CN107332820A - Digital forensics system based on a Linux environment - Google Patents
Digital forensics system based on a Linux environment
- Publication number: CN107332820A (application CN201710385433.7A)
- Authority: CN (China)
- Prior art keywords: evidence, module, information, forensics, function
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1425: Network security for detecting or protecting against malicious traffic by monitoring network traffic; traffic logging, e.g. anomaly detection
- G06F21/565: Security arrangements for protecting computers against unauthorised activity; computer malware detection; static detection by checking file integrity
- H04L61/103: Network arrangements for addressing or naming; mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
- H04L61/4511: Network directories; name-to-address mapping using standardised directories or directory access protocols, using the domain name system [DNS]
- H04L63/1416: Network security for detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
- H04L63/1466: Countermeasures against malicious traffic; active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L63/30: Network security for supporting lawful interception, monitoring or retaining of communications or communication related information
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Computer Hardware Design; General Engineering & Computer Science; Computer Networks & Wireless Communication; Signal Processing; Computing Systems; Software Systems; Theoretical Computer Science; Health & Medical Sciences; Virology; General Health & Medical Sciences; Physics & Mathematics; General Physics & Mathematics; Technology Law; Management, Administration, Business Operations System, And Electronic Commerce
Abstract
The invention discloses a digital forensics system based on a Linux environment. The system consists of a host operation trace investigation module, a network operation trace investigation module, a log information investigation module, a memory information investigation module and an evidence fixation module. The host operation trace investigation module comprises a basic operation investigation function and an application information investigation function; the network operation trace investigation module comprises a basic operation information investigation function, a network cache investigation function and a network application state investigation function; the log information investigation module comprises a log file parsing and database import function and a keyword search module; the memory information investigation module dumps physical memory with the fmem tool and, in combination with system tools, realises memory information investigation; the evidence fixation module hashes the original evidence and the processed database files. The invention effectively reduces the workload of forensic investigators, introduces the concepts of a forensic tool "project" and of "evidence fixation", and prevents forensic personnel themselves from illegally modifying the evidence material.
Description
Technical field
The invention belongs to the field of digital forensics and relates to computer crime forensics carried out under the Linux operating system; specifically, it relates to a digital forensics system based on a Linux environment.
Technical background
Digital forensics (computer crime forensics), also called computer forensic science, treats the computer as a crime scene: using advanced discrimination techniques it performs a forensic-style dissection of computer crime behaviour, searches for and confirms the perpetrator and the evidence of the crime, and brings prosecution accordingly. It mainly covers the identification, preservation, collection, analysis and presentation in court of electronic evidence, in order to disclose crimes or faults related to digital devices. Digital forensics technology applies computer investigation and analysis techniques to determining and acquiring potentially legally effective electronic evidence; like intrusion detection, it is directed at hackers and intrusions, and its purpose is likewise to guarantee network security. In recent years the judicial effect of digital evidence has gradually been recognised by every country, and digital evidence has begun to appear as a principal exhibit in computer-related judicial decisions. At present, digital forensics technology on the Windows platform has become mature and complete, and a full set of forensic process specifications and methodologies has been produced, whereas forensics for the widely used Linux operating system has progressed slowly, because it is less widespread among the general public or because the technology is still immature.
The Linux operating system is a free, freely distributed Unix-like operating system. Because of its stable performance it is now widely used in large and medium-sized servers, switches and routers. With the increasing popularity of graphical user interfaces, Linux has also begun to ship graphical interfaces and to develop towards a traditional desktop operating system. The Linux kernel is compact, and some manufacturers now modify the kernel to run it on embedded platforms such as mobile phones, smart-home and Internet-of-Things devices. Linux is simple to operate: a single command-line terminal is enough to control the entire system, and because it is open source anyone can modify it and create a custom system that fits personal habits. Linux is therefore deeply liked by programmers and hackers, and in particular has become a sharp weapon in the hacker's hand. In the past few years, attacks launched from Linux systems and attacks against servers running Linux have occurred frequently, and penetration-testing platforms based on Linux, such as KALI and Parrot, have been born and grown in strength.
There are a small number of forensic tools available for Linux on the market, such as FTK and Volatility, but most are ported from Windows and cannot fully cope with forensic work in a Linux environment; in addition each covers a single kind of evidence: FTK can only image and parse disks, and Volatility can only parse memory images. In real life, evidence collected from a single direction usually cannot satisfy the requirement of judicial admissibility. At the same time these tools demand relatively high skill of the operator. As a result, during forensic work the investigator has to carry a large bundle of forensic tools and still cannot guarantee that the extracted evidence is consistent and valid, so that when computer crime involving a Linux operating system occurs, forensic work often cannot be carried out effectively, leading to delayed forensics or, in serious cases, to the loss of valid evidence. At present the greatest difficulties in digital forensics for the Linux operating system are: (1) whether the operating system itself provides readable digital evidence; (2) which digital evidence can be acquired from the Linux operating system; (3) from which locations in the system the digital evidence is acquired; (4) how the acquired digital evidence is recognised by law, that is, how its judicial admissibility is ensured; (5) how to ensure that the extracted digital evidence is not maliciously modified by forensic personnel; (6) how to reduce the operating difficulty for forensic investigators while still carrying out effective forensic work.
The content of the invention
The purpose of the present invention is to overcome the above shortcomings of the prior art by providing a complete digital forensics system for a Linux environment that integrates the existing single-function forensic tools and provides evidence collection and analysis functions for disk, network, logs and memory.
To this end, the technical solution adopted by the invention is a digital forensics system based on a Linux environment, consisting of a host operation trace investigation module, a network operation trace investigation module, a log information investigation module, a memory information investigation module and an evidence fixation module. The host operation trace investigation module comprises a basic operation investigation function and an application information investigation function, the latter realised by extracting the system package manager database; the network operation trace investigation module comprises a basic operation information investigation function, a network cache investigation function and a network application state investigation function; the log information investigation module comprises a log file parsing and database import function and a keyword search module; the memory information investigation module uses the third-party open-source tool fmem to dump memory and, in combination with the system dd tool, realises memory information investigation; the evidence fixation module hashes the original evidence and the processed database files and records the related information, ensuring that damage to the evidence material, or suspicion that it has been modified, can be discovered in time by the supervising department.
Further, the basic operation investigation function comprises:
(1) obtaining the system login time list, by parsing the system record files wtmp and btmp, to investigate information such as unauthorised access or access at suspicious times;
(2) the list of services started by the system during the boot and login process, to investigate whether the system contains a rootkit or other self-starting backdoor program installed by an attacker;
(3) basic user information, to judge whether the current system contains illegal or suspicious users.
Further, the application information investigation function comprises:
(1) obtaining the list of programs installed in the system, to judge whether rootkits and other illegal or malicious applications are present;
(2) obtaining the installation packages left behind in the system and, combined with the installed-program list, judging whether the corresponding illegal applications are or were installed in the current system, so that the investigator can judge the degree to which the system or its network was attacked and the scope of impact, and can also trace the source of the attack from this information.
Further, the basic operation information investigation function is produced by parsing the output of the netstat program and comprises:
(1) extracting the current network connection state and deciding whether abnormal inbound or outbound connections exist;
(2) if abnormal network connections are found, screening on this information so that the attack source can be located quickly, making it convenient for the investigator to trace the source and reconstruct the attack path.
Further, the network cache investigation function comprises:
(1) ARP cache information: by consulting the ARP cache one can judge whether the system has suffered an ARP spoofing attack, which helps the investigator analyse the attack source and attack method;
(2) DNS cache information: from the DNS cache information one can judge whether the current system has been subjected to DNS poisoning, or where it has been redirected to, which helps the investigator trace the source and determine the attack entry point.
Further, the network application state investigation function is produced by parsing the output of the netstat program. It obtains the correspondence between network applications, IP addresses, listening ports and the current connection state; from this relation one can judge whether malicious network applications and their listening ports exist in the system, so that the investigator can trace the attack and intercept the content transmitted by the malicious application from the memory data.
Further, the log file parsing and database import function parses all necessary logs and stores them, according to the attributes of the different fields, in a database composed of different data structures, so that the forensic investigator clearly understands the meaning of each field when reviewing, giving a result presentation that is clear in reasoning and friendly in interface.
Further, the keyword search module takes a keyword entered by the forensic investigator, automatically matches all related records in the database and displays them, providing the forensic investigator with information screening and arrangement.
Further, the system of the invention may also include a graphical user interface.
Further, the evidence fixation module specifically writes the forensic investigator's name, identity ID, contact method and forensic time into the evidence project file, and hashes the acquired digital evidence files to form a basic file check, so as to realise evidence fixation and prevent malicious forensic personnel from modifying the evidence material.
Compared with the prior art, the invention has the following advantages:
1. The proposed system lowers the knowledge required of forensic personnel for Linux forensics; it can be used after simple training.
2. The system reduces the workload of the forensic investigator, who no longer needs to carry a large number of Linux forensic tools.
3. The system is the first to introduce the concept of a forensic tool "project", packaging the acquired data files for convenient management.
4. The system is also the first to introduce the concept of "evidence fixation", preventing forensic personnel themselves from illegally modifying the evidence material.
Brief description of the drawings
Fig. 1 is the system architecture diagram of the invention.
Embodiment
The invention is further described in detail below with reference to the accompanying drawing.
As shown in Fig. 1, the digital forensics system based on a Linux environment proposed by the invention comprises a host operation trace investigation module, a network operation trace investigation module, a log information investigation module, a memory information investigation module and an evidence fixation module.
The host operation trace investigation module is mainly used to extract basic system information and operation records. Providing this information to the forensic investigator both allows the investigator to establish a "security baseline" for the system from experience and supplies sensitive abnormal information, such as whether illegal users exist or whether operations and accesses that should not occur have taken place. The module specifically provides the following functions.
1. Basic operation investigation function:
(1) Obtain the system login time list, to investigate information such as unauthorised access or access at suspicious times. This is mainly done by parsing the system record files wtmp, btmp and the like.
(2) The list of services started by the system during the boot and login process, to investigate whether the system contains a rootkit or other self-starting backdoor program installed by an attacker. This is mainly done by parsing the related information in wtmp (wtmp records logins, logouts, runlevel changes and reboots; the services themselves are defined by the init system, so its unit files and rc directories should be collected alongside it).
(3) Basic user information, to judge whether the current system contains illegal or suspicious users. This is mainly extracted by parsing files such as passwd and shadow.
2. Application information investigation function:
(1) Obtain the list of programs installed in the system, to judge whether rootkits and other illegal applications are present, including port forwarders, scanning tools and other malicious applications. This is mainly realised by extracting the operating system's package manager database.
(2) Obtain the installation packages left behind in the system and, combined with the installed-program list, judge whether the corresponding illegal applications are or were installed in the current system, so that the investigator can judge the degree to which the system or its network was attacked and the scope of impact, and can also trace the source of the attack from this information. The implementation is the same as above.
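The following is an added example, not code from the patent, of what the host operation trace checks above amount to in practice: it parses wtmp/btmp records (struct utmp as laid out by glibc on x86_64, which is an assumption about the seized host), flags interactive logins at suspicious hours and hosts with many failed logins, and checks passwd for extra UID-0 accounts and shared UIDs. All sample records and the passwd text are constructed inline.

```python
import struct
from collections import Counter, defaultdict
from datetime import datetime, timezone

# struct utmp as glibc lays it out on x86_64 (384 bytes, little-endian); assumption:
# the records come from such a system. Fields, in order:
# ut_type(2) pad(2) ut_pid(4) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
# e_termination(2) e_exit(2) ut_session(4) tv_sec(4) tv_usec(4) ut_addr_v6[16] unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
BOOT_TIME, USER_PROCESS = 2, 7          # ut_type values of interest

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Parse raw wtmp/btmp/utmp bytes into a list of record dicts."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _usec, _addr) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": ut_type, "pid": pid, "line": _cstr(line),
                        "user": _cstr(user), "host": _cstr(host),
                        "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc)})
    return records

def odd_hour_logins(records, start=1, end=5):
    """Interactive logins whose UTC hour lies in [start, end): the 'suspicious time' check."""
    return [r for r in records
            if r["type"] == USER_PROCESS and start <= r["time"].hour < end]

def failed_login_sources(btmp_records, threshold=5):
    """Source hosts with at least `threshold` failed logins recorded in btmp."""
    counts = Counter(r["host"] for r in btmp_records if r["type"] == USER_PROCESS)
    return {h: n for h, n in counts.items() if n >= threshold}

def suspicious_passwd(passwd_text):
    """UID-0 accounts other than root, and UIDs shared by several accounts."""
    by_uid = defaultdict(list)
    for ln in passwd_text.splitlines():
        f = ln.split(":")
        if len(f) >= 7:
            by_uid[int(f[2])].append(f[0])
    return {"uid0": [u for u in by_uid.get(0, []) if u != "root"],
            "shared_uid": {uid: us for uid, us in by_uid.items()
                           if uid != 0 and len(us) > 1}}

# ---- constructed sample data; not taken from any real system ----
def _rec(ut_type, user, host, line, when, pid=4242):
    ts = int(datetime(*when, tzinfo=timezone.utc).timestamp())
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, b"")

SAMPLE_WTMP = b"".join([
    _rec(BOOT_TIME, "reboot", "4.4.0", "~", (2017, 5, 26, 8, 0), pid=0),
    _rec(USER_PROCESS, "alice", "10.0.0.5", "pts/0", (2017, 5, 26, 9, 15)),
    _rec(USER_PROCESS, "www", "203.0.113.9", "pts/1", (2017, 5, 27, 3, 12)),
])
SAMPLE_BTMP = b"".join(
    _rec(USER_PROCESS, "root", "203.0.113.9", "ssh:notty", (2017, 5, 27, 3, m))
    for m in range(6))
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
backdoor:x:0:0::/tmp:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1000:1001::/home/bob:/bin/bash
"""

def demo():
    wtmp, btmp = parse_utmp(SAMPLE_WTMP), parse_utmp(SAMPLE_BTMP)
    return {"odd_hour": [(r["user"], r["host"]) for r in odd_hour_logins(wtmp)],
            "brute_force": failed_login_sources(btmp),
            "passwd": suspicious_passwd(SAMPLE_PASSWD)}

if __name__ == "__main__":
    print(demo())
```

On a seized disk the same functions apply to /var/log/wtmp, /var/log/btmp and /etc/passwd read from the image; the record size and field offsets differ on other architectures and glibc builds, so the struct format must be matched to the host before trusting the timestamps.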
The network operation trace investigation module is mainly used to extract the network operating state from the operating system and to provide the forensic investigator with details of the network in the current system, including network applications, the basic network and so on. Specifically it is refined into three parts: a basic operation information investigation function, a network cache investigation function and a network application state investigation function. Since netstat itself reads /proc/net/tcp, /proc/net/udp and the socket links under /proc/*/fd, and a userland rootkit on a compromised host may replace the netstat binary, the module should read those /proc tables directly or run a statically linked netstat brought by the investigator.
1. Basic operation information investigation function, mainly produced by parsing the output of the netstat program.
(1) Extract the current network connection state and decide whether abnormal inbound or outbound connections exist.
(2) The IP address, subnet mask, gateway address, network interface card information and so on corresponding to each network connection. If abnormal network connections are found, screening on this information allows the attack source to be located quickly, making it convenient for the investigator to trace the source and reconstruct the attack path.
2. Network cache investigation function (this function is based on the operating system's network caches and is obtained by parsing the operating system's cache files).
(1) ARP cache information: by consulting the ARP cache one can judge whether the system has suffered an ARP spoofing attack, which helps the investigator analyse the attack source and attack method.
(2) DNS cache information: from the DNS cache information one can judge whether the current system has been subjected to DNS poisoning, or where it has been redirected to, which helps the investigator trace the source and determine the attack entry point. A stock Linux host keeps no system-wide DNS cache; resolver results are cached only when a caching service such as nscd, systemd-resolved or dnsmasq is running, so the module has to read that service's cache, and /etc/hosts and /etc/resolv.conf should be collected as the persistent redirection points.
3. Network application state investigation function, mainly produced by parsing the output of the netstat program.
It obtains the correspondence between network applications, IP addresses, listening ports and the current connection state. From this relation one can judge whether malicious network applications and their listening ports exist in the system, so that the investigator can trace the attack and intercept the content transmitted by the malicious application from the memory data.
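As an added example (not the patent's own code), the network checks above implemented directly over the kernel tables netstat reads: a /proc/net/tcp parser that decodes the kernel's hex addresses (assuming a little-endian host), listener and external-connection screening against an investigator-supplied baseline, and a /proc/net/arp parser that flags the two usual ARP-spoofing indicators, one MAC claiming several IPs and a gateway MAC that differs from the known one. Both tables are constructed inline; the addresses are RFC 5737 documentation and private ranges.

```python
import ipaddress
import socket
import struct
from collections import defaultdict

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

def _hex_addr(field):
    """'0F00000A:0016' -> ('10.0.0.15', 22). Assumes a little-endian host (x86)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Rows of /proc/net/tcp (the table netstat -tn reads) as dicts."""
    conns = []
    for ln in text.splitlines()[1:]:                  # first line is the header
        f = ln.split()
        if len(f) < 10:
            continue
        (lip, lport), (rip, rport) = _hex_addr(f[1]), _hex_addr(f[2])
        conns.append({"local": lip, "lport": lport, "remote": rip, "rport": rport,
                      "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7]),
                      "inode": int(f[9])})   # inode -> pid via /proc/*/fd on a live host
    return conns

def listeners(conns):
    return sorted((c["local"], c["lport"]) for c in conns if c["state"] == "LISTEN")

def unexpected_listeners(conns, allowed_ports):
    """Listening sockets not on the investigator's baseline of expected ports."""
    return [l for l in listeners(conns) if l[1] not in allowed_ports]

def external_established(conns, internal_nets=("10.0.0.0/8",)):
    """Established connections whose peer lies outside the site's own networks."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    return [c for c in conns if c["state"] == "ESTABLISHED"
            and not any(ipaddress.ip_address(c["remote"]) in n for n in nets)]

def parse_proc_net_arp(text):
    rows = []
    for ln in text.splitlines()[1:]:
        f = ln.split()
        if len(f) >= 6:
            rows.append({"ip": f[0], "mac": f[3].lower(), "dev": f[5]})
    return rows

def arp_spoof_indicators(entries, gateway_ip, known_gateway_mac=None):
    """One MAC answering for several IPs, or a gateway MAC that differs from the baseline."""
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append(e["ip"])
    gw_mac = next((e["mac"] for e in entries if e["ip"] == gateway_ip), None)
    return {"shared_mac": {m: ips for m, ips in by_mac.items() if len(ips) > 1},
            "gateway_mac": gw_mac,
            "gateway_mac_changed": (known_gateway_mac is not None
                                    and gw_mac != known_gateway_mac.lower())}

# ---- constructed sample tables; not captured from a real host ----
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18329 1 0 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22467 1 0 100 0 0 10 0
   2: 0F00000A:0016 0500000A:D2B4 01 00000000:00000000 00:00000000 00000000     0        0 22901 1 0 20 4 30 10 -1
   3: 0F00000A:B5E2 097100CB:115C 01 00000000:00000000 00:00000000 00000000    33        0 23110 1 0 20 4 30 10 -1
"""
SAMPLE_PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         52:54:00:aa:bb:cc     *        eth0
10.0.0.5         0x1         0x2         52:54:00:11:22:33     *        eth0
10.0.0.7         0x1         0x2         52:54:00:aa:bb:cc     *        eth0
"""

def demo():
    conns = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    arp = parse_proc_net_arp(SAMPLE_PROC_NET_ARP)
    return {"unexpected_listeners": unexpected_listeners(conns, {22}),
            "external": [(c["remote"], c["rport"], c["uid"])
                         for c in external_established(conns)],
            "arp": arp_spoof_indicators(arp, "10.0.0.1",
                                        known_gateway_mac="52:54:00:de:ad:01")}

if __name__ == "__main__":
    print(demo())
```

In the sample, row 3 is the finding the module is after: the web server's UID (33) holds an established connection to an external host on port 4444 while an unexpected listener sits on 8080, and the ARP table shows the gateway's IP answered by the same MAC as 10.0.0.7. Mapping the inode column to a process requires walking /proc/*/fd on the live host, which the example leaves out because it cannot be done offline.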
Because a Linux system manages the logs of all applications and of the system itself in a unified way, the main work of the log information investigation module is to extract these system logs, classify them, compile statistics and archive them, while providing a keyword search function so that the investigator can search specific log content by keyword, such as abnormal system logins or abnormal application operations, and review and analyse the log content in a friendly manner. It mainly extracts part of the log files located under /var/log.
Two functions support the realisation of this module:
1. Log file parsing and database import: all necessary logs are parsed and stored, according to the different fields and attributes, in a database composed of different data structures, so that the forensic investigator clearly understands the meaning of each field when reviewing, giving a result presentation that is clear in reasoning and friendly in interface.
2. Keyword search module: from a keyword entered by the forensic investigator, all related records in the database are matched automatically and displayed, providing the forensic investigator with information screening and arrangement.
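An added example, not the patent's implementation, of the two log functions just described: a parser for traditional syslog lines loaded into an SQLite table (one row per line, with fields split out and unparsable lines kept as raw text), a keyword search that binds the investigator's input as a parameter with LIKE wildcards escaped so it can never alter the query, and one derived statistic (failed SSH logins per source). The auth.log excerpt is constructed; the host, addresses and PIDs are invented.

```python
import re
import sqlite3
from collections import Counter

# Traditional syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_syslog_line(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"]) if d["pid"] else None
    return d

def load_logs(conn, source, text):
    """Parse one log file into the `log` table; unparsable lines keep their raw text."""
    conn.execute("""CREATE TABLE IF NOT EXISTS log(
        id INTEGER PRIMARY KEY, source TEXT, ts TEXT, host TEXT,
        prog TEXT, pid INTEGER, msg TEXT, raw TEXT)""")
    n = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        d = parse_syslog_line(line) or {"ts": None, "host": None, "prog": None,
                                        "pid": None, "msg": line}
        conn.execute("INSERT INTO log(source, ts, host, prog, pid, msg, raw) "
                     "VALUES (?,?,?,?,?,?,?)",
                     (source, d["ts"], d["host"], d["prog"], d["pid"], d["msg"], line))
        n += 1
    conn.commit()
    return n

def keyword_search(conn, keyword):
    """Substring search over the message column. The keyword is bound as a parameter
    and its LIKE wildcards are escaped, so investigator input never becomes SQL."""
    esc = keyword.replace("\\", "\\\\").replace("%", r"\%").replace("_", r"\_")
    return conn.execute(
        "SELECT source, ts, host, prog, msg FROM log WHERE msg LIKE ? ESCAPE '\\' ORDER BY id",
        ("%" + esc + "%",)).fetchall()

def failed_ssh_by_source(conn):
    """Count of sshd 'Failed password' lines per source address."""
    counts = Counter()
    for (msg,) in conn.execute("SELECT msg FROM log WHERE prog = 'sshd'").fetchall():
        m = SSH_FAIL_RE.match(msg)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)

# ---- constructed sample of /var/log/auth.log; not from a real host ----
SAMPLE_AUTH_LOG = """\
May 27 03:10:01 web01 sshd[2231]: Failed password for root from 203.0.113.9 port 51234 ssh2
May 27 03:10:04 web01 sshd[2231]: Failed password for root from 203.0.113.9 port 51236 ssh2
May 27 03:10:09 web01 sshd[2240]: Accepted password for www from 203.0.113.9 port 51240 ssh2
May 27 03:11:30 web01 sudo:      www : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/sbin/insmod /tmp/rk.ko
May 27 03:11:31 web01 kernel: rk: module verification failed: signature and/or required key missing - tainting kernel
May 27 09:15:02 web01 sshd[2310]: Accepted publickey for alice from 10.0.0.5 port 40222 ssh2
"""

def demo():
    conn = sqlite3.connect(":memory:")
    n = load_logs(conn, "/var/log/auth.log", SAMPLE_AUTH_LOG)
    return {"rows": n,
            "insmod": [(prog, msg) for _, _, _, prog, msg in keyword_search(conn, "insmod")],
            "from_attacker": len(keyword_search(conn, "203.0.113.9")),
            "wildcard_literal": len(keyword_search(conn, "%")),
            "ssh_failures": failed_ssh_by_source(conn)}

if __name__ == "__main__":
    print(demo())
```

The escaping matters because the search box is the one place where an outsider's data (the keyword, or log content an attacker wrote) meets the investigator's database; a search for "%" must find literal percent signs, not every row. For an on-disk database the same `load_logs` call is repeated per file under /var/log, with `source` recording which file each row came from so the row can be tied back to the hashed original.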
Regarding the memory information investigation module: because memory holds a large amount of the current system's state, covering files, logs, network, users and much other information, the significance of memory forensics is twofold. (1) In terms of judicial effect it provides the physical data supporting the investigation results of the other major modules, making it easy to examine and re-examine all the digital evidence extracted from the system and ensuring its judicial admissibility. (2) Memory also contains other sensitive information not covered by the modules above; more detailed analysis and mining of the extracted memory data makes it possible to extract judicially admissible digital evidence left by unconventional computer crime techniques.
In the present invention, because the security mechanisms of modern Linux systems do not allow user programs to dump memory directly, the third-party open-source tool fmem is used to dump memory, and the memory information investigation module is realised in combination with the system dd tool. Because this tool requires a kernel module to be loaded on the system under investigation, and in order to avoid the data files becoming untrustworthy because the system environment was changed, the memory forensics module is placed as the last step of the forensic process, so as to avoid the problem of the other digital evidence becoming unreliable because of the memory image. This ordering trades the volatile data lost while the other modules run for evidence that is not contaminated by the module load; the usual order-of-volatility guidance acquires memory first, so the choice, and the loading of the fmem module itself, should be recorded in the evidence project.
The evidence fixation module is mainly used to fix all extracted evidence. Its content covers the MD5 values of all data files, the evidence collection time, the investigator's name, the investigator's ID, the investigator's contact method and so on, ensuring that the extracted evidence is not maliciously modified by personnel involved in the investigation, which would affect its judicial effect.
In a real forensic investigation, because digital evidence is easily modified and easily damaged, there may also be cases where some forensic personnel maliciously modify the evidence material so as to circumvent the law for others. The system therefore adopts an "untrusted" principle for forensic personnel once the data extraction phase is over, that is, it does not trust that forensic personnel will leave the evidence material unmodified. It therefore hashes each original evidence item and each processed database file that the program extracts (the system uses the MD5 algorithm for this operation), and in the final "project" file records in detail the evidence collection time, the forensic personnel's name, identity ID, contact method and so on, ensuring that when the evidence material is damaged or suspected of modification this can be discovered in time by the supervising department and responsibility pursued. Two caveats apply to this design: MD5 is no longer collision-resistant, so a SHA-2 digest should be recorded alongside it, and a hash that the investigator can recompute does not by itself bind the investigator, since the project file can be re-hashed after a modification; the manifest must be signed or sealed with a key, or lodged with a timestamp, outside the investigator's control.
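As an added example (not the patent's code), the evidence fixation step as a practitioner would harden it: a project manifest that records the investigator's identity, the collection time and, per file, the MD5 the patent uses plus a SHA-256, sealed with an HMAC under a key assumed to be held by the supervising department rather than the investigator. The demo builds a constructed two-file evidence set in a temporary directory, tampers with one file, and shows that re-hashing the altered file hides the change from the per-file check but not from the seal.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

def file_digests(path, chunk=1 << 20):
    """MD5 (what the patent records) and SHA-256 (what this example verifies) of one file."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "size": os.path.getsize(path)}

def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(evidence_dir, investigator, seal_key):
    """Project file: investigator identity, collection time, per-file digests, plus an
    HMAC seal under a key the investigator does not hold (assumption: the supervising
    department keeps it), so re-hashing after a modification is detectable."""
    files = {}
    for root, _, names in os.walk(evidence_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            files[os.path.relpath(path, evidence_dir)] = file_digests(path)
    body = {"investigator": investigator,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "files": files}
    return {"body": body,
            "seal": hmac.new(seal_key, _canonical(body), hashlib.sha256).hexdigest()}

def seal_is_valid(manifest, seal_key):
    expected = hmac.new(seal_key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(manifest["seal"], expected)

def verify_files(manifest, evidence_dir):
    """Names of evidence files that are missing or whose SHA-256 no longer matches."""
    bad = []
    for rel, rec in manifest["body"]["files"].items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.isfile(path) or file_digests(path)["sha256"] != rec["sha256"]:
            bad.append(rel)
    return bad

def demo():
    """Constructed evidence set: two small files standing in for wtmp and the log database."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "wtmp"), "wb") as f:
            f.write(b"\x07\x00\x00\x00" + b"\x00" * 380)
        with open(os.path.join(d, "logs.db"), "wb") as f:
            f.write(b"SQLite format 3\x00")
        key = b"seal-key-held-by-supervising-department"   # assumption, see lead-in
        who = {"name": "Zhang San", "id": "INV-0042", "contact": "zhang.san@example.org"}
        m = build_manifest(d, who, key)
        before = verify_files(m, d)
        with open(os.path.join(d, "wtmp"), "ab") as f:       # evidence tampered afterwards
            f.write(b"\x00" * 384)
        after = verify_files(m, d)
        # A dishonest investigator re-hashes the altered file but cannot recompute the seal.
        rehashed = json.loads(json.dumps(m))
        rehashed["body"]["files"]["wtmp"] = file_digests(os.path.join(d, "wtmp"))
        return {"before": before, "after": after,
                "seal_ok": seal_is_valid(m, key),
                "rehashed_seal_ok": seal_is_valid(rehashed, key),
                "files_ok_after_rehash": verify_files(rehashed, d)}

if __name__ == "__main__":
    print(demo())
```

The manifest is serialised canonically (sorted keys, no whitespace) before sealing so that a byte-identical reconstruction is possible from the JSON on disk. An HMAC only works if the key really is unavailable to the person being bound; where no separate key holder exists, a digital signature with the department's key or a trusted timestamp over the manifest digest serves the same purpose.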
The invention also provides a graphical user interface, programmed with Qt. Because the program architecture keeps the functional code and the GUI code separate, the interface only provides basic operation and display functions. By a reasonable use of tab pages, the detailed functions of each module are displayed on the interface by category, giving the forensic investigator a clear and intuitive forensic result; on the one hand this is convenient for the investigator's operation, on the other hand it is convenient for the evidence analyst to analyse the acquired evidence material.
Claims (10)
1. A digital forensics system based on a Linux environment, characterised in that the system consists of a host operation trace investigation module, a network operation trace investigation module, a log information investigation module, a memory information investigation module and an evidence fixation module, wherein the host operation trace investigation module comprises a basic operation investigation function and an application information investigation function, the latter realised by extracting the system package manager database; the network operation trace investigation module comprises a basic operation information investigation function, a network cache investigation function and a network application state investigation function; the log information investigation module comprises a log file parsing and database import function and a keyword search module; the memory information investigation module dumps memory with the third-party open-source tool fmem and realises memory information investigation in combination with the system dd tool; and the evidence fixation module hashes the original evidence and the processed database files and records the related information, ensuring that damage to the evidence material, or suspicion that it has been modified, can be discovered in time by the supervising department.
2. The digital forensics system based on a Linux environment according to claim 1, characterised in that the basic operation investigation function comprises:
(1) obtaining the system login time list, by parsing the system record files wtmp and btmp, to investigate information such as unauthorised access or access at suspicious times;
(2) the list of services started by the system during the boot and login process, to investigate whether the system contains a rootkit or other self-starting backdoor program installed by an attacker;
(3) basic user information, to judge whether the current system contains illegal or suspicious users.
3. The digital forensics system based on a Linux environment according to claim 1, characterised in that the application information investigation function comprises:
(1) obtaining the list of programs installed in the system, to judge whether rootkits and other illegal or malicious applications are present;
(2) obtaining the installation packages left behind in the system and, combined with the installed-program list, judging whether the corresponding illegal applications are or were installed in the current system, so that the investigator can judge the degree to which the system or its network was attacked and the scope of impact, and can also trace the source of the attack from this information.
4. The digital forensics system based on a Linux environment according to claim 1, characterised in that the basic operation information investigation function is produced by parsing the output of the netstat program and comprises:
(1) extracting the current network connection state and deciding whether abnormal inbound or outbound connections exist;
(2) if abnormal network connections are found, screening on this information so that the attack source can be located quickly, making it convenient for the investigator to trace the source and reconstruct the attack path.
5. The digital evidence obtaining system based on Linux environment according to claim 1, characterised in that the network cache investigation function includes:
(1) ARP cache information: by consulting the ARP cache it can be determined whether the system has suffered ARP spoofing attacks, which facilitates the investigator's analysis of the attack source and attack method;
(2) DNS cache information: from the DNS cache information it can be determined whether the current system has been subjected to DNS pollution, or where it has been redirected to, which makes it easy for the investigator to trace the source and determine the attack entry point.
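As an added illustration of claim 5 (not the patent's own code), the following Python parses constructed `/proc/net/arp` content and flags two ARP spoofing indicators: one MAC address answering for several IP addresses, and a gateway entry whose MAC differs from the baseline the investigator recorded during normal operation. Linux keeps no single DNS cache file that can be read offline, so for the DNS half this example checks the persistent resolver artifacts an investigator can collect from the disk image, `/etc/hosts` overrides of watched domains and `/etc/resolv.conf` nameservers, against an expected set; that substitution, the sample contents, the watched domains and the baselines are all assumptions.

```python
"""Network cache investigation (claim 5): ARP spoofing indicators from
/proc/net/arp plus resolver-side DNS tampering checks.
Added illustration, not the patent's own code; all sample data is constructed."""
from collections import defaultdict

# Constructed copy of /proc/net/arp from a host on 10.0.0.0/24; the gateway
# 10.0.0.1 has taken on the MAC of 10.0.0.9.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         52:54:00:aa:bb:09     *        eth0
10.0.0.9         0x1         0x2         52:54:00:aa:bb:09     *        eth0
10.0.0.20        0x1         0x2         52:54:00:aa:bb:20     *        eth0
"""
# Constructed /etc/hosts and /etc/resolv.conf contents.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# entry not placed by the administrator
203.0.113.50 login.example.com www.example.com
"""
SAMPLE_RESOLV = """\
nameserver 10.0.0.1
nameserver 198.51.100.3
"""


def parse_proc_arp(text):
    """Return (ip, mac, device) triples; the header line and incomplete
    entries (flags 0x0) are skipped."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6 or fields[2] == "0x0":
            continue
        ip, _hwtype, _flags, mac, _mask, dev = fields[:6]
        entries.append((ip, mac.lower(), dev))
    return entries


def arp_findings(entries, gateway_ip=None, known_gateway_mac=None):
    """Flag a MAC bound to several IPs, and a gateway whose MAC differs from
    the investigator's recorded baseline."""
    by_mac = defaultdict(list)
    for ip, mac, _dev in entries:
        by_mac[mac].append(ip)
    findings = [("mac-shared", mac, ips) for mac, ips in by_mac.items() if len(ips) > 1]
    if gateway_ip and known_gateway_mac:
        baseline = known_gateway_mac.lower()
        for ip, mac, _dev in entries:
            if ip == gateway_ip and mac != baseline:
                findings.append(("gateway-mac-mismatch", ip, mac, baseline))
    return findings


def parse_hosts(text):
    """Map each hostname in /etc/hosts to the address it is pinned to."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def hosts_overrides(mapping, watched_domains):
    """Watched domains that /etc/hosts redirects away from DNS resolution."""
    return [(d, mapping[d]) for d in sorted(watched_domains) if d in mapping]


def resolver_findings(text, expected_nameservers):
    """Nameservers in resolv.conf that are not in the expected set."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in expected_nameservers:
            found.append(parts[1])
    return found


if __name__ == "__main__":
    arp = parse_proc_arp(SAMPLE_ARP)
    for f in arp_findings(arp, gateway_ip="10.0.0.1", known_gateway_mac="52:54:00:AA:BB:01"):
        print("ARP:", f)
    for f in hosts_overrides(parse_hosts(SAMPLE_HOSTS), {"login.example.com"}):
        print("hosts override:", f)
    for ns in resolver_findings(SAMPLE_RESOLV, {"10.0.0.1"}):
        print("unexpected nameserver:", ns)
```

The MAC baseline and the expected nameserver set are the investigator's inputs; a shared MAC is only an indicator (legitimate multi-homed hosts and some virtualization setups produce it too), so each finding is returned for review rather than treated as a verdict.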
6. The digital evidence obtaining system based on Linux environment according to claim 1, characterised in that the network application state investigation function is produced by parsing the results of the netstat program to obtain the correspondence between network applications, IP addresses, listening ports and existing connection states; from this correspondence it can be judged whether malicious network applications and their listening ports exist in the system, which facilitates the investigator in tracing the attack source and intercepting the content transferred by the malicious application from the data in memory.
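As an added illustration of claims 4 and 6 together (not code from the patent), the following Python parses constructed `netstat -antp` output into structured records, derives the program, IP address and listening port correspondence that claim 6 describes, and performs the screening of claim 4 against an investigator-supplied baseline: listeners on ports outside the expected set, and established connections whose peer lies outside the trusted address ranges. The sample output, the port baseline and the trusted ranges are constructed assumptions.

```python
"""Basic operation and network application state investigation (claims 4 and 6):
structured records from `netstat -antp` output, the program/IP/port
correspondence, and screening against an investigator-supplied baseline.
Added illustration, not the patent's own code; the sample output is constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample, modelled on the column layout of `netstat -antp` on Linux.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2314/.x
tcp        0      0 10.0.0.5:22             10.0.0.9:50212          ESTABLISHED 1534/sshd
tcp        0      0 10.0.0.5:49822          203.0.113.7:6667        ESTABLISHED 2314/.x
tcp6       0      0 :::80                   :::*                    LISTEN      990/nginx
"""


def _split_addr(addr):
    """'10.0.0.5:22' -> ('10.0.0.5', 22); a '*' port becomes None."""
    host, port = addr.rsplit(":", 1)
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Return one dict per TCP socket line; banner and column header are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 6)  # program name may contain spaces: keep it whole
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        proto, _recvq, _sendq, local, remote, state = parts[:6]
        owner = parts[6] if len(parts) > 6 else "-"
        pid, _, program = owner.partition("/")
        lip, lport = _split_addr(local)
        rip, rport = _split_addr(remote)
        records.append({
            "proto": proto, "local_ip": lip, "local_port": lport,
            "remote_ip": rip, "remote_port": rport, "state": state,
            "pid": int(pid) if pid.isdigit() else None,
            "program": program or "-",
        })
    return records


def listening_services(records):
    """Claim 6: map each (program, pid) to the (ip, port) pairs it listens on."""
    table = defaultdict(list)
    for r in records:
        if r["state"] == "LISTEN":
            table[(r["program"], r["pid"])].append((r["local_ip"], r["local_port"]))
    return dict(table)


def screen_connections(records, expected_ports, trusted_networks):
    """Claim 4: findings for listeners outside the expected port baseline and
    for established connections whose peer is outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for r in records:
        tag = f"{r['program']}[{r['pid']}]"
        if r["state"] == "LISTEN" and r["local_port"] not in expected_ports:
            findings.append(("unexpected-listener", r["local_port"], tag))
        elif r["state"] == "ESTABLISHED":
            peer = ipaddress.ip_address(r["remote_ip"])
            if not any(peer in n for n in nets):
                findings.append(("untrusted-peer", f"{peer}:{r['remote_port']}", tag))
    return findings


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    for (prog, pid), ports in listening_services(recs).items():
        print(f"{prog}[{pid}] listens on {ports}")
    for finding in screen_connections(recs, expected_ports={22, 80}, trusted_networks=["10.0.0.0/8"]):
        print("finding:", finding)
```

The baseline is deliberately explicit rather than derived from "private" address heuristics: what counts as an expected port or a trusted peer is site-specific, and the investigator supplies it from the system's documented role. On a live system, `netstat` output is itself subject to tampering by a kernel-level Rootkit, which is why the patent pairs it with the file-integrity and startup-service checks of the other claims.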
7. The digital evidence obtaining system based on Linux environment according to claim 1, characterised in that the log file analysis and storage function analyzes all necessary logs and stores the different data structures in the database according to the attributes of the different fields, so that the evidence obtaining investigator clearly knows the meaning represented by each field when checking it, forming a clearly organized and user-friendly form of result feedback.
8. The digital evidence obtaining system based on Linux environment according to claim 1, characterised in that the keyword search module automatically matches and displays all relevant records in the database for a keyword entered by the evidence obtaining investigator, providing the investigator with information screening and sorting functions.
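As an added illustration of claims 7 and 8 together (not the patent's own code), the following Python splits constructed `auth.log` lines into typed fields (timestamp, host, process, PID, user, source IP, message), stores them in an SQLite table with one column per field, and provides the keyword search of claim 8 over the text columns. The log lines are constructed; the schema and the field extraction patterns are assumptions chosen for sshd and sudo records.

```python
"""Log analysis into a database with keyword search (claims 7 and 8).
Added illustration, not the patent's own code; the log lines are constructed."""
import re
import sqlite3

# Constructed excerpt in the syslog layout of /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
May 26 10:01:02 host1 sshd[1534]: Accepted password for alice from 10.0.0.9 port 50212 ssh2
May 26 10:01:40 host1 sshd[1602]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
May 26 10:02:11 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
May 26 10:03:05 host1 sshd[1650]: Failed password for root from 203.0.113.7 port 41100 ssh2
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([\w.\-]+)(?:\[(\d+)\])?: (.*)$")
SSH_USER_RE = re.compile(r"for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
SUDO_USER_RE = re.compile(r"^\s*(\S+) : TTY=")

SCHEMA = """
CREATE TABLE auth_events (
    id INTEGER PRIMARY KEY,
    ts TEXT NOT NULL, host TEXT NOT NULL, process TEXT NOT NULL,
    pid INTEGER, user TEXT, src_ip TEXT, message TEXT NOT NULL
)"""
TEXT_COLUMNS = ("host", "process", "user", "src_ip", "message")


def parse_auth_line(line):
    """Split a syslog line into typed fields; None for lines in another layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, process, pid, message = m.groups()
    user = src_ip = None
    ssh = SSH_USER_RE.search(message)
    if ssh:
        user, src_ip = ssh.groups()
    else:
        sudo = SUDO_USER_RE.match(message)
        if sudo:
            user = sudo.group(1)
    return {"ts": ts, "host": host, "process": process,
            "pid": int(pid) if pid else None,
            "user": user, "src_ip": src_ip, "message": message.strip()}


def build_db(lines, path=":memory:"):
    """Parse every line and store it with one typed column per field."""
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA)
    rows = [r for r in map(parse_auth_line, lines) if r]
    conn.executemany(
        "INSERT INTO auth_events (ts, host, process, pid, user, src_ip, message) "
        "VALUES (:ts, :host, :process, :pid, :user, :src_ip, :message)", rows)
    conn.commit()
    return conn


def search(conn, keyword):
    """Return every record whose text columns contain the keyword, in log order.
    The keyword is bound as a parameter and its LIKE wildcards are escaped, so
    investigator input cannot change the query or match more than it typed."""
    escaped = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pattern = f"%{escaped}%"
    where = " OR ".join(f"{col} LIKE ? ESCAPE '\\'" for col in TEXT_COLUMNS)
    sql = f"SELECT * FROM auth_events WHERE {where} ORDER BY id"
    return [dict(r) for r in conn.execute(sql, [pattern] * len(TEXT_COLUMNS))]


if __name__ == "__main__":
    db = build_db(SAMPLE_AUTH_LOG.splitlines())
    for hit in search(db, "203.0.113.7"):
        print(hit["ts"], hit["process"], hit["user"], hit["message"])
```

Column names are fixed in `TEXT_COLUMNS` and only the keyword travels as a bound parameter, which is the usual way to keep a free-text search box from becoming an SQL injection path into the evidence database.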
9. The digital evidence obtaining system based on Linux environment according to claim 1, characterised in that the system may also include a graphical operating interface.
10. The digital evidence obtaining system based on Linux environment according to claim 1, characterised in that the evidence fixing module specifically: writes the evidence obtaining investigator's name, identity ID, contact method and evidence obtaining time information into an evidence project file, and performs hash processing on the acquired digital evidence files to form a basic file verification, so as to achieve the purpose of fixing the evidence and preventing malicious evidence obtaining personnel from altering the evidence material.
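As an added illustration of claim 10 (not the patent's own code), the following Python writes an evidence project file carrying the investigator's name, ID, contact method and the acquisition time, binds every acquired file to its SHA-256 digest, and re-verifies the tree later so that a modified, missing or newly added file is reported. The JSON layout, the field names, the digest over the file list (an addition to the claim's per-file hashing) and the `demo_case` fixture with its constructed evidence file are all assumptions.

```python
"""Evidence fixing (claim 10): record the investigator's identity and the
acquisition time in a project file and bind every acquired evidence file to
its SHA-256 digest so later alteration is detectable.
Added illustration, not the patent's own code."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20


def sha256_file(path):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _walk_evidence(evidence_dir, skip_path):
    """Yield (relative_path, absolute_path) for every file in the tree, in a
    stable order, skipping the project file itself."""
    skip = os.path.abspath(skip_path)
    for root, dirs, files in os.walk(evidence_dir):
        dirs.sort()
        for name in sorted(files):
            absolute = os.path.join(root, name)
            if os.path.abspath(absolute) != skip:
                yield os.path.relpath(absolute, evidence_dir).replace(os.sep, "/"), absolute


def _manifest_digest(files):
    return hashlib.sha256(json.dumps(files, sort_keys=True).encode()).hexdigest()


def fix_evidence(evidence_dir, project_path, investigator):
    """Write the evidence project file. `investigator` carries the fields the
    claim names (name, id, contact); the acquisition time is taken in UTC."""
    files = [{"path": rel, "size": os.path.getsize(abs_), "sha256": sha256_file(abs_)}
             for rel, abs_ in _walk_evidence(evidence_dir, project_path)]
    record = {
        "investigator": {k: investigator[k] for k in ("name", "id", "contact")},
        "acquired_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": files,
        # digest over the file list, so a rewritten list is itself detectable
        "manifest_sha256": _manifest_digest(files),
    }
    with open(project_path, "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_evidence(evidence_dir, project_path):
    """Re-hash the tree and report every deviation from the project file."""
    with open(project_path, encoding="utf-8") as fh:
        record = json.load(fh)
    problems = []
    if _manifest_digest(record["files"]) != record["manifest_sha256"]:
        problems.append(("manifest-altered", os.path.basename(project_path)))
    listed = {f["path"]: f["sha256"] for f in record["files"]}
    present = dict(_walk_evidence(evidence_dir, project_path))
    for rel, digest in listed.items():
        if rel not in present:
            problems.append(("missing", rel))
        elif sha256_file(present[rel]) != digest:
            problems.append(("modified", rel))
    problems.extend(("unlisted", rel) for rel in present if rel not in listed)
    return problems


def demo_case():
    """Build a constructed case in a temp directory, fix it, then alter a file."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    try:
        os.makedirs(os.path.join(workdir, "logs"))
        target = os.path.join(workdir, "logs", "auth.log")
        with open(target, "wb") as fh:
            fh.write(b"abc")  # constructed evidence content
        project = os.path.join(workdir, "case.json")
        record = fix_evidence(workdir, project, {
            "name": "A. Investigator", "id": "ID-0001",  # placeholder identity
            "contact": "investigator@example.invalid"})
        before = verify_evidence(workdir, project)
        with open(target, "ab") as fh:
            fh.write(b"!")  # simulated post-acquisition alteration
        after = verify_evidence(workdir, project)
        return {"sha256": record["files"][0]["sha256"], "before": before, "after": after}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo_case())
```

The project file only detects alteration; it does not by itself prove who wrote it. In practice the project file, or at least its `manifest_sha256`, is stored outside the evidence tree (on write-once media or signed with the investigator's key), since an investigator who can rewrite both the evidence and the file list would otherwise leave no trace.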
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710385433.7A CN107332820A (en) | 2017-05-26 | 2017-05-26 | Digital evidence obtaining system based on Linux environment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107332820A true CN107332820A (en) | 2017-11-07 |
Family
ID=60193089
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710385433.7A Pending CN107332820A (en) | 2017-05-26 | 2017-05-26 | Digital evidence obtaining system based on Linux environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107332820A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101017563A (en) * | 2006-11-21 | 2007-08-15 | 北京大学 | Method for fixing and saving evidence of computer crime and device therefor |
US20110314148A1 (en) * | 2005-11-12 | 2011-12-22 | LogRhythm Inc. | Log collection, structuring and processing |
CN102708152A (en) * | 2012-04-18 | 2012-10-03 | 南京邮电大学 | Integrated management method for electronic evidence |
CN104392177A (en) * | 2014-12-16 | 2015-03-04 | 武汉虹旭信息技术有限责任公司 | Android platform based virus forensics system and method |
Non-Patent Citations (1)
Title |
---|
刘涛 (Liu Tao): "Research and Implementation of Evidence Collection Based on the Linux System" (基于Linux系统的证据收集研究与实现), China Master's Theses Full-text Database (中国优秀硕士论文全文数据库) * |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108737373A (en) * | 2018-04-12 | 2018-11-02 | 国家计算机网络与信息安全管理中心 | A kind of security forensics method for catenet equipment concealment techniques |
CN108737373B (en) * | 2018-04-12 | 2020-09-22 | 国家计算机网络与信息安全管理中心 | Safety evidence obtaining method for large network equipment hiding technology |
CN111030975A (en) * | 2019-04-26 | 2020-04-17 | 北京安天网络安全技术有限公司 | Load analysis-based threat prediction method and device and storage equipment |
CN111030975B (en) * | 2019-04-26 | 2023-02-28 | 北京安天网络安全技术有限公司 | Load analysis-based threat prediction method and device and storage equipment |
CN111475465A (en) * | 2020-03-19 | 2020-07-31 | 重庆邮电大学 | Intelligent home evidence obtaining method based on body |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 2017-11-07