CN104750675A - Identification method for encrypted file of unknown format - Google Patents

Abstract

The invention discloses an identification method for an encrypted file of an unknown format. The method includes the following steps that S1, the file of any format to be identified in an encrypted mode is determined and identified as an object file; S2, data in the object file are extracted; S3, the data extracted in the step S2 are judged, wherein if the data are judged to be plaintext data, the result that the file is a non-encrypted file is output, and if the data are judged to be encrypted files, the result that the file is an encrypted file is output. According to the method, the data in the object file are extracted and the extracted data are subjected to encryption judgment, so under the circumstance that the format of the file is unknown, whether the file of any format is automatically identified and judged, the encrypted file can be identified effectively, judgment efficiency is high, and the problem that time and labor are consumed due to manual judgment can be solved.

Description

A kind of recognition methods of unknown format encrypt file

Technical field

The present invention relates to file identification technical field, specifically a kind of recognition methods of unknown format encrypt file.

Background technology

In computer forensics field, suspect is often encrypted storage important evidence of crime, and change file form.When evidence obtaining personnel obtain the disk that suspect stores evidence of crime, need in mass file, find these encrypted files fast, then adopt the method for password cracking to crack these encrypt files, thus obtain the evidence of crime of suspect.

But for the file of arbitrary format, how robotization judge a file whether through encryption be not an easy thing.At present in computer forensics field, whether a file is encrypted, generally has two kinds of methods.One method is that evidence obtaining personnel judge by hand, such as, open a Word file by hand, if need to input password, then this Word file is encrypted, otherwise can directly open; Another kind method is for specific file type, such as Word file, if a Word file is encrypted, in file header, then there is an encryption indicator to be set to 1, can judge whether this encryption indicator is 1 by programming automation like this, then can whether encrypt by this Word file of automatization judgement.Obviously, front a kind of method efficiency is very low, wastes time and energy, and cannot check the file of magnanimity one by one; A then method, for specific file layout, if the conscious change file layout of assailant, then can only be easy to this decision method of out-tricking, causes effectively to judge encrypt file.

Whether current encrypt file decision method is difficult to automatically judge through encryption the file of the multiple format of the magnanimity run in computer forensics field, therefore, in the urgent need to a kind of technology not knowing whether to judge through encryption file in file layout situation.

Summary of the invention

For above-mentioned deficiency, the invention provides the recognition methods of a kind of unknown format encrypt file, whether it can encrypt arbitrary format file when not knowing file layout is carried out robotization identification decision, effectively can not only identify encrypt file, judge that efficiency is high, and can avoid manually carrying out judging and cause the problem that wastes time and energy, still further provides a kind of data extraction method of unknown format file and a kind of data encryption decision method.

The present invention solves the technical scheme that its technical matters takes: a kind of recognition methods of unknown format encrypt file, is characterized in that, comprise the following steps:

S1: determine the arbitrary format file needing to be encrypted identification, and be designated file destination;

S2: the data in file destination are extracted;

S3: judge the data that step S2 extracts, if be judged to be clear data, then exports the result that this file is non-encrypt file, if be judged to be encrypt file, then exports the result that this file is encrypt file.

Describedly leaching process carried out to the data in file destination comprise the following steps:

S21: open file destination in a binary format;

S22: the content reading file destination with the form of binary word throttling, and by the file destination content of reading stored in buffer area, till the content reading that file destination is all is complete;

S23: close file destination.

Described the process that extracted data judge to be comprised the following steps:

S31: the size calculating file destination byte stream in buffer zone, in units of byte, is designated as size, then content in byte stream is designated as b from the 1st byte successively to size byte ₁, b ₂..., b _size;

S32: by b ₁, b ₂..., b _sizebe converted into signless integer;

S33: computation of mean values μ according to the following equation:

$\mathrm{\μ}=\frac{1}{\mathrm{size}}\underset{n=1}{\overset{\mathrm{size}}{\mathrm{\Σ}}}{b}_n;$

S34: calculate E according to the following equation:

$E=\frac{1}{\mathrm{size}-1}\underset{n=1}{\overset{\mathrm{size}-1}{\mathrm{\Σ}}}(b_n-\mathrm{\μ})(b_{n+1}-\mathrm{\μ});$

S35: calculate σ according to the following equation:

$\mathrm{\σ}=\sqrt{\frac{1}{\mathrm{size}}\underset{n=1}{\overset{\mathrm{size}}{\mathrm{\Σ}}}{(b_n-\mathrm{\μ})}^2};$

S36: calculate R according to the following equation:

$R=\frac{E}{{\mathrm{\σ}}^2};$

S37: the threshold values f comparing R Yu preset, if R<f, then judge that file destination is as encrypted file, otherwise then judge the file that file destination is crossed as unencryption.

Described threshold values f is the correlativity after encryption between file byte.

Present invention also offers a kind of data extraction method of file destination, it is characterized in that, comprise the following steps:

S21: open file destination in a binary format;

S22: the content reading file destination with the form of binary word throttling, and by the file destination content of reading stored in buffer area, till the content reading that file destination is all is complete;

S23: close file destination.

Described file destination is the arbitrary format file determining to need to be encrypted identification.

Present invention also offers a kind of data encryption decision method of file destination, it is characterized in that, comprise the process that the data of unknown format file are extracted and the process that extracted data are judged.

Described the process that the data of unknown format file are extracted to be comprised the following steps:

S21: open file destination in a binary format;

S22: the content reading file destination with the form of binary word throttling, and by the file destination content of reading stored in buffer area, till the content reading that file destination is all is complete;

S23: close file destination.

Described the process that extracted data judge to be comprised the following steps:

S31: the size calculating file destination byte stream in buffer zone, in units of byte, is designated as size, then content in byte stream is designated as b from the 1st byte successively to size byte ₁, b ₂..., b _size;

S32: by b ₁, b ₂..., b _sizebe converted into signless integer;

S33: computation of mean values μ according to the following equation:

$\mathrm{\&mu;}=\frac{1}{\mathrm{size}}\underset{n=1}{\overset{\mathrm{size}}{\mathrm{\&Sigma;}}}{b}_n;$

S34: calculate E according to the following equation:

$E=\frac{1}{\mathrm{size}-1}\underset{n=1}{\overset{\mathrm{size}-1}{\mathrm{\&Sigma;}}}(b_n-\mathrm{\&mu;})(b_{n+1}-\mathrm{\&mu;});$

S35: calculate σ according to the following equation:

$\mathrm{\&sigma;}=\sqrt{\frac{1}{\mathrm{size}}\underset{n=1}{\overset{\mathrm{size}}{\mathrm{\&Sigma;}}}{(b_n-\mathrm{\&mu;})}^2};$

S36: calculate R according to the following equation:

$R=\frac{E}{{\mathrm{\&sigma;}}^2};$

S37: the threshold values f comparing R Yu preset, if R<f, then judge that file destination is as encrypted file, otherwise then judge the file that file destination is crossed as unencryption, described threshold values f is the correlativity after encryption between file byte.

Described file destination is the arbitrary format file determining to need to be encrypted identification.

The invention has the beneficial effects as follows: the present invention is by carrying out data extraction to file destination and being encrypted judgement to the data extracted, can when not knowing file layout, whether arbitrary format file is encrypted and carries out robotization identification decision, effectively can not only identify encrypt file, judge that efficiency is high, and can avoid manually carrying out judging and cause the problem that wastes time and energy.

The present invention does not need the form knowing file in advance, the format information utilizing file is not needed in decision process yet, just can realize whether judging through the robotization of encryption any file, facilitate evidence obtaining personnel and carry out computer forensics, improve the case handling efficiency of public security organ.

Accompanying drawing explanation

Below in conjunction with Figure of description, the present invention will be described.

Fig. 1 is the process flow diagram of unknown format encrypt file of the present invention recognition methods;

Fig. 2 is the method flow diagram that the present invention extracts file destination data;

Fig. 3 is the method flow diagram that the present invention judges file destination data encryption.

Embodiment

For clearly demonstrating the technical characterstic of this programme, below by embodiment, and in conjunction with its accompanying drawing, the present invention will be described in detail.Disclosing hereafter provides many different embodiments or example is used for realizing different structure of the present invention.Of the present invention open in order to simplify, hereinafter the parts of specific examples and setting are described.In addition, the present invention can in different example repeat reference numerals and/or letter.This repetition is to simplify and clearly object, itself does not indicate the relation between discussed various embodiment and/or setting.It should be noted that parts illustrated in the accompanying drawings are not necessarily drawn in proportion.Present invention omits the description of known assemblies and treatment technology and process to avoid unnecessarily limiting the present invention.

Main thought of the present invention is that unknown file is analyzed autocorrelation between its byte as byte stream, file after encryption can present good randomness, and unencrypted file has correlativity due to meaningful between byte, a therefore criterion whether can encrypting as file of the height of auto-correlation degree.The recognition methods of unknown format encrypt file of the present invention have employed data extraction method and the data encryption decision method of file destination.

As shown in Figure 1, the recognition methods of a kind of unknown format encrypt file of the present invention, it comprises the following steps:

S1: determine the arbitrary format file needing to be encrypted identification, and be designated file destination;

S2: utilize the data extraction method of file destination to extract the data in file destination;

S3: utilize data encryption decision method to judge the data that step S2 extracts, if be judged to be clear data, then exports the result that this file is non-encrypt file, if be judged to be encrypt file, then exports the result that this file is encrypt file.

As shown in Figure 2, the data extraction method of a kind of file destination of the present invention, it comprises the following steps:

S21: open file destination in a binary format;

S22: the content reading file destination with the form of binary word throttling, and by the file destination content of reading stored in buffer area, till the content reading that file destination is all is complete;

S23: close file destination.

As shown in Figure 3, the data encryption decision method of a kind of file destination of the present invention, it comprises the following steps:

S31: the size calculating file destination byte stream in buffer zone, in units of byte, is designated as size, then content in byte stream is designated as b from the 1st byte successively to size byte ₁, b ₂..., b _size;

S32: by b ₁, b ₂..., b _sizebe converted into signless integer;

S33: computation of mean values μ according to the following equation:

$\mathrm{\&mu;}=\frac{1}{\mathrm{size}}\underset{n=1}{\overset{\mathrm{size}}{\mathrm{\&Sigma;}}}{b}_n;$

S34: calculate E according to the following equation:

$E=\frac{1}{\mathrm{size}-1}\underset{n=1}{\overset{\mathrm{size}-1}{\mathrm{\&Sigma;}}}(b_n-\mathrm{\&mu;})(b_{n+1}-\mathrm{\&mu;});$

S35: calculate σ according to the following equation:

$\mathrm{\&sigma;}=\sqrt{\frac{1}{\mathrm{size}}\underset{n=1}{\overset{\mathrm{size}}{\mathrm{\&Sigma;}}}{(b_n-\mathrm{\&mu;})}^2};$

S36: calculate R according to the following equation:

$R=\frac{E}{{\mathrm{\&sigma;}}^2};$

S37: the threshold values f comparing R Yu preset, if R<f, then judge that file destination is as encrypted file, otherwise then judge the file that file destination is crossed as unencryption, described threshold values f is the correlativity after encryption between file byte.

File destination described in said method is the arbitrary format file determining to need to be encrypted identification.

The above is the preferred embodiment of the present invention, and for those skilled in the art, under the premise without departing from the principles of the invention, can also make some improvements and modifications, these improvements and modifications are also regarded as protection scope of the present invention.

Claims (10)

1. a recognition methods for unknown format encrypt file, is characterized in that, comprises the following steps:

S1: determine the arbitrary format file needing to be encrypted identification, and be designated file destination;

S2: the data in file destination are extracted;

S3: judge the data that step S2 extracts, if be judged to be clear data, then exports the result that this file is non-encrypt file, if be judged to be encrypt file, then exports the result that this file is encrypt file.

2. the recognition methods of a kind of unknown format encrypt file according to claim 1, is characterized in that, describedly carries out leaching process to the data in file destination and comprises the following steps:

S21: open file destination in a binary format;

S22: the content reading file destination with the form of binary word throttling, and by the file destination content of reading stored in buffer area, till the content reading that file destination is all is complete;

S23: close file destination.

3. the recognition methods of a kind of unknown format encrypt file according to claim 2, is characterized in that, describedly comprises the following steps the process that extracted data judge:

S31: the size calculating file destination byte stream in buffer zone, in units of byte, is designated as size, then content in byte stream is designated as b from the 1st byte successively to size byte ₁, b ₂..., b _size;

S32: by b ₁, b ₂..., b _sizebe converted into signless integer;

S33: computation of mean values μ according to the following equation:

$\mathrm{\&mu;}=\frac{1}{\mathrm{size}}\underset{n=1}{\overset{\mathrm{size}}{\mathrm{\&Sigma;}}}{b}_n;$

S34: calculate E according to the following equation:

$E=\frac{1}{\mathrm{size}-1}\underset{n=1}{\overset{\mathrm{size}-1}{\mathrm{\&Sigma;}}}(b_n-\mathrm{\&mu;})(b_{n+1}-\mathrm{\&mu;});$

S35: calculate σ according to the following equation:

$\mathrm{\&sigma;}=\sqrt{\frac{1}{\mathrm{size}}\underset{n=1}{\overset{\mathrm{size}}{\mathrm{\&Sigma;}}}{(b_n-\mathrm{\&mu;})}^2};$

S36: calculate R according to the following equation:

$R=\frac{E}{{\mathrm{\&sigma;}}^2};$

S37: the threshold values f comparing R Yu preset, if R<f, then judge that file destination is as encrypted file, otherwise then judge the file that file destination is crossed as unencryption.

4. the recognition methods of a kind of unknown format encrypt file according to claim 3, is characterized in that, described threshold values f is the correlativity after encryption between file byte.

5. a data extraction method for file destination, is characterized in that, comprises the following steps:

S21: open file destination in a binary format;

S22: the content reading file destination with the form of binary word throttling, and by the file destination content of reading stored in buffer area, till the content reading that file destination is all is complete;

S23: close file destination.

6. the data extraction method of a kind of file destination according to claim 5, is characterized in that, described file destination is the arbitrary format file determining to need to be encrypted identification.

7. a data encryption decision method for file destination, is characterized in that, comprises the process extracted the data of unknown format file and the process judged extracted data.

8. the data encryption decision method of a kind of file destination according to claim 7, is characterized in that, describedly comprises the following steps the process that the data of unknown format file are extracted:

S21: open file destination in a binary format;

S22: the content reading file destination with the form of binary word throttling, and by the file destination content of reading stored in buffer area, till the content reading that file destination is all is complete;

S23: close file destination.

9. the data encryption decision method of a kind of file destination according to claim 7, is characterized in that, describedly comprises the following steps the process that extracted data judge:

S31: the size calculating file destination byte stream in buffer zone, in units of byte, is designated as size, then content in byte stream is designated as b from the 1st byte successively to a si ze byte ₁, b ₂..., b _size;

S32: by b ₁, b ₂..., b _sizebe converted into signless integer;

S33: computation of mean values μ according to the following equation:

$\mathrm{\&mu;}=\frac{1}{\mathrm{size}}\underset{n=1}{\overset{\mathrm{size}}{\mathrm{\&Sigma;}}}{b}_n;$

S34: calculate E according to the following equation:

$E=\frac{1}{\mathrm{size}-1}\underset{n=1}{\overset{\mathrm{size}-1}{\mathrm{\&Sigma;}}}(b_n-\mathrm{\&mu;})(b_{n+1}-\mathrm{\&mu;});$

S35: calculate σ according to the following equation:

$\mathrm{\&sigma;}=\sqrt{\frac{1}{\mathrm{size}}\underset{n=1}{\overset{\mathrm{size}}{\mathrm{\&Sigma;}}}{(b_n-\mathrm{\&mu;})}^2};$

S36: calculate R according to the following equation:

$R=\frac{E}{{\mathrm{\&sigma;}}^2};$

S37: the threshold values f comparing R Yu preset, if R<f, then judge that file destination is as encrypted file, otherwise then judge the file that file destination is crossed as unencryption, described threshold values f is the correlativity after encryption between file byte.

10. the data encryption decision method of a kind of file destination according to any one of claim 7 to 9, is characterized in that, described file destination is the arbitrary format file determining to need to be encrypted identification.