CN103139293B - Trace information obtaining method based on trace type to conduct coding reduction - Google Patents


Info

Publication number
CN103139293B
Authority
CN
China
Prior art keywords
vestige
storage medium
data
trace
retrieved
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201310028598.0A
Other languages
Chinese (zh)
Other versions
CN103139293A (en)
Inventor
陈虹宇
Other inventors requested that their names not be disclosed
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SICHUAN SHENHU TECHNOLOGY Co Ltd
Original Assignee
SICHUAN SHENHU TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2013-01-25
Filing date
2013-01-25
Publication date
2013-06-05 (CN103139293A); 2015-05-13 (CN103139293B, grant)
Application filed by SICHUAN SHENHU TECHNOLOGY Co Ltd
Legal status: Expired - Fee Related

Abstract

The invention discloses a trace information obtaining method that performs coding reduction according to trace type. The method comprises the following steps: (1) the type of the trace form to be searched and the manner in which the trace is stored in the storage medium are analyzed, and a search method for the trace in the storage medium is determined; (2) the storage medium is opened in direct-read mode, so that every datum in the storage medium may contain the information needed to search for the trace; (3) the data that locate the trace in the storage medium, comprising position and size information, are read; (4) the needed trace is searched for in the data; (5) coding reduction is conducted on the trace according to its form, and the retrieved trace data are parsed; and (6) the needed trace information is extracted. The extraction method is independent of the file system and the operating system, and has large advantages in the direct analysis of storage medium data, especially for extracting the original data of information types that are frequently deleted and modified.

Description

A trace information acquisition method that performs coding reduction according to trace type
Technical field
The present invention relates to a trace information acquisition method, and in particular to a trace information acquisition method that performs coding reduction according to trace type.
Background technology
With the networking and informatization of modern society, network intrusion attacks and leaks of secrets over networks occur again and again, bringing huge challenges to the security and secrecy work for classified computers and information systems, and imposing higher requirements on China's information security work.
According to statistics from China's security departments, most leaks involving classified computers are related to unauthorized external connections of classified computers and the cross-use of removable storage media. When a classified computer logs on to the Internet through the IE browser and visits websites, a large number of online traces are left in the system, including the IE history, cookie files, IE cache temporary files and so on. The use of USB removable storage devices also leaves traces in the system registry and system log files.
In traditional forensic software, once a trace has been wiped it is difficult to find, which causes great trouble for security and secrecy offices.
Summary of the invention
The object of the present invention is to solve the above problem by providing a trace information acquisition method that performs coding reduction according to trace type, which does not rely on the file system or the operating system and can analyze storage medium data directly.
The present invention achieves the above object through the following technical solution:
The trace information acquisition method that performs coding reduction according to trace type comprises the following steps:
(1) Analyze the type of the trace form to be retrieved and the way that trace is stored in the storage medium, and determine the search method for the trace in the storage medium. Any trace has a definite storage format in the storage medium; by analyzing this storage format, the trace can be parsed by directly reading the related data in the storage medium, without relying on interfaces such as those of the operating system.
A trace is any data structure left behind after a third party has had contact with a data storage device that may contain a record of the third party's information or operations, for example network traces, file operation traces, secret-stealing traces, etc.
The search method in step (1) comprises the following steps:
(I) find out in advance the characteristic values of the form to be retrieved;
(II) search the disk for these characteristic values, and analyze each hit as a candidate position of the trace to be retrieved;
(III) while analyzing each candidate according to the format of the trace, filter out the hits that are false positives, finally obtaining the position data of the real traces.
(2) Open the storage medium in direct-read mode: the whole storage medium is defined directly as one block of data, and each datum inside it contains information to be searched for traces. Direct reading of the storage medium means that, when acquiring traces on the storage medium, the operating system and file system are not relied on at all; the whole storage medium is defined directly as one block of data, each datum of which may contain the information to be searched for traces. In this way, data retrieval does not depend on interfaces provided by a third party; instead, the common characteristic shared by traces of a certain type in an operating system is analyzed, the positions of the needed traces are located according to this common characteristic, and the trace and its contextual information are parsed to complete the extraction of the retrieved trace.
(3) Read the data that locate the trace in the storage medium, comprising position and size information;
(4) Using the data read in step (3) and the search method determined in step (1), retrieve the needed trace from the data;
(5) Perform coding reduction on the trace according to its form, and parse the retrieved trace data. These data are used to locate the positions of trace fragments and to mine and extract the different trace types. After the position of the trace has been located, its contextual data are analyzed, and coding reduction techniques are used to decode and unescape the data corresponding to the context. The analysis method may be the same or different for different kinds of trace.
(6) Extract the needed trace information according to the analysis result of step (5).
The storage medium comprises data carriers of fragmented information such as disks, flash disks, memory, files and processes.
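As an added worked example (not the patent's own code), the three-step search method applied to the registry key records that the implementation case on this page uses as its trace type: scan a raw medium for the "nk" characteristic value, validate every hit by parsing the cell around it so that text which merely contains "nk" is rejected as a false positive, and decode the key name according to the record's own flag. The hive cell layout follows the publicly documented Windows registry format, and the image is constructed bytes rather than a real disk.

```python
import re
import struct

# Assumptions (not from the patent): the registry hive cell layout below follows the publicly
# documented Windows hive format, and the "image" is a constructed byte string, not a real disk.
NK_SIG = b"nk"                 # the characteristic value the case study names for registry key records
KEY_COMP_NAME = 0x0020         # nk flag: key name stored as 8-bit characters instead of UTF-16LE
NK_HEADER_LEN = 76             # offset of the key name from the "nk" signature
MAX_CELL = 0x10000             # sanity bound on cell size used to reject false positives


def build_nk_cell(name: str, compressed: bool) -> bytes:
    """Construct an allocated nk cell (test data only): 4-byte negative size, then the record."""
    flags = KEY_COMP_NAME if compressed else 0
    raw_name = name.encode("latin-1") if compressed else name.encode("utf-16-le")
    body = (NK_SIG + struct.pack("<H", flags) + b"\x00" * 68          # flags .. workvar
            + struct.pack("<HH", len(raw_name), 0) + raw_name)        # name length, class length, name
    size = (len(body) + 4 + 7) // 8 * 8                               # cells are 8-byte aligned
    return struct.pack("<i", -size) + body + b"\x00" * (size - 4 - len(body))


def parse_nk(image: bytes, sig_off: int):
    """Step (III): validate one signature hit by parsing the surrounding cell.
    Returns (cell_offset, cell_size, key_name) for a real nk cell, or None for a false positive."""
    if sig_off < 4 or sig_off + NK_HEADER_LEN > len(image):
        return None
    (cell_size,) = struct.unpack_from("<i", image, sig_off - 4)
    if cell_size >= 0 or -cell_size > MAX_CELL or -cell_size % 8:
        return None                                   # not an allocated, sanely sized, aligned cell
    (flags,) = struct.unpack_from("<H", image, sig_off + 2)
    (name_len,) = struct.unpack_from("<H", image, sig_off + 72)
    if name_len == 0 or name_len > 255 or 4 + NK_HEADER_LEN + name_len > -cell_size:
        return None                                   # the name would not fit inside the cell
    raw = image[sig_off + NK_HEADER_LEN: sig_off + NK_HEADER_LEN + name_len]
    try:                                              # step (5): decode according to the record's own flag
        name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return (sig_off - 4, -cell_size, name) if name.isprintable() else None


def carve_key_names(image: bytes):
    """Steps (I)-(II): scan the raw medium for every "nk" hit; keep only the hits that parse."""
    hits, false_positives = [], 0
    for match in re.finditer(re.escape(NK_SIG), image):
        parsed = parse_nk(image, match.start())
        if parsed is None:
            false_positives += 1
        else:
            hits.append(parsed)
    return hits, false_positives


# Constructed "storage medium": filler, a text false positive, two real key cells, filler.
FILLER = b"\xff" * 40
IMAGE = (FILLER + b"some junk text" + FILLER
         + build_nk_cell("ExampleVendor", compressed=True)
         + b"\x00" * 16
         + build_nk_cell("\u6570\u636e", compressed=False)   # non-Latin name stored as UTF-16LE
         + FILLER)

if __name__ == "__main__":
    found, rejected = carve_key_names(IMAGE)
    for offset, size, key in found:
        print(f"nk cell at 0x{offset:x} ({size} bytes): {key}")
    print(f"{rejected} signature hit(s) rejected as false positives")
```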
The beneficial effects of the present invention are:
The coding reduction performed by the present invention according to trace type searches the storage device by scanning fragments and then performs different operations according to the fragment type. It accesses the storage device directly, relying neither on the file system nor on the operating system; by directly analyzing the storage medium data, and in particular by actively parsing data of the respective type, it restores the true content of that information. It can be applied to any storage medium of any operating system, is highly resistant to deletion and masking, and has a very large advantage particularly in extracting the original data of information types that are frequently deleted and modified.
Embodiment
The invention is further described below:
The trace information acquisition method that performs coding reduction according to trace type comprises the following steps:
(1) Analyze the type of the trace form to be retrieved and the way that trace is stored in the storage medium, and determine the search method for the trace in the storage medium;
The search method in step (1) comprises the following steps:
(I) find out in advance the characteristic values of the form to be retrieved;
(II) search the disk for these characteristic values, and analyze each hit as a candidate position of the trace to be retrieved;
(III) while analyzing each candidate according to the format of the trace, filter out the hits that are false positives, finally obtaining the position data of the real traces.
(2) Open the storage medium in direct-read mode: the whole storage medium is defined directly as one block of data, and each datum inside it contains information to be searched for traces;
(3) Read the data that locate the trace in the storage medium, comprising position and size information;
(4) Using the data read in step (3) and the search method determined in step (1), retrieve the needed trace from the data;
(5) Perform coding reduction on the trace according to its form, and parse the retrieved trace data;
(6) Extract the needed trace information according to the analysis result of step (5).
The storage medium comprises data carriers of fragmented information such as disks, flash disks, memory, files and processes.
Implementation case: checking for files used in violation of regulations
Through network information analysis, a certain company found that internal information had been leaked from one of its machines, machine A, but could not determine whether the information had been sent actively by the user of machine A or stolen by a Trojan after someone implanted a Trojan on machine A.
Machine A was then examined, and it was found that the Eraser tool had been used on machine A to clean its free space (Eraser is a very well-known disk cleaning tool, and the free-space cleaning tools of many mainstream products adopt the same approach as Eraser; free-space cleaning means zero-filling the free space of the disk to eliminate any possibility of data recovery), and that the system had been reset once after the cleaning finished.
Thus, neither the conventional approach nor the so-called further data-recovery style of examination can detect any trace on the machine, because by now there is no record at all, whether in the registry or in files.
Using the information acquisition method based on coding reduction by trace type, the information to be checked can still be obtained. The specific operations are as follows:
1. For evidence collection, what needs to be acquired is the record of files once used on machine A and the content of the corresponding files. The record of file use is kept in the registry. By analyzing this class of registry files, we know the rough format in which the registry is stored on the hard disk; for example, a common feature of its stored records is the "nk" marker. By analogy, records of file use also have similar common storage features on the storage medium; the storage medium comprises data carriers of fragmented information such as disks, flash disks, memory, files and processes.
2. Extract and analyze the data on the disk. Because the free space of the disk was cleaned by Eraser, complete files cannot be extracted, but Eraser's cleaning has a loophole: small files and end-of-file data of this kind are not zero-filled. Added up, this information is no small amount of data. In addition, pagefile.sys records the data of virtual memory and is also not cleaned by the wiping tool.
3. Read the positions of the data that have not been cleaned.
4. Analyze the data at these positions to see whether they contain records of file use and file content relevant to the leak. If the characteristic value of registry stored records is found in these files, analyze the data before and after it.
5. If there are registry records, the context of the registry is parsed out, and finally the complete record of this registry can be restored. This makes it possible to obtain the record of the files operated on by the user on this host. If a Trojan stole the secrets, then the Trojan's installation record, start-up record, etc. can be found.
During the editing of some documents, temporary files are generated on the hard disk, and these temporary files preserve the file content involved in the change. The way these temporary files are saved on the hard disk also carries information similar to registry traces that can be used for extraction.
For this type of temporary file, the approach adopted is to locate the sensitive data of concern, such as "company secret", in the data. Fragments containing this sensitive data are then searched for in the fragments according to the various encoding techniques; once found, these fragments can be located by parsing the fragment structure, in a way similar to the analysis of registry traces. Unlike registry traces, however, this type of trace fragment involves the problem of content encoding, such as Unicode, UTF-8, etc. Coding reduction is performed on the content according to the fragment type, and the content of the original document can then be seen.
6. Through the above steps, if the operation record and document editing record of the document are found, and the content of the edited document is exactly the content of the company's stolen data, it can be proved that it was sent actively by the user of this machine. If Trojan traces are found among the software installation traces and start-up traces, and the record of the Trojan stealing the file is found, it is proved that the file was indeed stolen by a third party implanting a Trojan. At this point, the extraction and analysis process for this trace is complete.
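The temporary-file part of the case above, as an added example that is not the patent's code: the sensitive term is searched for in raw fragments in each candidate byte form, and the fragment is then decoded in whichever encoding the hit implies, with a fragment cut mid-character handled by lossy decoding. The candidate encoding list (UTF-8, UTF-16LE, GB18030) and all fragments are constructed assumptions; the page itself names only "Unicode, UTF-8 etc." and the term "company secret".

```python
# Added example (not the patent's code): locate a sensitive term in raw fragments under several
# encodings and decode the fragment in whichever encoding the hit implies. The encoding list and
# all fragments are constructed assumptions; the patent names only "Unicode, UTF-8 etc.".
SENSITIVE_TERMS = ("company secret", "公司机密")   # second term: the same phrase in Chinese
CANDIDATE_ENCODINGS = ("utf-8", "utf-16-le", "gb18030")

def encoded_patterns(terms=SENSITIVE_TERMS, encodings=CANDIDATE_ENCODINGS):
    """Step (I): precompute each term's byte form per encoding. ASCII terms encode identically under
    UTF-8 and GB18030, so identical patterns are merged and remember every encoding yielding them."""
    patterns = {}
    for term in terms:
        for enc in encodings:
            patterns.setdefault(term.encode(enc), (term, []))[1].append(enc)
    return patterns

def detect_sensitive(fragment: bytes, patterns):
    """Steps (II)/(4): every occurrence of any pattern, as (offset, term, encodings), sorted by offset."""
    hits = []
    for pat, (term, encs) in patterns.items():
        start = fragment.find(pat)
        while start != -1:
            hits.append((start, term, tuple(encs)))
            start = fragment.find(pat, start + 1)
    return sorted(hits)

def reduce_encoding(fragment: bytes, hits):
    """Step (5), coding reduction: try each encoding implied by the hits and keep the first under which
    the whole fragment decodes cleanly; a fragment cut mid-character falls back to lossy decoding."""
    candidates = []
    for _, _, encs in hits:
        for enc in encs:
            if enc not in candidates:
                candidates.append(enc)
    for enc in candidates:
        try:
            return enc, fragment.decode(enc)
        except UnicodeDecodeError:
            continue
    fallback = candidates[0] if candidates else "utf-8"
    return fallback, fragment.decode(fallback, errors="replace")

# Constructed fragments standing in for slack and temporary-file data that survived wiping.
FRAGMENTS = {
    "utf16_truncated": "Draft v2: company secret budget".encode("utf-16-le") + b"\x20",  # cut mid-character
    "utf8_chinese": "会议纪要：公司机密文件已发送".encode("utf-8"),
    "gb18030_mixed": "Memo: company secret 公司机密 attached".encode("gb18030"),
    "no_hit": b"\xff" * 12 + b"nothing sensitive here",
}

def analyze(fragment: bytes):
    """Run detection and coding reduction on one fragment; returns (hits, encoding, text)."""
    hits = detect_sensitive(fragment, encoded_patterns())
    enc, text = reduce_encoding(fragment, hits)
    return hits, enc, text

if __name__ == "__main__":
    for label, frag in FRAGMENTS.items():
        hits, enc, text = analyze(frag)
        print(f"{label}: {len(hits)} hit(s), decoded as {enc}: {text!r}")
```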

Claims (1)

1. A trace information acquisition method that performs coding reduction according to trace type, characterized in that it comprises the following steps:
(1) analyzing the type of the trace form to be retrieved and the way that trace is stored in the storage medium, and determining the search method for the trace in the storage medium;
(2) opening the storage medium in direct-read mode, defining the whole storage medium directly as one block of data, each datum inside it containing information to be searched for traces;
(3) reading the data that locate the trace in the storage medium, comprising position and size information;
(4) using the data read in step (3) and the search method determined in step (1), retrieving the needed trace from the data;
(5) performing coding reduction on the trace according to its form, and parsing the retrieved trace data;
(6) extracting the needed trace information according to the analysis result of step (5);
wherein the search method in step (1) comprises the following steps:
(I) finding out in advance the characteristic values of the form to be retrieved;
(II) searching the disk for these characteristic values, and analyzing each hit as a candidate position of the trace to be retrieved;
(III) while analyzing each candidate according to the format of the trace, filtering out the hits that are false positives, finally obtaining the position data of the real traces.

Priority Applications (1)

Application number: CN201310028598.0A (CN103139293B)
Priority date: 2013-01-25
Filing date: 2013-01-25
Title: Trace information obtaining method based on trace type to conduct coding reduction

Applications Claiming Priority (1)

Application number: CN201310028598.0A (CN103139293B)
Priority date: 2013-01-25
Filing date: 2013-01-25
Title: Trace information obtaining method based on trace type to conduct coding reduction

Publications (2)

CN103139293A (en), published 2013-06-05
CN103139293B (en), granted 2015-05-13

Family

ID=48498590

Family Applications (1)

Application number: CN201310028598.0A (CN103139293B), Expired - Fee Related
Priority date: 2013-01-25
Filing date: 2013-01-25
Title: Trace information obtaining method based on trace type to conduct coding reduction

Country Status (1)

CN: CN103139293B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105426468A (en) * 2015-11-16 2016-03-23 四川效率源信息安全技术股份有限公司 Method for recovering and extracting 360 browser historical record data
CN111818075B (en) * 2020-07-20 2021-11-30 北京华赛在线科技有限公司 Illegal external connection detection method, device, equipment and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101093527A (en) * 2007-07-25 2007-12-26 郭发源 Outer placed mobile storage in use for alete information processing

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research and development of data recovery technology based on Thumbs.db files (基于Thumbs.db文件的数据恢复技术研究与开发); Du Jiang et al.; Electronic Design Engineering (电子设计工程); 2011-09-30; Vol. 19, No. 17; pp. 10-12 *

Also Published As

Publication number Publication date
CN103139293A (en) 2013-06-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150513

Termination date: 20220125