Published in: 《信息网络安全》

Research on Methods of Analyzing User Activity Based on Registry Information in Memory

         

Abstract

As an important source of evidence and leads in computer crime investigation, user activity information plays an important role in revealing the details of an offender's operations. Specific registry keys in memory correspond to specific user activities. The structure of the registry in memory differs considerably from its structure on disk, especially in cell index translation. Based on a detailed analysis of the in-memory registry data structures, this paper focuses on the technique of cell index address translation, summarizes the registry keys closely related to user activity, and illustrates with a worked case the steps for analyzing user activity based on registry information in memory. Practice in digital forensics has shown the method to be accurate and efficient.
