CN102708152A - Integrated management method for electronic evidence - Google Patents

Publication number
CN102708152A
Authority
CN
China
Prior art keywords
file
evidence
server
mirror image
image
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201210113777XA
Other languages
Chinese (zh)
Inventor
孙国梓
薛磊
杨一涛
王瑞
朱小龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Post and Telecommunication University
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing Post and Telecommunication University
Application filed by Nanjing Post and Telecommunication University
Priority to CN201210113777XA
Publication of CN102708152A

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to an integrated management method for electronic evidence. Through a platform, a user can at any time upload data obtained from a storage medium, as images, to a mirror server for centralized storage. Data files worth collecting as evidence can be extracted from the mirror server and stored on a file server by category, and the attributes of the files can be stored in a database. This overcomes the defects of existing evidence collection software, which can only collect and analyze evidence from a single storage medium and makes correlation analysis difficult. Through the platform, the user can at any time browse, examine and analyze the imaged data and sensitive files stored on the platform. The user can examine the files by category or download them for analysis, and can trace suspicious files back to their original image files for emulation and further analysis. The method improves the efficiency of forensic analysis, widens its range, and guarantees the safety of the evidence source.

Description

An integrated management method for electronic evidence
Technical field
The present invention is a method for preserving and comprehensively managing original evidence during computer forensic analysis. It is mainly used for the storage, restoration, preprocessing and extraction of massive, complex original evidence that differs in source, type and time, and belongs to the technical field of information security and computer systems.
Background technology
With the development of information technology and the arrival of the big data era, the data sources that computer forensics faces have become increasingly broad, including removable storage media, mobile phones, computers and networks, and data volumes easily reach the terabyte range. Not all of this data has forensic value, however. The data with forensic value must be identified within this mass of data and the data without forensic value filtered out, which narrows the scope of forensic analysis and improves its efficiency.
At present, the data source for forensic data analysis is almost always a single source. It is difficult to analyze comprehensively the massive, complex data that comes from different media at different times, and the evidence source is extracted and analyzed only when the forensic analysis is actually performed. Traditional forensic analysis targets an individual data source, and its shortcoming is that it cannot comprehensively analyze data from multiple data sources of different types. In practice, data from different sources is often linked in countless ways. Current technology therefore lags far behind the development of information technology, and there is an urgent need for a system that can extract data from data sources in real time and uniformly store and manage the data from these different types of sources, so that forensic personnel can quickly obtain the data they want when a forensic analysis is required.
Summary of the invention
Technical problem: in view of the problems above, the purpose of the invention is to provide a scheme, together with its supporting mechanisms, for preserving electronic data from different complex data sources and for extracting and comprehensively managing potential evidence data. The electronic evidence integrated management system described here is built on these mechanisms.
Technical scheme: The integrated management method for electronic evidence of the invention combines four connected parts: a management client, an image storage management module, a potential evidence file extraction and classified storage module, and a database management module. The management client runs on the user's computer and handles extracting, restoring and uploading evidence image files, and viewing and downloading potential evidence files. The image storage management module resides on the mirror server and provides functions for uploading, storing, managing and mounting storage media. The potential evidence file extraction and classified storage module runs on the file server and provides remote file traversal, rule initialization, file extraction and classified storage. The database management module runs on the database server and is responsible for storing and managing the file extraction rules and classification rules, and for storing and managing the attribute information of images and files. The three servers are interconnected and then connected to the management client running on the user's computer.
The management client makes an image file from the data on a storage medium that has forensic analysis value, uploads the image file to the mirror server for preservation, and stores the attribute information of the image file in the database. The image file is then mounted on the mirror server.
The potential evidence file extraction and classified storage module running on the file server traverses the file system of the image file mounted on the mirror server, extracts the data files with forensic value as evidence files according to the extraction rules, saves them on the file server according to the file classification rules, and stores the attribute information of the files in the database.
The management client uploads the data on a storage medium to the mirror server in real time and hands it to the image storage management module for storage and management.
The management client can at any time browse and download the image files already on the mirror server and their contents, and can specify the image format to download.
The management client can view in real time, by category, all files with forensic value that the system has extracted, or download the required files locally for further forensic analysis.
From an extracted evidence file, the potential evidence file extraction and classified storage module running on the file server can trace back to the disk image file in which that file resides.
The method is intended to achieve the following goals:
1. Adding data is not restricted by time: data can be added to the system at any time, regardless of the data storage medium. The system extracts the original electronic data stored on the storage medium in the form of an image, and the image is uploaded to the mirror server and preserved in its original format.
2. Image extraction images the storage medium bit by bit in lossless form, which ensures that deleted files can be recovered by operating on the image file and that the image can be restored back onto a physical storage medium;
3. A disk image of a computer system can be emulated in a virtual machine;
4. Electronic data with forensic value (such as log files, documents, data files, applications and so on) is extracted automatically from the image file; data that does not yet meet the conditions for analysis, or that is currently known to have no forensic value (such as some system files), is filtered out, and some additional information about the electronic data is stored in the database;
5. When electronic data is extracted, it is automatically stored by category on the file server according to certain classification rules;
6. Uniformity: electronic data extracted from images of different media at different times is stored uniformly on the file server, providing the most comprehensive data for further forensic analysis.
In the course of handling a case, investigators collect the suspect's electronic devices in many forms, including PCs, mobile phones, tablets, portable hard drives, USB flash drives and so on. These devices store a large amount of electronic data, including a great deal of the suspect's personal information, personal data and communication data. This data contains not only much of the information and electronic evidence needed to solve the case at hand, but very likely also clues and evidence for other, later cases. The purpose of the invention is to extract and preserve the various data sources in the form of images, then extract the files that contain sensitive information and store them centrally. This is done partly to facilitate the forensic analysis at the time, and partly to facilitate future comprehensive forensic analysis of sensitive data across different times and different media.
The invention is an electronic evidence integrated management platform that combines data acquisition, restoration, preservation, emulation, and evidence screening and storage. It consists mainly of five subsystems: image extraction and restoration, image management, emulation, classified evidence extraction, and rule management.
1) Image extraction and restoration:
The user logs in to the system with a certain permission level. After a successful login, the user can browse the images that already exist on the mirror server together with information such as each image's time, size, source, associated object and image type. To extract an image, the user only has to connect the physical medium through a read-only device to the computer running the electronic forensics client. The user then fills in some information associated with the disk, such as the object associated with the data storage medium (that is, the owner of the storage medium), the case the image relates to, and remarks. The system automatically extracts and generates the other inherent attributes, such as the time the image was extracted, the size of the image, and the image type (that is, the type of the original storage medium). Once all the required information has been collected, the system starts reading the image data and at the same time uploads the data it reads to the mirror server for storage. The user can also choose to upload, through the client, an image file that has already been extracted with a third-party forensic tool.
After the image manager receives an image storage request from the client, it obtains through the client the information about the physical storage medium to be stored. The image manager then checks whether the remaining storage space of the disk array on the server is sufficient to store the new image file. If it is, the image manager notifies the client to extract the image and upload the image data; otherwise it tells the client that the conditions for storing the image are not currently met, and why, and the client passes this information on to the user. After the image file has been created, the image management subsystem calculates the SHA-1 value of the image file and compares it with the SHA-1 value of the original storage medium calculated by the client. If they are equal, it returns success and records this SHA-1 value as part of the image file's attribute information; otherwise it returns an error and lets the user choose the next step: delete the image and upload again, or ignore the error.
To restore an image from the mirror server onto a specified storage medium, the user connects the physical storage medium to be restored to the computer's restore interface and then selects the image file to restore through the client. Following the system prompts, the client downloads the image file data from the mirror server and, while downloading, restores the data onto the destination storage medium. After the restore finishes, the client calculates the SHA-1 value of the destination storage medium from its start to the specified position and compares it with the SHA-1 value of the image file. If they are equal, the restore succeeded; otherwise, the restore failed.
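The two SHA-1 checks described above, on upload and on restore, can be sketched as follows. This is an added example, not code from the patent: the function names, the status strings and the extra SHA-256 digest are assumptions, and the "media" are constructed random bytes written to temporary files.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a large image never sits in memory


def digest_prefix(path, length=None):
    """Hash the first `length` bytes of `path` (the whole file if None).

    Returns (sha1_hex, sha256_hex, bytes_hashed). SHA-1 is the digest the
    page specifies; SHA-256 is an addition computed in the same pass.
    """
    sha1, sha256, done = hashlib.sha1(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        while length is None or done < length:
            want = CHUNK if length is None else min(CHUNK, length - done)
            block = fh.read(want)
            if not block:
                break
            sha1.update(block)
            sha256.update(block)
            done += len(block)
    return sha1.hexdigest(), sha256.hexdigest(), done


def verify_ingest(image_path, source_sha1, on_mismatch="reject"):
    """Server-side check once the uploaded image file is complete.

    on_mismatch="reject": delete the stored image so it can be uploaded again.
    on_mismatch="ignore": keep it, record the image's own SHA-1, flag the status.
    """
    image_sha1, image_sha256, size = digest_prefix(image_path)
    record = {"size": size, "sha1": image_sha1, "sha256": image_sha256}
    if image_sha1 == source_sha1.lower():
        record["status"] = "verified"
    elif on_mismatch == "ignore":
        record["status"] = "hash-mismatch-with-source"
    else:
        os.remove(image_path)
        record["status"] = "rejected"
    return record


def verify_restore(device_path, image_sha1, image_size):
    """Client-side check after a restore.

    Only bytes [0, image_size) of the target are hashed, because the target
    medium may be larger than the image that was written to it.
    """
    dev_sha1, _, hashed = digest_prefix(device_path, image_size)
    return hashed == image_size and dev_sha1 == image_sha1


def demo():
    """Run both checks on constructed data and return the outcomes."""
    work = tempfile.mkdtemp()
    medium = os.urandom(3 * CHUNK + 123)          # constructed "original medium"
    source_sha1 = hashlib.sha1(medium).hexdigest()

    good = os.path.join(work, "case001.dd")
    bad = os.path.join(work, "case001_corrupt.dd")
    target = os.path.join(work, "target_device.bin")
    with open(good, "wb") as fh:
        fh.write(medium)
    with open(bad, "wb") as fh:                   # one flipped bit in the last byte
        fh.write(medium[:-1] + bytes([medium[-1] ^ 1]))
    with open(target, "wb") as fh:                # restore target larger than image
        fh.write(medium + b"\x00" * 4096)

    return {
        "ingest_ok": verify_ingest(good, source_sha1),
        "ingest_ignored": verify_ingest(bad, source_sha1, on_mismatch="ignore"),
        "ingest_rejected": verify_ingest(bad, source_sha1),
        "bad_deleted": not os.path.exists(bad),
        "restore_ok": verify_restore(target, source_sha1, len(medium)),
        "whole_device_matches": digest_prefix(target)[0] == source_sha1,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The restore check passes while a hash of the whole target does not, which is why the comparison has to stop at the image length.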
2) Image management subsystem.
Because of the special requirements of computer forensics, the image file must be exactly identical to the original storage medium, and data recovery and image restoration must also be supported. The system therefore uses the DD file format as the storage format for image files. DD is a general-purpose disk image format, also called the raw image (RAW IMAGE) format. It was originally the file format produced by the dd command under Linux, which copies the target medium bit by bit to make an image file. Software support for this format is the broadest; it can be read by almost all forensic software. Image files in this format have the suffix .dd or .001 and can be split to suit image storage needs. Another advantage is that the format can be converted by all kinds of programs, which avoids introducing errors during format conversion. Because the total size of a file in this format equals the size of the original medium, the image file cannot contain metadata such as annotations about the image. We therefore store the metadata related to the image file in the database. This also makes it convenient to query and browse image information directly from the database without performing any operation on the image file, which protects the image file from accidental modification.
All image files are stored read-only in the disk array of the mirror server. When the user wants to browse the files in the disk array, the image manager mounts the specified disk image on the server as a virtual disk and maps this virtual disk to the specified IP address of the host as a read-only share. The user can then browse the files on the disk image at that address, while the data is guaranteed not to be damaged.
3) Classified evidence extraction subsystem.
The popular operating systems at present are mainly Windows and Linux, and these two are also the main data sources the system targets. Whatever the operating system, the information that forensics mainly needs to obtain includes: ordinary files, log files, swap files, e-mail, temporary files, the recycle bin, message file fragments, recently opened files, print spool files, installer information, Internet browsing records, the registry, file slack space, hidden files, program source code, deleted files, encrypted files, the data files of installed programs, and so on. On disk images of different operating systems these data files are stored in different locations and must be extracted in different ways.
After the image file has been created, the mirror server automatically mounts the newly created image file as a read-only virtual disk and maps the virtual disk to the file server as a share. The file crawler on the file server traverses the locally mapped virtual disk, fetches the required files to the local file server according to the file capture rules taken from the rule base, and stores them on the file server by category according to file attributes and the classification rules.
4) rule base management
The rules in the rule base fall into two main types: file extraction rules and file classification rules.
File extraction rules state which data files that may contain potential electronic evidence are to be extracted from a disk image. The files extracted by default include: ordinary files, log files, swap files, e-mail, temporary files, the recycle bin, message file fragments, recently opened files, installer information, Internet browsing records, the registry, hidden files, program source code, deleted files, encrypted files, installer files, and so on. On disk images of different operating systems these files are stored in different locations and must be extracted by different methods.
File classification rules are the basis for classification when files are stored. Files are divided into two broad categories: user documents and system documents. User documents are mainly the user's private documents, and are further divided into text files (txt, source code, Office documents, PDF documents and so on), picture files, audio files, video files and so on. System documents are further divided into system log files, configuration files, application configuration files and data files, and so on.
During extraction and storage, some attribute information of each file, including its attributes in the original image and its attributes after being stored on the file server, is saved in the database, so that the required files and classification information can be retrieved and browsed from the database. With this attribute information an evidence file can be traced back to its location in the disk image and on the original storage medium.
5) Image emulation subsystem.
When the user needs to emulate an image file as a running computer, the user selects in the emulation client the disk image to emulate and the emulation environment (VMware, VirtualPC). The emulation client automatically downloads the disk image data to the local machine and automatically converts the image file into the virtual disk format required by the virtual machine. The user can then use the third-party virtual machine software to emulate the disk image.
6) Permission management
To guarantee the security of the original images and the privacy of the data, the system uses a permission management mechanism. Only users with certain permissions can extract and upload image files, and different users can browse and use different images and data files; they have no right to access other images and their files.
Beneficial effects: This electronic evidence integrated management platform, which combines storage medium image extraction, preservation and classified evidence extraction, has the following main advantages:
1. Evidence preservation is convenient and secure. For evidence extraction, the client and the mirror server are interconnected over the network, so location is not a constraint: wherever a network connection is available, image data can be extracted and uploaded to the mirror server. Where no network is available, the image can first be saved locally and uploaded to the mirror server later from an environment with network access. Uploaded image files are not affected by the type of the original storage medium or by the time or place of extraction.
2. All original image files are stored on the mirror server in read-only form, which ensures the security of image file storage. Users browse and use images and evidence files under the permission management mechanism, which ensures the security of the data.
3. Image files are stored in the most basic format, DD, which corresponds exactly to the original storage medium and can be converted into image files of many other formats. This makes it convenient to analyze them with other forensic software and also meets the needs of disk image emulation.
4. The system automatically extracts and classifies the files with forensic value on an image file according to the extraction rules and classification rules, filtering out the files without forensic value. This reduces the workload of electronic evidence analysis and effectively improves its efficiency.
5. The system stores the files extracted from different image files at different times uniformly and by category on the file server, providing the data basis for users to manage and analyze electronic evidence from multiple data sources.
6. All electronic data files extracted by the system are traceable, and the user can carry out emulation experiments on the original image file.
Description of drawings
Fig. 1 is the physical deployment diagram of the system,
Fig. 2 is the flow chart of the system's functions.
Embodiment
Refer to Fig. 1, the system deployment diagram of the electronic evidence integrated management platform of the invention. The platform consists of a mirror server, a database server and a file server, which perform all of the platform's back-end management and storage operations. The integrated management client serves as the interface through which the platform and the user exchange data.
The mirror server runs CentOS and uses a disk array as its storage device. It is mainly responsible for storing and managing image files, responding to requests from the client and the file server, and writing image file information to the database. The file server also runs CentOS. It is mainly responsible for initializing the file extraction and classification rules, extracting sensitive data files from the image files on the mirror server according to the rules and storing them locally by category, and storing the files' information in the database. The database server uses an Oracle database and is mainly responsible for managing the sensitive data file extraction rules and file classification rules, and for storing and managing the information about image files and about the sensitive data files stored on the file server. The client runs on Windows and is mainly responsible for extracting, uploading and downloading physical storage medium images, image restoration and image emulation. Through the client the user can also browse the file system of an image file, and view, analyze and download the sensitive data files stored by category on the file server.
The workflow of the electronic evidence integrated management platform is described below with reference to Fig. 2. The evidence file extraction process is as follows:
1) The user first logs in to the system through the client. Only users with administrator permission have the right to upload image files and update image file information; ordinary users can only view and download the image files and data files related to the cases they are responsible for.
2) The user attaches the storage medium to be imaged to the computer through a read-only interface. Once the client recognizes the device, the user can choose to extract a disk image file; the user can also choose to upload, through the client, an image file that has already been extracted. The client then prompts the user to fill in some associated attributes of the image file to be extracted, including device name, associated object (the owner of the original storage medium), case, location, remarks and so on. The system automatically extracts and assigns information such as the image serial number, image size, image file format, image extraction time, hash value and status. Together these make up the complete attribute information of the image.
3) After the client has obtained the image's attribute information, it sends the information to the mirror server. On receiving it, the mirror server notifies the client to upload the image data, receives the image data, and completes the storage of the image file.
4) During the upload, the client and the data receiver on the mirror server continuously record the upload and storage state of the data. If the system is interrupted by an accident and restarted, it automatically resumes the transfer from the recorded state.
5) After the image file has been created, the mirror server calculates the SHA-1 value of the newly created image file and compares it with the SHA-1 value of the original storage medium. If they match, the image file has been created successfully: its associated attribute information is stored in the database and success is returned to the client. If they do not match, the mirror server reports to the client that the hash value of the image file does not match. The user can choose to upload the image data again, in which case the image file on the mirror server is deleted, or choose to ignore the error, in which case the mirror server sets the hash value recorded for the image file to the SHA-1 value of the image file and sets the status to "hash does not match original storage medium".
6) After the image file has been created successfully, the mirror server automatically mounts the newly created image file as a virtual disk, and at the same time the file server is asked to complete the mapping of the virtual disk and the extraction and classified storage of files.
7) After receiving the message, the file server maps the virtual disk path locally. According to the type of the disk image (a Windows system image, a Linux system image or an ordinary storage image), it loads the corresponding extraction rules from the extraction rule base and the corresponding classification rules from the classification rule base.
8) After the file server's extraction rules and classification rules have been initialized, it starts traversing the disk's file system from the locally mapped virtual disk path, extracts the required sensitive data files according to the extraction rules, and then classifies the files according to the classification rules and stores them locally. At the same time, each file's attribute information in the original image file is stored in the database for later tracing.
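Steps 7 and 8, together with the trace-back that the stored attributes make possible, can be sketched as follows. This is an added example, not code from the patent: the glob-style rule syntax, the sample rules, the table layout and the function names are assumptions, SQLite stands in for the Oracle database the page names, and the "mounted image" is a constructed directory tree.

```python
import fnmatch
import hashlib
import os
import shutil
import sqlite3
import tempfile

# Constructed sample rules: the page names the kinds of rule, not their syntax.
EXTRACT_RULES = {
    "windows": ["windows/system32/winevt/logs/*.evtx"],
    "linux": ["var/log/*"],
    "storage": [],
}
COMMON_RULES = ["*.txt", "*.pdf", "*.doc", "*.eml"]   # applied to every image type
TYPE_CLASSES = [
    ("log", ["*.log", "*.evtx", "var/log/*"]),
    ("mail", ["*.eml"]),
    ("document", ["*.txt", "*.pdf", "*.doc"]),
]


def matches(rel_path, patterns):
    """Case-insensitive glob match on the path relative to the image root."""
    return any(fnmatch.fnmatchcase(rel_path.lower(), p) for p in patterns)


def classify(rel_path):
    for name, patterns in TYPE_CLASSES:
        if matches(rel_path, patterns):
            return name
    return "other"


def sha1_file(path):
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE evidence (stored_path TEXT PRIMARY KEY, image_id TEXT,"
               " original_path TEXT, category TEXT, size INTEGER, sha1 TEXT)")
    return db


def extract(mount_root, image_id, image_type, store_root, db):
    """Walk a read-only mount, copy matching files by category, record provenance."""
    rules = EXTRACT_RULES[image_type] + COMMON_RULES
    stored = []
    for dirpath, _dirs, files in os.walk(mount_root):  # does not follow dir links
        for name in files:
            src = os.path.join(dirpath, name)
            if os.path.islink(src):
                continue  # a link inside an image can point outside the mount
            rel = os.path.relpath(src, mount_root).replace(os.sep, "/")
            if not matches(rel, rules):
                continue  # filtered out: no rule marks it as having forensic value
            category = classify(rel)
            dest_dir = os.path.join(store_root, category, image_id)
            os.makedirs(dest_dir, exist_ok=True)
            dest = os.path.join(dest_dir, rel.replace("/", "__"))
            shutil.copyfile(src, dest)
            db.execute("INSERT INTO evidence VALUES (?, ?, ?, ?, ?, ?)",
                       (dest, image_id, rel, category,
                        os.path.getsize(dest), sha1_file(dest)))
            stored.append(dest)
    db.commit()
    return sorted(stored)


def trace(db, stored_path):
    """Return (image_id, original_path, sha1) for a stored evidence file, or None."""
    return db.execute("SELECT image_id, original_path, sha1 FROM evidence"
                      " WHERE stored_path = ?", (stored_path,)).fetchone()


def demo():
    """Build a constructed Linux-style tree and run the extraction over it."""
    work = tempfile.mkdtemp()
    mount = os.path.join(work, "mnt", "IMG-0001")
    sample = {
        "var/log/auth.log": b"Jan  1 00:00:01 host sshd[1]: constructed line\n",
        "home/alice/notes.txt": b"constructed note\n",
        "home/alice/Report.PDF": b"%PDF-1.4 constructed\n",
        "usr/lib/libfoo.so": b"\x7fELF constructed\n",
    }
    for rel, data in sample.items():
        path = os.path.join(mount, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    outside = os.path.join(work, "outside.txt")
    with open(outside, "wb") as fh:
        fh.write(b"not part of the image\n")
    os.symlink(outside, os.path.join(mount, "home", "alice", "link.txt"))
    db = open_db()
    return db, extract(mount, "IMG-0001", "linux", os.path.join(work, "store"), db)


if __name__ == "__main__":
    database, paths = demo()
    for p in paths:
        print(trace(database, p), "<-", p)
```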
The image restoration process is as follows:
9) The user selects, through the client, the image file to restore and the physical storage device to write to. The client then determines the sizes of the image file and the physical storage device. If the physical storage device is greater than or equal to the image file in size, the client downloads the image file and writes the image file data to the physical storage medium.
10) After the image file data has been completely written to the physical storage medium, the client calculates the hash value of the portion of the physical storage medium that holds the image file data and compares it with the hash value of the original image file. If they are equal it returns success; otherwise it returns failure.
The image file system browsing process is as follows:
11) After the user selects, through the client, the disk image to view, the mirror server mounts the selected disk image as a virtual disk and maps it to the client computer in read-only mode.
12) The user can browse, view and download the data in the image file through the client.
The process for browsing sensitive data files by category is as follows:
11) The user connects to the file server through the client and can see the classification information for the sensitive files. Using the classification information, the user can choose to view data files in different categories, view their contents, or download them locally for further analysis.
12) When the user is interested in certain files, the client can also use the file information stored in the database to trace a file back to the disk image it resides in and its path within that image.
The image file emulation process is as follows:
13) The user selects the disk image of interest and the type of virtual machine. The client automatically downloads the selected disk image to the local machine and automatically converts it to a virtual disk format that the virtual machine can mount. After the download and conversion finish, it calls the third-party virtual machine to load the disk image file. A virtual disk converted from a system disk image can be loaded and run by the virtual machine; a virtual disk converted from an ordinary storage image can only be loaded by the virtual machine.
The process of regulation management is following:
14) extracting rule, the extracting rule of system's some acquiescences of meeting initialization has different extracting rules to different image file types.For the Windows system according to three type systematic daily records such as the application log of filename and path extraction system, security log, system journals; Go up the application's data file of installing with windows; Configuration file and data file that softwares such as Outlook, Foxmail, Skype, MSN, QQ, Fetion, IE, Firefox, Chrome are arranged; We can extract system journals such as tie-time daily record, process monitoring daily record, system and service daily record to Linux; And the configuration file and the data file of software such as Firefox, Chrome, the general document of extraction comprises file, encrypt file, installation procedure file of daily file, journal file, swap file, Email, temporary file, recycle bin, message file fragment, the file of opening recently, Installer Information, Internet internet records, registration table, hidden file, program source code, deletion etc.
15) classifying rules; The document classification rule of acquiescence has two kinds; A kind of is according to the Doctype classification, is divided into: program's source code file, journal file, installation procedure file, common document (txt, pdf, doc, excel, ppt or the like), encrypt file, mail document etc.; Another kind is to classify according to the document position; Be divided into: system file, program file, temporary file, recycle bin file, deleted document, hidden file, the file of opening recently, ordinary file etc.
16) regulation management, above-mentioned rule are the default rule of system, and the user can be according to needs increase, editor and the deletion rule of oneself, and system also adopts plug-in unit thought, can increase plug-in unit to special rules Doctype is discerned.
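The default extraction rules (step 14), the two classification schemes (step 15) and the trace-back to the source image (step 12) can be sketched as follows. This is an added example, not code from the patent: the glob patterns, category labels, the SHA-256 attribute and the sample file listings are all assumptions constructed for illustration.

```python
import fnmatch
import hashlib
from collections import namedtuple

# Assumed rule tables (not from the patent): glob patterns matched against
# lower-cased, '/'-separated paths relative to the mounted image root.
EXTRACT_RULES = {
    "windows": ["*/winevt/logs/*.evtx", "*.pst"],
    "linux": ["var/log/wtmp", "var/log/syslog*",
              "*/.mozilla/firefox/*/places.sqlite"],
}
TYPE_RULES = [("log", ["*.evtx", "*.log", "*/wtmp", "*/syslog*"]),
              ("mail", ["*.pst", "*.eml"])]
LOCATION_RULES = [("recycle_bin", ["$recycle.bin/*"]),
                  ("temporary", ["*/temp/*", "tmp/*"]),
                  ("system", ["windows/*", "var/log/*"])]

# Attributes stored per extracted file; image_id + path allow trace-back.
Record = namedtuple("Record", "image_id path sha256 by_type by_location")

def _norm(path):
    return path.replace("\\", "/").lstrip("/").lower()

def _classify(path, rules, default):
    for label, patterns in rules:  # first matching rule wins
        if any(fnmatch.fnmatchcase(path, p) for p in patterns):
            return label
    return default

def extract(image_id, image_type, files):
    """files maps in-image path -> bytes; returns a Record per rule hit."""
    records = []
    for raw_path, data in files.items():
        p = _norm(raw_path)
        if any(fnmatch.fnmatchcase(p, pat) for pat in EXTRACT_RULES[image_type]):
            records.append(Record(image_id, raw_path,
                                  hashlib.sha256(data).hexdigest(),  # assumed attribute
                                  _classify(p, TYPE_RULES, "common"),
                                  _classify(p, LOCATION_RULES, "ordinary")))
    return records

def trace(records, sha256):
    """Map an extracted file back to its source image(s) and in-image path."""
    return [(r.image_id, r.path) for r in records if r.sha256 == sha256]

# Constructed sample images: file listings with fake contents.
WIN = {"Windows\\System32\\winevt\\Logs\\Security.evtx": b"evtx-bytes",
       "Users\\alice\\Documents\\alice.pst": b"mailbox",
       "Users\\alice\\AppData\\Local\\Temp\\notes.txt": b"scratch"}
LNX = {"/var/log/wtmp": b"wtmp-bytes", "/home/bob/notes.txt": b"scratch",
       "/home/bob/.mozilla/firefox/abc.default/places.sqlite": b"sqlite"}
DB = extract("img-001", "windows", WIN) + extract("img-002", "linux", LNX)
```

Files that match no extraction rule (the two `notes.txt` entries) never reach the record list, so the category views only ever show material that a rule selected.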

Claims (7)

1. An integrated management method for electronic evidence, characterized in that: it is formed by connecting four parts, namely a management client, an image storage management module, a potential evidence file extraction and classified storage module, and a database management module; the management client runs on the user's computer and performs the extraction, restoration and uploading of evidence image files, and the viewing and downloading of potential evidence files; the image storage management module is located on the image server and provides the functions of uploading, storing, managing and mounting storage media; the potential evidence file extraction and classified storage module runs on the file server and provides remote file traversal, rule initialization, file extraction and classified storage functions; the database management module runs on the database server and is responsible for storing and managing the file extraction rules and classification rules, and for storing and managing the attribute information of images and files; after these three servers are interconnected, they are connected to the management client running on the user's computer.
2. The integrated management method for electronic evidence as claimed in claim 1, characterized in that the management client makes the data in a storage medium that has forensic analysis value into an image file, then uploads the image file to the image server for storage, stores the attribute information of the image file in the database, and then mounts the image file on the image server.
3. The integrated management method for electronic evidence as claimed in claim 2, characterized in that the potential evidence file extraction and classified storage module running on the file server traverses the file system of the image file mounted on the image server, extracts, according to the extraction rules, the data files that have forensic value as evidence files, saves them on the file server according to the file classification storage rules, and stores the attribute information of the files in the database.
4. The integrated management method for electronic evidence as claimed in claim 1, characterized in that the management client uploads the data on a storage medium to the image server in real time, where it is handed over to the image storage management module for storage and management.
5. The integrated management method for electronic evidence as claimed in claim 2, characterized in that the management client can at any time browse and download the image files already present on the image server and their content, and can specify the image format to be downloaded.
6. The integrated management method for electronic evidence as claimed in claim 3, characterized in that the management client can view in real time, by category, all the files of forensic value that the system has extracted, or download the needed files locally for further forensic analysis.
7. The integrated management method for electronic evidence as claimed in claim 3, characterized in that the potential evidence file extraction and classified storage module running on the file server traces an extracted evidence file back to the disk image file in which that file resides.
CN201210113777XA 2012-04-18 2012-04-18 Integrated management method for electronic evidence Pending CN102708152A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210113777XA CN102708152A (en) 2012-04-18 2012-04-18 Integrated management method for electronic evidence


Publications (1)

Publication Number Publication Date
CN102708152A true CN102708152A (en) 2012-10-03

Family

ID=46900919

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210113777XA Pending CN102708152A (en) 2012-04-18 2012-04-18 Integrated management method for electronic evidence




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20121003