CN107332820A - Digital evidence obtaining system based on Linux environment - Google Patents

Digital evidence obtaining system based on Linux environment

Info

Publication number
CN107332820A
Authority
CN
China
Prior art keywords
evidence
module
information
evidence obtaining
function
Prior art date
Legal status
Pending
Application number
CN201710385433.7A
Other languages
Chinese (zh)
Inventor
孙国梓
吴嘉元
黄江伟
吴西
Current Assignee
Nanjing Post and Telecommunication University
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing Post and Telecommunication University
Priority date
Filing date
Publication date
Application filed by Nanjing Post and Telecommunication University
Priority to CN201710385433.7A
Publication of CN107332820A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • G06F 21/565 Static detection by checking file integrity


Abstract

The invention discloses a digital forensics system for the Linux environment. The system consists of a host operation trace investigation module, a network operation trace investigation module, a log information inquiry module, a memory information inquiry module and an evidence fixation module. The host operation trace investigation module provides a basic operation investigation function and an application information investigation function; the network operation trace investigation module provides a basic operation information investigation function, a network cache investigation function and a network application state investigation function; the log information inquiry module includes a log file analysis and database loading function and a keyword search module; the memory information inquiry module dumps physical memory with the fmem tool and investigates it together with system tools; the evidence fixation module hashes the original evidence files and the processed database files. The invention reduces the workload of the forensic investigator, introduces the concepts of a forensic "project" and of "evidence fixation", and prevents forensic personnel themselves from illegally modifying the evidence.

Description

Digital evidence obtaining system based on Linux environment
Technical field
The invention belongs to the field of digital forensics and relates to computer crime forensics carried out under the Linux operating system; specifically, it relates to a digital forensics system for the Linux environment.
Technical background
Digital forensics (computer crime forensics), also called computer forensic science, treats the computer as a crime scene and applies advanced identification techniques to perform a forensic-style dissection of computer crime, searching for and confirming the offender and the evidence of the crime so that proceedings can be brought. It mainly covers the identification, preservation, collection, analysis and presentation in court of electronic evidence, in order to uncover criminal acts or faults connected with digital devices. Digital forensics applies computer investigation and analysis techniques to identifying and acquiring potential, legally effective electronic evidence; it is directed equally at hackers and intrusions, and its purpose is to safeguard network security. In recent years the judicial value of digital evidence has been recognised by more and more countries, and digital evidence has gradually begun to appear as a primary exhibit in computer-related judgments. Digital forensics on the Windows platform is now mature and complete, with a full set of process standards and methodologies, whereas forensics for the widely used Linux operating system has progressed slowly, because Linux is less common among the general public and the techniques are still immature.
Linux is a free, freely distributable Unix-like operating system. Because of its stable performance it is now widely used on large and medium-sized servers, switches and routers; with the spread of graphical user interfaces Linux has also acquired graphical desktops and is moving into the traditional desktop operating system market; and because the Linux kernel is compact, some vendors modify it to run on embedded platforms such as mobile phones, smart-home devices and Internet of Things equipment. Linux is easy to operate: a single command-line terminal is enough to control the whole system, and because it is open source anyone can modify it and build a custom system suited to personal habits. For these reasons Linux is popular with programmers and with hackers, and has become a favourite attack tool in the hacker's hand. In recent years attacks launched from Linux systems, and attacks against servers running Linux, have occurred frequently, and Linux-based penetration testing platforms such as Kali and Parrot have appeared and grown in popularity.
A small number of forensic tools for Linux exist on the market, such as FTK and Volatility, but most are ported from Windows and cannot fully handle forensic work in a Linux environment, and each covers only one kind of evidence: FTK can only image and parse disks, and Volatility can only parse memory images. In real cases, evidence collected from a single source often does not meet the requirements for judicial admissibility. These tools also demand considerable skill from the operator, so the investigator must carry a large set of forensic tools and still cannot guarantee that the extracted evidence is synchronous and valid. As a result, when computer crime occurs on a Linux system the forensic work often cannot be carried out effectively, leading to delays or, in serious cases, to the loss of valid evidence. At present the main difficulties of digital forensics on Linux are: (1) whether the operating system itself provides readable digital evidence; (2) which digital evidence can be acquired from a Linux system; (3) from where in the system the digital evidence is acquired; (4) how the acquired digital evidence can be recognised in law, that is, how its judicial admissibility is guaranteed; (5) how to ensure that the extracted digital evidence is not maliciously modified by forensic personnel; (6) how to reduce the operational difficulty for the investigator so that forensic work can be carried out effectively.
Summary of the invention
The purpose of the invention is to overcome the shortcomings of the prior art described above by providing a complete digital forensics system for the Linux environment, which integrates the existing single-function forensic tools and provides evidence collection and analysis functions for disk, network, logs and memory.
To this end, the technical solution adopted by the invention is a digital forensics system for the Linux environment consisting of a host operation trace investigation module, a network operation trace investigation module, a log information inquiry module, a memory information inquiry module and an evidence fixation module. The host operation trace investigation module includes a basic operation investigation function and an application information investigation function, the latter implemented by extracting the system package manager database. The network operation trace investigation module includes a basic operation information investigation function, a network cache investigation function and a network application state investigation function. The log information inquiry module includes a log file analysis and database loading function and a keyword search module. The memory information inquiry module dumps physical memory with the third-party open-source tool fmem and performs memory investigation together with the system dd tool. The evidence fixation module hashes the original evidence files and the processed database files and records the related information, so that damage to the evidence, or suspicion that it has been modified, can be detected promptly by the supervising authority.
Further, the basic operation investigation function includes:
(1) obtaining the system login time list, by parsing the system login record files wtmp and btmp, to investigate whether there are unauthorised logins or logins at unusual times;
(2) obtaining the list of services started by the system during boot and login, to investigate whether a rootkit or other self-starting backdoor program installed by an attacker is present;
(3) obtaining basic user information, to judge whether illegal or suspicious users exist on the current system.
Further, the application information investigation function includes:
(1) obtaining the list of programs installed on the system, to judge whether rootkits, other illegal applications or malicious applications are present;
(2) obtaining the installation packages left on the system and comparing them with the installed program list, to judge whether corresponding illegal applications are or were installed, so that the investigator can assess the degree to which the system or its network has been attacked and the scope of the impact; this information can also be used to trace the source of the attack.
Further, the basic operation information investigation function is produced by parsing the output of the netstat program and includes:
(1) extracting the current network connection state and judging whether abnormal inbound or outbound connections exist;
(2) if an abnormal network connection is found, filtering on this information to locate the attack source quickly, which helps the investigator trace the attack and reconstruct the attack path.
Further, the network cache investigation function includes:
(1) ARP cache information: by inspecting the ARP cache it can be judged whether the system has suffered an ARP spoofing attack, which helps the investigator analyse the attack source and attack method;
(2) DNS cache information: from the DNS cache it can be judged whether the current system has been affected by DNS poisoning, or where it was redirected to, which helps the investigator trace the attack and determine its entry point.
Further, the network application state investigation function is produced by parsing the output of the netstat program; it obtains the correspondence between network applications, IP addresses, listening ports and the state of existing connections. From this relation it can be judged whether malicious network applications and their listening ports exist on the system, which helps the investigator trace the attack and capture the malicious application's transferred content from the memory data.
Further, the log file analysis and database loading function analyses all necessary logs and stores them, according to the attributes of their different fields, in a database made up of different data structures, so that when the investigator reviews them the meaning of each field is clear, giving a result feedback form that is well organised and easy to read.
Further, the keyword search module takes a keyword entered by the investigator, automatically matches all related records in the database and displays them, providing the investigator with information filtering and sorting.
Further, the system of the invention can also include a graphical operating interface.
Further, the evidence fixation module writes the investigator's name, identity ID, contact details and the time of collection into the evidence project file and hashes the acquired digital evidence files, forming a basic file verification that achieves evidence fixation and prevents malicious forensic personnel from modifying the evidence.
Compared with the prior art, the invention has the following advantages:
1. The system lowers the Linux knowledge required of forensic personnel; it can be used after simple training.
2. The system reduces the workload of the investigator, who no longer needs to carry a large number of Linux forensic tools.
3. The system is the first to introduce the concept of a forensic "project", packaging the acquired data files for convenient management.
4. The system is also the first to introduce the concept of "evidence fixation", preventing forensic personnel themselves from illegally modifying the evidence.
Brief description of the drawings
Fig. 1 is the system architecture diagram of the invention.
Embodiment
The invention is described in further detail below with reference to the drawing.
As shown in Fig. 1, the digital forensics system for the Linux environment proposed by the invention comprises a host operation trace investigation module, a network operation trace investigation module, a log information inquiry module, a memory information inquiry module and an evidence fixation module.
The host operation trace investigation module is mainly used to extract basic system information and operation records. Providing this information to the forensic investigator allows the investigator to build up a "security baseline" for the system from experience, and also surfaces some sensitive abnormal information, such as whether illegal users exist, or operations and accesses that are not recommended. The module provides the following functions:
1. Basic operation investigation function:
(1) Obtain the system login time list, to investigate whether there are unauthorised logins or logins at unusual times. Mainly done by parsing the system login record files such as wtmp and btmp.
(2) Obtain the list of services started by the system during boot and login, to investigate whether a rootkit or other self-starting backdoor program installed by an attacker is present. Mainly done by parsing the relevant information in wtmp.
(3) Obtain basic user information, to judge whether illegal or suspicious users exist on the current system. Mainly done by extracting and parsing files such as passwd and shadow.
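As an added example (not code from the patent), the login-record part of this function can be implemented as follows: a parser for the binary utmp record layout that wtmp and btmp use on x86_64 glibc systems, a check for successful sessions at unusual hours, and a per-source count of the failed attempts recorded in btmp. The 384-byte record layout, the 01:00-05:00 UTC window and the sample records are assumptions of this example; the sample data is constructed inline so the block runs offline. On a real host the files are /var/log/wtmp and /var/log/btmp, and they should be read from an image or a copy rather than from the running system, since an attacker with root can truncate or rewrite them.

```python
import struct
from datetime import datetime, timezone

# One glibc utmp record on x86_64 is 384 bytes (assumed layout; matches <utmp.h> there):
# ut_type(h) pad(2) ut_pid(i) ut_line(32s) ut_id(4s) ut_user(32s) ut_host(256s)
# ut_exit(hh) ut_session(i) ut_tv(ii: sec, usec) ut_addr_v6(4i) unused(20)
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
LOGIN_PROCESS = 6                        # ut_type of a login process (failed attempts in btmp)
USER_PROCESS = 7                         # ut_type of a logged-in user session

def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data: bytes) -> list:
    """Decode the raw bytes of a wtmp/btmp file into a list of record dicts."""
    records = []
    usable = len(data) - len(data) % UTMP_SIZE   # ignore a truncated trailing record
    for off in range(0, usable, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
            "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
        })
    return records

def off_hours_logins(records: list, start_hour: int = 1, end_hour: int = 5) -> list:
    """Successful sessions whose UTC hour lies in [start_hour, end_hour)."""
    return [r for r in records
            if r["type"] == USER_PROCESS and start_hour <= r["time"].hour < end_hour]

def failed_logins_by_host(records: list) -> dict:
    """btmp shares the layout; every record there is a failed attempt. Count them per source."""
    counts = {}
    for r in records:
        counts[r["host"]] = counts.get(r["host"], 0) + 1
    return counts

def make_record(ut_type: int, pid: int, line: str, user: str, host: str, ts: int) -> bytes:
    """Build one record in the layout above (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed sample data: BASE is 2017-07-15 00:00:00 UTC.
BASE = 1_500_076_800
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", BASE + 12 * 3600),
    make_record(USER_PROCESS, 1340, "pts/1", "bob", "10.0.0.7", BASE + 14 * 3600),
    make_record(USER_PROCESS, 1555, "pts/2", "root", "198.51.100.9", BASE + 3 * 3600 + 12 * 60),
])
SAMPLE_BTMP = b"".join([
    make_record(LOGIN_PROCESS, 1550, "ssh:notty", "root", "198.51.100.9", BASE + 3 * 3600 + 11 * 60),
    make_record(LOGIN_PROCESS, 1552, "ssh:notty", "root", "198.51.100.9", BASE + 3 * 3600 + 11 * 60 + 6),
    make_record(LOGIN_PROCESS, 1580, "ssh:notty", "admin", "203.0.113.4", BASE + 9 * 3600),
])

if __name__ == "__main__":
    for r in off_hours_logins(parse_utmp(SAMPLE_WTMP)):
        print("off-hours login:", r["user"], r["host"], r["time"].isoformat())
    print("failed logins by host:", failed_logins_by_host(parse_utmp(SAMPLE_BTMP)))
```

The record size differs on 32-bit targets and on non-glibc systems, so UTMP_SIZE should be checked against the file length (it must divide it) before trusting the output; the same layout check catches a file an attacker has overwritten with garbage.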
2. Application information investigation function
(1) Obtain the list of programs installed on the system, to judge whether rootkits and other illegal applications are present, including malicious applications such as port forwarders and scanning tools. Mainly implemented by extracting the operating system's package manager database.
(2) Obtain the installation packages left on the system and compare them with the installed program list, to judge whether corresponding illegal applications are or were installed, so that the investigator can assess the degree to which the system or its network has been attacked and the scope of the impact; this information can also be used to trace the attack. Implemented in the same way.
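The page does not say which package manager database is read, so the following added example (not the patent's code) assumes a Debian-style host: it parses the stanza format of /var/lib/dpkg/status, compares the installed set with a known-good baseline for the host, and matches leftover .deb files in the apt cache against the installed set to find packages that were installed and later removed. The status text, the cache listing and the baseline are constructed sample data. Because root can edit the package database, the baseline should come from a trusted build image rather than from the host itself, and package file integrity should be checked separately (dpkg -V on Debian, rpm -V on RPM systems).

```python
import re

def parse_dpkg_status(text: str) -> dict:
    """Parse /var/lib/dpkg/status: stanzas of 'Field: value' lines separated by blank lines."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue                     # continuation lines (long Description bodies)
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
        if "Package" in fields:
            pkgs[fields["Package"]] = fields
    return pkgs

def installed_packages(pkgs: dict) -> set:
    """Only stanzas whose Status ends in ' installed' are really present on disk."""
    return {name for name, f in pkgs.items() if f.get("Status", "").endswith(" installed")}

def not_in_baseline(pkgs: dict, baseline: set) -> list:
    """Installed packages that a known-good build of this host would not have."""
    return sorted(installed_packages(pkgs) - set(baseline))

# name_version_arch.deb, as written to /var/cache/apt/archives by apt
DEB_NAME_RE = re.compile(r"^(?P<name>[a-z0-9][a-z0-9+.-]*)_(?P<ver>[^_]+)_(?P<arch>[^_]+)\.deb$")

def removed_but_cached(deb_filenames: list, pkgs: dict) -> list:
    """Leftover .deb files whose package is no longer installed: installed-then-removed candidates."""
    present = installed_packages(pkgs)
    found = []
    for fn in deb_filenames:
        m = DEB_NAME_RE.match(fn)
        if m and m.group("name") not in present:
            found.append(m.group("name"))
    return sorted(set(found))

# Constructed sample: a trimmed status file and a cache directory listing.
SAMPLE_STATUS = """\
Package: openssh-server
Status: install ok installed
Version: 1:7.4p1-10+deb9u7
Description: secure shell (SSH) server, for secure access from remote machines
 This package provides the sshd server.

Package: nmap
Status: install ok installed
Version: 7.40-1
Description: The Network Mapper

Package: socat
Status: deinstall ok config-files
Version: 1.7.3.1-2
Description: multipurpose relay for bidirectional data transfer

Package: coreutils
Status: install ok installed
Version: 8.26-3
Description: GNU core utilities
"""
SAMPLE_CACHE = ["socat_1.7.3.1-2_amd64.deb", "nmap_7.40-1_amd64.deb", "lock", "partial"]
BASELINE = {"openssh-server", "coreutils"}   # assumed known-good package set for this host

if __name__ == "__main__":
    pkgs = parse_dpkg_status(SAMPLE_STATUS)
    print("installed but not in baseline:", not_in_baseline(pkgs, BASELINE))
    print("removed but still cached:", removed_but_cached(SAMPLE_CACHE, pkgs))
```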
The network operation trace investigation module is mainly used to extract the network operating state of the operating system and give the investigator details of the network in the current system, including network applications and the basic network. It is divided into three parts: the basic operation information investigation function, the network cache investigation function and the network application state investigation function.
1. Basic operation information investigation function, mainly produced by parsing the output of the netstat program.
(1) Extract the current network connection state and judge whether abnormal inbound or outbound connections exist.
(2) The IP address, subnet mask, gateway address and network interface information for each network connection. If an abnormal network connection is found, filtering on this information quickly locates the attack source, which helps the investigator trace the attack and reconstruct the attack path.
2. Network cache investigation function (mainly based on the operating system's network caches, obtained by parsing the operating system's cache files)
(1) ARP cache information: by inspecting the ARP cache it can be judged whether the system has suffered an ARP spoofing attack, which helps the investigator analyse the attack source and attack method.
(2) DNS cache information: from the DNS cache it can be judged whether the current system has been affected by DNS poisoning, or where it was redirected to, which helps the investigator trace the attack and determine its entry point.
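An added example (not the patent's code) for the ARP side of this function: it reads the table format of /proc/net/arp, which the page does not name but is where the kernel exposes the cache, and applies the two checks an investigator actually runs: one hardware address answering for several IP addresses, and the gateway's cached address differing from the address on record. The table, gateway IP and recorded MAC are constructed sample values. The DNS side is not shown because Linux has no single DNS cache: it depends on which resolver runs (nscd, systemd-resolved, dnsmasq) and many hosts have none. Like netstat output, the ARP table of a live host is under the control of an attacker with root, so the record the gateway MAC is compared against must come from outside the host.

```python
ATF_COM = 0x2   # flag bit: entry is complete (hardware address resolved)

def parse_proc_arp(text: str) -> list:
    """Parse the /proc/net/arp table (header line, then ip/hwtype/flags/mac/mask/device)."""
    entries = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = cols[:6]
        flag_bits = int(flags, 16)
        entries.append({"ip": ip, "mac": mac.lower(), "dev": dev,
                        "complete": bool(flag_bits & ATF_COM)})
    return entries

def macs_claiming_multiple_ips(entries: list) -> dict:
    """One MAC answering for several IPs is the classic footprint of ARP spoofing."""
    by_mac = {}
    for e in entries:
        if e["complete"]:
            by_mac.setdefault(e["mac"], []).append(e["ip"])
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_mac_mismatch(entries: list, gateway_ip: str, expected_mac: str):
    """Return the MAC currently cached for the gateway if it differs from the recorded one."""
    cached = [e["mac"] for e in entries if e["ip"] == gateway_ip and e["complete"]]
    if cached and cached[0] != expected_mac.lower():
        return cached[0]
    return None

# Constructed sample table: 10.0.0.9 answers with the same MAC as the gateway 10.0.0.1,
# and 10.0.0.77 is an incomplete (unresolved) entry that must be ignored.
SAMPLE_PROC_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         52:54:00:AA:BB:CC     *        eth0
10.0.0.5         0x1         0x2         52:54:00:11:22:33     *        eth0
10.0.0.9         0x1         0x2         52:54:00:aa:bb:cc     *        eth0
10.0.0.77        0x1         0x0         00:00:00:00:00:00     *        eth0
"""
GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC_ON_RECORD = "52:54:00:de:ad:01"   # assumed value from the network's own records

if __name__ == "__main__":
    arp = parse_proc_arp(SAMPLE_PROC_ARP)
    print("MACs claiming several IPs:", macs_claiming_multiple_ips(arp))
    print("gateway MAC differs from record:",
          gateway_mac_mismatch(arp, GATEWAY_IP, GATEWAY_MAC_ON_RECORD))
```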
3. Network application state investigation function, mainly produced by parsing the output of the netstat program.
Obtain the correspondence between network applications, IP addresses, listening ports and the state of existing connections. From this relation it can be judged whether malicious network applications and their listening ports exist on the system, which helps the investigator trace the attack and capture the malicious application's transferred content from the memory data.
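Both netstat-based functions above (the connection-state check under 1 and the application-to-port mapping here) reduce to the same parser, so one added example (not the patent's code) covers them: it parses the output of `netstat -tunap`, maps each listening port to its owning program, lists established connections whose peer lies outside the internal ranges, and flags listeners that are not on the host's expected service list. The netstat output, the internal address ranges and the expected port set are constructed assumptions. Two caveats a practitioner should keep in mind: the PID/Program column is only filled for root, and on a host suspected of running a rootkit the netstat binary and even /proc can lie, so the command should be run from trusted static binaries and cross-checked against a packet capture taken from the network side.

```python
import ipaddress

# Address ranges treated as "inside" for this example (an assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _split_addr(addr: str):
    host, port = addr.rsplit(":", 1)
    return host, (None if port == "*" else int(port))

def parse_netstat(text: str) -> list:
    """Parse 'netstat -tunap' output into dicts; header lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.startswith(("tcp", "udp")):
            continue
        is_tcp = line.startswith("tcp")
        # tcp rows carry a State column, udp rows do not; PID/Program may contain spaces
        parts = line.split(None, 6 if is_tcp else 5)
        proto, local, foreign = parts[0], parts[3], parts[4]
        state = parts[5] if is_tcp else ""
        pid, _, program = parts[-1].strip().partition("/")
        lhost, lport = _split_addr(local)
        fhost, fport = _split_addr(foreign)
        records.append({"proto": proto.rstrip("6"), "local_ip": lhost, "local_port": lport,
                        "foreign_ip": fhost, "foreign_port": fport, "state": state,
                        "pid": int(pid) if pid.isdigit() else None, "program": program})
    return records

def listeners(records: list) -> dict:
    """(proto, port) -> program for listening TCP sockets and bound UDP sockets."""
    out = {}
    for r in records:
        if r["state"] == "LISTEN" or (r["proto"] == "udp" and r["foreign_port"] is None):
            out[(r["proto"], r["local_port"])] = r["program"]
    return out

def external_connections(records: list) -> list:
    """Established connections whose peer is outside INTERNAL_NETS."""
    return [r for r in records if r["state"] == "ESTABLISHED"
            and not any(ipaddress.ip_address(r["foreign_ip"]) in n for n in INTERNAL_NETS)]

def unexpected_listeners(records: list, allowed_ports: set) -> list:
    """Listening ports not on the host's expected service list, with the owning program."""
    return sorted((proto, port, prog) for (proto, port), prog in listeners(records).items()
                  if port not in allowed_ports)

# Constructed sample of 'netstat -tunap' output as seen by root.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1034/mysqld
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2931/nc
tcp        0      0 10.0.0.12:22            10.0.0.5:51514          ESTABLISHED 2017/sshd: alice
tcp        0      0 10.0.0.12:49822         198.51.100.23:4444      ESTABLISHED 2932/sh
udp        0      0 0.0.0.0:68              0.0.0.0:*                           690/dhclient
"""
EXPECTED_PORTS = {22, 3306, 68}   # assumed service list for this host

if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    print("unexpected listeners:", unexpected_listeners(recs, EXPECTED_PORTS))
    for r in external_connections(recs):
        print("external connection:", r["pid"], r["program"], "->", r["foreign_ip"], r["foreign_port"])
```

The peer check deliberately uses an explicit list of internal ranges rather than Python's `is_private`, which also marks the documentation ranges used in the sample as non-global and would hide the outbound shell in the sample output.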
Because a Linux system manages the logs of all applications and of the system itself centrally, the main work of the log information inquiry module is to extract these system logs, classify them, compile statistics and file them, and provide a keyword search function so that the investigator can look up specific log content by keyword, such as abnormal system logins or abnormal application operation, and inspect and analyse the log content in a convenient form. It mainly extracts part of the log files under /var/log.
Two functions support the module:
1. Log file analysis and database loading: all necessary logs are analysed and stored, according to the attributes of their different fields, in a database made up of different data structures, so that when the investigator reviews them the meaning of each field is clear, giving a result feedback form that is well organised and easy to read.
2. Keyword search module: a keyword entered by the investigator is automatically matched against all related records in the database and the matches are displayed, providing the investigator with information filtering and sorting.
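An added example (not the patent's code) of both functions together: classic syslog lines, such as those in /var/log/auth.log, are split into timestamp, host, process, PID and message and loaded into an SQLite table, and a keyword search runs over the stored fields. The log lines are constructed sample data and the table layout is an assumption. Two details matter for evidence handling: lines that fail to parse are still stored with their raw text, so the database never silently drops part of the log, and the investigator's keyword is passed as a bound parameter with its LIKE metacharacters escaped, so a keyword cannot change the query (a search tool that concatenates the keyword into SQL would let an operator or a hostile log line alter what the database returns).

```python
import re
import sqlite3

# Classic syslog line: "Mon DD HH:MM:SS host process[pid]: message" (pid optional)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

def parse_syslog_line(line: str):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"]) if d["pid"] else None
    return d

def load_logs(lines: list, source: str = "auth.log") -> sqlite3.Connection:
    """Split each line into fields and load it into an in-memory SQLite table.
    Lines that do not parse are kept with only the raw text, so nothing is dropped."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE log (id INTEGER PRIMARY KEY, source TEXT, ts TEXT, host TEXT, "
               "process TEXT, pid INTEGER, message TEXT, raw TEXT)")
    for line in lines:
        d = parse_syslog_line(line)
        if d is None:
            db.execute("INSERT INTO log (source, raw) VALUES (?, ?)", (source, line))
        else:
            db.execute("INSERT INTO log (source, ts, host, process, pid, message, raw) "
                       "VALUES (?, ?, ?, ?, ?, ?, ?)",
                       (source, d["ts"], d["host"], d["proc"], d["pid"], d["msg"], line))
    db.commit()
    return db

def _like_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def keyword_search(db: sqlite3.Connection, keyword: str) -> list:
    """Substring match on process and message. The keyword is bound as a parameter and its
    LIKE metacharacters are escaped, so a hostile keyword cannot alter the query."""
    pattern = "%" + _like_escape(keyword) + "%"
    cur = db.execute("SELECT ts, host, process, pid, message FROM log "
                     "WHERE message LIKE ? ESCAPE '\\' OR process LIKE ? ESCAPE '\\' ORDER BY id",
                     (pattern, pattern))
    return cur.fetchall()

# Constructed sample lines in auth.log format (not from a real system).
SAMPLE_AUTH_LOG = [
    "Jul 15 03:11:52 web01 sshd[1550]: Failed password for root from 198.51.100.9 port 51490 ssh2",
    "Jul 15 03:11:58 web01 sshd[1552]: Failed password for root from 198.51.100.9 port 51502 ssh2",
    "Jul 15 03:12:07 web01 sshd[1555]: Accepted password for root from 198.51.100.9 port 51514 ssh2",
    "Jul 15 03:13:40 web01 sudo:     root : TTY=pts/2 ; PWD=/root ; COMMAND=/usr/bin/apt-get install nmap",
    "Jul 15 12:00:01 web01 CRON[1601]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "this line is not in syslog format and is kept as raw text",
]

if __name__ == "__main__":
    db = load_logs(SAMPLE_AUTH_LOG)
    for row in keyword_search(db, "198.51.100.9"):
        print(row)
```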
Regarding the memory information inquiry module: memory holds a large amount of the current system's state, covering files, logs, network, users and much other information, so the significance of memory forensics is: (1) in judicial terms it provides physical data that supports the investigation results of the other major inquiry modules, making it easy to examine and re-examine all the digital evidence extracted from the system and ensuring its judicial admissibility; (2) memory also contains other sensitive information not covered by the modules above, so the extracted memory data can be analysed and mined in more detail, making it possible to extract judicially usable digital evidence left behind by unconventional computer crime techniques.
In the invention, because the security mechanisms of modern Linux systems do not allow a user program to dump physical memory directly, the third-party open-source tool fmem is used to dump memory, and the memory information inquiry module is implemented together with the system dd tool. Because this tool needs to load a kernel module on the system under investigation, and in order to avoid the untrustworthy data that a change to the system environment could cause, the memory forensics module is made the last step of the forensic process, so as to avoid the risk that taking the memory image renders the other digital evidence unreliable.
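The page leaves the dd step itself unspecified. The added example below (not the patent's code) shows the part of it that practitioners get wrong: fmem exposes physical memory as /dev/fmem, but reading it linearly also touches the MMIO and reserved regions, which can hang the machine. The script therefore takes the "System RAM" ranges from /proc/iomem (root is needed to see real addresses there) and generates one dd command per range, using seek= so that the output image keeps the physical offsets, with holes where memory is not RAM. The iomem listing is a constructed sample of a 4 GiB virtual machine; the device name /dev/fmem and the GNU dd byte-granularity flags (iflag=skip_bytes,count_bytes and oflag=seek_bytes) are assumptions of the example. The image should be hashed immediately after acquisition, which is exactly what the evidence fixation module described later does.

```python
import re

IOMEM_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) : (.+)$")   # anchored at column 0

def system_ram_ranges(iomem_text: str) -> list:
    """Top-level 'System RAM' ranges from /proc/iomem as (start, end) inclusive byte offsets.
    Indented child rows (Kernel code/data) do not match the anchored pattern and are skipped,
    since they lie inside their parent range."""
    ranges = []
    for line in iomem_text.splitlines():
        m = IOMEM_LINE.match(line)
        if m and m.group(3) == "System RAM":
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
    return ranges

def total_ram_bytes(ranges: list) -> int:
    return sum(end - start + 1 for start, end in ranges)

def dd_commands(ranges: list, device: str = "/dev/fmem", out: str = "mem.raw") -> list:
    """One GNU dd invocation per RAM range. seek= keeps the physical offsets in the output, so
    the image has holes where the MMIO/reserved regions are instead of shifted data."""
    cmds = []
    for start, end in ranges:
        length = end - start + 1
        cmds.append(f"dd if={device} of={out} bs=1M iflag=skip_bytes,count_bytes oflag=seek_bytes "
                    f"skip={start} count={length} seek={start} conv=notrunc")
    return cmds

# Constructed sample resembling the /proc/iomem of a 4 GiB virtual machine.
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
0009fc00-0009ffff : Reserved
000a0000-000bffff : PCI Bus 0000:00
000f0000-000fffff : System ROM
00100000-bffdffff : System RAM
  01000000-01a00fff : Kernel code
  01a01000-01ef0fff : Kernel data
bffe0000-bfffffff : Reserved
c0000000-febfffff : PCI Bus 0000:00
  fd000000-fdffffff : 0000:00:02.0
fec00000-fec003ff : IOAPIC 0
fee00000-fee00fff : Local APIC
fffc0000-ffffffff : Reserved
100000000-13fffffff : System RAM
"""

if __name__ == "__main__":
    ranges = system_ram_ranges(SAMPLE_IOMEM)
    print(f"{len(ranges)} RAM ranges, {total_ram_bytes(ranges) / 2**30:.2f} GiB")
    print("\n".join(dd_commands(ranges)))
```

The first RAM range in the sample ends at 0x9fbff, which is not a 4 KiB boundary, so a version of this script that uses block-granular skip/count with a 4 KiB block size would either truncate the range or read into the reserved area after it; byte-granular flags avoid that.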
The evidence fixation module is mainly used to fix all the extracted evidence. It records the MD5 values of all data files, the time of evidence collection, the investigator's name, investigator ID and investigator contact details, ensuring that the extracted evidence is not maliciously modified by the personnel taking part in the investigation, which would affect its judicial value.
In real forensic investigations, because digital evidence is easy to modify and easy to damage, some forensic personnel might maliciously modify the evidence in order to benefit others in breach of the law. The system therefore adopts a principle of "distrust" towards forensic personnel in the processing stage after data extraction: it does not assume that forensic personnel will leave the evidence unmodified. Each original evidence file extracted by the program and each processed database file is hashed (the system uses the MD5 algorithm for this), and the final "project" file records in detail the time of evidence collection and the name, identity ID and contact details of the forensic personnel, so that if the evidence is damaged or suspected of having been modified this can be detected promptly by the supervising authority and responsibility assigned.
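An added example (not the patent's code) of the fixation step as a practitioner would build it: every file in the project directory is hashed, a manifest carrying the investigator's details and the collection time is written, and a verification pass later reports files that were modified, removed or added after fixation. The sample project files and investigator details are constructed; the manifest layout is an assumption. The page specifies MD5, and it is kept here, but SHA-256 is recorded alongside it because MD5 collisions are practical and a tampering party could substitute a colliding file. One more point the page's threat model needs: a hash computed and stored by the collector only detects changes made after the hash was taken, and the collector can rewrite the manifest itself. The function therefore also returns the hash of the manifest, which is what should be handed to the supervising party (or time-stamped or signed) at the moment of fixation.

```python
import hashlib
import json
import os
import tempfile
import time

def hash_file(path: str, algorithms=("md5", "sha256"), chunk: int = 1 << 20) -> dict:
    """Hash one file with each algorithm in a single pass over its bytes."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def _walk(project_dir: str, skip: str):
    """Yield (relative path, absolute path) for every file except the manifest itself."""
    for root, _dirs, files in os.walk(project_dir):
        for fn in sorted(files):
            if fn == skip and root == project_dir:
                continue
            path = os.path.join(root, fn)
            yield os.path.relpath(path, project_dir).replace(os.sep, "/"), path

def fix_evidence(project_dir: str, investigator: dict, manifest_name: str = "manifest.json"):
    """Hash every file in the project and write the manifest. Returns (manifest, manifest_sha256);
    the second value is handed to the supervising party, since a manifest the collector can
    rewrite proves nothing by itself."""
    files = {rel: {"size": os.path.getsize(path), **hash_file(path)}
             for rel, path in _walk(project_dir, manifest_name)}
    manifest = {"investigator": investigator,
                "fixed_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "files": files}
    body = json.dumps(manifest, sort_keys=True, indent=2).encode()
    with open(os.path.join(project_dir, manifest_name), "wb") as f:
        f.write(body)
    return manifest, hashlib.sha256(body).hexdigest()

def verify_evidence(project_dir: str, manifest_name: str = "manifest.json") -> dict:
    """Recompute every hash. Returns {relpath: 'modified' | 'missing' | 'unlisted'}; empty means intact."""
    with open(os.path.join(project_dir, manifest_name), "rb") as f:
        manifest = json.loads(f.read())
    problems = {}
    on_disk = dict(_walk(project_dir, manifest_name))
    for rel, rec in manifest["files"].items():
        if rel not in on_disk:
            problems[rel] = "missing"
            continue
        current = hash_file(on_disk[rel])
        if current["sha256"] != rec["sha256"] or current["md5"] != rec["md5"]:
            problems[rel] = "modified"
    for rel in on_disk:
        if rel not in manifest["files"]:
            problems[rel] = "unlisted"
    return problems

def build_sample_project() -> str:
    """Constructed sample project: two evidence files in a fresh temporary directory."""
    d = tempfile.mkdtemp(prefix="case-")
    os.makedirs(os.path.join(d, "logs"))
    with open(os.path.join(d, "wtmp"), "wb") as f:
        f.write(b"\x07\x00" * 192)
    with open(os.path.join(d, "logs", "auth.db"), "wb") as f:
        f.write(b"SQLite format 3\x00" + b"\x00" * 100)
    return d

def tamper_sample_project(d: str) -> None:
    """Simulate what a dishonest operator might do after fixation."""
    with open(os.path.join(d, "wtmp"), "ab") as f:
        f.write(b"\x00")
    os.remove(os.path.join(d, "logs", "auth.db"))
    with open(os.path.join(d, "notes.txt"), "w") as f:
        f.write("added after fixation\n")

INVESTIGATOR = {"name": "Example Investigator", "id": "INV-0001",   # assumed sample values
                "contact": "investigator@example.com"}

if __name__ == "__main__":
    case = build_sample_project()
    manifest, digest = fix_evidence(case, INVESTIGATOR)
    print("manifest sha256 (record this externally):", digest)
    print("before tampering:", verify_evidence(case))
    tamper_sample_project(case)
    print("after tampering:", verify_evidence(case))
```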
The invention also provides a graphical operating interface written with Qt. Because the program architecture separates the function code from the GUI code, the interface provides only basic operation and display functions. By using tab pages sensibly, the detailed functions of each module are displayed by category on the interface, giving the investigator a clear and intuitive forensic result: on the one hand this makes operation convenient for the investigator, and on the other hand it makes it convenient for the evidence analyst to analyse the acquired evidence.

Claims (10)

1. A digital forensics system for the Linux environment, characterised in that the system consists of a host operation trace investigation module, a network operation trace investigation module, a log information inquiry module, a memory information inquiry module and an evidence fixation module, wherein the host operation trace investigation module includes a basic operation investigation function and an application information investigation function, the latter implemented by extracting the system package manager database; the network operation trace investigation module includes a basic operation information investigation function, a network cache investigation function and a network application state investigation function; the log information inquiry module includes a log file analysis and database loading function and a keyword search module; the memory information inquiry module dumps memory with the third-party open-source tool fmem and performs memory information investigation together with the system dd tool; and the evidence fixation module hashes the original evidence files and the processed database files and records the related information, ensuring that damage to the evidence or suspicion of its modification can be detected promptly by the supervising authority.
2. The digital forensics system for the Linux environment according to claim 1, characterised in that the basic operation investigation function includes:
(1) obtaining the system login time list, by parsing the system login record files wtmp and btmp, to investigate whether there are unauthorised logins or logins at unusual times;
(2) obtaining the list of services started by the system during boot and login, to investigate whether a rootkit or other self-starting backdoor program installed by an attacker is present;
(3) obtaining basic user information, to judge whether illegal or suspicious users exist on the current system.
3. The digital forensics system for the Linux environment according to claim 1, characterised in that the application information investigation function includes:
(1) obtaining the list of programs installed on the system, to judge whether rootkits, other illegal applications or malicious applications are present;
(2) obtaining the installation packages left on the system and comparing them with the installed program list, to judge whether corresponding illegal applications are or were installed, so that the investigator can assess the degree to which the system or its network has been attacked and the scope of the impact; this information can also be used to trace the source of the attack.
4. The digital evidence obtaining system based on a Linux environment according to claim 1, characterised in that the basic operation information investigation function is produced by parsing the results of the netstat program and comprises:
(1) extracting the current network connection status and determining whether abnormal incoming or outgoing connections exist;
(2) if abnormal network connections are found, filtering on that information so that the attack source can be located quickly, which makes it convenient for the investigator to trace the source and reconstruct the attack path.
5. The digital evidence obtaining system based on a Linux environment according to claim 1, characterised in that the network cache investigation function comprises:
(1) ARP cache information: by consulting the ARP cache it can be judged whether the system has suffered an ARP spoofing attack, which helps the investigator analyse the attack source and attack method;
(2) DNS cache information: from the DNS cache it can be judged whether the current system has been affected by DNS pollution or redirection, and to where, making it easier for the investigator to trace the source and determine the attack entry point.
6. The digital evidence obtaining system based on a Linux environment according to claim 1, characterised in that the network application state investigation function is produced by parsing the results of the netstat program; it obtains the correspondence between each network application and its IP address, listening port and current connection state, from which it can be judged whether malicious network applications and their listening ports exist in the system, which helps the investigator trace the attack and intercept the content transmitted by the malicious application from the memory data.
7. The digital evidence obtaining system based on a Linux environment according to claim 1, characterised in that the log file analysis and database import function analyses all necessary logs and stores their differing data structures in the database according to the attributes of the different fields, so that the forensic investigator clearly knows the meaning of each field when reviewing the results, giving a clear and user-friendly form of result feedback.
8. The digital evidence obtaining system based on a Linux environment according to claim 1, characterised in that the keyword search module takes a keyword entered by the forensic investigator, automatically matches all related records in the database and displays them, providing the forensic investigator with information filtering and sorting functions.
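Claims 7 and 8 together describe splitting log lines into typed fields, storing them in a database, and then matching a keyword the investigator types. The following Python is an added example for this page, not the patent's implementation: it parses constructed syslog-style authentication lines (the regular expression, table schema and field names are assumptions) into an in-memory SQLite table and runs the keyword match as a parameterised LIKE query with wildcard escaping, so that whatever the investigator types is treated as data and cannot change the query.

```python
import re
import sqlite3

# Constructed sample lines in the syslog layout used by /var/log/auth.log (not real data).
SAMPLE_LINES = [
    "May 26 03:15:02 web01 sshd[2031]: Failed password for invalid user admin from 198.51.100.7 port 4433 ssh2",
    "May 26 03:15:05 web01 sshd[2031]: Failed password for invalid user admin from 198.51.100.7 port 4433 ssh2",
    "May 26 09:02:11 web01 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
    "May 26 09:02:20 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl status sshd",
    "garbage line that does not match",
]

# timestamp, host, program, optional [pid], message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
SRC_IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

SCHEMA = """CREATE TABLE IF NOT EXISTS auth_log (
    id INTEGER PRIMARY KEY, ts TEXT, host TEXT, prog TEXT,
    pid INTEGER, src_ip TEXT, msg TEXT, raw TEXT)"""


def parse_line(line: str):
    """Split one log line into named fields; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["msg"] = d["msg"].strip()
    d["pid"] = int(d["pid"]) if d["pid"] else None
    ip = SRC_IP_RE.search(d["msg"])
    d["src_ip"] = ip.group(1) if ip else None
    return d


def load_lines(conn: sqlite3.Connection, lines) -> int:
    """Import parsable lines into auth_log; returns the number of rows inserted."""
    conn.execute(SCHEMA)
    rows = []
    for line in lines:
        d = parse_line(line)
        if d is None:
            continue  # unparsable lines are skipped; a real tool would log them for review
        rows.append((d["ts"], d["host"], d["prog"], d["pid"], d["src_ip"], d["msg"], line))
    conn.executemany(
        "INSERT INTO auth_log (ts, host, prog, pid, src_ip, msg, raw) VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return len(rows)


def search(conn: sqlite3.Connection, keyword: str) -> list:
    """Keyword match over the raw line. The keyword is bound as a parameter and its LIKE
    wildcards are escaped, so investigator input is never interpreted as SQL or as a pattern."""
    escaped = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    cur = conn.execute(
        "SELECT ts, host, prog, src_ip, msg FROM auth_log WHERE raw LIKE ? ESCAPE '\\' ORDER BY id",
        ("%" + escaped + "%",))
    return cur.fetchall()


def failures_by_source(conn: sqlite3.Connection) -> list:
    """Aggregation the structured fields make possible: failed logins per source address."""
    cur = conn.execute(
        "SELECT src_ip, COUNT(*) FROM auth_log "
        "WHERE msg LIKE 'Failed password%' AND src_ip IS NOT NULL "
        "GROUP BY src_ip ORDER BY 2 DESC")
    return cur.fetchall()


def build_db(lines=SAMPLE_LINES) -> sqlite3.Connection:
    """Create an in-memory database loaded with the given lines."""
    conn = sqlite3.connect(":memory:")
    load_lines(conn, lines)
    return conn


if __name__ == "__main__":
    db = build_db()
    for row in search(db, "Failed password"):
        print(row)
    print(failures_by_source(db))
```

Searching for `%` or `_` returns only lines that literally contain those characters, which is the behaviour an investigator expects from a keyword box; without the escaping, a stray `%` would match every row.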
9. The digital evidence obtaining system based on a Linux environment according to claim 1, characterised in that the system may also include a graphical operating interface.
10. The digital evidence obtaining system based on a Linux environment according to claim 1, characterised in that the evidence fixation module is specifically: the forensic investigator's name, identity ID, contact method and forensics time are written into the evidence project file, and hash processing is applied to the acquired digital evidence files to form a basic file check, so as to achieve evidence fixation and prevent malicious forensic personnel from modifying the evidence.
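Claim 10, together with the evidence fixation module in claim 1, describes recording who collected the evidence and when, and hashing each evidence file so that later modification can be detected. The following Python is an added example for this page, not the patent's code; SHA-256, the JSON manifest layout and the field names `name`, `id` and `contact` are assumptions. It hashes the manifest body as well as the files, so that editing the record itself is as detectable as editing an evidence file, and the constructed `demo()` scenario shows a file being altered after fixation.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large evidence images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(obj: dict) -> bytes:
    """Deterministic JSON encoding, so the manifest hashes identically after a disk round trip."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def fix_evidence(paths: list, investigator: dict) -> dict:
    """Build the evidence project record: who collected the items, when, and each item's hash.
    `investigator` carries the three fields claim 10 names (assumed keys: name, id, contact)."""
    items = [{"path": os.path.abspath(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
             for p in paths]
    manifest = {
        "investigator": {k: investigator[k] for k in ("name", "id", "contact")},
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }
    # Hash the record itself too, so an edited manifest is as detectable as an edited file.
    manifest["manifest_sha256"] = hashlib.sha256(_canonical(manifest)).hexdigest()
    return manifest


def verify_evidence(manifest: dict) -> dict:
    """Re-hash every item and the manifest body; return {name: True/False}."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    results = {"__manifest__":
               hashlib.sha256(_canonical(body)).hexdigest() == manifest["manifest_sha256"]}
    for item in manifest["items"]:
        p = item["path"]
        results[p] = os.path.isfile(p) and sha256_file(p) == item["sha256"]
    return results


def demo() -> dict:
    """Constructed scenario: fix two evidence files, persist the manifest, then alter one file."""
    with tempfile.TemporaryDirectory() as work:
        wtmp_copy = os.path.join(work, "wtmp.copy")
        db_file = os.path.join(work, "evidence.db")
        with open(wtmp_copy, "wb") as f:
            f.write(b"\x07\x00" * 192)        # placeholder bytes standing in for a wtmp copy
        with open(db_file, "wb") as f:
            f.write(b"SQLite format 3\x00")   # placeholder bytes standing in for the result DB

        manifest = fix_evidence(
            [wtmp_copy, db_file],
            {"name": "Investigator A", "id": "ID-0001", "contact": "a@example.org"})
        manifest_path = os.path.join(work, "evidence.manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(manifest, f, indent=2)
        with open(manifest_path) as f:
            reloaded = json.load(f)

        before = verify_evidence(reloaded)
        with open(db_file, "ab") as f:
            f.write(b"tampered")             # simulate a post-collection modification
        after = verify_evidence(reloaded)
        return {
            "before_ok": all(before.values()),
            "after_ok": all(after.values()),
            "tampered": [os.path.basename(p) for p, ok in after.items() if not ok],
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hash alone only detects change; it does not say who changed what. Keeping the manifest (or its `manifest_sha256`) with a party other than the collecting investigator, as the supervising department in claim 1, is what turns the check into a control against the malicious-investigator case claim 10 describes.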
CN201710385433.7A 2017-05-26 2017-05-26 Digital evidence obtaining system based on Linux environment Pending CN107332820A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710385433.7A CN107332820A (en) 2017-05-26 2017-05-26 Digital evidence obtaining system based on Linux environment

Publications (1)

Publication Number Publication Date
CN107332820A true CN107332820A (en) 2017-11-07

Family

ID=60193089

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710385433.7A Pending CN107332820A (en) 2017-05-26 2017-05-26 Digital evidence obtaining system based on Linux environment

Country Status (1)

Country Link
CN (1) CN107332820A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110314148A1 (en) * 2005-11-12 2011-12-22 LogRhythm Inc. Log collection, structuring and processing
CN101017563A (en) * 2006-11-21 2007-08-15 北京大学 Method for fixing and saving evidence of computer crime and device therefor
CN102708152A (en) * 2012-04-18 2012-10-03 南京邮电大学 Integrated management method for electronic evidence
CN104392177A (en) * 2014-12-16 2015-03-04 武汉虹旭信息技术有限责任公司 Android platform based virus forensics system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘涛: "Research and Implementation of Evidence Collection Based on the Linux System", China Masters' Theses Full-text Database *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108737373A (en) * 2018-04-12 2018-11-02 国家计算机网络与信息安全管理中心 A kind of security forensics method for catenet equipment concealment techniques
CN108737373B (en) * 2018-04-12 2020-09-22 国家计算机网络与信息安全管理中心 Safety evidence obtaining method for large network equipment hiding technology
CN111030975A (en) * 2019-04-26 2020-04-17 北京安天网络安全技术有限公司 Load analysis-based threat prediction method and device and storage equipment
CN111030975B (en) * 2019-04-26 2023-02-28 北京安天网络安全技术有限公司 Load analysis-based threat prediction method and device and storage equipment
CN111475465A (en) * 2020-03-19 2020-07-31 重庆邮电大学 Intelligent home evidence obtaining method based on body

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171107