CN107463714A - A key-evidence binary search method based on an evidence-chain time series - Google Patents
- Publication number
- CN107463714A
- Authority
- CN
- China
- Prior art keywords
- evidence
- key
- chain
- time series
- time
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/30—Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
- G06F16/33—Querying
- G06F16/3331—Query processing
Abstract
The invention discloses a key-evidence binary search method based on an evidence-chain time series, comprising: sorting the raw data by timestamp to obtain an evidence-chain time series; taking the key timestamp to be looked up, or the start and end timestamps of the time period to be looked up, as the key value; using binary search to find, among the nodes of the evidence-chain time series, the node whose timestamp equals the key value; and, according to the search result, carrying out the forensic investigation at the key time point or within the time period of the evidence-chain time series. In digital forensic analysis of large volumes of data, the invention effectively reduces the time spent searching for key evidence and improves forensic efficiency; compared with the matching search methods provided by existing forensic tools, it has better time performance.
Description
Technical field
The invention belongs to the technical field of digital forensics and relates to electronic evidence analysis within that field, in particular to a key-evidence binary search method based on an evidence-chain time series.
Background
With the rapid development of cloud computing, the data-processing and data-storage capacity of electronic and network devices has increased considerably, and the volume of data held by individuals, groups or enterprises is far beyond the order of magnitude that can be processed manually. The development of communication technology and the spread of smart electronic devices have also, to a large extent, fuelled information-based crime, and the importance of digital forensics is increasingly apparent.
Digital forensics includes device forensics and network forensics, and is broadly divided into three steps: raw data acquisition, data analysis and evidence presentation. Data analysis is a very important step. Its main purpose is to find, on the basis of the acquired raw data, clues and evidence that bear directly on the case, or to obtain through deeper analysis additional information that can help investigate and solve the case. Traditionally, the analysis of raw electronic data is done manually by forensic investigators. Although many fairly mature electronic forensic tools have appeared, in terms of data analysis the existing tools provide only simple data visualization and locating functions, and search data by keyword matching. As the volume of data in information systems gradually grows, the keyword-matching search in existing electronic forensic tools cannot meet the time-performance requirements of digital forensics.
Summary of the invention
To solve the problem of how to find key evidence quickly in a large amount of raw data, the invention provides a key-evidence binary search method based on an evidence-chain time series.
To achieve this, the method comprises:
sorting the raw data by timestamp to obtain an evidence-chain time series;
taking the key timestamp to be looked up, or the start and end timestamps of the time period to be looked up, as the key value;
using binary search to find, among the nodes of the evidence-chain time series, the node whose timestamp equals the key value;
according to the search result, carrying out the forensic investigation at the key time point or within the time period of the evidence-chain time series.
As a further improvement of the invention, when the evidence lookup is a time-point lookup, the method comprises:
Step 11: sort the raw data by timestamp to obtain the evidence-chain time series S;
Step 12: take the key timestamp to be looked up as the key value key;
Step 13: using binary search, compare the timestamp t of the middle node of the evidence-chain time series S with the key value key;
Step 14: if t = key, go to step 16; otherwise denote the sub-chain before the middle node as S1 and the sub-chain after it as S2, and go to step 15;
Step 15: if t > key, set S = S1 and go to step 13; otherwise set S = S2 and go to step 13;
Step 16: according to the search result, carry out the forensic investigation at the key time point of the evidence-chain time series.
As a further improvement of the invention, the number of nodes in the evidence-chain time series S is greater than 2.
As a further improvement of the invention, when the evidence lookup is a time-period lookup, the method comprises:
Step 21: sort the raw data by timestamp to obtain the evidence-chain time series S;
Step 22: take the start timestamp of the time period to be looked up as the key value key;
Step 23: using binary search, compare the timestamp t of the middle node of the evidence-chain time series S with the key value key;
Step 24: if t = key, go to step 26; otherwise denote the sub-chain before the middle node as S1 and the sub-chain after it as S2, and go to step 25;
Step 25: if t > key, set S = S1 and go to step 23; otherwise set S = S2 and go to step 23;
Step 26: the start time divides the evidence-chain time series S into two sub-chains; the sub-chain after the start time is denoted L;
Step 27: take the end timestamp of the time period to be looked up as the key value key';
Step 28: using binary search, compare the timestamp t' of the middle node of the sub-chain L with the key value key';
Step 29: if t' = key', go to step 211; otherwise denote the sub-chain before the middle node as L1 and the sub-chain after it as L2, and go to step 210;
Step 210: if t' > key', set L = L1 and go to step 28; otherwise set L = L2 and go to step 28;
Step 211: according to the search result, carry out the forensic investigation in the part of the evidence-chain time series between the start timestamp and the end timestamp.
As a further improvement of the invention, the number of nodes in the evidence-chain time series S is greater than 2, and the number of nodes in the sub-chain L is greater than 2.
Compared with the prior art, the beneficial effects of the invention are as follows:
In digital forensic analysis of large volumes of data, the invention effectively reduces the time spent searching for key evidence and improves forensic efficiency; compared with the matching search methods provided by existing forensic tools, it has better time performance.
Brief description of the drawings
Fig. 1 is a flow chart of the key-evidence binary search method based on an evidence-chain time series disclosed in one embodiment of the invention;
Fig. 2 is a flow chart of the key-evidence binary search method based on an evidence-chain time series disclosed in another embodiment of the invention.
Detailed description of the embodiments
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the technical solution in the embodiments is described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments, without creative effort, fall within the scope of protection of the invention.
In the description of the invention, it should be noted that orientation or positional terms such as "center", "up", "down", "left", "right", "vertical", "horizontal", "inner" and "outer" are based on the orientation or positional relationship shown in the drawings. They are used only to facilitate and simplify the description, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they are therefore not to be construed as limiting the invention. In addition, the terms "first", "second" and "third" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.
It should also be noted that, unless otherwise expressly specified and limited, the terms "mounted", "connected" and "coupled" are to be understood broadly: a connection may, for example, be fixed, detachable or integral; mechanical or electrical; direct, or indirect through an intermediary; or internal between two elements. A person of ordinary skill in the art can understand the specific meaning of these terms in the invention according to the specific circumstances.
The invention provides a key-evidence binary search method based on an evidence-chain time series, that is, a method that applies the binary search algorithm to search for key evidence over an evidence-chain time series. In a real forensic investigation, looking up only the evidence at a single time point often makes the scope of the investigation rather narrow, and the common practice is to look up the evidence for a time period. Therefore, according to the actual needs of forensic investigation, the invention divides evidence lookup into time-point lookup and time-period lookup.
The method sorts the raw data by timestamp to obtain an evidence-chain time series; takes the key timestamp to be looked up, or the start and end timestamps of the time period to be looked up, as the key value; uses binary search to find, among the nodes of the evidence-chain time series, the node whose timestamp equals the key value; and, according to the search result, carries out the forensic investigation at the key time point or within the time period of the evidence-chain time series. Specifically:
The invention first sorts the raw data by timestamp, normalizing it into an evidence-chain time series ordered by time. It then applies the idea of the binary search algorithm: the key timestamp of the case, or the start and end timestamps of the time period, is taken as the key value, and the timestamp of the data node in the middle of the evidence chain is compared with the key value. The middle data node divides the evidence chain into two sub-chains, and the comparison result determines which sub-chain is searched next. This is repeated recursively until a node whose timestamp equals the key value is found, or until the sub-chain being searched has only two nodes left, at which point the search ends. To search a time period, the above method is first applied with the start time as the key value; the end time is then used as the key value to search the sub-chain after the start time. The part of the evidence chain that lies between the start time and the end time is the target of the forensic investigation.
The invention is described in further detail below with reference to the accompanying drawings:
As shown in Fig. 1, the invention provides a key-evidence binary search method based on an evidence-chain time series, used for time-point lookup, which specifically comprises:
Step 11: sort the raw data by timestamp to obtain the evidence-chain time series S;
Step 12: take the key timestamp to be looked up as the key value key; the key timestamp is the timestamp of the key time point of the case that the user needs to search for;
Step 13: take S as the target sequence of the search; if the number of nodes n in S satisfies n ≤ 2, go to step 17; otherwise find the middle node of the evidence chain, whose timestamp is t;
Step 14: using binary search, compare the timestamp t of the middle node of the evidence-chain time series S with the key value key;
Step 15: if t = key, go to step 17; otherwise denote the sub-chain before the middle node as S1 and the sub-chain after it as S2, and go to step 16;
Step 16: if t > key, set S = S1 and go to step 13; otherwise set S = S2 and go to step 13;
Step 17: determine the scope of the evidence investigation from the search result, that is, according to the search result, carry out the forensic investigation at the key time point of the evidence-chain time series.
As shown in Fig. 2, the invention provides a key-evidence binary search method based on an evidence-chain time series, used for time-period lookup, which specifically comprises:
Step 21: sort the raw data by timestamp to obtain the evidence-chain time series S;
Step 22: take the start timestamp of the time period to be looked up as the key value key;
Step 23: take S as the target sequence of the search; if the number of nodes n in S satisfies n ≤ 2, go to step 27; otherwise find the middle node of the evidence chain, whose timestamp is t;
Step 24: using binary search, compare the timestamp t of the middle node of the evidence-chain time series S with the key value key;
Step 25: if t = key, go to step 27; otherwise denote the sub-chain before the middle node as S1 and the sub-chain after it as S2, and go to step 26;
Step 26: if t > key, set S = S1 and go to step 23; otherwise set S = S2 and go to step 23;
Step 27: the start time divides the evidence-chain time series S into two sub-chains; the sub-chain after the start time is denoted L;
Step 28: take the end timestamp of the time period to be looked up as the key value key';
Step 29: take L as the target sequence of the search; if the number of nodes n in L satisfies n ≤ 2, go to step 213; otherwise find the middle node of the evidence chain, whose timestamp is t';
Step 210: using binary search, compare the timestamp t' of the middle node of the sub-chain L with the key value key';
Step 211: if t' = key', go to step 213; otherwise denote the sub-chain before the middle node as L1 and the sub-chain after it as L2, and go to step 212;
Step 212: if t' > key', set L = L1 and go to step 29; otherwise set L = L2 and go to step 29;
Step 213: according to the search result, carry out the forensic investigation in the part of the evidence-chain time series between the start timestamp and the end timestamp.
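The time-period procedure of Fig. 2, as an added Python example that is not part of the patent text; the function names and the sample records are constructed for illustration. Two behaviours are assumptions on points the steps leave open: when the halving stops with at most two nodes and no exact match, the remaining nodes are inspected to pick the boundary of the window, and every node that shares the key timestamp is kept.

```python
from datetime import datetime

# Constructed sample records (not from the patent): unsorted, UTC, and
# containing one duplicated timestamp.
RAW = [
    ("2017-08-24T10:15:00Z", "usb storage attached"),
    ("2017-08-24T09:00:00Z", "user alice logon"),
    ("2017-08-24T10:20:30Z", "archive created: export.zip"),
    ("2017-08-24T09:42:10Z", "vpn session opened"),
    ("2017-08-24T10:20:30Z", "file copied to removable media"),
    ("2017-08-24T11:05:00Z", "usb storage removed"),
    ("2017-08-24T08:30:00Z", "system boot"),
    ("2017-08-24T10:58:45Z", "browser history cleared"),
    ("2017-08-24T11:30:00Z", "user alice logoff"),
]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def build_chain(raw):
    """Step 21: sort raw records by timestamp into the time series S."""
    return sorted(((ts(t), event) for t, event in raw), key=lambda r: r[0])

def narrow(chain, lo, hi, key):
    """Halving loop of the steps: shrink chain[lo:hi] until the middle node
    equals key or at most two nodes remain. Returns (lo, hi, hit or None)."""
    while hi - lo > 2:
        mid = (lo + hi) // 2
        t = chain[mid][0]
        if t == key:
            return lo, hi, mid
        if t > key:
            hi = mid          # S = S1: sub-chain before the middle node
        else:
            lo = mid + 1      # S = S2: sub-chain after the middle node
    return lo, hi, None

def first_at_or_after(chain, key):
    """Index of the first node with timestamp >= key (len(chain) if none)."""
    lo, hi, hit = narrow(chain, 0, len(chain), key)
    if hit is None:  # assumption: inspect the <= 2 nodes that are left
        hit = next((j for j in range(lo, hi) if chain[j][0] >= key), hi)
    while hit > 0 and chain[hit - 1][0] == key:  # assumption: keep duplicates
        hit -= 1
    return hit

def last_at_or_before(chain, key, start):
    """Index of the last node in chain[start:] with timestamp <= key
    (start - 1 if none); this is the search over the sub-chain L."""
    lo, hi, hit = narrow(chain, start, len(chain), key)
    if hit is None:
        hit = next((j for j in range(hi - 1, lo - 1, -1)
                    if chain[j][0] <= key), lo - 1)
    while hit + 1 < len(chain) and chain[hit + 1][0] == key:
        hit += 1
    return hit

def search_period(chain, start_key, end_key):
    """Nodes with start_key <= timestamp <= end_key."""
    i = first_at_or_after(chain, start_key)
    j = last_at_or_before(chain, end_key, i)
    return chain[i:j + 1]

def search_point(chain, key):
    """Time-point lookup: a period whose start and end are the same key."""
    return search_period(chain, key, key)

if __name__ == "__main__":
    S = build_chain(RAW)
    for t, event in search_period(S, ts("2017-08-24T10:00:00Z"),
                                  ts("2017-08-24T11:00:00Z")):
        print(t.isoformat(), event)
```

The time-point lookup of Fig. 1 is the same search with identical start and end keys, which is how `search_point` is written here.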
In digital forensic analysis of large volumes of data, the invention effectively reduces the time spent searching for key evidence and improves forensic efficiency; compared with the matching search methods provided by existing forensic tools, it has better time performance.
The above are only preferred embodiments of the invention and are not intended to limit it; for those skilled in the art, the invention may have various modifications and variations. Any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall fall within its scope of protection.
Claims (5)
- 1. A key-evidence binary search method based on an evidence-chain time series, characterized by comprising:
  sorting the raw data by timestamp to obtain an evidence-chain time series;
  taking the key timestamp to be looked up, or the start and end timestamps of the time period to be looked up, as the key value;
  using binary search to find, among the nodes of the evidence-chain time series, the node whose timestamp equals the key value;
  according to the search result, carrying out the forensic investigation at the key time point or within the time period of the evidence-chain time series.
- 2. The key-evidence binary search method based on an evidence-chain time series as claimed in claim 1, characterized in that, when the evidence lookup is a time-point lookup, the method comprises:
  Step 11: sort the raw data by timestamp to obtain the evidence-chain time series S;
  Step 12: take the key timestamp to be looked up as the key value key;
  Step 13: using binary search, compare the timestamp t of the middle node of the evidence-chain time series S with the key value key;
  Step 14: if t = key, go to step 16; otherwise denote the sub-chain before the middle node as S1 and the sub-chain after it as S2, and go to step 15;
  Step 15: if t > key, set S = S1 and go to step 13; otherwise set S = S2 and go to step 13;
  Step 16: according to the search result, carry out the forensic investigation at the key time point of the evidence-chain time series.
- 3. The key-evidence binary search method based on an evidence-chain time series as claimed in claim 1, characterized in that the number of nodes in the evidence-chain time series S is greater than 2.
- 4. The key-evidence binary search method based on an evidence-chain time series as claimed in claim 1, characterized in that, when the evidence lookup is a time-period lookup, the method comprises:
  Step 21: sort the raw data by timestamp to obtain the evidence-chain time series S;
  Step 22: take the start timestamp of the time period to be looked up as the key value key;
  Step 23: using binary search, compare the timestamp t of the middle node of the evidence-chain time series S with the key value key;
  Step 24: if t = key, go to step 26; otherwise denote the sub-chain before the middle node as S1 and the sub-chain after it as S2, and go to step 25;
  Step 25: if t > key, set S = S1 and go to step 23; otherwise set S = S2 and go to step 23;
  Step 26: the start time divides the evidence-chain time series S into two sub-chains; the sub-chain after the start time is denoted L;
  Step 27: take the end timestamp of the time period to be looked up as the key value key';
  Step 28: using binary search, compare the timestamp t' of the middle node of the sub-chain L with the key value key';
  Step 29: if t' = key', go to step 211; otherwise denote the sub-chain before the middle node as L1 and the sub-chain after it as L2, and go to step 210;
  Step 210: if t' > key', set L = L1 and go to step 28; otherwise set L = L2 and go to step 28;
  Step 211: according to the search result, carry out the forensic investigation in the part of the evidence-chain time series between the start timestamp and the end timestamp.
- 5. The key-evidence binary search method based on an evidence-chain time series as claimed in claim 4, characterized in that the number of nodes in the evidence-chain time series S is greater than 2, and the number of nodes in the sub-chain L is greater than 2.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710736597.XA CN107463714A (en) | 2017-08-24 | 2017-08-24 | A key-evidence binary search method based on an evidence-chain time series |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107463714A true CN107463714A (en) | 2017-12-12 |
Family
ID=60549495
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710736597.XA Pending CN107463714A (en) | A key-evidence binary search method based on an evidence-chain time series | 2017-08-24 | 2017-08-24 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107463714A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101944115A (en) * | 2010-09-14 | 2011-01-12 | 杭州海康威视数字技术股份有限公司 | Method and system for searching logs |
US8917130B2 (en) * | 2011-04-20 | 2014-12-23 | Ps4 Luxco S.A.R.L. | Semiconductor device including a delay locked loop circuit |
CN105260640A (en) * | 2015-10-28 | 2016-01-20 | 南京邮电大学 | Evidence collecting system and method based on fingerprint authentication and GPS |
CN105653456A (en) * | 2015-12-31 | 2016-06-08 | 网易(杭州)网络有限公司 | Application program performance testing method, device and system |
CN105959328A (en) * | 2016-07-15 | 2016-09-21 | 北京工业大学 | Evidence graph and vulnerability reasoning combined network evidence collection method and system |
CN106452450A (en) * | 2015-08-06 | 2017-02-22 | Sap欧洲公司 | Data compression |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20171212 |