Signature Based Detection of User Events for Post-mortem ...

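This article presents a new method for user event reconstruction, showing how signature-based analysis techniques can be generated and implemented to infer high-level user actions from low-level traces collected during a post-mortem examination of a system. Traditional digital forensic analysis and the inferences it produces are examined, and it is then shown that this natural process of inferring high-level events from low-level traces can be encoded using signature-matching techniques. As a proof of concept, simple signatures were created and applied for three popular Windows programs.
Summary generated by CSDN using intelligent technology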

Abstract:

This paper introduces a novel approach to user event reconstruction by showing the practicality of generating and implementing signature-based analysis methods to reconstruct high-level user actions from a collection of low-level traces found during a post-mortem forensic analysis of a system. Traditional forensic analysis and the inferences an investigator normally makes when given digital evidence are examined. It is then demonstrated that this natural process of inferring high-level events from low-level traces may be encoded using signature-matching techniques. Simple signatures using the defined method are created and applied for three popular Windows-based programs as a proof of concept.
