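Abstract
In digital forensics, office documents are important evidentiary material. This paper summarizes experience in the forensic investigation of office documents, drawn from forensic practice. With the situation in China in mind, it gives a systematic introduction covering cache mechanisms, document metadata, traces of user operations on documents, data recovery of document files, and analysis methods based on building a timeline. It covers the various versions of two office suites, Microsoft Office and WPS, as well as mainstream operating systems such as Windows XP and Windows Vista/7/8. It addresses both offline forensics and live forensics, and introduces a range of related forensic tools.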
In the process of digital forensics, office docs are always regarded as an important source of evidence. In consideration of the situation in mainland China, this thesis summarizes methods of office docs forensics on the basis of practical forensics experience, introduced systematically from aspects such as the cache mechanism of office software, metadata of documents, user traces of document operations, the background document of the printer, and methods of office docs recovery. These methods differ according to the versions of Microsoft Office, WPS, and the operating system, all of which are covered in this thesis. Both offline forensics and live forensics are discussed, along with a brief introduction to related tools for computer forensics.
Source
《计算机科学》
CSCD
Peking University Core Journals (北大核心)
2014, Issue B10, pp. 95-99, 113 (6 pages in total)
Computer Science
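Funding
This work was supported by the Scientific Research Project of the Hubei Provincial Department of Education: Research on Key Technologies of Simulation-Based Computer Forensics in Cloud Computing Environments (B20128201); the Applied Innovation Project of the Ministry of Public Security: Research on a Multi-functional Cross-platform Electronic Forensics System (2013YYCXHB030); the Hubei Collaborative Innovation Center for Electronic Data Forensics (digital forensics technology); and a 2014 project of the Hubei Provincial Department of Education's "Twelfth Five-Year Plan" for Educational Science.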