CN106385358A - Method for checking and evidence collection aiming at E-mail data packet - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
- H04L51/42—Mailbox-related aspects, e.g. synchronisation of mailboxes
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L63/308—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information retaining data, e.g. retaining successful, unsuccessful communication attempts, internet access, or e-mail, internet telephony, intercept related information or call content
Abstract
The present invention discloses a method for inspecting and collecting evidence from e-mail data packets. The method comprises the following steps: S1: capturing the e-mail data packets with a general-purpose packet capture tool; S2: performing TCP protocol analysis and constructing logical session data packets; S3: capturing and splicing the e-mail data packets; and S4: parsing the e-mail data packets. The method can parse data packets of the three common e-mail protocols POP3, IMAP and SMTP, has high compatibility, and can obtain the full content of e-mail sent from the intranet, so that losses caused by sending internal confidential files by e-mail can be effectively prevented and tracked.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a method for inspecting and collecting evidence from e-mail data packets.
Background technology
In enterprises or organizations with higher security requirements, supervision of content transmitted over the Internet is a highly important secrecy measure. At the same time, managing how internal staff use Internet services is one of the major tasks of internal control in an enterprise or organization. The approaches currently used are to completely prevent secrecy-involved equipment from connecting to the network and from accepting removable storage devices; the products of some enterprises can only record and filter by blocking instant-messaging software or by inspecting the content of the websites accessed.
E-mail is one of the more widely used Internet communication means, but surveying current products and technologies, none of them monitors e-mail; they only disconnect the relevant computer or restrict mail transmission. This not only makes workflows more complex and to a large extent affects the normal work of those who need to send and receive e-mail, but also leaves unresolved the need to inspect and monitor e-mail inside the private network. None of the existing products can meet the need for e-mail management, control and inspection within an internal network.
Content of the invention
In view of the defects of the prior art, the present invention provides a method for inspecting and collecting evidence from e-mail data packets, which can effectively solve the problems of the prior art described above.
Compared with the prior art, the advantages of the present invention are that it can parse data packets of the three common mail protocols POP3, IMAP and SMTP, has high compatibility, obtains the full content of e-mail sent in the intranet, and effectively prevents and tracks losses caused by sending internal confidential files by e-mail.
Specific embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below by way of embodiments.
A method for inspecting and collecting evidence from e-mail data packets comprises the following steps:
S1: capture the e-mail data packets with a general-purpose packet capture tool;
S2: analyse the TCP protocol and construct logical session data packets;
S3: capture and splice the mail data packets;
S4: parse the mail data packets.
The detailed steps of S1 are as follows:
S11: capture the mail network packets using Wireshark or any other packet capture tool;
S12: filter the captured packets according to port:
If the peer's service port is port 25, arrange the resulting packets in session form as the SMTP protocol packets to be parsed;
If the peer's service port is port 110, arrange the resulting packets in session form as the POP3 protocol packets to be parsed;
If the peer's service port is port 143, arrange the resulting packets in session form as the IMAP protocol packets to be parsed.
The detailed steps of S2 are as follows:
S21: classify and order the packets by session token.
The foremost part of a TCP packet is its header description section, which consists of three regions: the MAC header, the IPv4 header and the TCP header. First skip the fixed-length 14-byte MAC header; the 15th byte then holds the version and the length of the IPv4 header.
For example, if the 15th byte is the hexadecimal value 45, the 4 indicates that the protocol in use is IP version 4 and the 5 indicates that the IPv4 header is 5*4 = 20 bytes long.
From the IPv4 header length obtained here, the position of the TCP header follows. In the TCP header region there are two parameters, SEQ and ACK, located at bytes 5 to 8 and bytes 9 to 11 of the header respectively.
The SEQ and ACK parameters are in fact long numbers used to identify the session. If the ACK of another packet equals the SEQ of the current packet, the two packets can be confirmed to belong to the same session, and within a session the packets are sorted in ascending SEQ order.
In this way the numerous packets of a TCP communication can be organized into sessions.
S22: order the session logically according to the IPv4 sequence number in the packets.
Within one session there may be many packets in one direction, and each packet has a fixed order, but the capture order is not necessarily the same; therefore the order of the one-way packets in the session must be arranged so that mail data can be spliced, or communication data monitored, later.
Every TCP packet carries a unique sequence number in its IPv4 header: the 2-byte value starting at the 5th byte of the IPv4 header region, interpreted as an integer.
For example, if this 2-byte value is "62EB", the packet is number 25323 in the one-way sequence of the session.
This sequence number increases monotonically within a session, by 1 each time. Arranging the packets in ascending order of this sequence number gives the logical order of the packets in one direction of the session.
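The header walk and ordering of S21 and S22, as an added Python example that is not part of the patent: it reads the IPv4 header length from the 15th byte, the 2-byte identification field at IPv4 byte 5 and SEQ/ACK from the TCP header, applies the S12 port filter, and joins each direction's payloads in SEQ order. Assumptions: the constructed frames below carry zero checksums, and a direction is keyed on the address/port 4-tuple rather than on ACK/SEQ matching.

```python
import struct
from collections import defaultdict

ETH_LEN = 14                                         # fixed-length MAC header skipped first (S21)
MAIL_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP"}  # the S12 port filter


def parse_frame(frame: bytes) -> dict:
    """Walk the MAC, IPv4 and TCP headers at the offsets the text describes."""
    ver_ihl = frame[ETH_LEN]                         # 15th byte: version nibble + IHL nibble
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # 0x45 -> IPv4, 5 * 4 = 20-byte header
    if version != 4:
        raise ValueError("not an IPv4 packet")
    ip = frame[ETH_LEN:ETH_LEN + ihl]
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip_id = struct.unpack("!H", ip[4:6])[0]          # 2-byte identification at IPv4 byte 5 (S22)
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = frame[ETH_LEN + ihl:ETH_LEN + total_len]   # TCP header starts right after the IPv4 header
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])  # SEQ = bytes 5-8, ACK = bytes 9-12
    data_off = (tcp[12] >> 4) * 4
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "seq": seq, "ack": ack, "ip_id": ip_id, "payload": tcp[data_off:]}


def mail_protocol(pkt: dict):
    """S12: the peer's service port decides which mail protocol a packet belongs to."""
    return MAIL_PORTS.get(pkt["dport"]) or MAIL_PORTS.get(pkt["sport"])


def reassemble(frames) -> dict:
    """Order each direction of a session by SEQ and join the payloads (assumption: a
    direction is keyed on the address/port 4-tuple instead of matching ACK against SEQ)."""
    directions = defaultdict(dict)
    for frame in frames:
        pkt = parse_frame(frame)
        if mail_protocol(pkt) is None:
            continue                                 # not a mail port: dropped by the S12 filter
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        directions[key].setdefault(pkt["seq"], pkt["payload"])  # first copy wins on retransmit
    return {key: b"".join(segs[s] for s in sorted(segs)) for key, segs in directions.items()}


def build_frame(src, dst, sport, dport, seq, ack, ip_id, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the sample below (checksums left as zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), ip_id, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x02" * 12 + b"\x08\x00" + ip + tcp + payload


# Constructed sample: a short SMTP exchange whose server segments were captured out of order,
# plus one HTTP packet that the port filter must discard.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 40000, 25, 1000, 5001, 0x62EB, b"EHLO client\r\n"),
    build_frame("10.0.0.9", "10.0.0.5", 25, 40000, 5017, 1013, 0x1002, b"250 OK\r\n"),
    build_frame("10.0.0.9", "10.0.0.5", 25, 40000, 5001, 1000, 0x1001, b"220 mail ready\r\n"),
    build_frame("10.0.0.5", "10.0.0.8", 40001, 80, 1, 1, 0x0001, b"GET / HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for key, stream in reassemble(SAMPLE_FRAMES).items():
        print(key, stream)
```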
S3: splice the mail data packets.
From the ordering of the packets in step S22 we obtain an ordered one-way packet chain. For the receiving protocols POP3 and IMAP, take the packets coming from the peer's ports 110 and 143; for SMTP, take the packets sent to the peer's port 25. The following steps capture mail according to the protocol.
For POP3 mail, the capture steps are as follows:
S311: skip the consecutive mail header descriptions.
To obtain the mail headers, traverse the packets on the chain in order. On encountering "+OK m n 0x0D 0x0A", record the values of m and n: m is the number of messages in the mailbox and n is the total size of the mail in the mailbox. Continue traversing onward; each time data of the form "+OK mail-size octets 0x0D 0x0A" is encountered, decrement m by 1; traverse until m is 0, which marks the end of the header portion.
S312: capture the complete mail packets.
Continue traversing the packet chain from the position where the header portion ended. On encountering data of the "+OK mail-size octets 0x0D 0x0A" structure, start recording from the first line of the next packet and splice the mail packet. Parse the packets line by line using the newline "0x0D 0x0A" as the end-of-line marker; on encountering a "boundary="mail-split-feature"" structure, record the mail split feature. Continue traversing until "--mail-split-feature--" is encountered, which means the mail is complete. Put the recorded whole mail packet into the mail packet array for temporary storage.
For IMAP mail, the capture steps are as follows:
S321: define the mail data structure.
A mail data structure is defined here to hold the necessary information of a mail. The structure comprises a mail thread number, a mail header region, a mail body description region and a mail body data region.
S322: traverse the packet chain; on encountering a "* mail-total EXISTS" structure, take the mail total as an integer and build a mail packet array of that size.
S323: next traverse the packet chain received from the peer's port 143. On encountering a line that begins "* mail-serial-number FETCH (UID mail-unique-identifier" and ends with 0x0D 0x0A (newline), check whether the mail packet array position corresponding to the mail serial number already holds data; if not, execute S324; if so, execute S325.
S324: start recording the mail header from the next line until an "0x0D 0x0A" ending is encountered; stop recording, write the data into the mail header region, and put the packet into the corresponding position in the mail packet array. Continue traversing; if no further packet exists, end the traversal, otherwise jump back to S323.
S325: continue traversing; if a structure beginning "* mail-serial-number FETCH (UID mail-unique-identifier BODY[" is found, execute S326;
if a structure beginning "* mail-serial-number FETCH (UID mail-unique-identifier BODYSTRUCTURE" is found, execute S327.
S326: take the corresponding mail packet from the mail packet array; starting from the end of the mail body data region, append two newlines "0x0D 0x0A" and start recording the data, including the "* mail-serial-number FETCH (UID mail-unique-identifier BODY[" line itself, until ") 0x0D 0x0A" is encountered; put the recorded data into the mail body data region of the mail structure defined in S321, put the mail packet back at the array position corresponding to the mail serial number, and execute S328.
S327: take the data after "0x0D 0x0A" until the newline 0x0D 0x0A is encountered and remove the final ")"; put the recorded data into the mail body description region of the mail structure defined in S321, put the mail packet back at the array position corresponding to the mail serial number, and execute S328.
S328: determine whether a next line exists; if so, execute S325; if not, execute S329.
S329: determine whether the whole packet chain has been traversed; if not, jump back to S323; if complete, end the traversal and execute S330.
S330: filter out the packets that contain only a header.
For SMTP mail, first traverse the packet chain; on encountering data of the form "MAIL FROM:", continue traversing down to "DATA 0x0D 0x0A". Once reached, start recording the received data from the next line without returning, and monitor the received packets until the one-way session ends or the "0x0D 0x0A 0x0D 0x0A" feature is encountered, at which point recording ends; the recorded data is put into the mail packet chain. Repeat until all packets have been traversed.
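The SMTP and POP3 capture steps of S3 run over the one-way streams that S22 produces, as an added Python example that is not the patent's own code. Assumptions: the constructed streams below, and a message is ended at the CRLF "." CRLF terminator of RFC 5321 and RFC 1939 rather than at the CRLF CRLF or "--boundary--" features the text uses, because a blank line also separates headers from body inside every message and single-part mail has no boundary.

```python
import re

CRLF = b"\r\n"
END_OF_DATA = CRLF + b"." + CRLF        # RFC 5321 / RFC 1939 terminator of a transmitted message


def unstuff(raw: bytes) -> bytes:
    """Remove the extra leading '.' that SMTP and POP3 prepend to lines starting with a dot."""
    return re.sub(rb"(?m)^\.", b"", raw)


def extract_smtp_messages(client_stream: bytes) -> list:
    """S3 (SMTP): after 'MAIL FROM:' seek 'DATA CRLF' and record from the next line.
    The text stops at CRLF CRLF; this example stops at CRLF '.' CRLF (an assumption),
    since a blank line also separates the headers from the body of every message."""
    messages, pos = [], 0
    while True:
        start = client_stream.find(b"MAIL FROM:", pos)
        if start < 0:
            return messages
        data_cmd = client_stream.find(b"DATA" + CRLF, start)
        if data_cmd < 0:
            return messages
        body_start = data_cmd + len(b"DATA" + CRLF)
        end = client_stream.find(END_OF_DATA, body_start)
        if end < 0:                       # one-way session ended: keep what was captured
            end = len(client_stream)
        messages.append(unstuff(client_stream[body_start:end]))
        pos = end + len(END_OF_DATA)


def extract_pop3_messages(server_stream: bytes) -> dict:
    """S311/S312 (POP3): '+OK m n' gives the message count m and total size n; each
    '+OK <size> octets' reply is followed by one message. This example ends a message at
    CRLF '.' CRLF instead of '--boundary--' (an assumption: single-part mail has no boundary)."""
    stat = re.search(rb"\+OK (\d+) (\d+)\r\n", server_stream)
    info = {"count": int(stat.group(1)) if stat else None,
            "total_octets": int(stat.group(2)) if stat else None, "messages": []}
    for m in re.finditer(rb"\+OK (\d+) octets\r\n", server_stream):
        end = server_stream.find(END_OF_DATA, m.end())
        if end < 0:
            end = len(server_stream)
        info["messages"].append(unstuff(server_stream[m.end():end]))
    return info


# Constructed sample streams, as the S22 ordering step would hand them over.
SMTP_CLIENT_STREAM = (
    b"EHLO client\r\nMAIL FROM:<alice@example.com>\r\nRCPT TO:<bob@example.com>\r\nDATA\r\n"
    b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: report\r\n\r\n"
    b"Line one\r\n..a line that began with a dot\r\n.\r\nQUIT\r\n"
)
POP3_SERVER_STREAM = (
    b"+OK POP3 ready\r\n+OK 1 57\r\n+OK 57 octets\r\n"
    b"From: carol@example.com\r\nSubject: hi\r\n\r\nhello\r\n.\r\n+OK bye\r\n"
)

if __name__ == "__main__":
    print(extract_smtp_messages(SMTP_CLIENT_STREAM))
    print(extract_pop3_messages(POP3_SERVER_STREAM))
```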
S4: parse the mail data packets. Of the two methods, POP3 and SMTP share the same mail structure and their content is complete, so they can be parsed uniformly by traversing the mail packet chain and obtaining the data according to flag bits; the IMAP protocol must be parsed separately.
The POP3 and SMTP mail parsing method is as follows:
S411: parse the recipient, sender and carbon-copy lists.
Parse the data captured in S3 line by line. In the mail packet, the line beginning "From:" is immediately followed by the recipient list, with the recipients separated by ","; the line beginning "To:" is immediately followed by the sender list; the line beginning with the feature "Cc:" is immediately followed by the carbon-copy list.
If a recipient, sender or carbon-copy entry starts with a double quote ("), the quoted part is the display name and the part wrapped in "<>" after it is the e-mail address; if it does not start with a double quote, the entry is the mailbox address itself.
The display-name part is split on "?" into five regions: the second region is the character set, the third region is the encoding method and the fourth region is the encoded data itself.
If the third region is B, restore the character encoding with base64; if the third region is Q, restore it with quoted-printable; finally decode the characters with the character set from the second region.
S412: parse the subject.
Traverse to the line beginning "Subject:"; the data after it is the subject. The subject part is split on "?" into five regions: the second region is the character set, the third the encoding method and the fourth the encoded data itself. If the third region is B, restore the character encoding with base64; if the third region is Q, restore it with quoted-printable; finally decode the characters with the character set from the second region.
S413: obtain the time.
Traverse to the line beginning "Date:"; the data after "Date:" is the specific time, in the format "EEE, d MMM yyyy HH:mm:ss Z", i.e. weekday, day month year hour:minute:second time zone.
For example: Date: Sun, 17 Jul 2016 19:22:39 +0800 (CST).
S414: parse the mail content.
Obtain the data after the feature "Content-Type:" up to ";"; the content type conforms to the media type standard specified by MIME. Then record the characters wrapped in double quotes in the following "boundary="; these characters are the separator identifier of the whole mail, denoted BoundaryA.
S415: extract the complete mail body data.
Traverse the packets downward; on encountering BoundaryA preceded by "--", start recording the mail data; stop recording when BoundaryA with "--" both before and after it is encountered. The recorded data is the complete mail body.
S416: parse the mixed types of the mail body.
S4161: every mail body has a Content-Type line. If the content it denotes is multipart/mixed, multipart/report, multipart/alternative or multipart/related, this section of the mail body or data field can be divided into several sub-fields at the same level. Then take the characters wrapped in double quotes in the following "Boundary=", denoted BoundaryBx, where x is a positive integer that starts at 0 and is incremented by 1 each time a new Boundary is encountered during parsing.
S4162: traverse the packets downward; on encountering BoundaryBx preceded by "--", start recording the mail data; stop recording when BoundaryBx with "--" both before and after it is encountered.
S4163: traverse the mail data field obtained; on encountering BoundaryBx preceded by "--", start splitting the data from the next line; on encountering the next BoundaryBx preceded by "--", save the previous fragment and start recording new data, until the traversal of the data field ends.
S417: obtain the non-mixed-type data in the mail body.
Non-mixed-type data is always wrapped inside a mixed type, and each data field of a mixed type is either a new mixed type or a fundamental type. The fundamental-type cases are parsed next.
S4171: text regions.
If the value obtained from Content-Type is text/*, obtain the character set after the following "charset", and after the 0x0D 0x0A obtain the encoding method after "Content-Transfer-Encoding:". Then obtain all the content on the following line and recover the true data according to the encoding method and character set.
S4172: binary object regions.
If the type obtained from Content-Type is "application/octet-stream", continue to obtain the following "charset", obtain the filename of the binary object from "name", and obtain the encoding method from "Content-Transfer-Encoding". Then check whether the next item is two "0x0D 0x0A"; if not, start checking whether it is the "Content-Disposition: Attachment" string; if so, this proves that the object in this region is downloadable content and can be regarded as an attachment. The next line is the beginning of the actual data; record all the data.
S4173: other MIME types.
For other types, first obtain "Content-Type", then obtain the encoding method from "Content-Transfer-Encoding". If the next item is not two "0x0D 0x0A", start checking for the "Content-Disposition: Attachment" string; if present, this proves that the object in this region is downloadable content and can be regarded as an attachment. The next line is the beginning of the actual data.
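Steps S411 to S417 carried through in Python, as an added example rather than the patent's own code: encoded-word decoding (the five "?"-separated regions with B and Q), address, subject and Date parsing, and recursive boundary splitting down to text and attachment leaves. Assumptions: the constructed message below, and the From line is treated as the sender and To as the recipients, as RFC 5322 defines them.

```python
import base64
import quopri
import re
from datetime import datetime

ENCODED_WORD = re.compile(r"=\?([^?]+)\?([BbQq])\?([^?]*)\?=")   # five '?'-separated regions


def decode_encoded_word(value: str) -> str:
    """S411/S412: region 2 is the charset, region 3 the encoding (B/Q), region 4 the data."""
    def restore(m):
        charset, enc, data = m.group(1), m.group(2).upper(), m.group(3).encode()
        raw = base64.b64decode(data) if enc == "B" else quopri.decodestring(data, header=True)
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(restore, value)


def parse_address_list(value: str) -> list:
    """S411: split on ','; a quoted display name precedes <address>, else the bare mailbox.
    (Per RFC 5322 the From line carries the sender and the To line the recipients.)"""
    out = []
    for item in value.split(","):
        m = re.match(r'\s*"?(.*?)"?\s*<([^>]+)>\s*$', item)
        if m:
            out.append({"name": decode_encoded_word(m.group(1)), "addr": m.group(2)})
        elif item.strip():
            out.append({"name": "", "addr": item.strip()})
    return out


def parse_date(value: str) -> datetime:
    """S413: 'EEE, d MMM yyyy HH:mm:ss Z'; a trailing comment such as '(CST)' is dropped."""
    value = re.sub(r"\s*\(.*\)\s*$", "", value).strip()
    return datetime.strptime(value, "%a, %d %b %Y %H:%M:%S %z")


def parse_headers(block: bytes) -> dict:
    """Header lines to a lower-cased dict; folded continuation lines are joined first."""
    text = re.sub(r"\r\n[ \t]+", " ", block.decode("ascii", "replace"))
    pairs = (line.partition(":") for line in text.split("\r\n"))
    return {name.strip().lower(): val.strip() for name, sep, val in pairs if sep}


def content_type(headers: dict):
    """S414: media type up to ';', then parameters such as boundary, charset and name."""
    mtype, *rest = headers.get("content-type", "text/plain").split(";")
    params = {k.strip().lower(): v.strip().strip('"') for k, _, v in (p.partition("=") for p in rest)}
    return mtype.strip().lower(), params


def split_parts(body: bytes, boundary: bytes) -> list:
    """S415/S4162/S4163: a fragment runs from a '--boundary' line to the next; '--boundary--' closes."""
    parts, rec = [], None
    for line in body.split(b"\r\n"):
        if line == b"--" + boundary + b"--":
            break
        if line == b"--" + boundary:
            if rec is not None:
                parts.append(b"\r\n".join(rec))
            rec = []
        elif rec is not None:
            rec.append(line)
    if rec is not None:
        parts.append(b"\r\n".join(rec))
    return parts


def parse_entity(raw: bytes) -> dict:
    """S416/S417: multipart entities recurse; leaves are decoded per Content-Transfer-Encoding."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = parse_headers(head)
    mtype, params = content_type(headers)
    node = {"type": mtype}
    if mtype.startswith("multipart/"):                      # S4161: mixed/report/alternative/related
        node["parts"] = [parse_entity(p) for p in split_parts(body, params["boundary"].encode())]
        return node
    cte = headers.get("content-transfer-encoding", "7bit").lower()
    data = base64.b64decode(body) if cte == "base64" else (
        quopri.decodestring(body) if cte == "quoted-printable" else body)
    if mtype.startswith("text/"):                           # S4171: text region
        node["text"] = data.decode(params.get("charset", "us-ascii"), "replace")
    else:                                                   # S4172/S4173: binary object or other type
        node["attachment"] = headers.get("content-disposition", "").lower().startswith("attachment")
        node["filename"], node["data"] = params.get("name", ""), data
    return node


def parse_message(raw: bytes) -> dict:
    """Addresses, subject and date from the top-level headers, plus the decoded body tree."""
    h = parse_headers(raw.partition(b"\r\n\r\n")[0])
    return {"from": parse_address_list(h.get("from", "")), "to": parse_address_list(h.get("to", "")),
            "cc": parse_address_list(h.get("cc", "")), "subject": decode_encoded_word(h.get("subject", "")),
            "date": parse_date(h["date"]) if "date" in h else None, "body": parse_entity(raw)}


# Constructed sample: nested multipart with a base64 text part and an octet-stream attachment.
SAMPLE = (
    b'From: "=?utf-8?B?5byg5LiJ?=" <alice@example.com>\r\nTo: bob@example.com, "Carol" <carol@example.com>\r\n'
    b"Subject: =?utf-8?Q?Quarterly_report?=\r\nDate: Sun, 17 Jul 2016 19:22:39 +0800 (CST)\r\n"
    b'Content-Type: multipart/mixed; boundary="outer"\r\n\r\n--outer\r\n'
    b'Content-Type: multipart/alternative; boundary="inner"\r\n\r\n--inner\r\n'
    b"Content-Type: text/plain; charset=utf-8\r\nContent-Transfer-Encoding: base64\r\n\r\n"
    b"5LiL5Y2I5aW9\r\n--inner--\r\n--outer\r\n"
    b'Content-Type: application/octet-stream; name="secret.bin"\r\nContent-Transfer-Encoding: base64\r\n'
    b'Content-Disposition: attachment; filename="secret.bin"\r\n\r\nAAEC\r\n--outer--\r\n'
)
```

Run `parse_message(SAMPLE)` to see the decoded headers and the body tree, in which the octet-stream leaf is flagged as an attachment with its filename and raw bytes.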
IMAP mail parsing:
Through the IMAP capture steps above, a mail packet array is obtained; this step parses each mail packet in it.
Take the data of the mail header part from the mail packet, then obtain the mail's recipient list, sender, carbon-copy list, subject and sending time.
S51: parse the mail body structure.
Take the mail body structure description part from each mail packet and group it according to the feature "()". This description part is a nested structure, so parsing it should be a loop-and-recurse process. Each bracketed part represents one part of the mail and may contain a simple data description or a nested mixed-data description.
The data structure of the captured mail body is obtained in this step; the structure can be understood as a tree.
S52: parse the mail body data.
According to the mail body structure obtained in S51, part or even all of the data can be obtained from the captured mail data.
Traverse the mail body data parts. In the first line "* mail-serial-number FETCH (UID m BODY[...]", the part wrapped in [] indicates which part of the mail this body data is. The content of the bracket group falls into the following cases:
S521: RFC822.
This means that the data from the next line to the end is the complete content of the mail. Obtain the data after the feature "Content-Type:" up to ";"; the content type conforms to the media type standard specified by MIME. Then record the characters wrapped in double quotes in the following "boundary="; these characters are the separator identifier of the whole mail, denoted BoundaryA. Starting from the mail data part, the complete content of the mail can then be parsed.
S522: a plain number.
For example BODY[1]: this means the following data is all the data of the first part in the mail body structure. If this part is mixed data, parse it with the nested-part parsing method according to the Content-Type, charset, Content-Transfer-Encoding, boundary and similar parameters described in the mail body structure. If it is fundamental-type data, obtain it directly according to the description in the mail data structure using the Content-Type, charset, Content-Transfer-Encoding and similar parameters.
S523: sub-section number form.
For example BODY[1.2]: this means the data obtained next is the content of the second sub-part of the first part in the mail body structure. The parsing from there on is the same as in S522.
S524: empty, i.e. [].
When the bracket group is empty, it is generally followed by a pair of angle brackets <>, which means the following data is preview data and does not represent the complete content. This part of the data may remain incomplete, or may be completed later. Such data needs special handling: first, according to the outermost boundary recorded in the header (denoted boundaryN), split the mail body using "--boundaryN" as the marker. On encountering the next "--boundaryN", start recording the second part. On encountering the next 0x0D 0x0A +OK, or on reaching the end of the data, end the traversal and discard the data of the last part.
S53: then, according to the mail data structure obtained, traverse the mail structure tree depth-first in order and fetch the data from top to bottom.
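The nested "()" grouping of S51 and the BODY[...] section cases of S52, as an added Python example rather than the patent's own code: a BODYSTRUCTURE reply is grouped into a tree and a section such as 1.2 is resolved against it. Assumptions: the constructed BODYSTRUCTURE text below and the standard IMAP field order within each leaf group (type, subtype, parameters, id, description, encoding, size).

```python
import itertools
import re

TOKEN = re.compile(r'\(|\)|"(?:[^"\\]|\\.)*"|[^\s()"]+')
FETCH_LINE = re.compile(r"\* (\d+) FETCH \(UID (\d+) BODY\[([^\]]*)\](<\d+\.\d+>)?")


def parse_groups(text: str) -> list:
    """S51: group the description by its '()' feature into nested lists. Quoted strings
    lose their quotes; atoms such as NIL and numbers stay as strings."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            stack[-2].append(stack.pop())
        else:
            stack[-1].append(tok[1:-1] if tok.startswith('"') else tok)
    if len(stack) != 1:
        raise ValueError("unclosed '('")
    return stack[0]


def to_tree(group: list) -> dict:
    """Turn one group into a tree node. A multipart group is a run of nested groups
    followed by the subtype atom; a leaf begins with type, subtype and a parameter list."""
    if isinstance(group[0], list):                    # nested mixed-data description
        children = list(itertools.takewhile(lambda x: isinstance(x, list), group))
        subtype = group[len(children)]
        return {"type": "multipart/" + subtype.lower(), "parts": [to_tree(g) for g in children]}
    params = group[2] if isinstance(group[2], list) else []
    return {"type": f"{group[0]}/{group[1]}".lower(),
            "params": {k.lower(): v for k, v in zip(params[0::2], params[1::2])},
            "encoding": group[5].lower(), "size": int(group[6])}


def parse_fetch_line(line: str):
    """S52: first line '* serial FETCH (UID uid BODY[section]'; a trailing <offset.size>
    means the data is only a preview (S524). Returns (serial, uid, section, is_preview)."""
    m = FETCH_LINE.match(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3), m.group(4) is not None


def section(tree: dict, spec: str) -> dict:
    """Map the [] section onto the tree: 'RFC822' or empty is the whole message (S521,
    S524), '1' is part 1 (S522), '1.2' is sub-part 2 of part 1 (S523)."""
    if spec.strip().upper() in ("", "RFC822"):
        return tree
    node = tree
    for idx in spec.split("."):
        if "parts" not in node:                       # a non-multipart message is its own part 1
            if int(idx) != 1:
                raise KeyError(spec)
            continue
        node = node["parts"][int(idx) - 1]
    return node


# Constructed sample: mixed(alternative(text/plain, text/html), octet-stream attachment).
SAMPLE_BODYSTRUCTURE = (
    '((("TEXT" "PLAIN" ("CHARSET" "utf-8") NIL NIL "BASE64" 12 1 NIL NIL NIL)'
    '("TEXT" "HTML" ("CHARSET" "utf-8") NIL NIL "BASE64" 40 1 NIL NIL NIL)'
    ' "ALTERNATIVE" ("BOUNDARY" "inner") NIL NIL)'
    '("APPLICATION" "OCTET-STREAM" ("NAME" "secret.bin") NIL NIL "BASE64" 4 NIL'
    ' ("ATTACHMENT" ("FILENAME" "secret.bin")) NIL) "MIXED" ("BOUNDARY" "outer") NIL NIL)'
)

if __name__ == "__main__":
    tree = to_tree(parse_groups(SAMPLE_BODYSTRUCTURE)[0])
    print(tree)
    print(parse_fetch_line("* 3 FETCH (UID 41 BODY[1.2] {40}"))
```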
Those of ordinary skill in the art will appreciate that the embodiments described here are intended to help the reader understand the implementation of the present invention, and it should be understood that the protection scope of the present invention is not limited to such specific statements and embodiments. Those of ordinary skill in the art can, in light of the technical teaching disclosed by the present invention, make various other specific variations and combinations without departing from the essence of the present invention, and these variations and combinations remain within the protection scope of the present invention.
Claims (8)
1. A method for inspecting and collecting evidence from e-mail data packets, characterised in that it comprises the following steps:
S1: capture the e-mail data packets with a general-purpose packet capture tool;
S2: analyse the TCP protocol and construct logical session data packets;
S3: capture and splice the mail data packets;
S4: parse the mail data packets.
2. The method for inspecting and collecting evidence from e-mail data packets according to claim 1, characterised in that the detailed steps of S1 are as follows:
S11: capture the mail network packets with a packet capture tool;
S12: filter the captured packets according to port:
if the peer's service port is port 25, arrange the resulting packets in session form as the SMTP protocol packets to be parsed;
if the peer's service port is port 110, arrange the resulting packets in session form as the POP3 protocol packets to be parsed;
if the peer's service port is port 143, arrange the resulting packets in session form as the IMAP protocol packets to be parsed.
3. The method for inspecting and collecting evidence from e-mail data packets according to claim 2, characterised in that the detailed steps of S2 are as follows:
S21: classify and order the packets by session: calculate the IPv4 length in the packet; the TCP header follows the IPv4 data; from bytes 5 to 8 and bytes 9 to 11 of the TCP header obtain the two parameters SEQ and ACK; classify and sort according to the rule that the ACK of one packet equals the SEQ of the following packet;
S22: order the session logically according to the IPv4 sequence number in the packets, obtaining an ordered one-way packet chain.
4. The method for inspecting and collecting evidence from e-mail data packets according to claim 3, characterised in that, for POP3 mail in S3, the capture steps are as follows:
S311: to obtain the mail headers, traverse the packets on the chain in order; on encountering "+OK m n 0x0D 0x0A", record the values of m and n, where m is the number of messages in the mailbox and n is the total size of the mail in the mailbox; continue traversing onward, and each time data of the form "+OK mail-size octets 0x0D 0x0A" is encountered, decrement m by 1; traverse until m is 0, which marks the end of the header portion;
S312: continue traversing the packet chain from the position where the header portion ended; on encountering data of the "+OK mail-size octets 0x0D 0x0A" structure, start recording from the first line of the next packet and splice the mail packet; parse the packets line by line using the newline "0x0D 0x0A" as the end-of-line marker, and on encountering a "boundary="mail-split-feature"" structure record the mail split feature; continue traversing until "--mail-split-feature--" is encountered, which means the mail is complete; put the recorded whole mail packet into the mail packet array for temporary storage.
5. The method for inspecting and collecting evidence from e-mail data packets according to claim 3, characterised in that, for IMAP mail in S3, the capture steps are as follows:
S321: define a mail data structure comprising a mail thread number, a mail header region, a mail body description region and a mail body data region;
S322: traverse the packet chain; on encountering a "* mail-total EXISTS" structure, take the mail total as an integer and build a mail packet array of that size;
S323: continue traversing the packet chain; on encountering data of the form "* mail-serial-number FETCH (UID mail-unique-identifier" ending with "0x0D 0x0A", check whether the mail packet array position corresponding to the mail serial number holds data; if not, execute S324; if so, execute S325;
S324: start recording the mail header from the next line until an "0x0D 0x0A" ending is encountered; stop recording, write the data into the mail header region and put the packet into the corresponding position in the mail packet array; continue traversing; if no further packet exists, end the traversal, otherwise jump back to S323;
S325: continue traversing; if a structure beginning "* mail-serial-number FETCH (UID mail-unique-identifier BODY[" is found, execute S326;
if a structure beginning "* mail-serial-number FETCH (UID mail-unique-identifier BODYSTRUCTURE" is found, execute S327;
S326: take the corresponding mail packet from the mail packet array; starting from the end of the mail body data region, append two newlines "0x0D 0x0A" and start recording the data, including the "* mail-serial-number FETCH (UID mail-unique-identifier BODY[" line itself, until ") 0x0D 0x0A" is encountered; put the recorded data into the mail body data region of the mail structure defined in S321, put the mail packet back at the array position corresponding to the mail serial number, and execute S328;
S327: take the data after "0x0D 0x0A" until the newline 0x0D 0x0A is encountered and remove the final ")"; put the recorded data into the mail body description region of the mail structure defined in S321, put the mail packet back at the array position corresponding to the mail serial number, and execute S328;
S328: determine whether a next line exists; if so, execute S325; if not, execute S329;
S329: determine whether the whole packet chain has been traversed; if not, jump back to S323; if complete, end the traversal and execute S330;
S330: filter out the packets that contain only a header.
6. The method for inspecting and collecting evidence from e-mail data packets according to claim 3, characterised in that, for SMTP mail in S3, the capture steps are as follows:
first traverse the packet chain; on encountering data of the form "MAIL FROM:", continue traversing down to "DATA 0x0D 0x0A"; once reached, start recording the received data from the next line without returning, and monitor the received packets until the one-way session ends or the "0x0D 0x0A 0x0D 0x0A" feature is encountered, at which point recording ends; put the recorded data into the mail packet chain; repeat until all packets have been traversed.
7. a kind of method carrying out for e-mail data bag verifying evidence obtaining according to claim 4 or 6, its feature exists
In S4, POP3 and SMTP mail analytic method is as follows:
S411:Addressee, sender and list resolution of making a copy for;
According to the data of S3 crawl, by row parsing, with " From in mail bag:" row that starts, From:Closely follow addressee afterwards to arrange
Table, separates addressee according to ", ";With " To in mail bag:" row that starts, closely follow senders list afterwards;With spy in mail bag
Levy " Cc:" after the row that starts immediately following list of making a copy for;
If addressee or sender or list of making a copy for are initiateed with " " " ", the part wrapped up is the pet name, afterwards "<>" wrap up
Part is email address;If not " to initiate, to be directly mailbox;
The use of pet name part "?" it is separated into five regions;Two Areas are character set, and the 3rd region is coding staff
Formula, the 4th region is specific coded data;
If the 3rd region is B, reduce character code using base64;If the 3rd region is Q, using quoted-
Printable reduces character code, finally parses character using the coded set of Two Areas;
S412:Theme parses;
Traversal is with " Subject:" row that starts, data afterwards is the theme;Main part use "?" it is separated into five regions;
Two Areas are character set, and the 3rd region is coded system, and the 4th region is specific coded data;If the 3rd
Individual region is B, then reduce character code using base64;If the 3rd region is Q, reduced using quoted-printable
Character code, finally parses character using the coded set of Two Areas;
S413:Time obtains;
Traversal is with " Date:" row that starts, Date:It is the concrete time afterwards, concrete form is " EEE, d MMM yyyy HH:mm:
ss Z”;
S414:Mail Contents parse
Obtain feature " Content-Type:" after data, with ";" terminate;Record " boundary=" " after this data
In " " " character that wraps up;It is designated as BoundaryA;
S415:Intercept mail body partial data
Traversal down packet, when there is " -- " before running into BoundaryA, start recording mail data, until running into
Terminate when all having " -- " before and after BoundaryA to record;
S416:The mixed type of parsing mail body, step is as follows:
S4161:Traversal Content-Type row, if its represented content is multipart/mixed or multipart/
Report or multipart/alternative or multipart/related, then take in " Boundary=" " thereafter " " "
The character of parcel, is designated as BoundaryBx;X is positive integer, is initially 0, runs into new Boundary then x+1 in parsing;
S4162:Traversal down packet, when there is " -- " before running into BoundaryBx, start recording mail data, until
Terminate when all having " -- " before and after running into BoundaryBx to record;
S4163:The mail data domain that traversal obtains, when there is " -- " before running into BoundaryBx, from descending beginning partition data,
Exist " -- " before running into next BoundaryBx, the upper fragment data of preservation, the new data of start recording, until
Data field traversal terminates;
S417: Obtain the non-mixed-type data in the mail body;
S4171: Obtain the text region;
If the value obtained for content-type is text/*, obtain the character set after the following "charset:"; after the "0x0D 0x0A" obtain the coding system after "Content-Transfer-Encoding:". Then obtain all the content of the next line and obtain the true data according to the coding system and character set;
S4172: Obtain the binary object region;
If the type obtained for Content-Type is "application/octet-stream", continue to obtain the following "charset", and obtain the file name of the binary object from "name"; obtain the coding system from "Content-Transfer-Encoding"; judge whether the next is two "0x0D0x0A"; if not, start monitoring whether the string "Content-Disposition: Attachment" is present; if so, this proves that the object in this region is downloadable content and can be regarded as an attachment; the next line is the beginning of the concrete data, which is recorded;
S4173: Other MIME types;
For other types, first obtain "content-type", then obtain the coding system from "Content-Transfer-Encoding"; if the next is not two "0x0D 0x0A", start monitoring whether the string Content-Disposition: Attachment is present; if so, this proves that the object in this region is downloadable content and can be regarded as an attachment; the next line is the beginning of the concrete data, which is recorded.
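The boundary splitting and part decoding of S414 to S417, as an added Python example rather than the patent's own code: the raw message is constructed, a nested BoundaryB container is handled by recursion, and each attachment is hashed so the evidence record can refer to it without carrying its bytes.

```python
import base64, hashlib, quopri, re

# Constructed sample (not from the patent): multipart/mixed (BoundaryA) holding a
# nested multipart/alternative (BoundaryB) and a base64 attachment.
RAW_MAIL = (
    'Content-Type: multipart/mixed; boundary="BA"\r\n\r\n'
    '--BA\r\nContent-Type: multipart/alternative; boundary="BB"\r\n\r\n'
    '--BB\r\nContent-Type: text/plain; charset="utf-8"\r\n'
    'Content-Transfer-Encoding: quoted-printable\r\n\r\nHello =E4=B8=96=E7=95=8C\r\n'
    '--BB\r\nContent-Type: text/html; charset="utf-8"\r\n\r\n<p>Hello</p>\r\n--BB--\r\n'
    '--BA\r\nContent-Type: application/octet-stream; name="notes.bin"\r\n'
    'Content-Transfer-Encoding: base64\r\n'
    'Content-Disposition: attachment; filename="notes.bin"\r\n\r\nAAECAw==\r\n--BA--\r\n'
)

def param(value, name):
    # Quoted or bare parameter, e.g. boundary="..." or charset=utf-8 (S414, S4171)
    m = re.search(r'%s="?([^";]+)"?' % re.escape(name), value, re.I)
    return m.group(1) if m else None

def decode_body(body, cte):
    # Undo the Content-Transfer-Encoding to recover the true bytes (S4171/S4172)
    decoders = {"base64": base64.b64decode,
                "quoted-printable": lambda s: quopri.decodestring(s.encode("ascii"))}
    return decoders.get(cte, lambda s: s.encode("latin-1"))(body)  # 7bit/8bit: as-is

def walk(part):
    # One MIME entity: header block up to the first blank line, then its body
    head, _, body = part.partition("\r\n\r\n")
    hdr = {k.strip().lower(): v.strip()
           for k, _, v in (line.partition(":") for line in head.split("\r\n"))}
    ctype = hdr.get("content-type", "text/plain")
    media = ctype.split(";")[0].strip().lower()
    if media.startswith("multipart/"):
        # S415/S416: cut at "--boundary"; "--boundary--" closes the container;
        # the [1:-1] slice drops preamble and epilogue; nesting is plain recursion.
        delim = r"\r\n--%s(?:--)?(?:\r\n|$)" % re.escape(param(ctype, "boundary"))
        for sub in re.split(delim, "\r\n" + body)[1:-1]:
            yield from walk(sub)
        return
    raw = decode_body(body, hdr.get("content-transfer-encoding", "7bit").lower())
    if media.startswith("text/"):
        charset = param(ctype, "charset") or "us-ascii"
        yield {"type": media, "text": raw.decode(charset, errors="replace")}
    else:
        # S4172/S4173: "Content-Disposition: attachment" marks a downloadable object
        disp = hdr.get("content-disposition", "")
        yield {"type": media, "attachment": disp.lower().startswith("attachment"),
               "filename": param(disp, "filename") or param(ctype, "name"),
               "size": len(raw), "sha256": hashlib.sha256(raw).hexdigest()}
```

Folded (multi-line) header fields are not unfolded here; a capture with folded Content-Type lines needs that step before `walk` is applied.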
8. The method for checking and evidence collection on e-mail data packets according to claim 5, characterised in that in S4, IMAP mail is parsed from the data of the mail header part taken out of the mail packet array of S322, as follows:
S51: Mail body structure parsing;
Take the mail body structure description part out of the mail packet and group it according to the feature "()"; this description part is a nested structure, so parsing it is a cyclic recursive process; the part wrapped by each pair of brackets represents one part of the mail, which may contain a simple data description or a nested mixed data description;
S52: Mail body data parsing;
According to the mail body structure obtained in S51, traverse the first row of the mail body data part, "* mail-sequence-number FETCH (UID m BODY[]"; the part wrapped in "[]" indicates which part of the mail the body data is. The following cases are distinguished:
S521: If it is RFC822;
This means that the data from the next line to the end is the complete content of the mail. Obtain the data after the feature "Content-Type:", terminated by ";"; the content type conforms to the media type standard specified by MIME. Then record the characters wrapped in double quotes after the following "boundary="; these characters serve as the separator of the whole mail and are denoted BoundaryA. Taking values from the start of the mail data part, the complete content of the mail can be parsed;
S522: If it is in numeric form;
Parse it according to the content-type, charset, Content-Transfer-Encoding and boundary parameters described in the mail body structure, together with the nested-part parsing method. If it is basic-type data, obtain it directly according to the description in the mail data structure, using the content-type, charset and Content-Transfer-Encoding parameters;
S523: If it is in subsection numbering form
Get the content of the second subdivision of the first part in the mail body structure obtained; the subsequent analysis is the same as S522;
S524: If it is empty, i.e. [];
When an empty bracket group is encountered, it is usually followed by a group of angle brackets <>, indicating that the content represented is complete. This part of the data may remain incomplete, or it may be completed later. Such data needs special handling: according to the outermost "boundary" recorded in the mail header, denoted boundaryN, the mail body is split with "--boundaryN" as the marker. When the next "--boundaryN" is encountered, start recording the second part; when the next "0x0D 0x0A+OK" is encountered or the end of the data is reached, end the traversal and discard the data of the last part;
S53: According to the mail data structure obtained, traverse in order and fetch the data from top to bottom.
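An added Python example of S51 and S52 (not from the patent): the parenthesised BODYSTRUCTURE is grouped recursively into nested lists, and the section specifier inside BODY[...] of a FETCH line is classified into the RFC822, numeric, subsection-numbered and empty cases of S521 to S524; the server responses are constructed.

```python
import itertools, re

# Constructed BODYSTRUCTURE (not from the patent): mixed { alternative { plain, html }, attachment }
BODYSTRUCTURE = (
    '((("TEXT" "PLAIN" ("CHARSET" "utf-8") NIL NIL "QUOTED-PRINTABLE" 20 1 NIL NIL NIL)'
    '("TEXT" "HTML" ("CHARSET" "utf-8") NIL NIL "7BIT" 12 1 NIL NIL NIL) "ALTERNATIVE")'
    '("APPLICATION" "OCTET-STREAM" ("NAME" "notes.bin") NIL NIL "BASE64" 8 NIL'
    ' ("ATTACHMENT" ("FILENAME" "notes.bin")) NIL) "MIXED")'
)
TOKEN = re.compile(r'(\(|\)|"((?:[^"\\]|\\.)*)"|([^\s()"]+))')   # ( ) "string" atom
FETCH = re.compile(r"^\* (\d+) FETCH \(UID (\d+) BODY\[([^\]]*)\]")

def parse_structure(text):
    # S51: group the parenthesised description recursively into nested lists
    out, stack = [], []
    for tok, quoted, atom in TOKEN.findall(text):
        if tok == "(":
            stack.append(out)
            out = []
        elif tok == ")":
            out, inner = stack.pop(), out
            out.append(inner)
        elif tok.startswith('"'):
            out.append(quoted)
        else:
            out.append(None if atom == "NIL" else int(atom) if atom.isdigit() else atom)
    return out[0]

def part_at(structure, section):
    # S522/S523: walk a numeric section ("2", "1.2"); a multipart node lists its children first
    node = structure
    for idx in section.split("."):
        kids = list(itertools.takewhile(lambda c: isinstance(c, list), node))
        node = kids[int(idx) - 1]           # IndexError when the section does not exist
    return node

def classify_fetch(line, structure):
    # S52: the text inside BODY[...] says which part of the message follows
    m = FETCH.match(line)
    if not m:
        return None
    sec = m.group(3).strip()
    kind, part = "other", None
    if sec.upper() == "RFC822":             # S521: the complete message follows
        kind, part = "rfc822", structure
    elif sec == "":                         # S524: whole message, possibly incomplete
        kind, part = "empty", structure
    elif re.fullmatch(r"\d+(?:\.\d+)*", sec):   # S522 one number / S523 dotted form
        kind, part = ("subsection" if "." in sec else "number"), part_at(structure, sec)
    return {"uid": int(m.group(2)), "section": sec, "kind": kind, "part": part}
```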
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610804777.2A CN106385358A (en) | 2016-09-06 | 2016-09-06 | Method for checking and evidence collection aiming at E-mail data packet |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610804777.2A CN106385358A (en) | 2016-09-06 | 2016-09-06 | Method for checking and evidence collection aiming at E-mail data packet |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106385358A true CN106385358A (en) | 2017-02-08 |
Family
ID=57938032
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610804777.2A Pending CN106385358A (en) | 2016-09-06 | 2016-09-06 | Method for checking and evidence collection aiming at E-mail data packet |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106385358A (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107888483A (en) * | 2017-11-23 | 2018-04-06 | 上海勋立信息科技有限公司 | A kind of Email content batch joining method and device |
CN109213987A (en) * | 2018-11-13 | 2019-01-15 | 国家海洋局第海洋研究所 | A kind of ice buoy satellite data processing method |
CN109688043A (en) * | 2017-10-19 | 2019-04-26 | 中国科学院信息工程研究所 | A kind of IMAP protocol multi-link association analytic method and system |
CN109802883A (en) * | 2018-12-27 | 2019-05-24 | 南京信息职业技术学院 | A kind of e-mail transmission method and its system |
CN110380953A (en) * | 2019-06-27 | 2019-10-25 | 中国航空工业集团公司雷华电子技术研究所 | A kind of data structure and its sending, receiving method of mail |
CN110692079A (en) * | 2017-04-20 | 2020-01-14 | 亚历山大·瓦尔瓦连科 | Open freight market simulation system and open freight market display method |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1561076A (en) * | 2004-02-24 | 2005-01-05 | 中兴通讯股份有限公司 | Mobile lettergram gateway system and mobile lettergram service implementing method based on the system |
CN1889584A (en) * | 2006-07-19 | 2007-01-03 | 中国科学院计算技术研究所 | Abstract application layer business behaviour playback method based on template |
US20110161433A1 (en) * | 2009-12-30 | 2011-06-30 | Jie Liu | Apparatuses and methods for identifying email and email servers |
CN105743876A (en) * | 2015-08-28 | 2016-07-06 | 哈尔滨安天科技股份有限公司 | Method and system for discovering targeted attack based on email source data |
- 2016-09-06 CN CN201610804777.2A patent/CN106385358A/en active Pending
Non-Patent Citations (7)
Title |
---|
SD.TEAM: "Wireshark e-mail packet capture analysis", SD.TEAM blog (博客园) * |
刘嘉勇 et al.: "Design and implementation of an E-mail monitoring system", Journal of Sichuan University (Natural Science Edition) * |
海涛: "Computer Network Communication Technology", 30 September 2015 * |
甘胜玉: "Design and implementation of a network content analysis and restoration system", China Master's Theses Full-text Database, Information Science and Technology * |
老实小时: "Wireshark packet capture analysis of the POP3 and SMTP protocols", Baidu Wenku (百度文库) * |
谭毓安: "Network Attack Protection Coding Design: Practical Countermeasures against Hackers", 31 December 2002 * |
陈韬伟, 车文刚, 张海洲: "SMTP authentication mechanism in mail systems", Journal of Kunming University of Science and Technology * |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110692079A (en) * | 2017-04-20 | 2020-01-14 | 亚历山大·瓦尔瓦连科 | Open freight market simulation system and open freight market display method |
CN110692079B (en) * | 2017-04-20 | 2023-12-26 | 亚历山大·瓦尔瓦连科 | Open freight market simulation system and open freight market display method |
CN109688043A (en) * | 2017-10-19 | 2019-04-26 | 中国科学院信息工程研究所 | A kind of IMAP protocol multi-link association analytic method and system |
CN109688043B (en) * | 2017-10-19 | 2020-05-22 | 中国科学院信息工程研究所 | IMAP protocol multi-link association analysis method and system |
CN107888483A (en) * | 2017-11-23 | 2018-04-06 | 上海勋立信息科技有限公司 | A kind of Email content batch joining method and device |
CN109213987A (en) * | 2018-11-13 | 2019-01-15 | 国家海洋局第海洋研究所 | A kind of ice buoy satellite data processing method |
CN109213987B (en) * | 2018-11-13 | 2023-05-19 | 自然资源部第一海洋研究所 | Ice buoy satellite data processing method |
CN109802883A (en) * | 2018-12-27 | 2019-05-24 | 南京信息职业技术学院 | A kind of e-mail transmission method and its system |
CN109802883B (en) * | 2018-12-27 | 2021-07-30 | 南京信息职业技术学院 | Mail transmission method and system thereof |
CN110380953A (en) * | 2019-06-27 | 2019-10-25 | 中国航空工业集团公司雷华电子技术研究所 | A kind of data structure and its sending, receiving method of mail |
CN110380953B (en) * | 2019-06-27 | 2021-10-22 | 中国航空工业集团公司雷华电子技术研究所 | Method for sending and receiving mail |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 641000 Sichuan province Neijiang City Songshan Road No. 253; Applicant after: Sichuan Miwu Traceless Science and Technology Co., Ltd.; Address before: 641000 Sichuan province Neijiang City Songshan Road No. 253; Applicant before: SICHUAN MWH INFORMATION SAFETY TECHNOLOGY CO., LTD. |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20170208 |