Windows注册表取证分析技术研究

杭州电子科技大学硕士学位论文Windows注册表取证分析技术研究姓名：汤振华申请学位级别：硕士专业：计算机软件与理论指导教师：丁宏20091201IWindowsWindowsWindowsWindowsHiveWindowsWindows(1)Windows(2)HiveHiveHiveHiveN-Gram(3)(4)WindowsWindowsIIABSTRACTWiththedevelopingofcomputertechnologyandthewidespreadofcomputernetwork,computercrimebecomesmoreseriousanddoesgreatdamagetonationaleconomy.Combatingandpreventingcomputercrimehasbecomesathornyproblem.Undersuchsituation,computerforensiciscreatedandquicklydeveloped.Computerforensicsisacrosssubjectofcomputerandlaw,itmajorresearchesthathowtogetthevalide-evidencefromcomputersandrelatedequipmentsandprovidethemtothecourt.Windowssystemisoneofmostcomprehensiveoperationsystemintheworld;besidesthesecurityofWindowssystemstandsvariousaspectsoftrial.TheWindowsregistryisacoredatabasethatstoresconfigurationsettingsforoperationsystem,avarietyofhardwaredevices,andapplications.Theregistryalsocontainsalotofevidences,soitbecomesimportantclueandevidencesourceofcommitcomputercrimes.Windowsregistryforensicsconfrontstheprimaryproblem:howtorecoverytheregistryHivefromdiskimage,andhowtovalidstoreandanalysisamassofregistrydata.ThisdissertationpresentsaWindowsregistryforensicanalysisprocessmodelthroughcombiningwiththegeneralmodelofcomputerforensic,itdividestheforensicprocedureintothreephases:evidencecollection,evidenceanalysisandevidencepresentation.Thisstudyalsoaimsatdiscussingthekeytechnologiesinthedigitalinvestigation.Thehighlightsofthispaperareasfollows:(1)Topresentaprocessmodelforregistryforensic.Thismodelhelpstheinvestigatortoobtainandanalyzeevidencesystematically,andgreatlyreducethetimespentonmanualoperations.(2)RecoveryofHivefiles.UsuallytheHivefilesarefragmented,butthecommonrecoverysoftwarecan’tcarvesuchfragmentedfilesefficiently.FirstlythispaperanalysestheinternalstructureofHivefileandinvestigatesthesituationofHivefragment,andpresentsthemethodcombiningN-gramwiththeinternalstructuretohelptorecoverytheHivefilessuccessfully.Thismethodhashighpracticalityandaccuracy.(3)Usethecorrelationbetweentheregistrydatatocompressandstoretheregistrydata.Becauseoftheredundanciesofregistrydata,itisneededtocompresssuchdata.Compresseddatawillnotbeaffectedtheefficiencyofquery.(4)Createthedatabasetostoreregistrydata.Correlationanalysisandkeywordsearchtoenhancetheefficiencyofevidenceanalysis.IIIThisstudyaboutWindowsregistryevidencebasedforensicstechnologynotonlyprovidesystematicforensicmodel,reducethehumaneffortintraditionalforensicprocess,butalsoenhancethepersuasivenessofevidencebasedonthecorrelationanalysisofdifferentevidence.Themostimportant,thisstudydiscussespotentialkeytechnologiesindifferentforensicphases,andthenstrengththerealityandflexibilityofWindowsregistryforensicmodel.Keywords:ComputerForensic,Registry,FileRecovery,Computercrime111.12009129McAfee1[1]NetApplicationsWindows2009289.37%[2]20097CNZZ[3]WindowsXP94%WindowsVista4%Windows70.25%WindowsWindowsDoSDDosWindows1.1.1[4](1)(2)(3)21.1.2[5](1)(2)WindowsWindowsWindowsWindows()3[6]Windows1.2WindowsWindowsHive(1)(2)WindowsHive(3)(4)Windows1.3WindowsWindowsHiveWindowsHive422.13[7](1)(2)(3)(4)(5)Hash[8]SlackBit2.152.1WindowsWindowsWinHexWindowsddimgWinHexwhxHDCloneCD/DVDµnOSWindowsHDCloneCD/DVD6NetBIOSARPMD5HiveHivemRegistry[9]XMLWordPDF2.21984FBICART[10]1991InternationalAssociationofComputerSpecialists[11]199832[12]DigitalComputerEvidenceDigitalAudioandVideoEvidence(1)Encase[13]GuidanceWindowsLinuxMACOS(2)ForensicToolkitFTK[14]DataTexEngineeringWindowsFTKFTKFTK7(3)WinHex[15]X-WaysWindows16IT(4)FlightServer[16]VogonMacUnix(5)EasyRecovery[17]OntrackE-mail4192004HarlanCarvey[18]Windows2006P.Craiger[19]2007RichMurpheyWindows[20][21]2001IOCEInternationalOrganizationonComputerEvidence[22]SWGDE[23]IOCEDFRWSDigitalForensicsResearchWorkshopNickMikus[24]2005JPEGPDFHTMLForemostSimsonL.Garfinkel[25]2007Hive[26]2004[27]20098ChinaComputerForensicsConference[28]2002[29]2003[30]2005[31]2.3WindowsMicrosoftWindows98WindowsCEWindowsNTWindows2000WindowsWindows3.xMS-DOSAutoexec.batConfig.sysini[32]WindowsWindowsWindowsWindows2005HarlanCarvey[33]2006VivienneMee[34]2007TimothyMorgan[35]HiveHiveHive2008JolantaThomassen[36]2008BrendanDolan-Gavitt[37]WindowsHive1999RussinovichWindowsNT9[38]JolantaThomassenHiveHive2006[39]2.4RegRipper[40]HarlanCarveyPerlHiveRegLookup[41]TimothyMorganCLinuxWindowsNTHiveRegLookup-recoverHiveWindowsRegistryRecovery[42]WindowsHiveRegedit.exeRegedt32.exe256Regedit.exe[43]HiveEncaseFTKWindowsHiveWindowsEasyRecoveryForemost[44]Scalpel[45]falsepositivesHiveHiveHiveHiveHiveHiveHive10FBI200380G2006250G[46]WindowsEncaseWindows113Windows3.1Windows9x/MEWindowsCEWindowsNT/2000/XP/2003Windows3.xMS-DOSiniautoexec.batconfig.sysWindowsXP3.1.1Windowsregedit.exeWindowsXPHKEY_LOCAL_MACHINEHKLMHKEY_USERSHKUWindowsXPHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_LOCAL_MACHINEHKEY_CURRENT_USERHKCUHKEY_USERS[47]3.1“”“”3.1HKEY_CLASSES_ROOTHKLM\SOFTWARE\ClassesHKCU\Software\ClassesHKEY_CURRENT_USERHKU/SIDSIDSIDHKEY_CURRENT_CONFIGHKLM\SYSTEM\CurrentControlSet\HardwareProfiles\CurrentHKEY_USERS.DEFAULTSIDSID_CLASSESHKEY_LOCAL_MACHINEHA