CN102571976A - Method for locating geographical position of disk based on protocol head of hyper text transfer protocol (HTTP) - Google Patents
Method for locating geographical position of disk based on protocol head of hyper text transfer protocol (HTTP) Download PDFInfo
- Publication number
- CN102571976A CN102571976A CN201210024268XA CN201210024268A CN102571976A CN 102571976 A CN102571976 A CN 102571976A CN 201210024268X A CN201210024268X A CN 201210024268XA CN 201210024268 A CN201210024268 A CN 201210024268A CN 102571976 A CN102571976 A CN 102571976A
- Authority
- CN
- China
- Prior art keywords
- http
- name
- node
- chained list
- geographic position
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses a method for locating a geographical position of a computer hard disk. The method comprises the following steps of: extracting protocol head information of a hyper text transfer protocol (HTTP) in the computer hard disk; constructing a geographical position name tree and a two-dimensional weight value linked list, scanning a Cookie data area of the HTTP protocol head, traversing the geographical position name tree for matching the geographical position name tree with each Cookie data area, if the matching succeeds, performing add operation on weights of nodes; constructing a data dictionary, and sequencing the data dictionary according to the sizes of weight values; and scanning a Data area in the HTTP protocol head, and acquiring the time when the computer hard disk is located at a certain historical position, so that strong physical evidence can be provided for criminal investigation work. According to the method, manual intervention is not required in a forensics process, disk scanning, calculation and final result generation can be automatically realized, operating cost is low, deployment is easy, and the method is applied to the field of computer hard disk digital forensics and has a wide application prospect.
Description
Technical field
The present invention relates to a kind of hard disc of computer digital evidence obtaining technology, belong to field of information security technology.
Background technology
Computer application day by day increases with universal feasible criminal activity based on computer network, and a lot of users' daily network operation all can be by the computer record in its hard disk.In computer digit evidence obtaining field, the hard disk of detection computations machine obtains it and will help the criminal detective to obtain the case clue at the geographical location information that specific historical time occurs, for court provides strong evidence.Obtaining its historical geography information for a hard disc of computer that does not have a networking is comparison difficulty; Because traditional network delay geographic position locating method; The IP address locating methods all needs equipment to connect the Internet; Feedback information through the Internet calculates definite geographical position, and these methods can only obtain the current geographical position of hard disk, can not obtain the historical geography positional information of this hard disk.In concrete digital evidence obtaining field, the investigator need know the geographical position that is occurred at specific historical time computer.
The Chinese patent publication number is that the application case of CN101383855 discloses a kind of method of obtaining the computer accurate geological positional information based on the IP address information; But this method need be safeguarded a huge database, and the user visits can only ask that its website obtains the locating information of given IP address.For the removable computer user, its IP address is along with moving of user geographical position changes, and this method can not be obtained a historical juncture user's IP address, thereby historical geography position that can not position computer.Patent publication No. is the storage medium that the application case of CN1190481 discloses a kind of carrying geographical location data, and it is the storage medium coding in advance that this method needs, and for the memory device of not encoding in advance, this method is unavailable, thereby it has significant limitation.To the deficiency of foregoing invention, the present invention proposes a kind of method of carrying out the location, geographical position to hard disc of computer.This method is through analyzing the Cookie that is stored in the computer disk; Extraction is stored in the computer geographical location information that is used for http protocol among the Cookie; Thereby obtain historical geography position and time of occurrence that computer disk occurs, for criminal investigation work provides strong material evidence.
The present invention is based on the operation principle of http protocol and a kind of evidence collecting method of proposing, and it has following characteristics:
1) evidence obtaining process need not manual intervention, can accomplish disk scanning automatically, calculates, and generates final result;
2) this method possesses higher accuracy and reliability based on the basic principle of http protocol;
3) operating cost is low, disposes simple.
The present invention can be used for hard disc of computer digital evidence obtaining field, is with a wide range of applications.
Summary of the invention
The present invention proposes a kind of hard disc of computer geographic position locating method based on http header.This method at first scans the file in the hard disc of computer, obtains all HTTP protocol header that keep in this hard disk, generates the http header listing file; The applied geography location database makes up the geographic position name tree then, economizes the ground floor that (state) is positioned at this place name tree, and county (city) is the second layer; Make up two-dimentional geographic location weight value chained list afterwards, for each the geographical position node in the place name tree generates its corresponding weighted value; Scan the Cookie data field in all http headers,, then the child node below this http header and this node is mated if match the node name of ground floor in the geographic position name tree.If match some child nodes, then the weight of this child node is carried out add operation; After table coupling is swept in completion, make up data dictionary and it is sorted, weighted value is considered to the geographical position that this hard disc of computer once occurred greater than zero node; Date data field in the scanning http header obtains the time that this hard disc of computer appears at a certain geographical position.
Before setting forth the present invention in detail, do following term definition earlier:
HTTP header field: the data field that http header comprised.
Date data field: the time that expression message is sent.The time that Date describes is Greenwich mean time.
Cookie: the small documents that server is stayed in the subscriber computer makes things convenient for the specific computer client of server identification.In the time of the same website of user's back-call, its browser will read in Cookie and send to server from hard disc of computer automatically, thereby makes server can discern this user and this user's particular network information and service is provided.
Description of drawings
Fig. 1 is a fundamental diagram of the present invention.
Fig. 2 is the scanning computer disk, generates the step of http protocol header file.
Fig. 3 is the step that makes up geographic position name tree and two-dimentional geographic location weight value chained list.
Fig. 4 is geographic position name tree and http protocol header file coupling, calculates the step of weighted value.
Fig. 5 generates data dictionary and to its ordering, exports the step of geographical location information.
Embodiment
Specify concrete grammar of the present invention below in conjunction with accompanying drawing.
Fig. 1 is a fundamental diagram of the present invention.
The computer user is when the visit number of site, and Website server can calculate this user's particular geographic location according to user's IP address, for the user info web and service according to its specific geographical position cutting is provided afterwards.Like CNN, MSN etc., after its server obtained the user geographical position, through state (province) title of Set-Cookie data field with the user place is set, city name or county's name sent client to.When the user after server sends request, server end is retained in the geographical location information at user place in the Cookie file of subscriber's local.In the time of this same website of user's back-call, its browser will read in geographical location information and send to server end from hard disc of computer automatically, thereby is retrieved as the network information and the service of its customization automatically.
As shown in Figure 1, this method is the scanning computer disk at first, obtains all http headers that are stored on the disk; Make up geographic position name tree and two-dimentional geographic location weight value chained list according to geographical location database then; Scan the http protocol header file afterwards, if traversal geographic position name tree and its coupling are the leafy node that successful match is set to geographic position name then revise the weighted value of this leafy node; Generate data dictionary at last, according to the descending sort of weighted value size, the geographical location information after output is calculated.Concrete, the concrete steps based on the disk geographic position locating method of http header that the present invention proposes comprise following four steps:
1) scanning computer disk, the step of generation http protocol header file;
2) step of structure geographic position name tree and two-dimentional geographic location weight value chained list;
3) geographic position name tree and http protocol header file coupling, the step of calculating weighted value;
4) generate data dictionary and, the step of output geographical location information to its ordering.
Fig. 2 is the scanning computer disk, generates the step of http protocol header file.
Fig. 2 has provided the scanning computer disk that the present invention proposes, and generates the concrete steps of http protocol header file.Http protocol is to use the most a kind of procotol on the Internet.All WWW files are all observed this standard.Its protocol header is made up of an initial row and one or more HTTP header field.The HTTP header field is by a domain name, and colon (:) and thresholding three parts are formed.This method is according to the definition of http protocol, and the scanning computer disk file is also extracted storage http protocol header hereof.Particularly, the scanning computer disk that the present invention proposes, the step that generates the http protocol header file may further comprise the steps:
1) step of structure http header data field chained list;
2) scanning computer disk, the step of traversal All Files;
3) each file is carried out the step of branch line operate;
4) step of extraction HTTP header field; It may further comprise the steps:
A) coupling identifies the step that it is the beginning of a http header with the initial row of ' HTTP/ version number ' beginning;
B) match node in the data field chained list, extract the step of this data field;
C) extraction of a protocol header is then accomplished in the beginning that matches another http header, begins the step of new coupling.
5) scan All Files, all http headers that extract are left in the step of specified file.
Fig. 3 is the step that makes up geographic position name tree and two-dimentional geographic location weight value chained list.
Fig. 3 has provided the structure geographic position name tree of the present invention's proposition and the concrete steps of two-dimentional geographic location weight value chained list.In order to make up the geographic position name tree; This method is at first read in the geographical location information data storehouse of a country; Then to economize the ground floor node that (state) name is referred to as the geographic position name tree; With the city that each province (state) had jurisdiction over, administrative units such as county make up the geographic position name tree as the second layer node of geographic position name tree, generate the weighted value of correspondence for each leafy node of this tree.The structure geographic position name tree that the present invention proposes and the step of two-dimentional geographic location weight value chained list may further comprise the steps:
1) reads in the step of geographic position name database;
2) step of structure state (province) name full name chained list;
3) step of structure state (province) name abbreviation chained list;
4) be the step of the child list of each node structure correspondence in the name list of state (province);
5) fill this state (province) by each child list and had jurisdiction over the city, the step of county's title;
6) for each child list makes up the corresponding weighted value chained list, generate the step of two-dimentional weighted value chained list;
7) initialization two dimension weighted value chained list, the equal assignment of the initial weight of each node is 0 step.
Fig. 4 is geographic position name tree and http protocol header file coupling, calculates the step of weighted value.
Fig. 4 has provided geographic position name tree and http protocol header file coupling that the present invention proposes, calculates the concrete steps of weighted value.This method is mated http protocol header file and geographic position name tree, if match the leafy node in the geographic position name tree, then the weighted value of this node is done add operation, otherwise continues traversal geographic position name tree.The calculating weighted value that the present invention proposes generates the data dictionary structure and it is sorted, and output geographical position and the step of time may further comprise the steps:
1) reads the step of http protocol header file;
2) extract the step of the Cookie data field in each http header;
3) travel through each Cookie data field, with the step of geographic position name tree coupling;
4) each Cookie data field is converted into the step of English capitalization character string; This step is in order to ignore the English alphabet capital and small letter, for subsequent character string coupling step is prepared;
5) content of each node in the place name chained list is converted into the step of English capitalization character string;
6) step of weighted value modification may further comprise the steps:
A) scan the step of each Cookie data field;
B) match the step of the node in the name full name chained list of state (province);
C) match the step of the node in the name abbreviation chained list of state (province);
D) if match the node in the name full name chained list of state (province), perhaps arrive the node in the name abbreviation chained list of state (province), then that this node is corresponding child list is the step of Cookie data field coupling therewith;
E) if match the some nodes in the child list then the corresponding weighted value of this node done the step of add operation.
Fig. 5 generates data dictionary and to its ordering, exports the step of geographical location information.
Fig. 5 has provided the generation data dictionary of the present invention's proposition and to its ordering, has exported the concrete steps of geographical location information.Weighted value after this method handle calculates and its corresponding geographical location information make up data dictionary as the element of data dictionary; Then to the data dictionary according to the descending sort of weighted value size; Scan the Date data field acquisition time information in the http protocol header file at last and export the object information after calculating.The generation data dictionary that the present invention proposes and to its ordering, the step of output geographical location information may further comprise the steps:
1) make up data dictionary, each element of dictionary comprises state (provinces) name full name, city or county's title, with and the step in the state, weight numerical value state of correspondence;
2) the dictionary data structure is carried out the step of descending sort according to the weight size;
3) step that the dictionary data structure after the ordering is traveled through;
4) scanning http protocol header file, the coupling weighted value obtains the step of corresponding Date data field greater than zero node;
5) step of output geographical location information and time corresponding thereof.
Claims (5)
1. the disk geographic position locating method based on http header is characterized in that, said method comprising the steps of:
1) scanning computer disk, the step of generation http protocol header file;
2) step of structure geographic position name tree and two-dimentional geographic location weight value chained list;
3) geographic position name tree and http protocol header file coupling, the step of calculating weighted value;
4) generate data dictionary and, the step of output geographical location information to its ordering.
2. a kind of disk geographic position locating method based on http header according to claim 1 is characterized in that, said scanning computer disk, and the step that generates the http protocol header file may further comprise the steps:
1) step of structure http header data field chained list;
2) scanning computer disk, the step of traversal All Files;
3) each file is carried out the step of branch line operate;
4) step of extraction HTTP header field; It may further comprise the steps:
A) coupling identifies the step that it is the beginning of a http header with the initial row of ' HTTP/ version number ' beginning;
B) match node in the data field chained list, extract the step of this data field;
C) extraction of a protocol header is then accomplished in the beginning that matches another http header, begins the step of new coupling;
5) scan All Files, all http headers that extract are left in the step of specified file.
3. a kind of disk geographic position locating method based on http header according to claim 1 is characterized in that, the step of said structure geographic position name tree and two-dimentional geographic location weight value chained list may further comprise the steps:
1) reads in the step of geographic position name database;
2) step of structure state (province) name full name chained list;
3) step of structure state (province) name abbreviation chained list;
4) be the step of the child list of each node structure correspondence in the name list of state (province);
5) fill this state (province) by each child list and had jurisdiction over the city, the step of county's title;
6) for each child list makes up the corresponding weighted value chained list, generate the step of two-dimentional weighted value chained list;
7) initialization two dimension weighted value chained list, the equal assignment of the initial weight of each node is 0 step.
4. a kind of disk geographic position locating method based on http header according to claim 1 is characterized in that, said geographic position name tree and http protocol header file coupling, and the step of calculating weighted value may further comprise the steps:
1) reads the step of http protocol header file;
2) extract the step of the Cookie data field in each http header;
3) travel through each Cookie data field, with the step of geographic position name tree coupling;
4) each Cookie data field is converted into the step of English capitalization character string; This step is in order to ignore the English alphabet capital and small letter, for subsequent character string coupling step is prepared;
5) content of each node in the place name chained list is converted into the step of English capitalization character string;
6) step of weighted value modification may further comprise the steps:
A) scan the step of each Cookie data field;
B) match the step of the node in the name full name chained list of state (province);
C) match the step of the node in the name abbreviation chained list of state (province);
D) if match the node in the name full name chained list of state (province), perhaps arrive the node in the name abbreviation chained list of state (province), then that this node is corresponding child list is the step of Cookie data field coupling therewith;
E) if match the some nodes in the child list then the corresponding weighted value of this node done the step of add operation.
5. a kind of disk geographic position locating method based on http header according to claim 1 is characterized in that, said generation data dictionary and to its ordering, output geographical location information step may further comprise the steps:
1) make up data dictionary, each element of dictionary comprises state (provinces) name full name, city or county's title, with and the step in the state, weight numerical value state of correspondence;
2) the dictionary data structure is carried out the step of descending sort according to the weight size;
3) step that the dictionary data structure after the ordering is traveled through;
4) scanning http protocol header file, the coupling weighted value obtains the step of corresponding Date data field greater than zero node;
5) step of output geographical location information and time corresponding thereof.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210024268.XA CN102571976B (en) | 2012-02-05 | 2012-02-05 | Method for locating geographical position of disk based on protocol head of hyper text transfer protocol (HTTP) |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210024268.XA CN102571976B (en) | 2012-02-05 | 2012-02-05 | Method for locating geographical position of disk based on protocol head of hyper text transfer protocol (HTTP) |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102571976A true CN102571976A (en) | 2012-07-11 |
| CN102571976B CN102571976B (en) | 2014-06-25 |
Family
ID=46416436
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210024268.XA Expired - Fee Related CN102571976B (en) | 2012-02-05 | 2012-02-05 | Method for locating geographical position of disk based on protocol head of hyper text transfer protocol (HTTP) |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102571976B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103684899A (en) * | 2012-09-17 | 2014-03-26 | 腾讯科技(深圳)有限公司 | Remote debugging method and device |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| AU2002310402A1 (en) * | 2001-06-12 | 2002-12-23 | At And T Wireless Services, Inc. | Using wireless cookies to deliver mobile-based location information |
| US20030187949A1 (en) * | 2002-03-28 | 2003-10-02 | Bhatt Jaydutt B. | Determining geographic location of internet users |
| US20070239852A1 (en) * | 2006-03-28 | 2007-10-11 | Michael Kotzin | Method of tracking mobile station location |
| CN101383855A (en) * | 2007-09-04 | 2009-03-11 | 沈阳 | Method for obtaining computer accurate geological position information based on IP address information |
-
2012
- 2012-02-05 CN CN201210024268.XA patent/CN102571976B/en not_active Expired - Fee Related
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| AU2002310402A1 (en) * | 2001-06-12 | 2002-12-23 | At And T Wireless Services, Inc. | Using wireless cookies to deliver mobile-based location information |
| US20030187949A1 (en) * | 2002-03-28 | 2003-10-02 | Bhatt Jaydutt B. | Determining geographic location of internet users |
| US20070239852A1 (en) * | 2006-03-28 | 2007-10-11 | Michael Kotzin | Method of tracking mobile station location |
| CN101383855A (en) * | 2007-09-04 | 2009-03-11 | 沈阳 | Method for obtaining computer accurate geological position information based on IP address information |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103684899A (en) * | 2012-09-17 | 2014-03-26 | 腾讯科技(深圳)有限公司 | Remote debugging method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102571976B (en) | 2014-06-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103218431B (en) | A kind ofly can identify the system that info web gathers automatically | |
| CN105095211B (en) | The acquisition methods and device of multi-medium data | |
| CN103514234B (en) | A kind of page info extracting method and device | |
| CN104268271B (en) | The myspace of the double cohesions of a kind of interest and network structure finds method | |
| CN109905288B (en) | Application service classification method and device | |
| CN104202441B (en) | The data processing method and device of IP address data | |
| CN103593371A (en) | Method and device for recommending search keywords | |
| CN104143005A (en) | Related searching system and method | |
| CN107046586A (en) | A kind of algorithm generation domain name detection method based on natural language feature | |
| CN103823888A (en) | Node-closeness-based social network site friend recommendation method | |
| JP2014506355A (en) | Collecting method and system for electronic bulletin board reply increase amount | |
| CN105573995A (en) | Interest identification method, interest identification equipment and data analysis method | |
| CN109905873B (en) | Network account correlation method based on characteristic identification information | |
| CN104899243A (en) | Method and apparatus for detecting accuracy of POI (Point of Interest) data | |
| CN113572752B (en) | Abnormal flow detection method and device, electronic equipment and storage medium | |
| Jalali et al. | Social network sampling using spanning trees | |
| CN103136358A (en) | Method for automatically extracting BBS (bulletin board system) data | |
| CN102760150A (en) | Webpage extraction method based on attribute reproduction and labeled path | |
| CN104268289B (en) | The abatement detecting method and device of link URL | |
| CN104572787B (en) | The recognition methods of pseudo- original website and device | |
| CN108111547B (en) | Domain name health monitoring method and system | |
| CN102571976B (en) | Method for locating geographical position of disk based on protocol head of hyper text transfer protocol (HTTP) | |
| CN107220262B (en) | Information processing method and device | |
| CN106855864A (en) | A kind of method and apparatus of extraction information | |
| CN108153860A (en) | A kind of geolocation analysis method based on multilingual news |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20140625 Termination date: 20220205 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |