基于Windows日志的电子证据获取与分析方法研究

doi:10.3969/j.issn.1000-436x.2012.z2.016

Abstract

Abstract:

In order to collect logs in real time,two methods to acquire Windows logs in real time were proposed respectively according to the two types of log file formats.Based on acquiring logs,an approach for correlating log files with atomic attack functions was proposed.After the correlation,atomic attack functions can be analyzed instead of log files,which can greatly decrease the time of analysis.A time based log correlation and event reconstruction method was proposed to reconstruct the computer criminal scenarios.Experimental results show that log evidences can be acquired and the crime process can be reconstructed effectively.

Key words: computer forensics, Windows logs, acquisition, analysis, event reconstruction

Xiao-mei DONG,Xu-dong LIU,Xiao-hua LI,Ya-jie FEI. Study on electronic evidence acquisition and analysis method over Windows logs[J]. Journal on Communications, 2012, 33(Z2): 125-134.

Figures/Tables 15

References 11

[1]	SAHOO R K , OLINER A J , RISH I ,et al. Critical event prediction for proactive management in large scale computer clusters[A]. Proceedings of KDD 2003[C]. Washington,DC,USA, 2003. 426-435.
[2]	FU S , XU C . Exploring event correlation for event prediction in coalitions of clusters[A]. Proceedings of the International Conference for High Performance Computing,Networking,Storage,and Analysis[C]. Reno,USA, 2007. 1-12.
[3]	FU S , XU C . Quantifying temporal and spatial correlation of failure events for proactive management[A]. Proceedings of 26th IEEE International Symposium on Reliable Distributed Systems (SRDS2007)[C]. Beijing,China, 2007. 175-184.
[4]	SALFNER F , TSCHIRPKE S . Error log processing for accurate event prediction[A]. Proceedings of the USENIX Workshop on the Analysis of System Logs(WASL)[C]. San Diego,USA, 2008.
[5]	LOU J G , FU Q , WANG Y ,et al. Mining dependency in distributed systems through unstructured logs analysis[J]. ACM SIGOPS Operating Systems Review archive, 2010,44(1): 91-96.
[6]	OLINER A , STEARLEY J . What supercomputers say:a study of five system logs[A]. Proceedings of the 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'07)[C]. Edinburgh,UK, 2007. 575-584.
[7]	ROUILLARD J P . Real-time log file analysis using the simple event correlator (SEC)[A]. Proceedings of LISA '04:Eighteenth Systems Administration Conference[C]. Atlanta,USA, 2004. 233-150.
[8]	TANG D , IYER R K . Analysis and modeling of correlated failures in multicomputer systems[J]. IEEE Transactions on Computers, 1992,41(5): 567-577.
[9]	OLINER A J , AIKEN A , STEARLEY J . Alert Detection in Logs[A]. Proceedings of Eighth IEEE International Conference on Data Mining (ICDM'08)[C]. Pisa,Italy, 2008. 959-964.
[10]	张有东, 曾庆凯, 王建东 . 网络协同取证计算研究[J]. 计算机学报, 2010,33(3): 504-513. ZHANG Y D , ZENG Q K , WANG J D . Studies of network coordinative forensics computing[J]. Chinese Journal of Computers, 2010,33(3): 504-513.
[11]	伏晓, 石进, 谢立 . 用于自动证据分析的层次化入侵场景重构方法[J]. 软件学报, 2011,22(5): 996-1008. FU X , SHI J , XIE L . Layered intrusion scenario reconstruction method for automated evidence analysis[J]. Journal of Software, 2011,22(5): 996-1008.

Metrics

Recommended 0

No Suggested Reading articles found!

记录头	事件描述	附加数据
日期、时间、主体标识、计算机名、事件编号、事件来源、事件等级、事件类别	事件所描述的内容，取决于该事件的名称、对事件的说明、事件产生的原因、对该事件提供的建议	可选数据区，通常包括能用十六进制方式显示的二进制数，具体内容由相应的应用程序的记录格式来决定

日志	日志文件默认位置
系统日志	%systemroot%\system32\config\SysEvent.evt
应用日志	%systemroot%\system32\config\AppEvent.evt
安全日志	%systemroot%\system32\config\SecEvent.evt
DNS日志	%systemroot%\system32\config
文件目录日志	%systemroot%\system32\config
FTP日志	%systemroot%\system32\logfiles\msftpsvc1\
WWW日志	%systemroot%\system32\logfiles\w3svc1\
防火墙日志	%systemroot%\
Scheduler服务日志	%systemroot%\schedlgu.txt
…	…

API	功能
EventLog.Exists	判断指定的日志是否存在
EventLog.clear	把事件日志中的所有项全部清除
EventLog.CreateEventSource	建立一个能够将事件写入到日志中的事件源
EventLog.WriteEntry	将有关事件记录写入日志
EventLog.SourceExists	判断是否存在某个事件源
EventLog.GetEventLogs	获取某一个事件的日志数组
…	…

方法	功能
FileSystemWatcher	对FileSystemWatcher类初始化为对指定目录的指定文件类型进行监控
OnChanged	引发Changed事件，即目录文件发生改变时调用该方法
OnRenamed	引发Renamed事件，当文件目录或者文件重命名时调用该方法
OnDeleted	引发Deleted事件，当文件目录或者文件发生被删除时调用该方法
WaitForChanged	返回包含有关所发生更改的特定信息的结构
…	…

攻击类别	提取的相关原子攻击功能
目标探测	Ping扫描、端口扫描、操作系统识别
隐藏踪迹	修改日志、文件隐藏
预留后门	远程控制、特洛伊木马
权限提升	缓冲区溢出、字符串格式化
权限获取	口令破解、会话劫持
…	…

Study on electronic evidence acquisition and analysis method over Windows logs

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 15

References 11

Related Articles 15

Metrics

Recommended 0

[1]	Xiaoni DU, Xiangyu WANG, Lifang LIANG, Kaibin LI. Quantum cryptanalysis of lightweight block cipher Piccolo [J]. Journal on Communications, 2023, 44(6): 175-182.
[2]	Zijing JIANG, Qun DING. Nove lincidence matrix differential power analysis for resisting ghost peak [J]. Journal on Communications, 2023, 44(4): 38-49.
[3]	Shaoyu DU. Improved integral attack——random linear distinguish and key recovery attack [J]. Journal on Communications, 2023, 44(4): 145-153.
[4]	Wei LI, Chun LIU, Dawu GU, Wenqian SUN, Jianning GAO, Mengyang QIN. Statistical ineffective fault analysis of the lightweight authenticated cipher algorithm Saturnin-Short [J]. Journal on Communications, 2023, 44(4): 167-175.
[5]	Haiyan KANG, Molan LONG. Research on network attack analysis method based on attack graph of absorbing Markov chain [J]. Journal on Communications, 2023, 44(2): 122-135.
[6]	Shuai LIU, Jie GUAN, Bin HU, Sudong MA. Differential analysis of lightweight cipher algorithm ACE based on MILP [J]. Journal on Communications, 2023, 44(1): 39-48.
[7]	Zhengbin LIU, Yongqiang LI, Chaoxi ZHU. Fast algorithm to search for the minimum number of active S-boxes of block cipher [J]. Journal on Communications, 2023, 44(1): 118-128.
[8]	Chao XIA, Yaqi LIU, Qingxiao GUAN, Xin JIN, Yanshuo ZHANG, Shengwei XU. Steganalysis of JPEG images using non-linear residuals [J]. Journal on Communications, 2023, 44(1): 142-152.
[9]	Bin WANG, Lu REN, Xiaofan WANG, Yajuan CAO. Cooperative coevolution algorithm with covariance analysis for differential evolution [J]. Journal on Communications, 2023, 44(1): 189-199.
[10]	Ao LI, Cong FENG, Yutong NIU, Shibiao XU, Yingtao ZHANG, Guanglu SUN. Multiview clustering method for view-unaligned data [J]. Journal on Communications, 2022, 43(7): 143-152.
[11]	Tao LENG, Lijun CAI, Aimin YU, Ziyuan ZHU, Jian’gang MA, Chaofei LI, Ruicheng NIU, Dan MENG. Review of threat discovery and forensic analysis based on system provenance graph [J]. Journal on Communications, 2022, 43(7): 172-188.
[12]	Zhengyu ZHU, Yu LIN, Zixuan WANG, Kexian GONG, Pengfei CHEN, Zhongyong WANG, Jing LIANG. Fast blind detection of short-wave frequency hopping signal based on MeanShift [J]. Journal on Communications, 2022, 43(6): 200-210.
[13]	Xiaodan WANG, Jingtai LI, Yafei SONG. DDAC: a feature extraction method for model of image steganalysis based on convolutional neural network [J]. Journal on Communications, 2022, 43(5): 68-81.
[14]	Xiaofeng FENG, Jianfeng XU, Chuan HE. Dynamic generalized principal component analysis with applications to fault subspace modeling [J]. Journal on Communications, 2022, 43(5): 92-101.
[15]	Xiayu XIANG, Jiahui WANG, Zirui WANG, Shaoming DUAN, Hezhong PAN, Rongfei ZHUANG, Peiyi HAN, Chuanyi LIU. Generate medical synthetic data based on generative adversarial network [J]. Journal on Communications, 2022, 43(3): 211-224.