大数据环境下电子证据采集:一个二维采集框架

Digital Evidence Collection in the Context of Big Data: A Twodimensional Acquisition Framework

电子证据采集是电子取证的关键步骤,关系到取证的效率和结果。传统的电子证据采集方法为电子取证的蓬勃发展奠定了基础,然而,大数据时代的到来给电子证据采集带来了新的问题和挑战。本文从大数据的内在特质出发,剖析电子证据采集当下面临的主要问题:证据数量庞大,证据来源多样,证据类型复杂,证据一致性难于保持,证据内在关联关系薄弱,采集无效数据过多等。鉴于此,本文提出了一个二维电子证据采集框架。该框架首先利用案例推理(Case-based Reasoning,CBR)对待采集的电子证据定位,以过往类似案例为经验,限定电子证据采集的位置;然后通过基于本体(Ontology)的专家知识库,借助本体描述,解决证据源多样问题,借助知识库推理机,挖掘出证据间关联关系,同时划定电子证据采集的内容。二者结合,从电子证据采集的位置和内容双重维度,最大程度地剔除了无关数据,提高了采集效率,减少了采集时间,避免了证据冲突,为电子取证后续工作的开展提供了高效、可靠的分析基础。

Digital evidence collection(DEC)is one of the most important steps for digital forensics,affecting the efficiency and final investigation results of the involved cases.Traditionally,DEC lays the foundation upon the emerging technologies of digital forensics.However,Big Data context brings new challenges to DEC because of the large quantity of evidence,diversity of evidence sources,complex evidence types,inconsistent evidence,poor internal relations among evidences and overmuch invalid data.Hence,this paper presents a two-dimensional framework for DEC.Firstly,the framework reuses the known experience from already-solved cases to orient the digital evidence with case-based reasoning approach.Secondly,with the assistance of the expertise knowledgebase built from ontology,the diverse evidence sources can be settled.Helped with the inference engine from the knowledgebase,the inner-relationship can be dug out among various evidence and delimit the evidence’content for collection.By combination of the two dimensions– the orientation and the content for DEC,the invalid data can be eliminated,the efficiency improved and the conflict avoided among evidence,thus providing an efficiency-high and solid analytic basis for the follow-up task.