CN102289485A - Method for analyzing timeline aiming at computer files - Google Patents
- Publication number: CN102289485A
- Authority: CN (China)
- Prior art keywords: time, record, data, timeline, file
- Prior art date: 2011-08-04
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a method for timeline analysis of computer files and record data. The method sorts, by time value, the creation time, modification time and last access time of all files in a system, the creation time of registry keys, the sending time, server receipt time and save-to-local time of e-mails, the last access time of internet logs, the times of operating-system and application logs, the times of instant-messaging records, and the creation time, receipt time and completion time of file download items, and displays the sorted sequence as a chart and a summary.
Description
Technical field
The present invention relates to the field of computer forensics, and in particular to a method for analyzing file times and data record times.
Background technology
Computer forensics (also called computer evidence collection, computer identification or computer forensic medicine) refers to the use of computer identification techniques to analyze computer crimes so as to establish the offender and the computer evidence, and to bring proceedings on that basis. In other words, it is the acquisition, preservation, analysis and presentation of evidence in response to computer intrusion and crime. Computer evidence is the electromagnetic record produced during the operation of a computer system whose content proves the facts of a case. Technically, computer forensics is the process of scanning and analyzing the computer systems related to a case and reconstructing the data found in them. It can be understood as "extracting evidence from a computer": the evidence that is obtained, preserved, analyzed, presented and submitted must be credible. Computer forensics plays a crucial role in combating computer and network crime; its purpose is to present the "traces" left by the offender in the computer to the court as effective litigation evidence, so that the suspect can be punished by law. Computer forensics is therefore an interdisciplinary science spanning computing and jurisprudence, used to resolve a large number of computer crimes and incidents, including network intrusion, theft of intellectual property and network fraud.
A file's attributes hold its creation time, modification time and last access time; a key in the registry holds its creation time; instant-messaging software holds the time of each chat record; and so on. Within a given period, the creation of a file, a chat between two people and the creation of a new registry key may all occur, and these changes are quite possibly related to each other, yet no software currently on the market can describe these changes and the effect they bring about.
In summary, given the shortcomings of the prior art, a method for timeline analysis of the files and data records in a computer is needed.
Summary of the invention
The purpose of the present invention is to provide a method for timeline analysis of the files and data records in a computer, which sorts the creation time, modification time and last access time of all files in the system, the creation time of registry keys, the sending time, server receipt time and save-to-local time of mail, the last access time of internet logs, the times of operating-system and application logs, the times of instant-messaging records, and the creation time, receipt time and completion time of file download items, and displays them as a chart and a summary, thereby achieving the object of the invention.
The technical problem solved by the invention can be realized by the following technical solution:
A method for timeline analysis of the files and data records in a computer, characterized in that the method comprises the following steps:
1) obtain the corresponding file record data by parsing the specific file system;
2) determine the specific format of the file in which each record type resides, parse the record, and obtain the time information associated with the file;
3) parse the registry records and obtain the time information of the registry entries;
4) parse the mail data and obtain the sending time, server receipt time and save-to-local time of the mail;
5) parse the internet log records and obtain the access time information of the internet log;
6) parse the instant-messaging log records and obtain the time information of the instant-messaging records;
7) parse the operating-system and application log data and obtain the time information of the logs;
8) parse the download-item records of the various download programs and obtain the creation time and receipt time of the download items;
9) form data pairs from pointers to the above records together with the time type, add them to a list, and sort the list by time value;
10) count the number of data pairs in the list and display the records in the interface.
In one embodiment of the invention, the method can specify a time period and display the data and records of that period.
In one embodiment of the invention, the different kinds of records are displayed by category in different colors.
In one embodiment of the invention, when a new kind of record is parsed or a disk is loaded, the data pairs are re-sorted by time on a unified basis.
In one embodiment of the invention, the data pairs can be filtered according to their data characteristics.
Embodiment
To make the technical means, creative features, objects and effects of the present invention easy to understand, the invention is further described below with reference to the specific figures.
The present invention is mainly directed at a given period: it sorts the creation time, modification time and last access time of all files in the system, the creation time of registry keys, the sending time, server receipt time and save-to-local time of mail, the last access time of internet logs, the times of operating-system and application logs, the times of instant-messaging records, and the creation time, receipt time and completion time of file download items, and displays them as a chart and a summary.
For the seven types of records (file/folder, internet log, mail record, instant messaging, registry, system log and download history), the corresponding time-type enumeration variables are set as follows:
These time types make it convenient to filter the list and to obtain the time and the time type of an element.
The data pairs formed from every record and its time are stored in a list.
For the case where a disk is loaded several times or an application analysis is run several times, a countermeasure is provided: since the repeated operations may leave duplicate elements in the list, std::set is used to reject identical elements, which are then inserted back into the list.
For records of the file/directory type, the traversal proceeds downward from the given root node, and every node (folders included) is inserted into the list together with its corresponding time type.
For records of the application-analysis type, the traversal also proceeds downward from the root node, and an inserted node must satisfy the following condition:
Record type | Node condition
---|---
Instant messaging | Non-folder
Download | Non-folder
Operating-system and application log | Non-folder
Internet log | Non-folder
Mail record | Non-folder
Registry | All nodes
In addition, the following classes of operation are provided on the inserted nodes:
Filter by time: select all records between a minimum time (minT) and a maximum time (maxT), returning the begin and end iterators into the list.
Filter by type: from the given begin and end iterators, obtain the records of a given time type.
The beneficial effects of the present invention are:
1) by adjusting the length of the time control or the progress bar on the left, the records of any time period can be filtered out;
2) by selecting the respective record type and its time type, the required records can be controlled;
3) with the filter, records can be filtered by information such as name, summary and whether they are deleted;
4) the specific count of each type can be checked;
5) the color of each type can be set;
6) the display granularity within a given time range can be set;
7) it is possible to jump to the system installation time and the last unused time;
8) useful information can be marked and selected;
9) a meaningful list can be exported;
10) it is possible to jump to the source record in order to check more detailed information.
Taking the analysis of registry times as an example, the timeline analysis method is described as follows:
1. By studying the registry, confirm that the registry consists of several main files: the file system under Windows/System32/Config represents the SYSTEM key under HKEY_LOCAL_MACHINE, the file software represents the SOFTWARE key under HKEY_LOCAL_MACHINE, and so on.
2. Parse the format of the registry files and obtain the tree representation of the corresponding registry keys and values;
3. By studying the format, confirm that only registry keys carry a creation time, while registry values carry no time, so only registry keys can take part in the timeline analysis;
4. Form a data pair from the pointer to each registry key and its associated enumeration value (REGISTRY_TIME);
5. Import all the data pairs into a global list, which can hold records of every type together with their associated time types;
6. Sort the list; the comparison criterion is the associated time, which for a registry key is the creation time of the key;
7. Count the elements (data pairs) in the list and display the records in the interface.
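Steps 1) to 10) of the method and the registry example above, as an added C++ example that is not the patent's own code: records are assumed to have already been parsed from their file formats, and the example covers the list of (pointer, time type) data pairs, the rejection of duplicates with std::set after a repeated load, the sort by time value, and the filter-by-time and filter-by-type operations. The type names (Record, Entry, Timeline), the enumerator names other than REGISTRY_TIME, the function names and the sample records are all constructed here and are not taken from the patent. One caveat a practitioner would want: the timestamp a Windows registry hive stores with each key is the key's last-write time, which the description above calls its creation time; it is a FILETIME, and is converted to Unix seconds here so that it orders against file-system and log times in one comparison.

```cpp
#include <algorithm>
#include <cstdint>
#include <iterator>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Time types for the seven record classes (enumerator names are assumed).
enum TimeType {
    FILE_CREATE, FILE_MODIFY, FILE_ACCESS, REGISTRY_TIME,
    MAIL_SENT, MAIL_SERVER_RECEIVED, MAIL_SAVED_LOCAL, INTERNET_LOG_ACCESS,
    IM_RECORD, SYSTEM_LOG, DOWNLOAD_CREATE, DOWNLOAD_RECEIVED, DOWNLOAD_FINISHED
};
// Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to seconds since the Unix epoch;
// registry hives store key timestamps as FILETIME, and one scale lets every source sort together.
int64_t filetimeToUnix(uint64_t ft) {
    return static_cast<int64_t>(ft / 10000000ULL) - 11644473600LL;
}
// One parsed record (file, registry key, chat log, download item, ...) with its timestamps.
struct Record {
    std::string source, name;   // source: "file", "registry", "im", "download", ...
    bool isFolder;
    std::vector<std::pair<TimeType, int64_t>> times;
};
// The data pair kept in the global list: pointer to the record plus one time type. Ordered by
// time first, so a std::set of entries is in timeline order; exact duplicates compare equal.
struct Entry {
    const Record* rec;
    TimeType type;
    int64_t time;
    bool operator<(const Entry& o) const {
        if (time != o.time) return time < o.time;
        if (rec != o.rec) return rec < o.rec;
        return type < o.type;
    }
};

class Timeline {
public:
    using Iter = std::vector<Entry>::const_iterator;
    // Step 9): form (pointer, time type) pairs and add them to the list. The caller keeps
    // `recs` alive and unmoved for as long as the timeline is used.
    void addRecords(const std::vector<Record>& recs) {
        for (const Record& r : recs) {
            // Node condition: file/folder and registry contribute every node, others non-folder only.
            if (r.isFolder && r.source != "file" && r.source != "registry") continue;
            for (const auto& t : r.times) entries_.push_back({&r, t.first, t.second});
        }
        rebuild();
    }
    // Loading a disk again re-inserts the same pairs; std::set drops duplicates and sorts by time.
    void rebuild() {
        std::set<Entry> unique(entries_.begin(), entries_.end());
        entries_.assign(unique.begin(), unique.end());
    }
    size_t size() const { return entries_.size(); }   // step 10): number of data pairs
    // Filter by time: begin/end iterators over entries with minT <= time <= maxT.
    std::pair<Iter, Iter> filterByTime(int64_t minT, int64_t maxT) const {
        Iter b = std::lower_bound(entries_.begin(), entries_.end(), minT,
                                  [](const Entry& e, int64_t t) { return e.time < t; });
        Iter e = std::upper_bound(b, entries_.end(), maxT,
                                  [](int64_t t, const Entry& x) { return t < x.time; });
        return {b, e};
    }
    // Filter by type: the entries of one time type within an iterator range.
    static std::vector<Entry> filterByType(Iter b, Iter e, TimeType type) {
        std::vector<Entry> out;
        std::copy_if(b, e, std::back_inserter(out),
                     [type](const Entry& x) { return x.type == type; });
        return out;
    }
private:
    std::vector<Entry> entries_;
};

// Constructed sample records (not real evidence); Unix seconds on 2011-08-04 UTC, registry as FILETIME.
const std::vector<Record>& sampleRecords() {
    static const std::vector<Record> recs = {
        {"file", "C:\\Users\\a\\report.docx", false,
         {{FILE_CREATE, 1312416000}, {FILE_MODIFY, 1312419600}, {FILE_ACCESS, 1312423200}}},
        {"registry", "HKLM\\SOFTWARE\\ExampleApp", false, {{REGISTRY_TIME, filetimeToUnix(129568914000000000ULL)}}},
        {"im", "ChatLogs", true, {{IM_RECORD, 1312418000}}},   // folder: not inserted
        {"im", "ChatLogs\\2011-08-04.txt", false, {{IM_RECORD, 1312418400}}},
        {"download", "setup.exe", false, {{DOWNLOAD_CREATE, 1312420000}, {DOWNLOAD_FINISHED, 1312421000}}},
    };
    return recs;
}
// Entries in [minT, maxT], restricted to one time type if given. The records are loaded
// twice, as when a disk is mounted again; the second pass adds nothing.
size_t sampleCount(int64_t minT, int64_t maxT, int type = -1) {
    Timeline tl;
    tl.addRecords(sampleRecords());
    tl.addRecords(sampleRecords());
    std::pair<Timeline::Iter, Timeline::Iter> r = tl.filterByTime(minT, maxT);
    if (type < 0) return static_cast<size_t>(r.second - r.first);
    return Timeline::filterByType(r.first, r.second, static_cast<TimeType>(type)).size();
}
```

With these sample records the second load leaves the list at seven entries (three for the file, one for the registry key, one for the chat log file, two for the download item; the ChatLogs folder is rejected by the node condition), and a filter over 1312417000 to 1312420000 returns the registry key, the chat record, the file's modification time and the download's creation time, in that order. Because Entry orders by time before anything else, the std::set rebuild doubles as the sort of step 9); a production tool would also keep the raw 100 ns precision of the FILETIME rather than truncating to seconds, since two events one second apart can otherwise appear simultaneous.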
The above shows and describes the basic principles, main features and advantages of the present invention. Those skilled in the art should understand that the present invention is not limited to the embodiments described above; the embodiments and the description merely illustrate the principles of the invention. Without departing from the spirit and scope of the invention, the invention may undergo various changes and modifications, all of which fall within the claimed scope of the invention, which is defined by the appended claims and their equivalents.
Claims (5)
1. A method for timeline analysis of computer files and record data, characterized in that the method comprises the following steps:
1) obtain the corresponding file record data by parsing the specific file system;
2) determine the specific format of the file in which each record type resides, parse the record, and obtain the time information associated with the file;
3) parse the registry records and obtain the time information of the registry entries;
4) parse the mail data and obtain the sending time, server receipt time and save-to-local time of the mail;
5) parse the internet log records and obtain the access time information of the internet log;
6) parse the instant-messaging log records and obtain the time information of the instant-messaging records;
7) parse the operating-system and application log data and obtain the time information of the logs;
8) parse the download-item records of the various download programs and obtain the creation time and receipt time of the download items;
9) form data pairs from pointers to the above records together with the time type, add them to a list, and sort the list by time value;
10) count the number of data pairs in the list and display the records in the interface.
2. The method for timeline analysis of computer files and record data as claimed above, characterized in that the method can specify a time period, and filters and displays the data and records of the corresponding period.
3. The method for timeline analysis of computer files and record data as claimed above, characterized in that the different kinds of records are displayed by category in different colors.
4. The method for timeline analysis of computer files and record data as claimed above, characterized in that, when a new kind of record is parsed or a disk is loaded, the data pairs are re-sorted by time on a unified basis.
5. The method for timeline analysis of computer files and record data as claimed above, characterized in that the method can filter the data pairs according to their data characteristics.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2011102230644A CN102289485A (en) | 2011-08-04 | 2011-08-04 | Method for analyzing timeline aiming at computer files |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102289485A true CN102289485A (en) | 2011-12-21 |
Family
ID=45335912
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103076950A (en) * | 2012-12-25 | 2013-05-01 | 北京百度网讯科技有限公司 | Managing method for session threading list |
CN103297315A (en) * | 2012-02-27 | 2013-09-11 | 腾讯科技(深圳)有限公司 | Information processing method and device |
CN104380322A (en) * | 2012-04-05 | 2015-02-25 | 诺基亚公司 | User event content, associated apparatus and methods |
CN106021623A (en) * | 2016-07-15 | 2016-10-12 | 珠海金山网络游戏科技有限公司 | Method and device for log dotting information |
CN109246297A (en) * | 2018-08-29 | 2019-01-18 | 厦门市美亚柏科信息股份有限公司 | A kind of method, apparatus and storage medium of determining mobile terminal factory reset time |
CN113886338A (en) * | 2021-12-07 | 2022-01-04 | 天津联想协同科技有限公司 | Method, device and storage medium for reverse tracing of outer link |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1976299A (en) * | 2005-12-01 | 2007-06-06 | 国际商业机器公司 | Method and system of managing application log configuration settings |
Non-Patent Citations (2)
Title |
---|
张俊 et al.: "Time investigation in computer forensics" (计算机取证中的时间调查), 《警察技术》 (Police Technology) |
赵小敏: "Research on log-based computer forensics technology and the design and implementation of a system" (基于日志的计算机取证技术的研究及系统设计与实现), 中国优秀博硕士学位论文全文数据库(硕士)信息科技辑 (China Master's Theses Full-text Database, Information Science and Technology) |
Legal Events
Code | Title
---|---
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C12 | Rejection of a patent application after its publication
RJ01 | Rejection of invention patent application after publication
Application publication date: 2011-12-21