    Abstract:

    In this paper, a secure operating system with a real-time forensics mechanism, called SeFOS, is presented. The general architecture of SeFOS is described, the model of its forensics behaviour is analyzed using formal-method descriptions, and a method for completely collecting and safely storing digital evidence is presented. The forensics model of SeFOS resides inside the kernel, and evidence is obtained from system processes, system calls, resource assignment inside the kernel, and network data. Finally, a simulated experiment is designed to validate the efficiency of SeFOS.

Get Citation

Ding LP, Zhou BW, Wang YJ. Digital evidence acquisition and storage based on a secure operating system. Journal of Software, 2007, 18(7): 1715-1729.
Article Metrics
  • Abstract: 4725
  • PDF: 6446
  • HTML: 0
  • Cited by: 0
History
  • Received: February 24, 2006
  • Revised: June 07, 2006
Copyright: Institute of Software, Chinese Academy of Sciences