CN105138709B - Remote evidence taking system based on physical memory analysis - Google Patents

Remote evidence taking system based on physical memory analysis

Info

Publication number: CN105138709B
Application number: CN201510655761.5A
Authority: CN (China)
Prior art keywords: client, physical memory, file, information, service end
Legal status: Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN105138709A
Inventors: 杨淑棉, 王连海, 韩晓晖, 赵大伟, 张淑慧, 刘广起
Current assignee: Shandong Computer Science Center
Original assignee: Shandong Computer Science Center

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F 16/10 File systems; File servers
        • G06F 16/16 File or folder operations, e.g. details of user interfaces specifically adapted to file systems > G06F 16/168 Details of user interfaces specifically adapted to file systems, e.g. browsing and visualisation, 2d or 3d GUIs
        • G06F 16/18 File system types > G06F 16/1805 Append-only file systems, e.g. using logs or journals to store data > G06F 16/1815 Journaling file systems
        • G06F 16/18 File system types > G06F 16/182 Distributed file systems > G06F 16/1824 Distributed file systems implemented using Network-attached Storage [NAS] architecture
        • G06F 16/18 File system types > G06F 16/182 Distributed file systems > G06F 16/183 Provision of network file services by network file servers, e.g. by using NFS, CIFS
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols
        • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] > H04L 67/025 Protocols based on web technology for remote control or remote monitoring of applications
        • H04L 67/10 Protocols in which an application is distributed across nodes in the network > H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Abstract

The invention provides a remote forensics system based on physical memory analysis, comprising a client and a server. The client images its physical memory, stores the image locally, computes a hash value over the image file, analyzes the image by calling a physical memory analysis command-line program, and sends the analysis result together with the image file to the server. The server listens for clients; when a client connection request arrives it accepts the connection, receives the marker string with which the client announces the start of transmission, and then collects mainly the client's physical memory image file and the corresponding image analysis result. The server is multithreaded, can collect physical memory image files and memory analysis results from several clients at once, and stores the memory analysis results in a database. On the other side, the server connects to a remote control terminal, to which it mainly sends the clients' log information, and it searches the database for records that satisfy the retrieval conditions supplied by the remote control terminal.

Description

A remote forensics system based on physical memory analysis
Technical field
The present invention relates to the field of cloud forensic analysis, in particular to forensic analysis performed on the physical memory image file of a remote target terminal; specifically, it relates to a remote forensics system based on physical memory analysis.
Background technology
In electronic data forensics, the analysis of forensic data usually relies on the investigator's personal experience and judgment to choose a suitable analysis method for detecting and analyzing the collected data, because that analysis involves many kinds of analysis. Such subjective, personal selection of the analysis method not only prevents the forensic data from being fully and effectively used, it also hurts forensic efficiency. Furthermore, the number of cases requiring forensic examination grows sharply every year while the number of investigators is limited, so they cannot reach the scene in time, and since individual experience is limited, comprehensive forensics is hard to carry out. Live evidence resides mainly in the computer's physical memory, so physical memory analysis is the key to live evidence analysis. Third, the current traditional live forensics approach runs various forensic tools on the target computer system to collect and analyze data, which seriously undermines the credibility of the evidence: even when evidence is obtained, its integrity and authenticity are hard to prove, and as kernel-mode trojans and anti-forensics techniques develop, the data obtained by many live tools may well have been tampered with. The traditional forensics approach first acquires an image of the disk (hard disk) and then scans, analyzes and presents the disk image, but a disk image file is easily tampered with in advance and its authenticity and credibility are low. The master's thesis "Research and implementation of a remote computer forensics system based on data recovery" uses remote control to recover data, files and the like, but its data recovery module consumes a large share of the target host's system resources and is easily noticed by the suspect; moreover, that remote forensics system runs only on Windows and does not support widespread systems such as Linux. Patent CN103647791B discloses forensics on a remote mobile terminal, including two-way voice calls, video transmission and photographing by the remote terminal with the photos sent back to a PC; this belongs to the traditional forensic methods. That patent only transmits information such as voice calls and video, whose content may have been altered before transmission, and it cannot guarantee real-time transmission of this information.
Summary of the invention
The technical problem solved by the present invention is to provide a remote information collection and forensics management system that helps investigators find the key evidence they need in massive memory analysis results: by analyzing the physical memory image file of a target host, it obtains important information about what is running in memory, greatly improving work efficiency and the authenticity and credibility of the electronic evidence.
The present invention achieves this goal by the following technical means:
A remote forensics system based on physical memory analysis, characterized in that it comprises:
Client: images the client's physical memory and stores the image locally, computes a hash value over the image file, then calls a physical memory analysis command-line program to analyze the image file, and sends the analysis result together with the image file to the server;
Server: listens for clients; when a client connection request arrives, the server acknowledges the connection; once connected, the server receives the marker string that the client sends to announce the start of transmission, then begins receiving the client's information, mainly the client's physical memory image file and the corresponding image analysis result. The server is multithreaded and can collect physical memory image files and memory analysis results from several clients at once, storing the memory analysis results in a Hadoop Hive database. On the other side, it establishes a connection with the remote control terminal, to which it mainly sends the clients' log information; according to the remote control terminal's search conditions, it searches the Hadoop Hive database for matching records and sends them to the remote control terminal for display;
Remote control terminal: mainly manages the server; obtains the clients' information through the remote management service and displays the clients' log information; also provides retrieval, so that the user can obtain a client's memory image analysis result by keyword; and provides export, so that retrieval results and memory analysis results can be exported for further analysis by investigators;
The client comprises:
Client communication module: establishes communication with the server and transfers files;
Client log module: obtains the client host's System, Security and Application logs by calling the EventLog.exe command-line program;
Client physical memory imaging module: calls the MemDump driver to image the client host's physical memory; flow: load the driver, create the service, start the service, load the driver, image physical memory, unload the driver;
Client physical memory analysis module: opens the physical memory image file and extracts the key information about the client host: basic information, registry information, email accounts, instant messaging account information, BIOS password, disk encryption password and web form submissions, network information, system log information, logon information, process information, activity information and hook information, storing it temporarily on the local machine;
Client transmission module: transmits the physical memory file, the physical memory analysis result file and the system log file;
Client storage module: temporarily stores locally the physical memory file, physical memory analysis result and system log file that are to be transmitted.
As a further limitation of the technical solution, the client's log information includes the client's IP address and port, the name of the transmitted image file, the memory analysis result file and the corresponding MD5 value.
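The client-to-server exchange described above (hash the image, announce the transfer with a marker string, send image and analysis result, and have the server log IP address, port, image file name and hash), as an added Python example written for this page; it is not code from the patent, which discloses no implementation. The marker string, the frame layout (marker, 4-byte header length, JSON header, image bytes, analysis bytes) and the sample image and analysis content are constructed assumptions. The example also records SHA-256 beside the MD5 the patent names, because MD5 collisions are practical and a chain-of-custody hash should come from a collision-resistant function; the server re-hashes what actually arrived rather than trusting the client's value.

```python
import hashlib
import json
import socket
import struct
import threading

# Constructed marker string: the patent requires one but does not give its value.
MARKER = b"MEMIMG-TRANSFER-BEGIN\n"


def digests(data: bytes) -> dict:
    """MD5, as the described system records, plus SHA-256 for collision resistance."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def build_frame(image_name: str, image: bytes, analysis: dict) -> bytes:
    """Client side: marker, 4-byte big-endian header length, JSON header, image, analysis."""
    analysis_bytes = json.dumps(analysis).encode()
    header = json.dumps({"image_name": image_name,
                         "image_size": len(image),
                         "analysis_size": len(analysis_bytes),
                         **digests(image)}).encode()
    return MARKER + struct.pack("!I", len(header)) + header + image + analysis_bytes


def receive_evidence(conn: socket.socket, peer) -> dict:
    """Server side: require the marker, re-hash the received image and build the log
    record (IP, port, file name, hashes) that the server keeps for the remote terminal."""
    f = conn.makefile("rb")
    if f.read(len(MARKER)) != MARKER:
        raise ValueError("transfer did not start with the marker string")
    (hlen,) = struct.unpack("!I", f.read(4))
    header = json.loads(f.read(hlen))
    image = f.read(header["image_size"])
    analysis = json.loads(f.read(header["analysis_size"]))
    actual = digests(image)
    return {"client_ip": peer[0],
            "client_port": peer[1],
            "image_name": header["image_name"],
            "md5": actual["md5"],
            "sha256": actual["sha256"],
            # the client's hashes count only if the bytes that arrived reproduce them
            "integrity_ok": actual["md5"] == header.get("md5")
                            and actual["sha256"] == header.get("sha256"),
            "analysis": analysis}


def run_demo(tamper: bool = False) -> list:
    """Run one server thread and one client over loopback; return the server's log records.
    With tamper=True the last image byte is flipped in transit, so the hashes must mismatch."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    records = []

    def serve_one():
        conn, peer = server.accept()
        with conn:
            records.append(receive_evidence(conn, peer))

    worker = threading.Thread(target=serve_one)
    worker.start()

    image = bytes(range(256)) * 16  # constructed stand-in for a physical memory image
    analysis = {"processes": ["explorer.exe", "cmd.exe"], "hooks": []}  # constructed result
    frame = build_frame("host01.raw", image, analysis)
    if tamper:
        last_image_byte = len(frame) - len(json.dumps(analysis).encode()) - 1
        frame = (frame[:last_image_byte]
                 + bytes([frame[last_image_byte] ^ 0xFF])
                 + frame[last_image_byte + 1:])

    with socket.create_connection(server.getsockname()) as client:
        client.sendall(frame)
    worker.join()
    server.close()
    return records
```

run_demo() returns one record with integrity_ok set, and run_demo(tamper=True) returns a record whose hashes no longer match the header, which is the condition the server should log and refuse to admit as evidence. Transport encryption and client authentication are left out here; the patent does not address them either, and a deployed collector would need both.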
As a further limitation of the technical solution, the server comprises:
Server communication module: on the one hand establishes communication with the remote control terminal, on the other hand opens multiple threads to communicate with multiple clients;
Server receiving module: receives the content transmitted by different clients concurrently according to the agreed protocol; the large physical memory file is stored as a file, and the physical memory analysis result is stored in Hadoop Hive;
Server storage module: stores the physical memory file and the System, Security and Application logs, and stores the physical memory analysis result in the Hadoop Hive database;
Server parallel analysis module: analyzes several physical memory files simultaneously;
Server database retrieval module: supports retrieval by key field within the client's basic information, registry information, sensitive information, network information, system log information, logon information, process information, activity information and hook information;
Server display module: mainly displays the clients' log information, including transmission time, client IP address and port, the name of the transmitted physical memory file and the hash value of the physical memory file; on the other hand, it displays the physical memory analysis results held in the Hadoop Hive database, showing the results that contain the keyword within different time periods.
As a further limitation of the technical solution, the remote control terminal comprises:
Remote new-case module: the basic information of a new case includes the case name, case number, the hash algorithm used, the case storage path and the case description;
Remote service start module: enter the server's IP address and port, establish the connection with the server and start the service;
Remote communication module: establishes communication with the server;
Remote log management module: supports saving and analyzing log files;
Remote key-file retrieval module: enter a Hive table and a key field in that table and send the command to the server, that is, retrieve keywords from a particular key file produced by physical memory analysis, to obtain the physical memory analysis results for different time periods;
Remote parallel analysis module: select one or several of the physical memory files transmitted by clients and send a parallel analysis instruction to the server, which then analyzes those physical memory files;
Remote export module: exports the retrieval and analysis results to a file.
Compared with the prior art, the advantages and positive effects of the present invention are: the present invention collects client information through a remote management service, obtaining the client's physical memory image file, physical memory analysis result and log information; it provides retrieval of physical memory analysis results and parallel analysis of memory, so that valuable information is drawn from the memory analysis results; it leaves little opportunity for the physical memory information to be tampered with, so the information has high credibility and validity; and it helps judicial staff find the evidence they need in massive memory analysis results, greatly improving work efficiency.
From the viewpoint of acquiring physical memory image files and analyzing physical memory, the present invention remotely collects, in real time, the physical memory of large numbers of devices such as servers, PCs and intelligent terminals, images and analyzes it, and completes the analysis of massive evidence. It realizes functions that a single machine can hardly complete, such as detection of unknown viruses, anomalous behavior detection and high-strength password cracking; it achieves sensitive perception of security threats and criminal activity on the Internet, forensics during the event and full monitoring, changing the past situation in which only post-mortem forensics was possible. Acquiring and analyzing physical memory is more credible and effective. The client of this remote forensics system slips into the client operating system as a process or service and shields the user from differences in operating system and hardware configuration. Through remote forensics, local evidence can be processed remotely according to the demands of the remote server, including preservation and analysis of the evidence; forensic tools and other third-party applications can be controlled remotely to collect and process evidence in real time, and the remote evidence and analysis results are sent to the server for preservation, analysis and processing.
On the other hand, security auditing can be realized: remote forensics can obtain the security audit information of the client operating system in real time, including the Application, Security and System logs, while achieving full supervision, auditing and recording of the forensic personnel, and send it to the remote server for analysis, so that network security vulnerabilities or illegal activity are discovered in time. Remote forensics meets the needs of IT industry users in forensics and security auditing, broadens the applications and extends the industrial chain of computer forensics.
The remote forensics system based on physical memory analysis offers an effective digital forensic analysis scheme that meets forensic requirements and plays an important role in improving the credibility of forensic data and the precision of forensic analysis.
This method meets the requirements of traditional physical evidence technology better than the traditional live forensics approach, in which the stages of forensics are hard to delineate clearly. With a live forensics approach based on physical memory analysis the stages are naturally separated: investigation and analysis both rely on the acquired physical memory image file, which makes it easy to verify the correctness of the analysis and investigation work, so it meets the requirements of physical evidence technology better than traditional live forensics.
Brief description of the drawings
Fig. 1 is the workflow diagram of the present invention.
Specific embodiment:
The present invention is further explained below with reference to an embodiment.
Referring to Fig. 1, the embodiment comprises the client, the server and the remote control terminal described in the Summary of the invention above: the client images and hashes its physical memory, analyzes the image with the physical memory analysis command-line program and transmits image and analysis result to the server; the server receives from several clients in parallel, stores the memory analysis results in the Hadoop Hive database and serves the remote control terminal's retrieval requests; the remote control terminal manages the server, displays the clients' log information (IP address, port, transmitted image file name, memory analysis result file and corresponding MD5 value), and retrieves and exports analysis results. The client, server and remote control terminal modules of the embodiment are those enumerated above.
In this embodiment the devices whose physical memory is remotely collected, imaged and analyzed in real time are the large numbers of devices in a cloud computing environment, such as servers, PCs and intelligent terminals, and the analysis of the massive evidence is completed with supercomputing technology; the functions realized (detection of unknown viruses, anomalous behavior detection, high-strength password cracking, perception of security threats and criminal activity on the Internet, forensics during the event and full monitoring), the way the client slips into the client operating system as a process or service, the remote processing of local evidence and the security auditing of the client operating system's Application, Security and System logs are as described above.
For Windows physical memory analysis, a KPCR-based physical memory analysis method is used, which solves the problems of Windows version differences and address translation in memory analysis; the applicants describe this technique as being at the leading international level.
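The KPCR-based approach named above, as an added Python example written for this page; it is not the patent's own code, which is not disclosed. It follows the same idea as public tools such as Volatility's kpcrscan: the KPCR can be found in a raw physical image by a self-consistency test on two of its fields (SelfPcr holds the KPCR's own virtual address, Prcb points 0x120 bytes past it), and its KdVersionBlock pointer then yields the kernel build, so nothing about the Windows version needs to be known up front. Following that pointer is where the address translation problem arises, because it is a virtual address and must be walked through the page tables first. The field offsets assume the 32-bit non-PAE Windows XP/7 layout; the six-page image, the DTB of 0 and the version block values are constructed for the example.

```python
import struct

PAGE = 0x1000
# 32-bit (non-PAE) _KPCR field offsets from the public Windows XP/7 x86 symbols.
# They, and the sample image below, are assumptions of this example, not values from the patent.
KPCR_SELF_PCR = 0x1C          # _KPCR.SelfPcr: virtual address of this very KPCR
KPCR_PRCB = 0x20              # _KPCR.Prcb: pointer to the embedded _KPRCB
KPCR_KD_VERSION_BLOCK = 0x34  # _KPCR.KdVersionBlock: pointer to _DBGKD_GET_VERSION64
KPCR_PRCB_DATA = 0x120        # _KPCR.PrcbData: where the embedded _KPRCB starts


def u32(buf: bytes, off: int) -> int:
    return struct.unpack_from("<I", buf, off)[0]


def scan_kpcr_x86(image: bytes) -> list:
    """Locate KPCR candidates without knowing the Windows version or any virtual address
    in advance: a genuine KPCR is page aligned, its SelfPcr field holds its own VA and
    its Prcb field points exactly 0x120 bytes past that VA (into PrcbData)."""
    hits = []
    for off in range(0, len(image) - KPCR_PRCB_DATA, PAGE):
        self_va, prcb_va = struct.unpack_from("<II", image, off + KPCR_SELF_PCR)
        if self_va and self_va % PAGE == 0 and prcb_va == self_va + KPCR_PRCB_DATA:
            hits.append({"phys": off, "self_va": self_va,
                         "kd_version_block_va": u32(image, off + KPCR_KD_VERSION_BLOCK)})
    return hits


def translate_x86(image: bytes, dtb: int, va: int):
    """x86 non-PAE page walk: page directory (CR3/DTB) -> PDE -> PTE, or a 4 MiB page when
    the PDE's PS bit is set. Returns None when an entry is not present."""
    pde = u32(image, dtb + ((va >> 22) & 0x3FF) * 4)
    if not pde & 1:
        return None
    if pde & 0x80:
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte = u32(image, (pde & 0xFFFFF000) + ((va >> 12) & 0x3FF) * 4)
    if not pte & 1:
        return None
    return (pte & 0xFFFFF000) | (va & 0xFFF)


def read_version_block(image: bytes, dtb: int, kdvb_va: int):
    """Follow KdVersionBlock to _DBGKD_GET_VERSION64 and pull the fields that pin down the
    kernel: MajorVersion (0xF = free build), MinorVersion (build number), MachineType,
    KernBase and PsLoadedModuleList."""
    pa = translate_x86(image, dtb, kdvb_va)
    if pa is None:
        return None
    major, minor, _proto, _secondary, _flags, machine = struct.unpack_from("<HHBBHH", image, pa)
    kern_base, ps_loaded_module_list = struct.unpack_from("<QQ", image, pa + 0x10)
    return {"major": major, "minor": minor, "machine": machine,
            "kern_base": kern_base, "ps_loaded_module_list": ps_loaded_module_list}


def build_sample_image() -> bytes:
    """Constructed 6-page image: page 0 = page directory (DTB 0), pages 1 and 4 = page tables,
    page 2 = KPCR at VA 0xffdff000, page 3 = version block at VA 0x80545000, page 5 = decoy
    whose SelfPcr/Prcb pair is inconsistent and must be rejected by the scan."""
    img = bytearray(6 * PAGE)
    kpcr_va, kdvb_va = 0xFFDFF000, 0x80545000
    struct.pack_into("<I", img, (kpcr_va >> 22) * 4, 0x1000 | 0x3)                      # PDE -> PT in page 1
    struct.pack_into("<I", img, (kdvb_va >> 22) * 4, 0x4000 | 0x3)                      # PDE -> PT in page 4
    struct.pack_into("<I", img, 0x1000 + ((kpcr_va >> 12) & 0x3FF) * 4, 0x2000 | 0x3)  # PTE -> page 2
    struct.pack_into("<I", img, 0x4000 + ((kdvb_va >> 12) & 0x3FF) * 4, 0x3000 | 0x3)  # PTE -> page 3
    struct.pack_into("<II", img, 0x2000 + KPCR_SELF_PCR, kpcr_va, kpcr_va + KPCR_PRCB_DATA)
    struct.pack_into("<I", img, 0x2000 + KPCR_KD_VERSION_BLOCK, kdvb_va)
    # version block: free build, build 7601, protocol 6, flags, IMAGE_FILE_MACHINE_I386,
    # then constructed KernBase and PsLoadedModuleList values
    struct.pack_into("<HHBBHH", img, 0x3000, 0xF, 7601, 6, 0, 0x2, 0x14C)
    struct.pack_into("<QQ", img, 0x3010, 0x80400000, 0x80553E00)
    struct.pack_into("<II", img, 0x5000 + KPCR_SELF_PCR, kpcr_va, kpcr_va)            # decoy: Prcb != SelfPcr + 0x120
    return bytes(img)


def demo() -> list:
    """Scan the constructed image, then resolve each hit's version block through the DTB."""
    image = build_sample_image()
    dtb = 0x0  # constructed: the page directory sits at physical address 0 in this image
    return [(hit, read_version_block(image, dtb, hit["kd_version_block_va"]))
            for hit in scan_kpcr_x86(image)]
```

demo() returns a single hit at physical offset 0x2000 with SelfPcr 0xffdff000 and a version block reporting build 7601 on i386; the decoy page is rejected because its Prcb field does not point 0x120 bytes past SelfPcr. On a real image the DTB is itself recovered from the image (for example from the System process's DirectoryTableBase), and 64-bit Windows uses different KPCR offsets and a four-level page walk, so the constants above must not be applied to it unchanged.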

Claims (4)

1. A remote forensics system based on physical memory analysis, characterized in that it comprises:
Client: images the client's physical memory and stores the image locally, computes a hash value over the image file, then calls a physical memory analysis command-line program to analyze the image file, and sends the analysis result together with the image file to the server;
Server: listens for clients; when a client connection request arrives, the server acknowledges the connection; once connected, the server receives the marker string that the client sends to announce the start of transmission, then begins receiving the client's information, mainly the client's physical memory image file and the corresponding image analysis result; the server is multithreaded and can collect physical memory image files and memory analysis results from several clients at once, storing the memory analysis results in a Hadoop Hive database; on the other side, it establishes a connection with the remote control terminal, to which it mainly sends the clients' log information, and according to the remote control terminal's search conditions it searches the Hadoop Hive database for matching records and sends them to the remote control terminal for display;
Remote control terminal: mainly manages the server; obtains the clients' information through the remote management service and displays the clients' log information; also provides retrieval, so that the user can obtain a client's memory image analysis result by keyword; and provides export, so that retrieval results and memory analysis results can be exported for further analysis by investigators;
the client comprising:
Client communication module: establishes communication with the server and transfers files;
Client log module: obtains the client host's System, Security and Application logs by calling the EventLog.exe command-line program;
Client physical memory imaging module: calls the MemDump driver to image the client host's physical memory; flow: load the driver, create the service, start the service, load the driver, image physical memory, unload the driver;
Client physical memory analysis module: opens the physical memory image file and extracts the key information about the client host: basic information, registry information, email accounts, instant messaging account information, BIOS password, disk encryption password and web form submissions, network information, system log information, logon information, process information, activity information and hook information, storing it temporarily on the local machine;
Client transmission module: transmits the physical memory file, the physical memory analysis result file and the system log file;
Client storage module: temporarily stores locally the physical memory file, physical memory analysis result and system log file that are to be transmitted.
2. The remote forensics system based on physical memory analysis according to claim 1, characterized in that the client's log information includes the client's IP address and port, the name of the transmitted image file, the memory analysis result file and the corresponding MD5 value.
3. The remote evidence obtaining system based on physical memory analysis according to claim 1, characterized in that the service end comprises:
Service end communication module: on the one hand establishes communication with the remote control terminal, on the other hand opens multiple threads to communicate with multiple clients;
Service end receiving module: according to the established protocol, receives the content transmitted by different clients simultaneously; the large physical memory file is stored as a file, while the physical memory analysis result is stored in hadoop hive;
Service end storage module: stores the physical memory file together with the system log, security log and application log; stores the physical memory analysis result in the hadoop hive database;
Service end parallel analysis module: analyzes several physical memory files simultaneously;
Service end database retrieval module: supports retrieval of key fields in the client's basic information, registry information, sensitive information, network information, system log information, logon information, process information, activity information and hook information;
Service end display module: mainly displays client log information, including the transmission time, client ip address, port, the name of the transmitted physical memory file and the hash value of the physical memory file; it also displays the physical memory analysis results held in the hadoop hive database, showing the results that contain the keyword within different time periods.
4. The remote evidence obtaining system based on physical memory analysis according to claim 1, characterized in that the remote control terminal comprises:
Remote new-case module: the basic information of a new case includes the case name, case number, the hash algorithm used, the case storage path and the case description;
Remote open-service module: the user enters the service end ip address and port, establishes a communication connection with the service end, and starts the service;
Remote communication module: establishes communication with the service end;
Remote log management module: supports saving and analyzing log files;
Remote key file retrieval module: the user enters a hive table and a key field in that table and sends the command to the service end, i.e. retrieves a keyword in a given key file produced by physical memory analysis, in order to obtain the physical memory analysis results of different time periods;
Remote parallel analysis module: the user selects one or several of the physical memory files transmitted by a client and sends a parallel analysis instruction to the service end, which then analyzes the one or several physical memory files;
Remote export module: exports retrieval and analysis results to a file.
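As an added illustration of the transfer and log record described in claims 1 to 3 (the start-of-transmission marker string, the image file, and the ip/port/filename/md5 log fields of claim 2), the Python below is not the patent's code: the marker value, the header layout and the field separator are constructed assumptions, since the claims do not specify a wire format. The hash algorithm is selectable, mirroring the per-case hash algorithm of claim 4, so a sha256 digest can be used where md5 is not acceptable for evidence integrity.

```python
import hashlib

# Constructed placeholder: the claims mention a start-of-transmission marker
# string but do not give its value.
START_MARKER = b"<<BEGIN_TRANSFER>>\n"
SEP = "|"  # constructed field separator; image names containing it are rejected


def frame_transfer(client_ip, port, image_name, image_bytes, algo="md5"):
    """Client side: frame one physical memory image for transmission.

    Layout (constructed): START_MARKER, one header line carrying the claim 2
    log fields (ip, port, image filename, hash algorithm, digest) plus the
    image length in bytes, then the raw image bytes.
    """
    if SEP in image_name or "\n" in image_name:
        raise ValueError("image name contains a reserved character")
    digest = hashlib.new(algo, image_bytes).hexdigest()
    header = SEP.join([client_ip, str(port), image_name, algo, digest,
                       str(len(image_bytes))]) + "\n"
    return START_MARKER + header.encode() + image_bytes


def receive_transfer(payload):
    """Service end: parse one framed transfer and produce the log record.

    The digest is recomputed over the received bytes; a record whose
    'verified' flag is False must not be stored as evidence.
    """
    if not payload.startswith(START_MARKER):
        raise ValueError("missing start-of-transmission marker")
    rest = payload[len(START_MARKER):]
    header, newline, body = rest.partition(b"\n")
    if not newline:
        raise ValueError("truncated header")
    fields = header.decode().split(SEP)
    if len(fields) != 6:
        raise ValueError("malformed header")
    ip, port, name, algo, claimed, size = fields
    if algo not in hashlib.algorithms_available:
        raise ValueError("unsupported hash algorithm")
    if len(body) != int(size):
        raise ValueError("image length mismatch")
    actual = hashlib.new(algo, body).hexdigest()
    return {"client_ip": ip, "port": int(port), "image_file": name,
            "hash_algo": algo, "hash": claimed,
            "verified": actual == claimed, "image": body}
```

The returned record carries exactly the fields the service end display module lists (ip, port, filename, hash), and a tampered or truncated image is caught before it reaches storage.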
CN201510655761.5A 2015-10-12 2015-10-12 Remote evidence taking system based on physical memory analysis Expired - Fee Related CN105138709B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510655761.5A CN105138709B (en) 2015-10-12 2015-10-12 Remote evidence taking system based on physical memory analysis

Publications (2)

Publication Number Publication Date
CN105138709A CN105138709A (en) 2015-12-09
CN105138709B true CN105138709B (en) 2017-02-22

Family

ID=54724056

Country Status (1)

Country Link
CN (1) CN105138709B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105740348A (en) * 2016-01-25 2016-07-06 武汉精伦电气有限公司 Key log information extraction method and system based on distributed terminal system
CN106886476B (en) * 2017-02-08 2022-08-12 腾讯科技(深圳)有限公司 Memory analysis method, device and system for client
CN109254902B (en) * 2018-07-10 2022-02-08 南京大学 Evidence obtaining system and method based on user intention detection and applied to cloud computing environment
CN108924151A (en) * 2018-07-23 2018-11-30 杭州安恒信息技术股份有限公司 A kind of method and system of internet of things equipment evidence obtaining
CN109587141B (en) * 2018-12-08 2022-01-28 公安部第三研究所 System and method for obtaining evidence by remote server
CN112181447A (en) * 2020-10-20 2021-01-05 深圳市大恒数据安全科技有限责任公司 Certificate adjusting method and device convenient for judicial verification
CN112486922B (en) * 2020-12-02 2022-12-06 中国人民解放军战略支援部队信息工程大学 Memory fragment file reconstruction method and system based on reverse structure chain
CN113420288B (en) * 2021-06-30 2022-07-15 上海交通大学 Container mirror image sensitive information detection system and method
CN114500565B (en) * 2021-12-28 2024-06-21 奇安盘古(上海)信息技术有限公司 Method and device for manufacturing remote server disk mirror image
CN114629711B (en) * 2022-03-21 2024-02-06 广东云智安信科技有限公司 Method and system for detecting special Trojan horse on Windows platform

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170222

Termination date: 20211012