National Digital Library of Theses and Dissertations in Taiwan


Detailed Record

Author: 葉廣傑
Author (English): Yeh, Kuang-Chieh
Title (Chinese): 主記憶體鑑識方法之研究
Title (English): Study on the Forensic Methods of Main Memory
Advisor: 朱惠中
Advisor (English): Chu, Huei-Chung
Committee Members: 朱惠中、周宣光、黃履州
Committee Members (English): Chu, Huei-Chung; Chou, Shrane Koung; Huang, Lu-Chou
Oral Defense Date: 2012-07-16
Degree: Master's
Institution: Huafan University (華梵大學)
Department: Master's Program, Department of Information Management
Discipline: Computer Science
Subdiscipline: General Computer Science
Thesis Type: Academic thesis
Publication Year: 2012
Graduation Academic Year: 100 (ROC calendar)
Language: Chinese
Pages: 82
Chinese Keywords: 數位鑑識、主記憶體鑑識
English Keywords: Digital Forensic; Main Memory Forensic
Abstract (translated from the Chinese):
With the advance of information technology and the spread of IT education, computer crime cases keep increasing. As the Internet flourishes, digital evidence is stored not only on non-volatile storage media but also on volatile storage media, and how to extract relevant digital evidence from volatile storage media (especially a computer's main memory) has become one of the main issues facing forensic examiners.
This study examines in depth the acquisition and analysis methods for digital evidence held in main memory under the Windows 7 operating system architecture, integrates related digital forensic tools to develop a tool that automatically acquires and analyzes digital evidence in main memory, and then verifies the tool's feasibility and effectiveness with case studies. The tool is intended to complement the functions of any single digital forensic tool and to reduce the operational steps forensic examiners perform when acquiring and analyzing main memory.

Abstract (English):
Along with the improvement of information technology and the popularization of IT education, cybercrime cases are also on the increase. As the Internet enjoys a booming development, digital evidence is stored not only in non-volatile storage but also in volatile storage. Consequently, it has become an important subject for forensic personnel to collect digital evidence from volatile storage media, especially the main memory of computers.
This study investigates in depth the methods of collecting and analyzing digital evidence in main memory based on the structure of the Windows 7 operating system. It also develops an automated tool for collecting and analyzing digital evidence in main memory by integrating the related digital forensic tools. Finally, the feasibility and effectiveness of the proposed tool are tested by case study. It is hoped to make up for the functional gaps of any single digital forensic tool and to reduce the operational procedures forensic personnel follow during evidence collection and analysis of main memory.
Abstract (Chinese) Ⅰ
ABSTRACT Ⅱ
Table of Contents Ⅲ
List of Tables Ⅴ
List of Figures Ⅵ
1. Introduction 1
1.1 Research Background 2
1.2 Motivation and Objectives 4
1.3 Research Framework and Methods 5
1.4 Scope and Limitations 6
2. Literature Review 9
2.1 Digital Forensics 9
2.1.1 Definition and Principles of Digital Forensics 10
2.1.2 Digital Forensics Procedure 12
2.2 Digital Evidence 13
2.2.1 Characteristics of Digital Evidence 13
2.2.2 Types of Digital Evidence 15
2.3 Volatile Digital Evidence 17
2.3.1 Characteristics of Volatile Digital Evidence 17
2.3.2 Storage Locations of Volatile Digital Evidence 19
2.4 Main Memory Forensic Methods 20
3. Research Methods and Tool Architecture 38
3.1 Main Memory Acquisition Method Used by the Research Tool 38
3.2 Main Memory Analysis Method Used by the Research Tool 39
3.3 Development of the Automated Main Memory Forensic Tool 41
4. Simulated Case Implementation 51
4.1 Case 1 51
4.1.1 Main Memory Forensics Implementation 51
4.2 Case 2 53
4.2.1 Main Memory Forensics Implementation 54
4.3 Analysis and Discussion 55
5. Conclusions and Future Work 63
5.1 Conclusions 63
5.2 Future Work 64
References 66
