Editor: Gu Yifei (顾逸斐)