CN105117640A - Method for extracting account number and password from computer memory in criminal investigation - Google Patents
- Publication number
- CN105117640A
- Authority
- CN
- China
- Prior art keywords
- password
- account
- account number
- characters
- context
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/41—User authentication where a single sign-on provides access to a plurality of computers
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G06F21/46—Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
Abstract
The invention puts forward a method for extracting an account number and a password from computer memory in criminal investigation. The method includes the following steps: 1) reading the memory: searching the memory contents that were read for a password keyword and, once the password keyword is found, taking the characters around it as the extracted context; 2) extracting the account number: searching the extracted context for an account number keyword and taking the account number characters starting from the end position of the account number keyword in the extracted context; 3) extracting the password: taking the password characters starting from the end position of the password keyword in the extracted context; 4) verifying the validity of the account number and the password; and 5) saving the account number characters, the password characters, the extracted context, and their positions. With the method of the invention, when computer memory data is examined and analyzed, the matching account numbers and passwords in memory can be acquired quickly in a short time without leaving out any valuable data, so that the efficiency and quality of evidence collection are greatly improved.
Description
Technical field
The present invention relates to the field of computer security technology, and specifically to a method for extracting accounts and passwords from computer memory for use in criminal investigation.
Background
Under normal circumstances, most of the accounts and passwords that people log in with through a browser when using a computer are kept in computer memory in a certain specific form, for example the accounts and passwords used to log in to mailboxes, shopping websites, dating sites and various other websites. They are not lost before the computer is shut down. When the computer is started again after a shutdown, if the memory holding this data has not been overwritten by other data, the entered account and password will still be retained in memory in this form. At present, during criminal investigation, police commonly use some method to obtain the accounts and passwords that a suspect has logged in with through a browser, in order to obtain case leads or evidence.
In current computer memory forensic technology there is no good solution for extracting the accounts and passwords held in memory, because an account and password logged in with through a browser may be stored in many places in memory, and those places are not necessarily related to one another. Until now, examiners have searched by inspecting memory block by block or by checking keyword search results one by one, which both wastes time and cannot guarantee accuracy.
Summary of the invention
The object of the invention is to overcome the above deficiencies of the prior art by providing a method that can extract accounts and passwords from computer memory quickly and accurately.
To achieve this object, the invention adopts the following technical solution: a method for extracting accounts and passwords from computer memory for criminal investigation, comprising the following steps:
Step 1: read memory; search the memory contents that were read for a password keyword and, once a password keyword is found, take the characters before and after it as the extracted context;
Step 2: extract the account; search the extracted context for an account keyword and take the account characters starting from the end position of the account keyword in the extracted context;
Step 3: extract the password; take the password characters starting from the end position of the password keyword in the extracted context;
Step 4: verify the validity of the account and password;
Step 5: save the account characters, the password characters, the extracted context and their positions.
The password keywords are at least Password, pwd and passwd.
The account keywords are at least username, login, userid and mail.
The number of characters taken before and after the password keyword is 100 on each side.
The beneficial effects of the invention are as follows: with this technical solution, when computer memory data is examined and analyzed, the matching accounts and passwords in memory can be obtained quickly in a short time without omitting any valuable data, which greatly improves the efficiency and quality of evidence collection and raises China's computer memory analysis technology to a higher level.
Brief description of the drawings
To explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a logic flow diagram of the invention.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without creative effort fall within the scope of protection of the invention.
As shown in Fig. 1, the method for extracting accounts and passwords from computer memory for criminal investigation first reads from memory the browser accounts and passwords that are stored there in a specific form, and then finds the matching accounts and passwords through keyword search and matching.
Form in which accounts and passwords are stored in memory:
In everyday computer use, when a user logs in to a website and enters an account and password, the account and password are generally retained in memory in the form (xxx login URL xxx [account keyword]=account xxx [password keyword]=password xxx), until the memory holding this data is overwritten by other data. If the memory holding this data has not been overwritten by other data, the entered account and password remain in memory in this form.
Account keywords are generally: "username", "login", "userid", "mail", etc.
Password keywords are generally: "Password", "pwd", "passwd", etc.
An account keyword and a password keyword occur as a matched pair, and the distance between them cannot be too large; if they are too far apart, they are not related. During acquisition, the maximum distance is set to 100.
The data is acquired as follows:
1. Read the memory data and extract the context. Search memory for the password keywords ("password", "pwd", "passwd"). When a keyword is found, take the 100 characters before and the 100 characters after the password keyword as the extracted context, and record the position of the keyword that was found as the keyword position.
2. Extract the account. Search the extracted context for the account keywords ("username", "login", "userid", "mail"). When an account keyword is found, take characters starting from the end position of the account keyword in the extracted context, stopping at a space, a non-displayable character or the character [&], and use the characters taken as the account characters. If the account characters taken are not empty, the account has been obtained successfully.
3. Extract the password. Take characters starting from the end position of the password keyword in the extracted context, stopping at a space, a non-displayable character or the character [&], and use the characters taken as the password. If the password taken is not empty, the password has been obtained successfully.
4. Verify the validity of the account and password. If the account or password obtained is a special keyword such as "username", "password", "value" or "input", it is considered invalid and the acquisition fails; otherwise the acquisition is considered successful.
5. Save the extracted context, the account characters and the password characters, together with their positions in the extracted context. The user can determine which website the account and password belong to from the context around the account or password keyword, or by going to the keyword position in the file and checking whether the data before and after the keyword contains information about the site.
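The five acquisition steps above, applied to a constructed byte buffer, as an added Python example that is not part of the patent text; a forensic examiner or an application owner checking a dump for lingering credentials would run the same pass. It assumes ASCII `key=value` records (the `=` after each keyword is required and skipped) and takes the first account keyword in the context that yields a value; the patent specifies neither detail.

```python
import re

# Keyword lists, window size and rejected values are the ones named on the page.
PWD_RE = re.compile(rb"(password|passwd|pwd)=", re.I)
ACC_RE = re.compile(rb"(username|login|userid|mail)=", re.I)
REJECTED = {b"username", b"password", b"value", b"input"}
WINDOW = 100  # characters kept before and after the password keyword


def take_value(buf: bytes, start: int) -> bytes:
    """Read from start until a space, a non-printable byte or '&'."""
    end = start
    while end < len(buf) and 0x21 <= buf[end] <= 0x7E and buf[end] != ord("&"):
        end += 1
    return buf[start:end]


def extract_credentials(mem: bytes) -> list[dict]:
    hits = []
    for m in PWD_RE.finditer(mem):                      # step 1: keyword search
        ctx_start = max(0, m.start() - WINDOW)
        ctx = mem[ctx_start:m.end(1) + WINDOW]          # 100 chars either side
        acc_pos, account = -1, b""
        for a in ACC_RE.finditer(ctx):                  # step 2: account
            account = take_value(ctx, a.end())
            if account:
                acc_pos = a.end()
                break
        pwd_pos = m.end() - ctx_start                   # step 3: password
        password = take_value(ctx, pwd_pos)
        if not account or not password:
            continue                                    # nothing usable extracted
        if account.lower() in REJECTED or password.lower() in REJECTED:
            continue                                    # step 4: validity check
        hits.append({                                   # step 5: save with positions
            "offset": m.start(), "context": ctx,
            "account": account, "account_pos": acc_pos,
            "password": password, "password_pos": pwd_pos,
        })
    return hits


# Constructed sample buffer (not real memory): one live record, one form-template
# residue that step 4 rejects, and one password with no account keyword nearby.
SAMPLE = (
    b"\x00\x13\x7fhttps://mail.example.test/auth\x00"
    b"username=alice%40example.test&password=Tr0ub4dor&x=1\x00\xff\xfe"
    + b"\x00" * 300 + b"login=username&pwd=password\x00"
    + b"\x00" * 300 + b"passwd=orphan\x00"
)

if __name__ == "__main__":
    for hit in extract_credentials(SAMPLE):
        print(hex(hit["offset"]), hit["account"], hit["password"])
```

Only the first record is reported: the second is discarded by the step 4 keyword check and the third has no account keyword within the 100-character window.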
The above is only a preferred embodiment of the invention and does not limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.
Claims (4)
1. A method for extracting accounts and passwords from computer memory for criminal investigation, characterized in that it comprises the following steps:
Step 1: read memory; search the memory contents that were read for a password keyword and, once a password keyword is found, take the characters before and after it as the extracted context;
Step 2: extract the account; search the extracted context for an account keyword and take the account characters starting from the end position of the account keyword in the extracted context;
Step 3: extract the password; take the password characters starting from the end position of the password keyword in the extracted context;
Step 4: verify the validity of the account and password;
Step 5: save the account characters, the password characters, the extracted context and their positions.
2. The method for extracting accounts and passwords from computer memory for criminal investigation according to claim 1, characterized in that the password keywords are at least Password, pwd and passwd.
3. The method for extracting accounts and passwords from computer memory for criminal investigation according to claim 1, characterized in that the account keywords are at least username, login, userid and mail.
4. The method for extracting accounts and passwords from computer memory for criminal investigation according to claim 1, characterized in that the number of characters taken before and after the password keyword is 100 on each side.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510404932.7A CN105117640A (en) | 2015-07-10 | 2015-07-10 | Method for extracting account number and password from computer memory in criminal investigation |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105117640A (en) | 2015-12-02 |
Family
ID=54665626
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510404932.7A Pending CN105117640A (en) | 2015-07-10 | 2015-07-10 | Method for extracting account number and password from computer memory in criminal investigation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105117640A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101086744A (en) * | 2007-07-18 | 2007-12-12 | 江百朋 | Business information search method |
CN101201834A (en) * | 2007-11-01 | 2008-06-18 | 复旦大学 | Method for searching XML data stream keyword based on document type definition |
CN102122285A (en) * | 2010-01-11 | 2011-07-13 | 卓望数码技术(深圳)有限公司 | Data cache system and data inquiry method |
CN102682068A (en) * | 2012-03-01 | 2012-09-19 | 沈文策 | Method and system for searching user name |
Non-Patent Citations (2)
Title |
---|
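Yin Lianfu (殷联甫): "Research on physical memory forensic analysis methods in computer forensics", Computer Applications and Software * |
Jia Bao'an (贾宝安): "Research and application of memory forensics technology", China Master's Theses Full-text Database, Information Science and Technology, 2014, Issue 01 * |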
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | | Application publication date: 20151202 |