become very serious. However, traditional computer forensic has inherent limitations. Any modification, edit, removal, or cover, whether are caused by external force or human factors of electronic evidence, are difficult to distinguish technically. To solve these problems, we have implemented a computer forensic system based on multi-leveled marks mining to mine the marks as wide as possible, as soon as possible, and to fix evidence information supporting anti-repudiation. This paper describes the architecture and key technology of the computer forensic system in detail, as well as system implementation and experimental analysis.

黄艳,方勇,蒋磊,刘亮

DOI: https://doi.org/10.3969/j.issn.1009-8054.2012.07.075

2012-01-01

Abstract:In order to achieve a security system of in-advance defense, in-progress detection, and afterward extraction of the trace, an overall design framework of security protection in combination of dynamic hybrid honeypot and real-time computer trace extraction is proposed, and the security policies are continuously optimized by audit module. Meanwhile, by the agent of trace extraction and network data collector, the evidences are collected in real time, and the collected data is sent to the server and analyzer for the extraction of crime evidence.

赵倩,曹天杰,耿涛

DOI: https://doi.org/10.3969/j.issn.1671-0428.2008.08.020

IF: 5.105

2008-01-01

Computers & Security

Abstract:With the development of information technology, more and more computer crimes occur. It has been the focus that people pay attention to how to use computer forensics collect electronic evidence to punish the crime. The paper mainly introduced the concept, principle and process of computer forensics, also introduced some common tools especially Encase.

Lin Chen,Zhitang Li,Cuixia Gao,Lan Liu

DOI: https://doi.org/10.1109/ispa.2009.66

2009-01-01

Abstract:With the development of intrusion technologies, dynamic forensics is becoming more and more important. Dynamic forensics using IDS or honeypot are all based on a common hypothesis that the system is still in a reliable working situation and collected evidences are believable even if the system is suffered from intrusion. In fact, the system has already transferred into an insecurity and unreliable state, it is uncertain that whether the intrusion detectors and investigators could run as normal and whether the obtained evidences are credible. Although intrusion tolerance has been applied in many areas of security for years, few researches are referred to network forensics. The work presented in this paper is based on an idea to integrate Intrusion tolerance into dynamic forensics to make the system under control, ensure the reliability of evidences and aim to gather more useful evidences for investigation. A mechanism of dynamic forensics based on intrusion forensics is proposed. This paper introduces the architecture of the model which uses IDS as tolerance and forensics trigger and honeypot as shadow server, the finite state machine model is described to specify the mechanism, and then two cases are analyzed to illuminate the mechanism.

CHEN Zuyi,GONG Jian,XU Xiaoqin

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.05.056

2005-01-01

Abstract:This paper introduces the state-of-art of computer forensics toolkits with the evidence collecting tools being emphasized. These tools are compared, and their development trends are prospected.

Qin-Ying Lin,Xiao-Lin Gui,De-Qin Shi,Xiao-Ping Wang

2015-01-01

Abstract:"Security, controllability, high efficiency" are becoming the increasingly significant issue on the development of the network. Study on security defending method in the intranet is becoming more and more popular currently. In this paper, a key resources forensics -based network security surveillance system are designed, implemented and tested The results show that this system has such advantages as requesting less system resource, easy to control and excellent expansibility. It has a very good future to be applied in government, business, military and other confidential agency.

Yadong,Qing Li,Donghui,Weihao Hu,Yuqi,Zhun Fan,Xindong,Kan Wu

2014-01-01

Abstract:Cyber-crimes are growing rapidly,so it is important to obtain the digital evidence on the web page.Usually,people can examine the browser history on the client side and data files on the server side,but both of them have shortcomings in real criminal investigation.To overcome the weakness,this paper designs a web page forensic scheme to snapshot the pages from web servers with the help of web spider.Also,it designs several steps to improve the trustworthiness of these pages.All the pages will be dumped in local database which can be presented as reliable evidence on the court.

LIN Guo-yuan,HUANG Hao

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.27.042

2006-01-01

Abstract:In this article,we analyze the condition of computer forensics and point out dynamic forensics is its trend. After reasoning the feasibility of adopting IDS into dynamic forensics,a dynamic forensics system model is presented and expounded in detail.Since it is the combo of IDS and justice parsing technique,it will be instructive for the dynamic forensics of computer crime.

Wen Hui,Hao Yin,Chuang Lin

DOI: https://doi.org/10.1145/1631081.1631089

2009-01-01

Abstract:ABSTRACTIncreasing amount of illegal videos transmitted via Internet has aroused the need to develop digital video forensic systems for deterring and prosecuting digital crimes. Thus in this paper, we propose a digital forensics service platform for online videos, with the goal of revealing illegal videos and preventing them from spreading over the Internet. Different from previous systems, it a) detects more types of digital crimes; b) processes an enormous amount of video data in real time; c) pays more attention to end-user experience. For capturing legal evidence, a special technique - video fingerprinting - is employed. We present a hybrid fingerprint and improve the related algorithms in important ways. To solve dynamic resource scheduling and load balancing problems, the platform is built upon Content Distribution Networks (CDNs). As far as we know, the proposed platform is the first large-scale digital forensics service platform for online videos. It has been deployed and used in practice for detecting thousands of videos under the real web environment. The results of performance evaluation using data obtained from these real-world deployments demonstrate the feasibility of the platform.