摘要： 恶意篡改文件的类型属性以掩盖文件真实结构达到诱骗用户访问、回避检测、隐藏数据等目的是计算机犯罪行为中最常用的手段。该文提出的一种基于统计特性识别文件类型的方法能有效识别被篡改的文件类型属性。依据同类型文件在多维空间中的统计特征值具有相似性的规律，给出了判断其相似性的基本假设，设计了基于欧几里德距离的球体模型及k-球体模型，同时根据文件统计特征值权重的加权欧几里德距离优化两种模型，解决了相似性判断的正确性和效率。

关键词: 计算机取证, 文件统计特征值, 球体模型, k-球体模型

Abstract: Malicious tampering with the type of document to conceal identity documents so as to entice users to visit real structure, avoiding detection and hiding data is the most common computer crime means. This paper presents a novel statistical method to identify document types, which recognizing effectively the attributes of the tampered document types. According to that the same type of documents are similar with the statistical features in multidimensional space, the basic assumption that judges this similarity is given, a model based on Euclidean distance spherical space toroidal model and k-spheroid space toroidal model are designed. Meanwhile, both models are optimized by the heavily weighted Euclidean distance based on the document statistics, and the correctness and efficiency of the similarities judgment are improved.

Key words: Computer forensics, Documentary statistical characteristic, Spherical space toroidal model, k-spheroid space toroidal model