Journal article

Research on File Time Clue Analysis Based on Windows System
Abstract: When a user operates on a file, the system retains traces of the operation, and the time clues among those traces are a great help in reconstructing the order in which the actions under investigation took place. Timestamps are kept in several places: the file's $MFT attributes, NTFS journal metadata and the operating system's security event log. Taking Windows 10 as the example, the paper analyses the two timestamp-bearing $MFT attributes, type 0x10 ($STANDARD_INFORMATION) and type 0x30 ($FILE_NAME); combines them with the NTFS $LogFile and $UsnJrnl metadata and with the security events recorded in Security.evtx; works out how these time clues are stored and organised; and studies the relationships between the different kinds of clue. Using case examples, it proposes a technical method for analysing file time clues during criminal investigation and evidence collection that preserves the authenticity and relevance of the evidence, helping public security organs quickly and accurately pin down a suspect's pattern of behaviour and the time at which it occurred.
Author: 秦志红 QIN Zhihong (Department of Cyber Security, Henan Police College, Zhengzhou 450005, China)
Source: 《中国人民公安大学学报(自然科学版)》 Journal of People's Public Security University of China (Science and Technology), 2022, No. 3, pp. 93-99 (7 pages)
Funding: Henan Police College 2021 research project (HNJY-2021-50).
Keywords: file operation; $MFT timestamp; NTFS metadata; security event logs
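The abstract's central step, reading the $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30) timestamps out of an $MFT record and comparing them, is shown below as an added example. It is not code from the paper; it parses a constructed 1024-byte FILE record (the record number, file name and times are invented), applies the update-sequence fixups that real records carry, converts FILETIME values to UTC, and flags two common backdating indicators: a $SI creation time older than the $FN creation time, and $SI timestamps with a zero sub-second component. As the paper argues, these are indicators to be corroborated with $LogFile, $UsnJrnl and Security.evtx, not proof on their own.

```python
"""Extract the 0x10 ($STANDARD_INFORMATION) and 0x30 ($FILE_NAME) timestamps
from an NTFS $MFT record and flag inconsistencies between them. The sample
record below is constructed; the layouts follow the NTFS on-disk format."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
RECORD_SIZE, SECTOR_SIZE = 1024, 512
MACB = ("created", "modified", "mft_modified", "accessed")  # on-disk order


def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)  # 100-ns ticks since 1601


def dt_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def apply_fixups(raw):
    """NTFS stores the last 2 bytes of each sector in the update sequence array
    and overwrites them with the USN; undo that before reading attributes."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR_SIZE
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write?)" % i)
        fix = usa_off + 2 + 2 * i
        rec[end - 2:end] = rec[fix:fix + 2]
    return bytes(rec)


def parse_mft_record(raw):
    """Return the record number, the $SI timestamps and every $FN attribute."""
    if raw[:4] != b"FILE":
        raise ValueError("not an $MFT FILE record")
    rec = apply_fixups(raw)
    off = struct.unpack_from("<H", rec, 0x14)[0]  # offset of first attribute
    out = {"record_no": struct.unpack_from("<I", rec, 0x2C)[0], "si": None, "fn": []}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:  # resident attribute (0x10 and 0x30 always are)
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                out["si"] = dict(zip(MACB, struct.unpack_from("<4Q", body, 0)))
            elif atype == ATTR_FILE_NAME:
                times = struct.unpack_from("<4Q", body, 8)
                name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
                out["fn"].append({"name": name, "namespace": body[0x41], **dict(zip(MACB, times))})
        off += alen
    return out


def check_timestamps(rec):
    """Indicators only: corroborate with $LogFile, $UsnJrnl and Security.evtx."""
    findings, si = [], rec["si"]
    for key, ft in si.items():
        # SetFileTime-style tampering often leaves whole seconds; so do copies
        # from FAT media or archive extraction, hence the corroboration step.
        if ft % 10_000_000 == 0:
            findings.append("$SI %s has zero sub-second ticks" % key)
    for fn in rec["fn"]:
        # $FN is kernel-maintained and not reachable through SetFileTime, so a
        # $SI creation time older than $FN's points to backdating.
        if si["created"] < fn["created"]:
            findings.append("$SI created predates $FN created for %r" % fn["name"])
    return findings


def _resident_attr(atype, body, attr_id):
    total = (0x18 + len(body) + 7) & ~7  # attribute lengths are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, attr_id, len(body), 0x18, 0, 0)
    return hdr + body + b"\0" * (total - 0x18 - len(body))


def build_sample_record():
    """Constructed record (not from a real volume): $SI creation pushed back to
    2015-01-01 00:00:00.000 while $FN still holds the real 2022 creation time."""
    real = dt_to_filetime(datetime(2022, 3, 14, 9, 27, 31, tzinfo=timezone.utc)) + 1234567
    stomped = dt_to_filetime(datetime(2015, 1, 1, tzinfo=timezone.utc))
    si = struct.pack("<4QIIIIIIQQ", stomped, real + 50_000_000, real + 50_000_000,
                     real + 50_000_000, 0x20, 0, 0, 0, 0, 0x100, 0, 0)
    name = "notes.txt".encode("utf-16-le")
    fn = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), real, real, real, real,
                     4096, 2570, 0x20, 0, len(name) // 2, 3) + name
    attrs = (_resident_attr(ATTR_STANDARD_INFORMATION, si, 0) + _resident_attr(ATTR_FILE_NAME, fn, 1)
             + struct.pack("<I", ATTR_END) + b"\0" * 4)
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0x1234, 1, 1,
                      first_attr, 1, first_attr + len(attrs), RECORD_SIZE, 0, 2, 0, 42)
    rec = bytearray(hdr + b"\0" * (first_attr - len(hdr)) + attrs)
    rec += b"\0" * (RECORD_SIZE - len(rec))
    usn = b"\x07\x00"  # write the fixups the way NTFS does when flushing the record
    rec[usa_off:usa_off + 2] = usn
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR_SIZE
        rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


if __name__ == "__main__":
    record = parse_mft_record(build_sample_record())
    for key in MACB:
        print("%-13s $SI %s  $FN %s" % (key, filetime_to_dt(record["si"][key]).isoformat(),
                                         filetime_to_dt(record["fn"][0][key]).isoformat()))
    for finding in check_timestamps(record):
        print("!", finding)
```

On a real image, `parse_mft_record` is fed 1024-byte slices of the extracted $MFT; the fixup check will reject records that were torn mid-write, which is itself worth noting in the timeline rather than silently skipping.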