CN105138709B - Remote evidence taking system based on physical memory analysis - Google Patents
Remote evidence taking system based on physical memory analysis
- Publication number: CN105138709B (application CN201510655761.5A)
- Authority: CN (China)
- Prior art keywords: client, physical memory, file, information, service end
- Legal status: Expired - Fee Related (status as listed by Google; not a legal conclusion)
Classifications
- G06F16/168: Details of user interfaces specifically adapted to file systems, e.g. browsing and visualisation, 2d or 3d GUIs
- G06F16/1815: Journaling file systems
- G06F16/1824: Distributed file systems implemented using Network-attached Storage [NAS] architecture
- G06F16/183: Provision of network file services by network file servers, e.g. by using NFS, CIFS
- H04L67/025: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP], for remote control or remote monitoring of applications
- H04L67/1095: Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
Abstract
The invention provides a remote forensics system based on physical memory analysis. The system comprises a client and a server. The client images its physical memory, stores the image locally and computes a hash value of the image file; it then analyzes the image by invoking a command-line physical memory analysis program and sends the analysis result together with the image file to the server. The server listens for clients; when a client requests a connection it confirms the connection, receives the client's fixed marker string that announces the start of transmission, and then collects the client's physical memory image file and the corresponding analysis result. The server is multi-threaded, so it can collect the image files and memory analysis results of several clients at the same time, and it stores the analysis results in a database. The server is also connected to a remote control terminal, to which it mainly sends the clients' log information, and it searches the database for records that match the retrieval conditions supplied by the remote control terminal.
Description
Technical field
The present invention relates to the field of cloud forensics analysis, and more particularly to the forensic analysis of the physical memory image file of a remote target terminal; specifically, it relates to a remote forensics system based on physical memory analysis.
Background technology
In electronic data forensics, the analysis of forensic data often depends on the personal experience and judgement of the forensic examiner, who selects what seem to be appropriate analysis methods to detect and analyze the collected data. Since the examination of forensic data involves many kinds of analysis, this subjective choice of method is not only unfavourable to the full and effective use of the data, it also harms the efficiency of the investigation. Furthermore, the number of cases requiring forensic examination rises sharply year by year while the number of examiners is limited: they cannot always reach the scene in time, and their personal experience is limited, so a comprehensive examination is difficult. Live evidence resides mainly in the computer's physical memory, so physical memory analysis is the key to live evidence analysis. Thirdly, the traditional live forensics approach requires running various forensic tools on the target computer system to collect and analyze data, and the collection activity itself seriously affects the credibility of the evidence: even when evidence is obtained, its integrity and authenticity are hard to prove, and with the development of kernel-mode trojans and anti-forensics techniques, the data obtained by many live tools may well have been tampered with. The traditional forensic approach is to first acquire an image of the disk (hard disk) and then search, analyze and present the disk image; but a disk image is easily tampered with in advance, so its authenticity and credibility are not high. A master's thesis on the research and implementation of a remote computer forensics system based on data recovery achieved the recovery of data and files through remote control, but its data recovery module consumes a large share of the target host's system resources and is easily noticed by the suspect; moreover, that remote forensics system only runs on Windows and does not support widespread systems such as Linux. Patent CN103647791B discloses forensics performed on a remote mobile terminal, including two-way voice calls, video transmission and taking photographs with the remote terminal and sending them back to a PC; this belongs to the traditional forensics methods. That patent merely transmits information such as voice calls and video, whose content may have been altered before transmission, and it cannot transmit this information in real time.
Content of the invention
The technical problem to be solved by the present invention is to provide a remote information collection and forensics management system that helps staff find the key evidence they need within a mass of memory analysis results: by analyzing the physical memory image file of a target host it obtains the important information running in memory, which greatly improves work efficiency and the authenticity and credibility of the electronic evidence.
The present invention achieves this aim by the following technical means.
A remote forensics system based on physical memory analysis, characterized in that it includes:
Client: images the client's physical memory and stores the image locally, computes a hash value of the image file, then invokes a command-line physical memory analysis program to analyze the image file, and sends the analysis result together with the image file to the server;
Server: listens for clients. When there is a client connection request, the server confirms the connection; once the connection succeeds it receives the marker string that the client sends to signal the start of transmission and then begins receiving the client's information, mainly collecting the client's physical memory image file and the corresponding analysis result. The server is multi-threaded and can collect the physical memory image files and memory analysis results of several clients at the same time, and it stores the memory analysis results in a Hadoop Hive database. It also establishes a connection with the remote control terminal, to which it mainly sends the clients' log information; according to the retrieval conditions of the remote control terminal it searches the Hadoop Hive database for matching records and sends them to the remote control terminal for display;
Remote control terminal: mainly manages the server. It obtains client information through the remote management service and displays the clients' log information. It also provides retrieval, so that the user can obtain a client's memory image analysis results by keyword, and an export function that writes the retrieval results and memory analysis results to files for further analysis by forensic personnel.
The client includes:
Client communication module: establishes communication with the server and transfers files;
Client log file module: obtains the client host's system log, security log and application log by calling the EventLog.exe command-line program;
Client physical memory imaging module: calls the MemDump driver to image the physical memory of the client host; the flow is: load the driver, create the service, start the service, load the driver, image the physical memory, unload the driver;
Client physical memory analysis module: opens the physical memory image file and extracts the key information of the client host: basic information, registry information, e-mail accounts, instant messaging accounts, BIOS passwords, disk encryption passwords and network-submitted forms, network information, system log information, logon information, process information, activity information and hook information, and stores it temporarily on the local machine;
Client transmission module: transmits the physical memory file, the physical memory analysis result file and the system log files;
Client storage module: temporarily stores on the local machine the physical memory file, physical memory analysis results and system log files to be transmitted.
As a further limitation of the technical solution, the client's log information includes the client's IP address, port, the name of the transmitted image file, the memory analysis result file and the corresponding MD5 value.
As a further limitation of the technical solution, the server includes:
Server communication module: on the one hand establishes communication with the remote control terminal, and on the other hand opens multiple threads to communicate with multiple clients;
Server receiving module: receives the content transmitted by different clients concurrently according to the established protocol; the large physical memory file is stored as a file, while the physical memory analysis results are stored in Hadoop Hive;
Server storage module: stores the physical memory file and the system, security and application logs, and stores the physical memory analysis results in the Hadoop Hive database;
Server parallel analysis module: analyzes several physical memory files at the same time;
Server database retrieval module: supports retrieval of key fields in the client's basic information, registry information, sensitive information, network information, system log information, logon information, process information, activity information and hook information;
Server display module: mainly displays the clients' log information, including the transmission time, client IP address, port, the name of the transmitted physical memory file and the hash value of the physical memory file; it also displays the physical memory analysis results held in the Hadoop Hive database, showing the results that contain a keyword in different time periods.
As a further limitation of the technical solution, the remote control terminal includes:
Remote new-case module: the basic information of a new case includes the case name, case number, the hash algorithm used, the case storage path and the case description;
Remote service start module: the user enters the server's IP address and port, establishes a connection with the server and starts the service;
Remote communication module: establishes communication with the server;
Remote log management module: supports saving and analyzing log files;
Remote key file retrieval module: the user enters a Hive table and a key field of that table, and a command is sent to the server; that is, the keywords in a given key file produced by physical memory analysis are searched in order to obtain the physical memory analysis results for different time periods;
Remote parallel analysis module: the user selects one or several of the physical memory files transmitted by a client and sends a parallel analysis instruction to the server, which then analyzes the selected physical memory file or files;
Remote export module: exports the retrieval and analysis results to a file.
Compared with the prior art, the advantages and positive effects of the present invention are as follows. The invention collects client information in a remote-management-service mode, obtaining each client's physical memory image file, physical memory analysis results and log information, and it provides functions for retrieving physical memory analysis results and analyzing memory in parallel, so that valuable information is extracted from the memory analysis results. Because the physical memory information has no opportunity to be tampered with, it has high credibility and validity, and it helps judicial personnel find the evidence they need within a mass of memory analysis results, greatly improving work efficiency.
Starting from the acquisition of physical memory image files and their analysis, the invention remotely images and analyzes, in real time, the physical memory of a large number of devices such as servers, PCs and intelligent terminals, completes the analysis of massive amounts of evidence, and realizes functions that a single machine can hardly accomplish, such as unknown virus detection, anomaly detection and high-strength password cracking. It makes it possible to sense security threats and criminal activity on the Internet, to collect evidence and to monitor in full while an incident is in progress, changing the situation in which only post-mortem forensics was possible; the physical memory acquisition and analysis method is therefore more credible and effective. The client of this remote forensics system resides in the client operating system as a process or service, shielding the user from differences in operating systems and hardware configurations. Through remote forensics, and according to the demands of the remote server, local evidence can be processed remotely, including evidence preservation and evidence analysis; forensic tools and other third-party applications can be controlled remotely to collect and process evidence in real time; and the remote evidence and analysis results are sent to the server for preservation, analysis and processing.
On the other hand, security auditing can be realized: remote forensics can obtain the client operating system's security audit information in real time, including the application log, security log and system log, so that the forensic personnel are fully supervised, audited and recorded at the same time, and the information is sent to the remote server for analysis, so that network security vulnerabilities or illegal activity are discovered promptly. Remote forensics meets the needs of IT industry users for forensics and security auditing, broadens the range of applications and extends the industrial chain of computer forensics.
The remote forensics system based on physical memory analysis proposes an effective digital forensic analysis scheme that meets forensic requirements; the scheme plays an important role in improving the credibility of forensic data and the precision of forensic analysis. The method satisfies the requirements of traditional physical evidence techniques better than the traditional live forensics approach. In traditional live forensics it is clearly difficult to separate the stages of the forensic process; with the live forensics approach based on physical memory analysis the stages are naturally distinguished, and both investigation and analysis rely on the acquired physical memory image file, which makes it easy to verify the authenticity of the analysis and investigation work and satisfies the requirements of physical evidence techniques better than traditional live forensics.
Brief description of the drawings
Fig. 1 is the workflow diagram of the present invention.
Specific embodiment:
The present invention is further illustrated with reference to the embodiment.
Referring to Fig. 1, the present invention includes:
Client: images the client's physical memory and stores the image locally, computes a hash value of the image file, then invokes a command-line physical memory analysis program to analyze the image file, and sends the analysis result together with the image file to the server;
Server: listens for clients. When there is a client connection request, the server confirms the connection; once the connection succeeds it receives the marker string that the client sends to signal the start of transmission and then begins receiving the client's information, mainly collecting the client's physical memory image file and the corresponding analysis result. The server is multi-threaded and can collect the physical memory image files and memory analysis results of several clients at the same time, and it stores the memory analysis results in a Hadoop Hive database. It also establishes a connection with the remote control terminal, to which it mainly sends the clients' log information; according to the retrieval conditions of the remote control terminal it searches the Hadoop Hive database for matching records and sends them to the remote control terminal for display;
Remote control terminal: mainly manages the server. It obtains client information through the remote management service and displays the clients' log information. It also provides retrieval, so that the user can obtain a client's memory image analysis results by keyword, and an export function that writes the retrieval results and memory analysis results to files for further analysis by forensic personnel.
The client's log information includes the client's IP address, port, the name of the transmitted image file, the memory analysis result file and the corresponding MD5 value.
The client includes:
Client communication module: establishes communication with the server and transfers files;
Client log file module: obtains the client host's system log, security log and application log by calling the EventLog.exe command-line program;
Client physical memory imaging module: calls the MemDump driver to image the physical memory of the client host; the flow is: load the driver, create the service, start the service, load the driver, image the physical memory, unload the driver;
Client physical memory analysis module: opens the physical memory image file and extracts the key information of the client host: basic information, registry information, e-mail accounts, instant messaging accounts, BIOS passwords, disk encryption passwords and network-submitted forms, network information, system log information, logon information, process information, activity information and hook information, and stores it temporarily on the local machine;
Client transmission module: transmits the physical memory file, the physical memory analysis result file and the system log files;
Client storage module: temporarily stores on the local machine the physical memory file, physical memory analysis results and system log files to be transmitted.
The server includes:
Server communication module: on the one hand establishes communication with the remote control terminal, and on the other hand opens multiple threads to communicate with multiple clients;
Server receiving module: receives the content transmitted by different clients concurrently according to the established protocol; the large physical memory file is stored as a file, while the physical memory analysis results are stored in Hadoop Hive;
Server storage module: stores the physical memory file and the system, security and application logs, and stores the physical memory analysis results in the Hadoop Hive database;
Server parallel analysis module: analyzes several physical memory files at the same time;
Server database retrieval module: supports retrieval of key fields in the client's basic information, registry information, sensitive information, network information, system log information, logon information, process information, activity information and hook information;
Server display module: mainly displays the clients' log information, including the transmission time, client IP address, port, the name of the transmitted physical memory file and the hash value of the physical memory file; it also displays the physical memory analysis results held in the Hadoop Hive database, showing the results that contain a keyword in different time periods.
The remote control terminal includes:
Remote new-case module: the basic information of a new case includes the case name, case number, the hash algorithm used, the case storage path and the case description;
Remote service start module: the user enters the server's IP address and port, establishes a connection with the server and starts the service;
Remote communication module: establishes communication with the server;
Remote log management module: supports saving and analyzing log files;
Remote key file retrieval module: the user enters a Hive table and a key field of that table, and a command is sent to the server; that is, the keywords in a given key file produced by physical memory analysis are searched in order to obtain the physical memory analysis results for different time periods;
Remote parallel analysis module: the user selects one or several of the physical memory files transmitted by a client and sends a parallel analysis instruction to the server, which then analyzes the selected physical memory file or files;
Remote export module: exports the retrieval and analysis results to a file.
Starting from the acquisition of physical memory image files and their analysis, the invention remotely images and analyzes, in real time, the physical memory of the large number of devices in a cloud computing environment, such as servers, PCs and intelligent terminals, uses supercomputing technology to complete the analysis of massive amounts of evidence, and realizes functions that a single machine can hardly accomplish, such as unknown virus detection, anomaly detection and high-strength password cracking. It makes it possible to sense security threats and criminal activity on the Internet, to collect evidence and to monitor in full while an incident is in progress, changing the situation in which only post-mortem forensics was possible; the physical memory acquisition and analysis method is therefore more credible and effective. The client of this remote forensics system resides in the client operating system as a process or service, shielding the user from differences in operating systems and hardware configurations. Through remote forensics, and according to the demands of the remote server, local evidence can be processed remotely, including evidence preservation and evidence analysis; forensic tools and other third-party applications can be controlled remotely to collect and process evidence in real time; and the remote evidence and analysis results are sent to the server for preservation, analysis and processing.
On the other hand, security auditing can be realized: remote forensics can obtain the client operating system's security audit information in real time, including the application log, security log and system log, so that the forensic personnel are fully supervised, audited and recorded at the same time, and the information is sent to the remote server for analysis, so that network security vulnerabilities or illegal activity are discovered promptly. Remote forensics meets the needs of IT industry users for forensics and security auditing, broadens the range of applications and extends the industrial chain of computer forensics.
For the analysis of Windows physical memory, a physical memory analysis method based on the KPCR (kernel processor control region) is used, which solves the problems of differences between Windows versions and of address translation in Windows memory analysis; this technique is at the international leading level.
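The patent does not publish how its KPCR-based analysis works, so the following is an added illustration rather than the patent's method: it locates the KPCR in a raw 32-bit Windows image by its self-referencing pointers, which is how public memory-analysis tools find the structure that anchors version identification and address translation. The structure offsets are those of x86 Windows XP through Windows 7, and the image is constructed here, with one genuine candidate and one decoy.

```python
import struct

# Offsets within the 32-bit Windows _KPCR (x86, XP through Windows 7), as used by
# public memory-analysis tools; assumed here, since the patent gives no layout.
SELF_PCR_OFF = 0x1C      # _KPCR.SelfPcr: the KPCR's own virtual address
PRCB_OFF = 0x20          # _KPCR.Prcb: pointer to the processor control block
PRCB_EMBED_OFF = 0x120   # on x86 the _KPRCB is embedded at KPCR + 0x120
KDVERSION_OFF = 0x34     # _KPCR.KdVersionBlock: starting point for build identification
PAGE = 0x1000

def scan_kpcr(image):
    """Return [(physical_offset, virtual_address, kd_version_block), ...] for every
    page-aligned KPCR candidate whose two self-pointers are mutually consistent."""
    hits = []
    for off in range(0, len(image) - PRCB_EMBED_OFF, PAGE):
        self_pcr, prcb = struct.unpack_from("<II", image, off + SELF_PCR_OFF)
        # Kernel addresses lie at or above 0x80000000 and the KPCR is page aligned
        if self_pcr < 0x80000000 or self_pcr & 0xFFF:
            continue
        # The Prcb pointer must point exactly 0x120 bytes past SelfPcr
        if prcb != self_pcr + PRCB_EMBED_OFF:
            continue
        (kdvb,) = struct.unpack_from("<I", image, off + KDVERSION_OFF)
        hits.append((off, self_pcr, kdvb))
    return hits

def build_test_image():
    """Constructed 64 KiB image: one valid KPCR at physical 0x3000 (virtual 0xffdff000,
    the classic x86 KPCR address) and a decoy page whose Prcb pointer is inconsistent."""
    img = bytearray(0x10000)
    good = 0x3000
    struct.pack_into("<II", img, good + SELF_PCR_OFF,
                     0xFFDFF000, 0xFFDFF000 + PRCB_EMBED_OFF)
    struct.pack_into("<I", img, good + KDVERSION_OFF, 0x80545AB0)  # constructed value
    decoy = 0x7000
    struct.pack_into("<II", img, decoy + SELF_PCR_OFF, 0xFFDFF000, 0xFFDFF010)
    return bytes(img)

if __name__ == "__main__":
    for phys, virt, kdvb in scan_kpcr(build_test_image()):
        print(f"KPCR at physical 0x{phys:x}, virtual 0x{virt:x}, KdVersionBlock 0x{kdvb:x}")
```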
The method satisfies the requirements of traditional physical evidence techniques better than the traditional live forensics approach. In traditional live forensics it is clearly difficult to separate the stages of the forensic process; with the live forensics approach based on physical memory analysis the stages are naturally distinguished, and both investigation and analysis rely on the acquired physical memory image file, which makes it easy to verify the authenticity of the analysis and investigation work and satisfies the requirements of physical evidence techniques better than traditional live forensics.
Claims (4)
1. a kind of remote evidence obtaining system based on physical memory analysis is it is characterised in that include:
Client:The physical memory of mirror image client, and store local, and image file is done with the calculating of hash value, then adjust
Analyze this image file with physical memory analysis order line program, analysis result and image file are sent collectively to service end;
Service end:Intercept client, if there being client connection request, service end connects confirmation, successful connection, and service end receives visitor
What family end was sent starts the markup character string of transmission information, then start to receive client-side information, the main physics collecting client
Memory mirror file and corresponding image file analysis result, service end takes multithreading, can collect several clients simultaneously
Physical memory image file and memory analysis object information, and memory analysis result is stored hadoop hive data base;
On the other hand, set up with remote control terminal and be connected, mainly send the log information of client to remote control terminal, according to long-range
The search condition of control end, searches qualified retrieval information from hadoop hive data base, is sent to remote control terminal
It is shown;
Remote control terminal:Main management service end, obtains the information of client by remote management services, and to client
Log information is shown, the function of also retrieving, and user can get the memory mirror analysis of client according to key word
As a result, and export function is provided, retrieval result and memory analysis result are derived, be easy to evidence obtaining personnel and analyze further;
Described client includes:
User client communication module:Set up the communication and service end between, carry out the transmission of file;
Client log file module:By calling EventLog.exe order line program, obtain the system day of client host
Will, security log, application log;
Client Physical memory mirror module:Call MemDump driver, the physical memory of mirror image client host, flow process,
Load driver, creates service, the service of opening, load driver, and mirror image physical memory, unloading drive;
Client Physical memory analysis module:Open the physical memory file of mirror image, the client host analyzing key is basic
Information, registry information, email accounts, instant messaging accounts information, BIOS password, HD encryption password and network submit table to
List, the network information, system log message, log-on message, progress information, activation bit, hook information are simultaneously temporarily stored in this
Ground;
Client side transmission module:Transmitting physical memory file, physical memory analysis result file, syslog file;
Client memory module:The physical memory file that will transmit, physical memory analysis result, syslog file are temporarily deposited
Store up local.
2. the remote evidence obtaining system based on physical memory analysis according to claim 1 is it is characterised in that described client
Log information include the ip address of client, port, the image filename of transmission, memory analysis document result and corresponding
Md5 value.
3. The remote evidence-taking system based on physical memory analysis according to claim 1, characterised in that the service end includes:
Service end communication module: on the one hand establishes communication with the remote control end; on the other hand opens multiple threads to communicate with multiple clients;
Service end receiving module: according to the established protocol, receives the content transmitted by different clients simultaneously; the large physical memory file is stored as a file, while the physical memory analysis results are stored in Hadoop Hive;
Service end storage module: stores the physical memory file together with the system log, security log and application log; stores the physical memory analysis results in the Hadoop Hive database;
Service end parallel analysis module: analyses several physical memory files simultaneously;
Service end database retrieval module: supports retrieval of key fields in the client's basic information, registry information, sensitive information, network information, system log information, login information, process information, activity information and hook information;
Service end display module: mainly presents the client log information, including the transmission time, client IP address, port, the filename of the transmitted physical memory file and the hash value of the physical memory file; it also presents the physical memory analysis results held in the Hadoop Hive database, showing the analysis results that contain the keyword in different time periods.
4. The remote evidence-taking system based on physical memory analysis according to claim 1, characterised in that the remote control end includes:
Remote new case module: the basic information of a new case includes the case title, case number, the hash algorithm used, the case storage path and the case description;
Remote open service module: takes the service end IP address and port as input, establishes a connection with the service end and opens the service;
Remote communication module: establishes communication with the service end;
Remote log management module: supports saving and analysing log files;
Remote key file retrieval module: takes a Hive table and a key field in that table as input and sends a command to the service end, that is, it retrieves the keyword in a given key file produced by physical memory analysis so as to obtain the physical memory analysis results for different time periods;
Remote parallel analysis module: selects one or several of the physical memory files transmitted by the client and sends a parallel analysis instruction to the service end, which then analyses the selected physical memory file or files;
Remote export module: exports the retrieval and analysis results to a file.
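Claims 2 to 4 describe a transfer log keyed by file hashes, a service end that files the received evidence and analysis results, and keyword retrieval over those results within a time window. The following is an added example, not code from the patent, that models that flow end to end in Python: the client produces the log entry of claim 2, the service end recomputes the hashes on what it actually received before filing anything, and an in-memory list stands in for the Hadoop Hive table of claim 3. The memory image, analysis result, addresses and timestamps are constructed sample values; the hash algorithm is a parameter because claim 4 lets the case choose one, and MD5 (the algorithm claim 2 names) only detects corruption in transit, not deliberate substitution, so a case should prefer SHA-256 where the hash is meant to carry evidential weight.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "physical memory image" and analysis result file (not real dumps).
SAMPLE_IMAGE = b"\x00" * 4096 + b"MZ" + b"\x90" * 1024
SAMPLE_RESULT = json.dumps({
    "processes": ["explorer.exe", "svchost.exe", "nc.exe"],
    "network": ["10.0.0.5:4444"],
}).encode()


def digest(data: bytes, algorithm: str = "md5") -> str:
    """Hash a blob with the case's chosen algorithm. MD5 is what claim 2 names;
    it catches corruption in transit but is not collision resistant, so a case
    that needs evidential integrity should choose sha256 instead."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def client_log_entry(ip, port, image_name, image, result_name, result,
                     algorithm="md5", when=None):
    """Client-side transfer record (claim 2): address, port, filenames and hashes.
    `when` is an ISO-8601 UTC timestamp; it defaults to now and is a parameter
    only so the example is reproducible."""
    return {
        "time": when or datetime.now(timezone.utc).isoformat(),
        "client_ip": ip,
        "port": port,
        "image_file": image_name,
        "image_hash": digest(image, algorithm),
        "result_file": result_name,
        "result_hash": digest(result, algorithm),
        "algorithm": algorithm,
    }


def verify_transfer(entry, image, result):
    """Service end check: do the received bytes hash to what the client logged?"""
    algo = entry["algorithm"]
    return (digest(image, algo) == entry["image_hash"]
            and digest(result, algo) == entry["result_hash"])


def service_receive(entry, image, result):
    """Service end receiving module (claim 3): refuse to file evidence whose hash
    does not match the transfer log, otherwise return the record to store."""
    if not verify_transfer(entry, image, result):
        raise ValueError("hash mismatch for %s from %s" % (entry["image_file"], entry["client_ip"]))
    return {
        "received": entry["time"],
        "client_ip": entry["client_ip"],
        "image_file": entry["image_file"],
        "image_hash": entry["image_hash"],
        "analysis": json.loads(result),
    }


class ResultStore:
    """Assumption: an in-memory list stands in for the Hadoop Hive table of claim 3."""

    def __init__(self):
        self.rows = []

    def add(self, record):
        self.rows.append(record)

    def search(self, field, keyword, start=None, end=None):
        """Claim 3/4 retrieval: rows whose `field` contains `keyword`, limited to
        the time window [start, end]. Timestamps are ISO-8601 UTC strings, which
        compare correctly as plain strings."""
        hits = []
        for row in self.rows:
            t = row["received"]
            if (start and t < start) or (end and t > end):
                continue
            if any(keyword in value for value in row["analysis"].get(field, [])):
                hits.append(row)
        return hits


def demo():
    """Run one transfer through the flow and return the keyword hits."""
    entry = client_log_entry("10.0.0.9", 5000, "host1.raw", SAMPLE_IMAGE,
                             "host1.json", SAMPLE_RESULT, when="2015-10-12T09:00:00+00:00")
    store = ResultStore()
    store.add(service_receive(entry, SAMPLE_IMAGE, SAMPLE_RESULT))
    return store.search("processes", "nc.exe",
                        start="2015-10-12T00:00:00+00:00", end="2015-10-12T23:59:59+00:00")


if __name__ == "__main__":
    for hit in demo():
        print(hit["received"], hit["client_ip"], hit["image_file"], hit["image_hash"])
```

The split between `verify_transfer` and `service_receive` is deliberate: the receiving module should never store a record for an image whose hash failed, and the display module of claim 3 needs the same hash later to show alongside the transfer time, so the stored record carries the hash the client logged rather than one recomputed from disk.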
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510655761.5A CN105138709B (en) | 2015-10-12 | 2015-10-12 | Remote evidence taking system based on physical memory analysis |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510655761.5A CN105138709B (en) | 2015-10-12 | 2015-10-12 | Remote evidence taking system based on physical memory analysis |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105138709A CN105138709A (en) | 2015-12-09 |
CN105138709B true CN105138709B (en) | 2017-02-22 |
Family
ID=54724056
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510655761.5A Expired - Fee Related CN105138709B (en) | 2015-10-12 | 2015-10-12 | Remote evidence taking system based on physical memory analysis |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105138709B (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105740348A (en) * | 2016-01-25 | 2016-07-06 | 武汉精伦电气有限公司 | Key log information extraction method and system based on distributed terminal system |
CN106886476B (en) * | 2017-02-08 | 2022-08-12 | 腾讯科技(深圳)有限公司 | Memory analysis method, device and system for client |
CN109254902B (en) * | 2018-07-10 | 2022-02-08 | 南京大学 | Evidence obtaining system and method based on user intention detection and applied to cloud computing environment |
CN108924151A (en) * | 2018-07-23 | 2018-11-30 | 杭州安恒信息技术股份有限公司 | A kind of method and system of internet of things equipment evidence obtaining |
CN109587141B (en) * | 2018-12-08 | 2022-01-28 | 公安部第三研究所 | System and method for obtaining evidence by remote server |
CN112181447A (en) * | 2020-10-20 | 2021-01-05 | 深圳市大恒数据安全科技有限责任公司 | Certificate adjusting method and device convenient for judicial verification |
CN112486922B (en) * | 2020-12-02 | 2022-12-06 | 中国人民解放军战略支援部队信息工程大学 | Memory fragment file reconstruction method and system based on reverse structure chain |
CN113420288B (en) * | 2021-06-30 | 2022-07-15 | 上海交通大学 | Container mirror image sensitive information detection system and method |
CN114500565B (en) * | 2021-12-28 | 2024-06-21 | 奇安盘古(上海)信息技术有限公司 | Method and device for manufacturing remote server disk mirror image |
CN114629711B (en) * | 2022-03-21 | 2024-02-06 | 广东云智安信科技有限公司 | Method and system for detecting special Trojan horse on Windows platform |
2015
- 2015-10-12 CN CN201510655761.5A patent/CN105138709B/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CN105138709A (en) | 2015-12-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105138709B (en) | Remote evidence taking system based on physical memory analysis | |
US11750659B2 (en) | Cybersecurity profiling and rating using active and passive external reconnaissance | |
CN110249314B (en) | System and method for cloud-based operating system event and data access monitoring | |
US10686829B2 (en) | Identifying changes in use of user credentials | |
US20200389495A1 (en) | Secure policy-controlled processing and auditing on regulated data sets | |
CN107409126B (en) | System and method for securing an enterprise computing environment | |
US11882135B2 (en) | Machine-learning based approach for dynamically generating incident-specific playbooks for a security orchestration, automation and response (SOAR) platform | |
US20190098027A1 (en) | Joint defence method and apparatus for network security, and server and storage medium | |
US8516586B1 (en) | Classification of unknown computer network traffic | |
US9313217B2 (en) | Integrated network threat analysis | |
US7941386B2 (en) | Forensic systems and methods using search packs that can be edited for enterprise-wide data identification, data sharing, and management | |
EP3731166A1 (en) | Data clustering | |
US20200106790A1 (en) | Intelligent system for mitigating cybersecurity risk by analyzing domain name system traffic | |
US20070139231A1 (en) | Systems and methods for enterprise-wide data identification, sharing and management in a commercial context | |
US10454967B1 (en) | Clustering computer security attacks by threat actor based on attack features | |
CN108337269B (en) | WebShell detection method | |
US20220200959A1 (en) | Data collection system for effectively processing big data | |
WO2020016906A1 (en) | Method and system for intrusion detection in an enterprise | |
Khan et al. | Digital forensics and cyber forensics investigation: security challenges, limitations, open issues, and future direction | |
Actoriano et al. | Forensic Investigation on WhatsApp Web Using Framework Integrated Digital Forensic Investigation Framework Version 2 | |
CN110955890A (en) | Method and device for detecting malicious batch access behaviors and computer storage medium | |
Liu et al. | A research and analysis method of open source threat intelligence data | |
CN116738369A (en) | Traffic data classification method, device, equipment and storage medium | |
Lee et al. | A proposal for automating investigations in live forensics | |
CN113037555B (en) | Risk event marking method, risk event marking device and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20170222 Termination date: 20211012 |
CF01 | Termination of patent right due to non-payment of annual fee |