Digital evidence obtaining system based on Linux environment

Abstract

The invention discloses a digital evidence obtaining system based on a Linux environment. The system is composed of a host operation trace investigation module, a network operation trace investigation module, a log information investigation module, a memory information investigation module and an evidence fixing module. The host operation trace investigation module comprises a basic operation investigation function and an application information investigation function. The network operation trace investigation module comprises the basic operation investigation function, a network cache investigation function and a network application state investigation function. The log information investigation module comprises a log file analysis and storage function and a keyword search module. The memory information investigation module dumps a memory through adoption of an fmem tool and realizes memory information investigation through combination of a system tool. The evidence fixing module carries out hash processing on an original evidence file and a processed database file. According to the system, workloads of an evidence obtaining investigator are effectively reduced, concepts of evidence obtaining tool engineering and evidence fixing are introduced, and an evidence obtainer is prevented from illegally modifying an evidence file.

Description

technical field [0001] The invention belongs to the field of digital forensics, relates to computer crime forensics under the Linux operating system, and specifically relates to a digital forensics system based on the Linux environment. technical background [0002] Digital forensics (computer crime forensics), also known as computer forensics, refers to the computer as a crime scene, the use of advanced identification technology, forensic dissection of computer crimes, search and confirmation of criminals and their criminal evidence, and based on this File a lawsuit. It is mainly to identify, preserve, collect, analyze and present electronic evidence, so as to reveal criminal acts or negligence related to digital products. Digital forensics technology applies computer investigation and analysis techniques to the determination and acquisition of potential and legally valid electronic evidence. They are also aimed at hackers and intrusions, and the purpose is to ensure the s...

AI Technical Summary

Problems solved by technology

[0004] At present, there are a small number of forensics tools available for Linux in the market, such as FTK, Volatility, etc., but most of them are transplanted from the Windows system and cannot be fully qualified for the forensics work in the Linux environment. It can be used to mirror and analyze the disk, and Volatility can only be used for the analysis of memory mirroring

In real life, evidence extraction in a single direction often cannot meet the support of judicial usability. At the same time, the use of these tools requires relatively high skills for operators. At the same time, it cannot guarantee that the extracted evidence is synchronized and effective. As a result, in the case of computer crimes against the Linux operating system, the forensics work is often unable to be carried out effectively, resulting in the lag of the forensics work or the serious loss of effective evidence.

At present, the biggest difficulty in digital forensics for the Linux operating system is: (1) whether the operating system itself provides readable digital evidence; (2) what digital evidence can be obtained from the Linux operating system; (3) where to obtain it from the system Digital evidence; (4) How to make the obtained digital evidence recognized by the law, that is, to ensure the judicial availability of digital evidence; (5) How to ensure that the extracted digital evidence is not maliciously modified by the forensic personnel; (6) How to reduce the forensics investigators Difficult to operate, yet able to carry out effective evidence collection

Images