AU2020290622A1 - Method and system for digital evidence fixing and network forensics on basis of memory forensics and blockchain - Google Patents
- Publication number
- AU2020290622A1
- Authority
- AU
- Australia
- Prior art keywords
- memory
- blockchain
- forensics
- digital evidence
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q50/00—Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
- G06Q50/10—Services
- G06Q50/18—Legal services
Abstract
A method and system for digital evidence fixing and network forensics on the basis of memory forensics and a blockchain. The method comprises: a digital evidence fixing terminal downloading a credible forensic tool by means of a blockchain network (S101); verifying the legitimacy of executable codes of the forensic tool (S102); running the forensic tool to obtain digital data, generating an operation log, acquiring computer memory information by using the memory forensics technique and performing evidence fixing (S103); generating a hash value and uploading the same to the blockchain network, and receiving a returned corresponding blockchain address (S104); sending the address to a judicial expertise unit terminal; the judicial expertise unit terminal receiving the blockchain address sent by the digital evidence fixing terminal (S201); querying to obtain information on the blockchain and verifying the legitimacy thereof (S202); analyzing the memory information by using the memory forensics technique, extracting a system state when the digital evidence is obtained and verifying the consistency thereof (S203); determining, by using the memory analysis, whether the forensic tool has been hooked or injected when running, and verifying the reliability of the operating environment thereof (S204); and generating a judicial expertise report (S205).
Description
The present disclosure belongs to the field of digital forensics technologies, and relates to a method and a system for digital evidence fixing and network forensics based on memory forensics and blockchain.
The description in this section merely provides background information related to the present disclosure and does not necessarily constitute the related art. While bringing convenience to the way people work and live, the modern information technology inevitably causes various negative problems. In particular, various types of crimes triggered by the use of the Internet and information are increasing year by year. Incidents such as theft of state secrets, disclosure of personal privacy, theft of online banking passwords, online fraud, hacking have emerged one after another, and the associated criminal, civil, and administrative cases or disputes have also increased significantly. To meet the needs of litigation for such cases or disputes, computer forensics (digital forensics) came into being. Computer forensics is a process of identifying, storing, analyzing, and submitting digital evidence in a manner consistent with laws and regulations using principles and methods in related disciplines such as computers, communications, and electronics. Computer forensics has been developed for more than ten years since its inception in China, and in actual work, has been recognized by government law enforcement agencies, legal practitioners, and law enforcement personnel. In the business field, more and more businesses begin to pay attention to the application of the computer forensics technology to internal enterprise investigations and IT audits. It can be said that the computer forensics technology is a rapidly developing research field with good application prospects. Especially after the legal status of "electronic data" was independently stipulated in the new Criminal Procedure Law in 2012, the importance of the computer forensics technology became more prominent. An object that computer forensics needs to obtain is electronic data.
An important feature of digital evidence, which is different from other physical evidence, is its vulnerability, which is mainly manifested in two aspects: on the one hand, because electronic data is stored in magnetic media or electronic components, and due to some of the characteristics of these media, the electronic data is prone to be artificially damaged, there are very strict restrictions on the preservation of evidence materials; on the other hand, electronic data can be easily modified or deleted, and such an operation often cannot be completely recovered. Even if being recovered, it will have a great impact on the evidence validity of the data. Digital evidence can only be recognized by the court by following a legal process and proving its authenticity, especially under a live forensics manner (Live Forensics is to obtain electronic data stored in a memory, a disk and other storage media of a target computer without shutting down the target computer or an electronic device, and analyze and present the electronic data). However, the inventor discovered during a research and development process that as a result of the ever-changing data and status on various types of networks, it is very difficult to prove the authenticity of the digital evidence obtained. Simultaneously, there are also problems such as DNS spoofing and untrustworthiness of forensics personnel, so now these pieces of evidence are collected only by professional digital evidence judicial appraisal agencies and notary agencies. FIG. 1 shows a routine network digital forensics process. Because electronic data is prone to be tampered with, a process of collecting and fixing evidence in a routine forensics process needs to be carried out by a third-party agency (judicial appraisal agency). 
From collecting evidence (step 1) to fixing evidence by the judicial appraisal agency (step 3), a user needs to negotiate with the judicial appraisal agency to sign an appraisal agreement, and entrust the judicial appraisal agency to conduct judicial appraisal (step 2), and the judicial appraisal agency performs judicial appraisal based on the fixed digital evidence (step 4), and issues a judicial appraisal report to the user (step 5). In the above-mentioned process, a process from step 1 to step 3 generally takes at least a few days. Because data on the Internet or on various online APPs is constantly changing, when the judicial appraisal agency fixes digital evidence, the data has already changed a lot, delaying forensics time. In addition, when a judicial appraisal agency was entrusted to fix evidence, because of the lack of communication with a lawyer or the court at that time, evidence requirements were not very clear, and consequently there is often a certain degree of blindness when entrusting a judicial appraisal agency to conduct judicial appraisal, which may waste a certain amount of time and money. In summary, because evidence is not collected in time, a conventional network digital forensics process brings about practical problems such as desired data being deleted, and consequently a more credible method is needed to solve a current forensics problem.
In view of the shortcomings of the related art, one or more embodiments of the present disclosure provide a method and a system for digital evidence fixing and network forensics based on memory forensics and blockchain, where a computer is used to obtain electronic data on webpages and various types of network APPs online, and a memory forensics technology, a blockchain technology, and special forensic tools are used to ensure the credibility of a source and a process of obtaining electronic data, so that the collected digital evidence is difficult to tamper with. According to an aspect of one or more embodiments of the present disclosure, a method for digital evidence fixing based on memory forensics and blockchain is provided. The method for digital evidence fixing based on memory forensics and blockchain includes: downloading a credible forensic tool through a blockchain network; interacting with the blockchain network to verify legitimacy of an execution code of the forensic tool; running the forensic tool, obtaining electronic data, generating an operation log, obtaining computer memory information by using a memory forensics technology, and fixing evidence; and respectively generating hash values of the electronic data, the operation log, and the memory information, uploading the hash values to the blockchain network, and receiving a corresponding blockchain address returned. Further, in the method, the verifying legitimacy of an execution code of the forensic tool is to verify that the execution code of the forensic tool is not modified. Further, the method further includes: sending, when collected digital evidence needs to be appraised, the digital evidence, the memory information and the corresponding blockchain address to a judicial appraisal agency terminal. According to an aspect of one or more embodiments of the present disclosure, a computer-readable storage medium is provided. 
The computer-readable storage medium stores a plurality of instructions, where the instructions are adapted to be loaded and executed by a processor of an electronic device to perform the method for digital evidence fixing based on memory forensics and blockchain. According to an aspect of one or more embodiments of the present disclosure, an electronic device is provided. The electronic device includes a processor and a computer-readable storage medium, where the processor is configured to implement instructions, the computer-readable storage medium is configured to store the instructions, and the instructions are adapted to be loaded and executed by the processor to perform the method for digital evidence fixing based on memory forensics and blockchain. According to an aspect of one or more embodiments of the present disclosure, a terminal for digital evidence fixing based on memory forensics and blockchain is provided. The terminal for digital evidence fixing based on memory forensics and blockchain, based on the method for digital evidence fixing based on memory forensics and blockchain, includes: a forensic tool downloading module, configured to download a credible forensic tool through a blockchain network; a legitimacy verifying module, configured to interact with the blockchain network to verify legitimacy of an execution code of the forensic tool; an evidence fixing module, configured to run the forensic tool, obtain electronic data, generate an operation log, obtain computer memory information by using a memory forensics technology, and fix evidence; and a blockchain uploading module, configured to respectively generate hash values of the electronic data, the operation log, and the memory information, upload the hash values to the blockchain network, and receive a corresponding blockchain address returned. 
Further, the terminal for digital evidence fixing further includes a communication module, configured to send, when collected digital evidence needs to be appraised, the digital evidence, the memory information and the corresponding blockchain address to a judicial appraisal agency terminal. According to an aspect of one or more embodiments of the present disclosure, a method for network forensics based on memory forensics and blockchain is provided. The method for network forensics based on memory forensics and blockchain is implemented in a judicial appraisal agency terminal, including: receiving a blockchain address sent by a terminal for digital evidence fixing; querying information on blockchain according to the blockchain address, and verifying legitimacy of electronic data, an operation log, and memory information; analyzing the memory information by using a memory forensics technology after verification succeeds, extracting a system state when digital evidence is collected, and verifying consistency of the system state with the digital evidence and the operation log; verifying, by using memory analysis, whether a forensic tool is hooked or injected when running, and verifying reliability of an operating environment of the forensic tool; and generating a judicial appraisal report. Further, the verifying legitimacy of electronic data, an operation log, and memory information is to verify that the electronic data, the operation log, and the memory information is not modified. Further, the method further includes: sending the judicial appraisal report to a user terminal. According to an aspect of one or more embodiments of the present disclosure, a computer-readable storage medium is provided. The computer-readable storage medium stores a plurality of instructions, where the instructions are adapted to be loaded and executed by a processor of an electronic device to perform the method for network forensics based on memory forensics and blockchain. 
According to an aspect of one or more embodiments of the present disclosure, an electronic device is provided. The electronic device includes a processor and a computer-readable storage medium, where the processor is configured to implement instructions, the computer-readable storage medium is configured to store the instructions, and the instructions are adapted to be loaded and executed by the processor to perform the method for network forensics based on memory forensics and blockchain. According to an aspect of one or more embodiments of the present disclosure, a terminal for network forensics based on memory forensics and blockchain is provided. The terminal for network forensics based on memory forensics and blockchain, based on the method for network forensics based on memory forensics and blockchain, includes: a blockchain address receiving module, configured to receive a blockchain address sent by a terminal for digital evidence fixing; a legitimacy verifying module, configured to query information on blockchain according to the blockchain address, and verify legitimacy of electronic data, an operation log, and memory information; a first authentication module, configured to analyze the memory information by using a memory forensics technology after verification succeeds, extract a system state when digital evidence is collected, and verify consistency of the system state with the digital evidence and the operation log; a second authentication module, configured to verify, by using memory analysis, whether a forensic tool is hooked or injected when running, and verify reliability of an operating environment of the forensic tool; and a report generating module, configured to generate a judicial appraisal report. Further, the terminal for network forensics further includes a communication module, configured to send the judicial appraisal report to a user terminal. 
According to an aspect of one or more embodiments of the present disclosure, a method for network forensics based on memory forensics and blockchain is provided. The method for network forensics based on memory forensics and blockchain is implemented in a system for network forensics, including: downloading, by a terminal for digital evidence fixing, a credible forensic tool through a blockchain network; interacting with the blockchain network to verify legitimacy of an execution code of the forensic tool; running the forensic tool, obtaining electronic data, generating an operation log, obtaining computer memory information by using a memory forensics technology, and fixing evidence; respectively generating hash values of the electronic data, the operation log, and the memory information, uploading the hash values to the blockchain network, and receiving a corresponding blockchain address returned; and sending, when collected digital evidence needs to be appraised, the digital evidence, the memory information and the corresponding blockchain address to a judicial appraisal agency terminal; and receiving, by the judicial appraisal agency terminal, a blockchain address sent by a terminal for digital evidence fixing; querying information on blockchain according to the blockchain address, and verifying legitimacy of electronic data, an operation log, and memory information; analyzing the memory information by using a memory forensics technology after verification succeeds, extracting a system state when digital evidence is collected, and verifying consistency of the system state with the digital evidence and the operation log; verifying, by using memory analysis, whether a forensic tool is hooked or injected when running, and verifying reliability of an operating environment of the forensic tool; and generating a judicial appraisal report. 
According to an aspect of one or more embodiments of the present disclosure, a system for network forensics based on memory forensics and blockchain is provided. The system for network forensics based on memory forensics and blockchain, based on the method for network forensics based on memory forensics and blockchain, includes: a terminal for digital evidence fixing and a judicial appraisal agency terminal; the terminal for digital evidence fixing is configured to download a credible forensic tool through a blockchain network; interact with the blockchain network to verify legitimacy of an execution code of the forensic tool; run the forensic tool, obtain electronic data, generate an operation log, obtain computer memory information by using a memory forensics technology, and fix evidence; respectively generate hash values of the electronic data, the operation log, and the memory information, upload the hash values to the blockchain network, and receive a corresponding blockchain address returned; and send, when collected digital evidence needs to be appraised, the digital evidence, the memory information and the corresponding blockchain address to the judicial appraisal agency terminal; and the judicial appraisal agency terminal is configured to receive a blockchain address sent by a terminal for digital evidence fixing; query information on blockchain according to the blockchain address, and verify legitimacy of electronic data, an operation log, and memory information; analyze the memory information by using a memory forensics technology after verification succeeds, extract a system state when digital evidence is collected, and verify consistency of the system state with the digital evidence and the operation log; verify, by using memory analysis, whether a forensic tool is hooked or injected when running, and verify reliability of an operating environment of the forensic tool; and generate a judicial appraisal report. 
Beneficial effects of the present disclosure are as follows: A method and a system for digital evidence fixing and network forensics based on memory forensics and blockchain are provided by the present disclosure, where through a method for digital evidence fixing based on memory forensics and blockchain, the digital evidence is fixed in front to avoid a problem of delaying forensics time; a memory forensics technology, a blockchain technology, and special forensic tools are used to ensure the credibility of a source and a process of obtaining electronic data, making the collected digital evidence difficult to tamper with, and the collected evidence easier to be accepted by the court.
The accompanying drawings constituting a part of this application are used for providing further understanding for this application. Exemplary embodiments of this application and descriptions thereof are used for explaining this application and do not constitute any inappropriate limitation to this application. FIG. 1 is a schematic diagram of a routine law enforcement and forensics process; FIG. 2 is a flowchart of a method for digital evidence fixing based on memory forensics and blockchain according to one or more embodiments; FIG. 3 is a schematic diagram of a law enforcement and forensics process according to one or more embodiments; FIG. 4 is a flowchart of a method for network forensics based on memory forensics and blockchain according to one or more embodiments; and FIG. 5 is a flowchart of another method for network forensics based on memory forensics and blockchain according to one or more embodiments.
The following clearly and completely describes the technical solutions in one or more embodiments of the present disclosure with reference to the accompanying drawings in one or more embodiments of the present disclosure. Apparently, the described embodiments are merely some of the embodiments of the present invention rather than all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on one or more embodiments of the present disclosure without creative efforts shall fall within the protection scope of the present invention. It should be noted that the following detailed descriptions are all exemplary and are intended to provide a further understanding of this application. Unless otherwise specified, all technical and scientific terms used in this embodiment have the same meaning as commonly understood by a person of ordinary skill in the art to which this application belongs. It should be noted that terms used herein are only for describing specific implementations and are not intended to limit exemplary implementations according to this application. As used herein, the singular form is intended to include the plural form, unless the context clearly indicates otherwise. In addition, it should further be understood that terms "comprise" and/or "include" used in this specification indicate that there are features, steps, operations, devices, components, and/or combinations thereof. It should be noted that architectures, functions, and operations of possible implementations of methods and systems according to various embodiments of this application are illustrated in the flowcharts and the block diagrams of the accompanying drawings. It should be noted that each box in a flowchart or a block diagram may represent a module, a program segment, or a part of code. 
The module, the program segment, or the part of code includes one or more executable instructions used for implementing designated logic functions in various embodiments. It should also be noted that in some implementations used as substitutes, functions annotated in boxes may alternatively occur in a sequence different from that annotated in an accompanying drawing. For example, two successive blocks may be basically performed in parallel, or they may be performed in an opposite order sometimes, depending on the functions involved. It should also be noted that each block in the block diagrams and/or the flowcharts, and a combination of blocks in the block diagrams and/or the flowcharts may be implemented using a dedicated hardware-based system for executing specified functions or actions, or may be implemented using a combination of dedicated hardware and computer instructions. The embodiments in the present disclosure and features in the embodiments may be combined with each other without conflicts, and the present disclosure will be further described below with reference to the accompanying drawings and embodiments.
Embodiment 1
According to an aspect of one or more embodiments of the present disclosure, a method for digital evidence fixing and network forensics based on memory forensics and blockchain is provided. As shown in FIG. 2, according to an aspect of one or more embodiments of the present disclosure, a method for digital evidence fixing based on memory forensics and blockchain is provided. The method for digital evidence fixing based on memory forensics and blockchain includes:
S101: Download a credible forensic tool through a blockchain network.
S102: Interact with the blockchain network to verify legitimacy of an execution code of the forensic tool.
S103: Run the forensic tool, obtain electronic data, generate an operation log, obtain computer memory information by using a memory forensics technology, and fix evidence.
S104: Respectively generate hash values of the electronic data, the operation log, and the memory information, upload the hash values to the blockchain network, and receive a corresponding blockchain address returned.
In step S101 of this embodiment, a special forensic tool is downloaded from the blockchain network; a credible dedicated forensic tool is downloaded from the blockchain network on a computer, and the forensic tools are run. Each of the forensic tools provided in the present disclosure is an existing computer forensic tool, and may be, but is not limited to, a common forensic tool such as Tcpdump, Argus, NFR, Tcpwrapper, Sniffers, Honeypot, Tripwires, Network monitor, disk mirroring, webpage fixing, or memory acquisition/analysis in a process of computer forensics.
In step S102 of this embodiment, the forensic tool interacts with the blockchain before running, and the verifying legitimacy of an execution code of the forensic tool is to verify that the execution code of the forensic tool is not modified.
In steps S103 and S104 of this embodiment, specific steps include: obtaining webpage information and electronic data of various types of APPs by using the forensic tool, fixing evidence, generating audit logs for each operation and an operating result, generating hash values for the fixed evidence and logs by using a hash function, and uploading the hash values/the fixed evidence/the audit logs to the blockchain network according to forensic requirements. While performing the following steps, a memory forensics technology is used to obtain computer memory information, fix evidence, and upload the hash value of the memory information to the blockchain network.
Memory Forensics: It is to acquire and analyze temporary data stored in a physical memory of a computer and related smart devices when running, and extract valuable data.
A memory is a region where an operating system and various software exchange data, where data is volatile, and the data usually disappears immediately after shutting down. In this embodiment, a method for memory forensics of a Windows/Linux system previously applied by the applicant is used to obtain and analyze computer memory information. Specifically, in step S103 of this embodiment, the forensic tool is run, 1) running a webpage fixing forensic tool to obtain information about webpages or various types of APPs, various types of operating environment information and other digital evidence; 2) running any forensic tool to generate an operation log for an acquisition process; and 3) running a memory acquisition forensic tool to obtain computer memory mirroring information. In step S104 of this embodiment, the forensic tool generates, by using the hash function, hash values for the acquired digital evidence, operation log, and memory mirroring information, and uploads the hash value of the evidence, the operation log and the hash value of the operation log, and the hash value of the memory mirroring information to the blockchain. The blockchain returns the blockchain address to the forensic tool. Further, the method further includes: sending, when collected digital evidence needs to be appraised, the digital evidence, the memory information and the corresponding blockchain address to a judicial appraisal agency terminal. 
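Steps S102 to S104 and the appraisal-side legitimacy check can be sketched as follows. This is an added example, not code from the patent: the in-memory `ToyLedger` hash chain stands in for the blockchain network, SHA-256 is an assumed choice of hash function, the returned "address" is assumed to be the block hash, and all names and sample bytes are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _block_hash(prev: str, payload: dict) -> str:
    body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True)
    return sha256_hex(body.encode())


@dataclass
class ToyLedger:
    """Append-only hash chain; a stand-in (assumption) for the blockchain network."""
    blocks: list = field(default_factory=list)

    def append(self, payload: dict) -> str:
        prev = self.blocks[-1]["address"] if self.blocks else GENESIS
        address = _block_hash(prev, payload)
        self.blocks.append({"address": address, "prev": prev, "payload": payload})
        return address

    def get(self, address: str) -> dict:
        """Return the payload at `address`, re-validating every link first."""
        prev, found = GENESIS, None
        for block in self.blocks:
            if block["prev"] != prev or _block_hash(prev, block["payload"]) != block["address"]:
                raise ValueError("ledger chain is broken or a record was altered")
            if block["address"] == address:
                found = block["payload"]
            prev = block["address"]
        if found is None:
            raise KeyError(address)
        return found


def verify_tool(ledger: ToyLedger, tool_address: str, tool_bytes: bytes) -> bool:
    """S102: the execution code is accepted only if it matches the published hash."""
    record = ledger.get(tool_address)
    return record.get("type") == "tool" and record["sha256"] == sha256_hex(tool_bytes)


def fix_evidence(ledger, tool_address, tool_bytes, evidence, operation_log, memory_image) -> str:
    """S102 to S104: refuse a modified tool, then anchor the three hashes."""
    if not verify_tool(ledger, tool_address, tool_bytes):
        raise PermissionError("forensic tool code does not match the ledger record")
    return ledger.append({
        "type": "evidence",
        "tool": tool_address,
        "evidence_sha256": sha256_hex(evidence),
        "log_sha256": sha256_hex(operation_log),
        "memory_sha256": sha256_hex(memory_image),
    })


def verify_legitimacy(ledger, address, evidence, operation_log, memory_image) -> dict:
    """Appraisal side: compare each received artifact with its anchored hash."""
    record = ledger.get(address)
    if record.get("type") != "evidence":
        raise ValueError("address does not point at an evidence record")
    return {
        "evidence": record["evidence_sha256"] == sha256_hex(evidence),
        "operation_log": record["log_sha256"] == sha256_hex(operation_log),
        "memory_image": record["memory_sha256"] == sha256_hex(memory_image),
    }


def demo():
    # All inputs below are constructed sample data.
    ledger = ToyLedger()
    tool = b"constructed forensic tool build\n"
    tool_addr = ledger.append({"type": "tool", "sha256": sha256_hex(tool)})
    evidence = b"<html>constructed captured page</html>"
    log = b"step=1 action=fetch_page result=ok\nstep=2 action=dump_memory result=ok\n"
    memory = bytes(range(256)) * 4
    addr = fix_evidence(ledger, tool_addr, tool, evidence, log, memory)
    intact = verify_legitimacy(ledger, addr, evidence, log, memory)
    tampered = verify_legitimacy(ledger, addr, evidence, log + b"edited", memory)
    try:
        fix_evidence(ledger, tool_addr, tool + b"patched", evidence, log, memory)
        modified_tool_rejected = False
    except PermissionError:
        modified_tool_rejected = True
    return intact, tampered, modified_tool_rejected


if __name__ == "__main__":
    print(demo())
```

A hash match only shows the artifacts are unchanged since anchoring; whether the tool ran in a clean environment is the separate memory-analysis check the description assigns to the judicial appraisal agency.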
In one or more embodiments of the present disclosure, if a user needs the evidence, the fixed evidence is provided to the judicial appraisal agency, and the judicial appraisal agency conducts judicial appraisal based on digital evidence and information of the blockchain: using the memory forensics technology to ensure that a system is not illegally invaded during a process of collecting evidence, excluding other behaviors that may affect the authenticity of the evidence, and using the blockchain technology to ensure that data in an entire process is not modified. The judicial appraisal agency issues a judicial appraisal report based on an appraisal result. As shown in FIG. 3, in one or more embodiments of the present disclosure, "a link of fixing evidence" in a forensics process of network data is turned from a job that needs to be done by a third-party agency into a job that can be done by any individual or organization, that is, from an original process of "searching for digital evidence-entrusting a third party to provide forensic fixing services and appraisal services-fixing evidence by a third party-conducting judicial appraisal by a third party and issuing a judicial appraisal report" into "searching for digital evidence-evidence fixing service-entrusting a third party to conduct judicial appraisal-conducting judicial appraisal by a third party and issuing a judicial appraisal report". In one or more embodiments of the present disclosure, a problem of delaying forensics time is avoided. Because a current method for network data forensics is not credible, evidence can only be fixed by a judicial appraisal agency or a notary agency.
From discovering digital evidence to entrusting a third-party agency to fix it, business entrustment (including price negotiation and sealing by the two parties), business arrangement, evidence fixing and other stages need to be carried out, which takes a period of time. Because data stored on websites and social APPs changes rapidly, the data to be collected is often modified before forensics takes place, so that the required evidence cannot be collected.
Cost is saved. Because evidence fixing can be performed by any individual or organization, and no third-party agency is required, a large amount of evidence fixing cost is saved.
The obtaining method is more credible, making the collected evidence easier for the court to accept.
Embodiment 2
According to an aspect of one or more embodiments of the present disclosure, a computer-readable storage medium is provided. The computer-readable storage medium stores a plurality of instructions, where the instructions are adapted to be loaded and executed by a processor of an electronic device to perform the method for digital evidence fixing based on memory forensics and blockchain.
Embodiment 3
According to an aspect of one or more embodiments of the present disclosure, an electronic device is provided. The electronic device includes a processor and a computer-readable storage medium, where the processor is configured to implement instructions, the computer-readable storage medium is configured to store the instructions, and the instructions are adapted to be loaded and executed by the processor to perform the method for digital evidence fixing based on memory forensics and blockchain.
These computer-executable instructions, when run on a device, cause the device to perform the method or process described according to the various embodiments in the present disclosure. In this embodiment, a computer program product may include a computer-readable storage medium, storing computer-readable program instructions used for performing the aspects of the present disclosure. The computer-readable storage medium may be a physical device that can retain and store an instruction used by an instruction-executing device. The computer-readable storage medium may be, for example, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any appropriate combination of the above.
In a more specific example (a non-exhaustive list), the computer-readable storage medium includes a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a static random access memory (SRAM), a portable compact disk read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanical coding device such as a punched card or protrusion in a groove in which instructions are stored, and any appropriate combination of the above. The computer-readable storage medium as used herein is not to be construed as a transient signal itself, such as a radio wave or other electromagnetic waves propagated freely, an electromagnetic wave propagated through a waveguide or other transmission media (e.g., a light pulse propagated through an optical fiber cable), or an electrical signal transmitted over a wire.
Computer-readable program instructions described herein can be downloaded to respective computing/processing devices from a computer-readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may include copper transmission cables, optical fiber transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium within each computing/processing device.
Computer program instructions used to perform operations of the present disclosure may be assembly instructions, instruction set architecture (ISA) instructions, machine instructions, machine-related instructions, microcode, firmware instructions, status setting data, or source code or object code written in any combination of one or more programming languages. The programming languages include object-oriented programming languages such as C++, and conventional procedural programming languages such as "C" language or similar programming languages. Computer-readable program instructions may be executed entirely on a computer of a user, partly on the computer of the user, as a stand-alone software package, partly on the computer of the user and partly on a remote computer, or entirely on the remote computer or a server. For the case involving a remote computer, the remote computer may be connected to a computer of a user through any type of network including a LAN or a WAN, or may be connected to an external computer (for example, through the Internet by using an Internet service provider). In some embodiments, an electronic circuit, such as a programmable logic circuit, a field programmable gate array (FPGA), or a programmable logic array (PLA), is customized by using status information of the computer-readable program instructions. The electronic circuit may execute the computer-readable program instructions to implement various aspects of the present disclosure.
Embodiment 4
According to an aspect of one or more embodiments of the present disclosure, a terminal for digital evidence fixing based on memory forensics and blockchain is provided.
The terminal for digital evidence fixing based on memory forensics and blockchain, based on the method for digital evidence fixing based on memory forensics and blockchain, includes: a forensic tool downloading module, configured to download a credible forensic tool through a blockchain network; a legitimacy verifying module, configured to interact with the blockchain network to verify legitimacy of an execution code of the forensic tool; an evidence fixing module, configured to run the forensic tool, obtain electronic data, generate an operation log, obtain computer memory information by using a memory forensics technology, and fix evidence; and a blockchain uploading module, configured to respectively generate hash values of the electronic data, the operation log, and the memory information, upload the hash values to the blockchain network, and receive a corresponding blockchain address returned.
Further, the terminal for digital evidence fixing further includes a communication module, configured to send, when collected digital evidence needs to be appraised, the digital evidence, the memory information and the corresponding blockchain address to a judicial appraisal agency terminal.
It should be noted that although a plurality of modules or sub-modules of a device are mentioned in the foregoing detailed description, such division is merely exemplary, not mandatory. Actually, according to the embodiments of the present disclosure, the features and functions of two or more modules described above may be embodied in one module. Conversely, the features or functions of one module described above may be further divided and embodied by a plurality of modules.
Embodiment 5
According to an aspect of one or more embodiments of the present disclosure, a method for network forensics based on memory forensics and blockchain is provided.
As shown in FIG. 4, the method for network forensics based on memory forensics and blockchain is implemented in a judicial appraisal agency terminal, including:
S201: Receive a blockchain address sent by a terminal for digital evidence fixing.
S202: Query information on the blockchain according to the blockchain address, and verify legitimacy of electronic data, an operation log, and memory information.
S203: Analyze the memory information by using a memory forensics technology after verification succeeds, extract a system state when digital evidence is collected, and verify consistency of the system state with the digital evidence and the operation log.
S204: Verify, by using memory analysis, whether a forensic tool is hooked or injected when running, and verify reliability of an operating environment of the forensic tool.
S205: Generate a judicial appraisal report.
Further, the verifying legitimacy of electronic data, an operation log, and memory information is to verify that the electronic data, the operation log, and the memory information are not modified.
According to content on a blockchain address and digital evidence provided by a user, the judicial appraisal agency terminal performs the following tasks.
1) Query information on the blockchain to verify whether the digital evidence, the operation log, and memory mirroring information are modified.
2) Analyze, by using a memory forensics technology, the memory mirroring information after verification succeeds, extract a system state when evidence is collected, and verify consistency of the system state with the electronic data/operation log and other information.
3) Verify, by using a memory analysis technology, that a forensic tool is not hooked or injected when running, and verify reliability of an operating environment of the forensic tool.
Further, the method further includes: sending the judicial appraisal report to a user terminal.
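The hash-and-anchor flow of steps S102 and S104 and the integrity check of S201-S202, as an added Python example that is not code from the patent or the applicant. SHA-256, the `ToyLedger` hash chain standing in for the blockchain network, all function and field names, and the sample bytes are assumptions made for illustration; the memory analysis of S203-S204 is outside its scope.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous address" used by the first block


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ToyLedger:
    """Append-only hash chain; a local stand-in (assumption) for the blockchain network."""

    def __init__(self):
        self._blocks = []

    @staticmethod
    def _address(prev: str, record: dict) -> str:
        # The address commits to the record and to the previous block's address.
        body = json.dumps({"prev": prev, "record": record}, sort_keys=True)
        return sha256_hex(body.encode("utf-8"))

    def upload(self, record: dict) -> str:
        prev = self._blocks[-1]["address"] if self._blocks else GENESIS
        address = self._address(prev, record)
        self._blocks.append({"prev": prev, "record": dict(record), "address": address})
        return address

    def query(self, address: str) -> dict:
        """Return the record at `address`, re-validating every block up to it."""
        prev = GENESIS
        for block in self._blocks:
            if block["prev"] != prev or self._address(prev, block["record"]) != block["address"]:
                raise ValueError("ledger chain is broken")
            if block["address"] == address:
                return dict(block["record"])
            prev = block["address"]
        raise KeyError(address)


def publish_tool(ledger: ToyLedger, tool_code: bytes) -> str:
    """Publisher side: anchor the hash of the forensic tool's execution code."""
    return ledger.upload({"type": "forensic_tool", "code_sha256": sha256_hex(tool_code)})


def verify_tool(ledger: ToyLedger, tool_address: str, downloaded_code: bytes) -> bool:
    """S102: the downloaded execution code must match the anchored hash."""
    record = ledger.query(tool_address)
    return (record.get("type") == "forensic_tool"
            and record.get("code_sha256") == sha256_hex(downloaded_code))


def fix_evidence(ledger: ToyLedger, electronic_data: bytes,
                 operation_log: str, memory_image: bytes) -> str:
    """S104: upload the three hashes plus the log itself; return the address."""
    record = {
        "type": "evidence",
        "data_sha256": sha256_hex(electronic_data),
        "operation_log": operation_log,
        "log_sha256": sha256_hex(operation_log.encode("utf-8")),
        "memory_sha256": sha256_hex(memory_image),
    }
    return ledger.upload(record)


def verify_package(ledger: ToyLedger, address: str, electronic_data: bytes,
                   operation_log: str, memory_image: bytes) -> dict:
    """S201-S202: recompute each hash from the submitted artefacts and compare."""
    record = ledger.query(address)
    if record.get("type") != "evidence":
        raise ValueError("address does not hold an evidence record")
    log_ok = (record["log_sha256"] == sha256_hex(operation_log.encode("utf-8"))
              and record["operation_log"] == operation_log)
    return {
        "electronic_data": record["data_sha256"] == sha256_hex(electronic_data),
        "operation_log": log_ok,
        "memory_image": record["memory_sha256"] == sha256_hex(memory_image),
    }


# Constructed sample artefacts (not real evidence).
SAMPLE_TOOL = b"constructed stand-in for the forensic tool binary"
SAMPLE_PAGE = b"<html><body>constructed webpage capture</body></html>"
SAMPLE_LOG = "10:00:01 start capture\n10:00:05 page saved\n10:00:09 memory acquired\n"
SAMPLE_MEMORY = bytes(range(256)) * 16  # constructed stand-in for a memory image

if __name__ == "__main__":
    chain = ToyLedger()
    tool_addr = publish_tool(chain, SAMPLE_TOOL)
    print("tool legitimate:", verify_tool(chain, tool_addr, SAMPLE_TOOL))
    evidence_addr = fix_evidence(chain, SAMPLE_PAGE, SAMPLE_LOG, SAMPLE_MEMORY)
    print("blockchain address:", evidence_addr)
    print("untouched package:",
          verify_package(chain, evidence_addr, SAMPLE_PAGE, SAMPLE_LOG, SAMPLE_MEMORY))
    edited_log = SAMPLE_LOG.replace("10:00:05", "10:00:07")
    print("edited log:",
          verify_package(chain, evidence_addr, SAMPLE_PAGE, edited_log, SAMPLE_MEMORY))
```

A per-artefact result lets the appraiser stop before memory analysis as soon as any one of the three items fails, which matches the "after verification succeeds" condition in S203.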
Embodiment 6
According to an aspect of one or more embodiments of the present disclosure, a computer-readable storage medium is provided. The computer-readable storage medium stores a plurality of instructions, where the instructions are adapted to be loaded and executed by a processor of an electronic device to perform the method for network forensics based on memory forensics and blockchain.
Embodiment 7
According to an aspect of one or more embodiments of the present disclosure, an electronic device is provided. The electronic device includes a processor and a computer-readable storage medium, where the processor is configured to implement instructions, the computer-readable storage medium is configured to store the instructions, and the instructions are adapted to be loaded and executed by the processor to perform the method for network forensics based on memory forensics and blockchain.
These computer-executable instructions, when run on a device, cause the device to perform the method or process described according to the various embodiments in the present disclosure. In this embodiment, a computer program product may include a computer-readable storage medium, storing computer-readable program instructions used for performing the aspects of the present disclosure. The computer-readable storage medium may be a physical device that can retain and store an instruction used by an instruction-executing device. The computer-readable storage medium may be, for example, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any appropriate combination of the above.
In a more specific example (a non-exhaustive list), the computer-readable storage medium includes a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a static random access memory (SRAM), a portable compact disk read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanical coding device such as a punched card or protrusion in a groove in which instructions are stored, and any appropriate combination of the above. The computer-readable storage medium as used herein is not to be construed as a transient signal itself, such as a radio wave or other electromagnetic waves propagated freely, an electromagnetic wave propagated through a waveguide or other transmission media (e.g., a light pulse propagated through an optical fiber cable), or an electrical signal transmitted over a wire.
Computer-readable program instructions described herein can be downloaded to respective computing/processing devices from a computer-readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may include copper transmission cables, optical fiber transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium within each computing/processing device.
Computer program instructions used to perform operations of the present disclosure may be assembly instructions, instruction set architecture (ISA) instructions, machine instructions, machine-related instructions, microcode, firmware instructions, status setting data, or source code or object code written in any combination of one or more programming languages. The programming languages include object-oriented programming languages such as C++, and conventional procedural programming languages such as "C" language or similar programming languages. Computer-readable program instructions may be executed entirely on a computer of a user, partly on the computer of the user, as a stand-alone software package, partly on the computer of the user and partly on a remote computer, or entirely on the remote computer or a server. For the case involving a remote computer, the remote computer may be connected to a computer of a user through any type of network including a LAN or a WAN, or may be connected to an external computer (for example, through the Internet by using an Internet service provider). In some embodiments, an electronic circuit, such as a programmable logic circuit, a field programmable gate array (FPGA), or a programmable logic array (PLA), is customized by using status information of the computer-readable program instructions. The electronic circuit may execute the computer-readable program instructions to implement various aspects of the present disclosure.
Embodiment 8
According to an aspect of one or more embodiments of the present disclosure, a terminal for network forensics based on memory forensics and blockchain is provided.
The terminal for network forensics based on memory forensics and blockchain, based on the method for network forensics based on memory forensics and blockchain, includes: a blockchain address receiving module, configured to receive a blockchain address sent by a terminal for digital evidence fixing; a legitimacy verifying module, configured to query information on blockchain according to the blockchain address, and verify legitimacy of electronic data, an operation log, and memory information; a first authentication module, configured to analyze the memory information by using a memory forensics technology after verification succeeds, extract a system state when digital evidence is collected, and verify consistency of the system state with the digital evidence and the operation log; a second authentication module, configured to verify, by using memory analysis, whether a forensic tool is hooked or injected when running, and verify reliability of an operating environment of the forensic tool; and a report generating module, configured to generate a judicial appraisal report.
Further, the terminal for network forensics further includes a communication module, configured to send the judicial appraisal report to a user terminal.
It should be noted that although a plurality of modules or sub-modules of a device are mentioned in the foregoing detailed description, such division is merely exemplary, not mandatory. Actually, according to the embodiments of the present disclosure, the features and functions of two or more modules described above may be embodied in one module. Conversely, the features or functions of one module described above may be further divided and embodied by a plurality of modules.
Embodiment 9
According to an aspect of one or more embodiments of the present disclosure, a method for network forensics based on memory forensics and blockchain is provided.
As shown in FIG. 5, the method for network forensics based on memory forensics and blockchain is implemented in a system for network forensics and includes:
Step S101: A terminal for digital evidence fixing downloads a credible forensic tool through a blockchain network.
Step S102: Interact with the blockchain network to verify legitimacy of an execution code of the forensic tool.
Step S103: Run the forensic tool, obtain electronic data, generate an operation log, obtain computer memory information by using a memory forensics technology, and fix evidence.
Step S104: Respectively generate hash values of the electronic data, the operation log, and the memory information, upload the hash values to the blockchain network, and receive a corresponding blockchain address returned.
The terminal for digital evidence fixing sends, when collected digital evidence needs to be appraised, the digital evidence, the memory information and the corresponding blockchain address to a judicial appraisal agency terminal.
Step S201: The judicial appraisal agency terminal receives the blockchain address sent by the terminal for digital evidence fixing.
Step S202: The judicial appraisal agency terminal queries information on blockchain according to the blockchain address, and verifies legitimacy of the electronic data, the operation log, and the memory information.
Step S203: The judicial appraisal agency terminal analyzes the memory information by using the memory forensics technology after verification succeeds, extracts a system state when the digital evidence is collected, and verifies consistency of the system state with the digital evidence and the operation log.
Step S204: The judicial appraisal agency terminal verifies, by using memory analysis, whether a forensic tool is hooked or injected when running, and verifies reliability of an operating environment of the forensic tool.
Step S205: The judicial appraisal agency terminal generates a judicial appraisal report.
As shown in FIG. 3, a process for network forensics based on memory forensics and blockchain technologies is adopted. In a forensics process for network data or data stored on various types of network APPs according to the implementation of this patent, with support of the blockchain technology, a user collects and fixes electronic data including computer memory as required (step 1); after evidence is fixed, the user then entrusts a judicial appraisal agency to conduct judicial appraisal of digital evidence as required (step 2); and the judicial appraisal agency conducts judicial appraisal based on data, memory data, and digital evidence on the blockchain, verifies that the digital evidence is not modified when being collected and after being collected (step 3), and issues a judicial appraisal report to the user (step 4). As can be seen from a comparison between FIG. 1 and FIG. 3, by adopting a method of this patent, evidence-requiring organizations or individuals can collect and fix evidence by themselves as required, which can effectively reduce links and processing time of forming evidence, and simultaneously avoid potential risks of modifying and destroying original evidence caused by a time interval between two times of collection of evidence.
Embodiment 10
According to an aspect of one or more embodiments of the present disclosure, a system for network forensics based on memory forensics and blockchain is provided.
The system for network forensics based on memory forensics and blockchain, based on the method for network forensics based on memory forensics and blockchain, includes: a terminal for digital evidence fixing and a judicial appraisal agency terminal; the terminal for digital evidence fixing is configured to download a credible forensic tool through a blockchain network; interact with the blockchain network to verify legitimacy of an execution code of the forensic tool; run the forensic tool, obtain electronic data, generate an operation log, obtain computer memory information by using a memory forensics technology, and fix evidence; respectively generate hash values of the electronic data, the operation log, and the memory information, upload the hash values to the blockchain network, and receive a corresponding blockchain address returned; and send, when collected digital evidence needs to be appraised, the digital evidence, the memory information and the corresponding blockchain address to the judicial appraisal agency terminal; and the judicial appraisal agency terminal is configured to receive a blockchain address sent by the terminal for digital evidence fixing; query information on blockchain according to the blockchain address, and verify legitimacy of electronic data, an operation log, and memory information; analyze the memory information by using a memory forensics technology after verification succeeds, extract a system state when digital evidence is collected, and verify consistency of the system state with the digital evidence and the operation log; verify, by using memory analysis, whether a forensic tool is hooked or injected when running, and verify reliability of an operating environment of the forensic tool; and generate a judicial appraisal report. The above descriptions are merely exemplary embodiments of this application and are not intended to limit this application. 
For those skilled in the art, this application may have various modifications and changes. Any modification, equivalent replacement, or improvement made without departing from the spirit and principle of this application shall fall within the protection scope of this application. Therefore, the present invention is not limited to these embodiments illustrated herein, but conforms to the broadest scope consistent with the principles and novel features disclosed in this invention.
Claims (10)
1. A method for digital evidence fixing based on memory forensics and blockchain, wherein the method comprises: downloading a credible forensic tool through a blockchain network; interacting with the blockchain network to verify legitimacy of an execution code of the forensic tool; running the forensic tool, obtaining electronic data, generating an operation log, obtaining computer memory information by using a memory forensics technology, and fixing evidence; and respectively generating hash values of the electronic data, the operation log, and the memory information, uploading the hash values to the blockchain network, and receiving a corresponding blockchain address returned.
2. The method for digital evidence fixing based on memory forensics and blockchain according to claim 1, wherein in the method, the verifying legitimacy of an execution code of the forensic tool is to verify that the execution code of the forensic tool is not modified; alternatively, the method further comprises: sending, when collected digital evidence needs to be appraised, the digital evidence, the memory information and the corresponding blockchain address to a judicial appraisal agency terminal.
3. A computer-readable storage medium, storing a plurality of instructions, wherein the instructions are adapted to be loaded and executed by a processor of an electronic device to perform the method for digital evidence fixing based on memory forensics and blockchain according to either of claims 1 and 2.
4. An electronic device, comprising a processor and a computer-readable storage medium, wherein the processor is configured to implement instructions, and the computer-readable storage medium is configured to store the instructions, wherein the instructions are adapted to be loaded and executed by the processor to perform the method for digital evidence fixing based on memory forensics and blockchain according to either of claims 1 and 2.
5. A method for network forensics based on memory forensics and blockchain, wherein the method is implemented in a judicial appraisal agency terminal, comprising: receiving a blockchain address sent by a terminal for digital evidence fixing; querying information on blockchain according to the blockchain address, and verifying legitimacy of electronic data, an operation log, and memory information; analyzing the memory information by using a memory forensics technology after verification succeeds, extracting a system state when digital evidence is collected, and verifying consistency of the system state with the digital evidence and the operation log; verifying, by using memory analysis, whether a forensic tool is hooked or injected when running, and verifying reliability of an operating environment of the forensic tool; and generating a judicial appraisal report.
6. The method for network forensics based on memory forensics and blockchain according to claim 5, wherein the verifying legitimacy of electronic data, an operation log, and memory information is to verify that the electronic data, the operation log, and the memory information is not modified; alternatively, the method further comprises: sending the judicial appraisal report to a user terminal.
7. A computer-readable storage medium, storing a plurality of instructions, wherein the instructions are adapted to be loaded and executed by a processor of an electronic device to perform the method for network forensics based on memory forensics and blockchain according to either of claims 5 and 6.
8. An electronic device, comprising a processor and a computer-readable storage medium, wherein the processor is configured to implement instructions, and the computer-readable storage medium is configured to store the instructions, wherein the instructions are adapted to be loaded and executed by the processor to perform the method for network forensics based on memory forensics and blockchain according to either of claims 5 and 6.
9. A method for network forensics based on memory forensics and blockchain, wherein the method is implemented in a system for network forensics, comprising: downloading, by a terminal for digital evidence fixing, a credible forensic tool through a blockchain network; interacting with the blockchain network to verify legitimacy of an execution code of the forensic tool; running the forensic tool, obtaining electronic data, generating an operation log, obtaining computer memory information by using a memory forensics technology, and fixing evidence; respectively generating hash values of the electronic data, the operation log, and the memory information, uploading the hash values to the blockchain network, and receiving a corresponding blockchain address returned; and sending, when collected digital evidence needs to be appraised, the digital evidence, the memory information and the corresponding blockchain address to a judicial appraisal agency terminal; and receiving, by the judicial appraisal agency terminal, a blockchain address sent by a terminal for digital evidence fixing; querying information on blockchain according to the blockchain address, and verifying legitimacy of electronic data, an operation log, and memory information; analyzing the memory information by using a memory forensics technology after verification succeeds, extracting a system state when digital evidence is collected, and verifying consistency of the system state with the digital evidence and the operation log; verifying, by using memory analysis, whether a forensic tool is hooked or injected when running, and verifying reliability of an operating environment of the forensic tool; and generating a judicial appraisal report.
10. A system for network forensics based on memory forensics and blockchain, wherein based on the method for network forensics based on memory forensics and blockchain according to claim 9, the system comprises: a terminal for digital evidence fixing and a judicial appraisal agency terminal; the terminal for digital evidence fixing is configured to download a credible forensic tool through a blockchain network; interact with the blockchain network to verify legitimacy of an execution code of the forensic tool; run the forensic tool, obtain electronic data, generate an operation log, obtain computer memory information by using a memory forensics technology, and fix evidence; respectively generate hash values of the electronic data, the operation log, and the memory information, upload the hash values to the blockchain network, and receive a corresponding blockchain address returned; and send, when collected digital evidence needs to be appraised, the digital evidence, the memory information and the corresponding blockchain address to the judicial appraisal agency terminal; and the judicial appraisal agency terminal is configured to receive a blockchain address sent by a terminal for digital evidence fixing; query information on blockchain according to the blockchain address, and verify legitimacy of electronic data, an operation log, and memory information; analyze the memory information by using a memory forensics technology after verification succeeds, extract a system state when digital evidence is collected, and verify consistency of the system state with the digital evidence and the operation log; verify, by using memory analysis, whether a forensic tool is hooked or injected when running, and verify reliability of an operating environment of the forensic tool; and generate a judicial appraisal report.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910516137.5A CN110232645B (en) | 2019-06-14 | 2019-06-14 | Electronic evidence fixing and network evidence obtaining method and system based on memory evidence obtaining and block chain |
CN201910516137.5 | 2019-06-14 | ||
PCT/CN2020/095945 WO2020249112A1 (en) | 2019-06-14 | 2020-06-12 | Method and system for digital evidence fixing and network forensics on basis of memory forensics and blockchain |
Publications (1)
Publication Number | Publication Date |
---|---|
AU2020290622A1 (en) | 2022-01-27 |
Family
ID=67859299
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
AU2020290622A Abandoned AU2020290622A1 (en) | 2019-06-14 | 2020-06-12 | Method and system for digital evidence fixing and network forensics on basis of memory forensics and blockchain |
Country Status (3)
Country | Link |
---|---|
CN (1) | CN110232645B (en) |
AU (1) | AU2020290622A1 (en) |
WO (1) | WO2020249112A1 (en) |
Families Citing this family (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110232645B (en) * | 2019-06-14 | 2021-09-21 | 山东省计算中心(国家超级计算济南中心) | Electronic evidence fixing and network evidence obtaining method and system based on memory evidence obtaining and block chain |
CN110782374A (en) * | 2019-10-28 | 2020-02-11 | 支付宝(杭州)信息技术有限公司 | Electronic evidence obtaining method and system based on block chain |
CN112966042A (en) * | 2019-12-12 | 2021-06-15 | 成都鼎桥通信技术有限公司 | Law enforcement recorder information processing method and system based on block chain |
CN113132109B (en) * | 2019-12-31 | 2023-01-24 | 航天信息股份有限公司 | Electronic deposit certificate management method and device based on block chain and electronic equipment |
CN111475465B (en) * | 2020-03-19 | 2023-05-05 | 重庆邮电大学 | Intelligent home evidence obtaining method based on body |
CN112214801A (en) * | 2020-09-23 | 2021-01-12 | 湖南信达通信息技术有限公司 | Electronic evidence obtaining management method, electronic evidence obtaining equipment and computer readable storage medium |
CN112214464A (en) * | 2020-10-12 | 2021-01-12 | 厦门市美亚柏科信息股份有限公司 | Evidence preservation method and system based on block chain |
CN112380269B (en) * | 2020-10-28 | 2022-03-22 | 杭州链城数字科技有限公司 | Identity card information inquiry and evidence fixing and obtaining method based on block chain |
CN112632372B (en) * | 2020-12-11 | 2022-05-13 | 杭州趣链科技有限公司 | Electronic evidence information uplink method and device and block link point equipment |
CN112751920B (en) * | 2020-12-28 | 2023-03-24 | 杭州趣链科技有限公司 | Block chain-based network interaction behavior evidence obtaining method and device and terminal |
CN113986806B (en) * | 2021-11-03 | 2022-08-02 | 厦门市美亚柏科信息股份有限公司 | GOIP high-speed evidence obtaining method and system based on serial port and network port and storage medium |
CN114355853B (en) * | 2021-12-30 | 2023-09-19 | 绿盟科技集团股份有限公司 | Industrial control data evidence obtaining method and device, electronic equipment and storage medium |
CN114666353A (en) * | 2022-03-16 | 2022-06-24 | 南京邮电大学 | Electronic access evidence obtaining system and method based on block chain |
CN118133356B (en) * | 2024-05-10 | 2024-08-13 | 山东省计算中心(国家超级计算济南中心) | Evidence obtaining method and system for network transaction behavior data |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102325139B (en) * | 2011-09-14 | 2014-07-09 | 福建伊时代信息科技股份有限公司 | Electronic document processing method, processing system and verification system |
CN107948736A (en) * | 2017-11-03 | 2018-04-20 | 法信公证云(厦门)科技有限公司 | A kind of audio and video preservation of evidence method and system |
CN108924151A (en) * | 2018-07-23 | 2018-11-30 | 杭州安恒信息技术股份有限公司 | A kind of method and system of internet of things equipment evidence obtaining |
CN109102437A (en) * | 2018-08-10 | 2018-12-28 | 山东省计算中心(国家超级计算济南中心) | A kind of webpage automatic evidence-collecting method and system based on block chain |
CN109344635A (en) * | 2018-09-29 | 2019-02-15 | 华东师范大学 | A kind of electronic evidence acquisition, preservation and verification method based on block chain |
CN110232645B (en) * | 2019-06-14 | 2021-09-21 | 山东省计算中心(国家超级计算济南中心) | Electronic evidence fixing and network evidence obtaining method and system based on memory evidence obtaining and block chain |
2019
- 2019-06-14 CN CN201910516137.5A patent/CN110232645B/en active Active
2020
- 2020-06-12 WO PCT/CN2020/095945 patent/WO2020249112A1/en active Application Filing
- 2020-06-12 AU AU2020290622A patent/AU2020290622A1/en not_active Abandoned
Also Published As
Publication number | Publication date |
---|---|
CN110232645B (en) | 2021-09-21 |
CN110232645A (en) | 2019-09-13 |
WO2020249112A1 (en) | 2020-12-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
AU2020290622A1 (en) | Method and system for digital evidence fixing and network forensics on basis of memory forensics and blockchain | |
US11750659B2 (en) | Cybersecurity profiling and rating using active and passive external reconnaissance | |
US20200389495A1 (en) | Secure policy-controlled processing and auditing on regulated data sets | |
Ab Rahman et al. | Forensic-by-design framework for cyber-physical cloud systems | |
Shah et al. | An overview of vulnerability assessment and penetration testing techniques | |
Albakri et al. | Security risk assessment framework for cloud computing environments | |
US20230362200A1 (en) | Dynamic cybersecurity scoring and operational risk reduction assessment | |
Cinar et al. | Cloud computing forensics; challenges and future perspectives: A review | |
CA2966408A1 (en) | A system and method for network intrusion detection of covert channels based on off-line network traffic | |
Wazid et al. | Hacktivism trends, digital forensic tools and challenges: A survey | |
Tariq | Towards information security metrics framework for cloud computing | |
Asghari et al. | Security economics in the HTTPS value chain | |
Makutsoane et al. | A conceptual framework to determine the digital forensic readiness of a Cloud Service Provider | |
Makura et al. | Digital forensic readiness in operational cloud leveraging ISO/IEC 27043 guidelines on security monitoring | |
Bhardwaj et al. | Sql injection attack detection, evidence collection, and notifying system using standard intrusion detection system in network forensics | |
Hawanna et al. | Risk Rating System of X.509 Certificates | |
CN113127919A (en) | Data processing method and device, computing equipment and storage medium | |
Das et al. | A Model of Cloud Forensic Application With Assurance of Cloud Log | |
Li et al. | The invisible side of certificate transparency: exploring the reliability of monitors in the wild | |
Krishnan | Role and Impact of Digital Forensics in Cyber Crime Investigations | |
Li | On Enhancing Security of Password-Based Authentication | |
Zegeye et al. | Vulnerability database analysis for 10 years for ensuring security of cyber critical green infrastructures | |
Nehinbe | A Model for Auditing Smart Intrusion Detection Systems (IDSs) and Log Analyzers in Cyber-Physical Systems (CPSs) | |
US20240195841A1 (en) | System and method for manipulation of secure data | |
Shukla | Threat Hunting Using a Machine Learning Approach |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
MK5 | Application lapsed section 142(2)(e) - patent request and compl. specification not accepted |