CN108229187A - Method and system for intelligent evidence collection using a removable storage device - Google Patents
- Publication number: CN108229187A
- Application number: CN201711465431.5A
- Authority: CN (China)
- Prior art keywords: evidence collection, data, storage device, removable storage, target device
- Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- G06F21/602: Providing cryptographic facilities or services
  - G: Physics; G06: Computing, calculating or counting; G06F: Electric digital data processing; G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/60: Protecting data
- G06F16/90: Details of database functions independent of the retrieved data types
  - G: Physics; G06: Computing, calculating or counting; G06F: Electric digital data processing; G06F16/00: Information retrieval; database structures therefor; file system structures therefor
Abstract
The present invention provides a method and system for intelligent evidence collection using a removable storage device. The method includes: installing, on a target device, a removable storage device with a built-in evidence collection program; running, on the target device, the evidence collection program carried by the removable storage device; retrieving the historical data of the target device according to the retrieval strategy preset in the evidence collection program, and determining target data; and exporting the target data and storing the exported target data, encrypted according to a predetermined encryption strategy, on the removable storage device. The operating steps of the present invention are therefore simple: the target device needs no modification, and no professional operator with professional analysis software is required to investigate the target device, which reduces the complexity of the evidence collection process and saves a great deal of time and effort. The present invention requires no manual participation, which lowers the error rate of manual operation, indirectly improves the accuracy of evidence collection, and achieves the purpose of providing the required forensic information in a timely, convenient and accurate manner.
Description
Technical field
The present invention relates to the technical field of information processing, and more particularly to a method and system for intelligent evidence collection using a removable storage device.
Background technology
With the widespread popularization of computer applications, more and more computer crimes keep emerging, such as theft of computer information data, destruction or tampering of important computer data, use of computers to produce or spread harmful information, production or transmission of viruses by computer, and "hacker" sabotage of network order. The consequences of such computer crimes severely affect the development of the national economy and the security and stability of society, so forensic investigation of computer crime has become an important means of combating and preventing computer crime at present.
In the prior art, however, professional analysis software is generally used when investigating and collecting evidence on computer crime. Although such professional software is powerful, it is very complicated to use and places high demands on the operating personnel. Under normal conditions, operating personnel need a high level of computer skill and must be technically trained, which consumes a great deal of manpower and material resources. Therefore, at this stage, investigating and collecting evidence on computer crime requires large human and material resources, and the operating steps are complicated, so the necessary forensic information cannot be provided in a timely and convenient manner.
Invention content
In view of the above problems, the present invention is proposed in order to provide a method for intelligent evidence collection using a removable storage device, and a corresponding system, which overcome or at least partly solve the above problems.
According to one aspect of the present invention, a method for intelligent evidence collection using a removable storage device is provided, including:
installing, on a target device, a removable storage device with a built-in evidence collection program;
running, on the target device, the evidence collection program carried by the removable storage device;
retrieving the historical data of the target device according to the retrieval strategy preset in the evidence collection program, and determining target data; and
exporting the target data, and storing the exported target data, encrypted according to a predetermined encryption strategy, on the removable storage device.
Optionally, before running the evidence collection program carried by the removable storage device on the target device, the method further includes:
detecting whether the removable storage device is present in the target device;
if so, triggering the evidence collection program carried by the removable storage device;
if not, reinstalling the removable storage device on the target device.
Optionally, triggering the evidence collection program carried by the removable storage device includes:
triggering the evidence collection program carried by the removable storage device by performing a click or double-click operation on the evidence collection program package; and/or
triggering the evidence collection program carried by the removable storage device by keyboard control on the evidence collection program package.
Optionally, retrieving the historical data of the target device according to the retrieval strategy preset in the evidence collection program and determining target data includes:
retrieving, by the evidence collection program, the browser vendor data, local browser data and local disk browsing data of the target device, and determining target data.
Optionally, retrieving, by the evidence collection program, the browser vendor data, local browser data and local disk browsing data of the target device and determining target data includes:
retrieving, by the evidence collection program, the browser vendor data of the target device, extracting a browser interface, and determining target data according to the browser interface;
retrieving, by the evidence collection program, the local browser data of the target device, extracting the fixed directory of a particular browser, and determining target data according to the fixed directory of the particular browser; and
retrieving the local disk browser data of the target device by calling a file enumeration function from the evidence collection program, and further determining target data.
Optionally, after exporting the target data and storing the exported target data, encrypted according to the predetermined encryption strategy, on the removable storage device, the method further includes:
uploading the encrypted stored data to a decryption system and decrypting it according to a preset decryption strategy; and
extracting and displaying the decrypted data.
Optionally, the exported target data includes at least one of: browser browsing records, data in the favorites folder, cookie login usernames, document files, and accounts of specific application software.
According to another aspect of the present invention, a system for intelligent evidence collection using a removable storage device is also provided, including a target device and a removable storage device, where the removable storage device is installed in the target device and has a built-in evidence collection program, and the target device includes:
a running module, configured to run the evidence collection program carried by the removable storage device on the target device;
a determining module, configured to retrieve the historical data of the target device according to the retrieval strategy preset in the evidence collection program and determine target data; and
an export module, configured to export the target data and store the exported target data, encrypted according to a predetermined encryption strategy, on the removable storage device.
Optionally, the target device further includes:
a detection module, configured to detect whether the removable storage device is present in the target device; if so, to trigger the evidence collection program carried by the removable storage device; and if not, to reinstall the removable storage device on the target device.
Optionally, the detection module is further configured to:
trigger the evidence collection program carried by the removable storage device by performing a click or double-click operation on the evidence collection program package; and/or
trigger the evidence collection program carried by the removable storage device by keyboard control on the evidence collection program package.
Optionally, the determining module is further configured to:
retrieve, by the evidence collection program, the browser vendor data, local browser data and local disk browsing data of the target device, and determine target data.
Optionally, the determining module is further configured to:
retrieve, by the evidence collection program, the browser vendor data of the target device, extract a browser interface, and determine target data according to the browser interface;
retrieve, by the evidence collection program, the local browser data of the target device, extract the fixed directory of a particular browser, and determine target data according to the fixed directory of the particular browser; and
retrieve the local disk browser data of the target device by calling a file enumeration function from the evidence collection program, and further determine target data.
Optionally, the target device further includes:
a decryption module, configured to upload the encrypted stored data to a decryption system, decrypt it according to a preset decryption strategy, and extract and display the decrypted data.
Optionally, the exported target data includes at least one of: browser browsing records, data in the favorites folder, cookie login usernames, document files, and accounts of specific application software.
According to the method and system for intelligent evidence collection using a removable storage device of the present invention, the removable storage device is first configured with a corresponding evidence collection program, and the removable storage device with the built-in evidence collection program is installed on the target device. The evidence collection program carried by the removable storage device is then run on the target device, the historical data of the target device is retrieved according to the retrieval strategy preset in the evidence collection program, and target data is determined. Then, the target data is exported from the target device, and the exported target data is stored, encrypted according to a predetermined encryption strategy, on the removable storage device. It follows that the present invention sets a specific evidence collection program in the removable storage device, sets a corresponding retrieval strategy through the evidence collection program, and then runs the evidence collection program directly on the target device, so that the target device can be retrieved and evidence collected according to the retrieval strategy of the evidence collection program. The operating steps of the present invention are therefore simple: it is only necessary to install and run the evidence collection program on the target device, without modifying the target device and without a professional operator investigating and collecting evidence on the target device with professional analysis software, which reduces the complexity of the evidence collection process and saves a great deal of time and effort. Moreover, the method of the present invention requires no manual participation during evidence collection; evidence is collected intelligently by the evidence collection program, which lowers the error rate of manual operation, indirectly improves the accuracy of evidence collection, and achieves the purpose of providing the required forensic information in a timely, convenient and accurate manner. In addition, the evidence collection program in the removable storage device can be adjusted appropriately according to differences in actual requirements such as the evidence collection environment, so it is highly adaptable and can meet evidence collection requirements to the greatest extent.
The above description is only an overview of the technical solution of the present invention. In order to understand the technical means of the present invention more clearly, so that it can be implemented in accordance with the contents of the specification, and in order to make the above and other objects, features and advantages of the present invention more obvious and understandable, specific embodiments of the present invention are set out below.
From the following detailed description of specific embodiments of the present invention with reference to the accompanying drawings, the above and other objects, advantages and features of the present invention will become clearer to those skilled in the art.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of showing the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, the same reference numerals are used to refer to the same parts. In the drawings:
Fig. 1 is a flow chart of a method for intelligent evidence collection using a removable storage device according to an embodiment of the present invention;
Fig. 2 is a flow chart of a specific method for intelligent evidence collection using a removable storage device according to an embodiment of the present invention;
Fig. 3 is another flow chart of a specific method for intelligent evidence collection using a removable storage device according to an embodiment of the present invention;
Fig. 4 is a schematic block diagram of a system for intelligent evidence collection using a removable storage device according to an embodiment of the present invention; and
Fig. 5 is another schematic block diagram of a system for intelligent evidence collection using a removable storage device according to an embodiment of the present invention.
Specific embodiments
Exemplary embodiments of the present disclosure are described more fully below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and its scope will be conveyed completely to those skilled in the art.
In the prior art, professional analysis software is generally used when investigating and collecting evidence on computer crime. Although such professional software is powerful, it is very complicated to use and places high demands on the operating personnel. Under normal conditions, operating personnel need a high level of computer skill and must be technically trained, which consumes a great deal of manpower and material resources. Therefore, at this stage, investigating and collecting evidence on computer crime requires large human and material resources, the operating steps are complicated, and the necessary information cannot be submitted in a timely and convenient manner.
To solve the above technical problems, the present invention provides a method and system for intelligent evidence collection using a removable storage device. Fig. 1 is a flow chart of a method for intelligent evidence collection using a removable storage device according to an embodiment of the present invention. As shown in Fig. 1, the method includes at least steps S102 to S108:
Step S102: installing, on a target device, a removable storage device with a built-in evidence collection program;
Step S104: running, on the target device, the evidence collection program carried by the removable storage device;
Step S106: retrieving the historical data of the target device according to the retrieval strategy preset in the evidence collection program, and determining target data;
Step S108: exporting the target data, and storing the exported target data, encrypted according to a predetermined encryption strategy, on the removable storage device.
According to the method and system for intelligent evidence collection using a removable storage device of the present invention, the removable storage device is first configured with a corresponding evidence collection program, and the removable storage device with the built-in evidence collection program is installed on the target device. The evidence collection program carried by the removable storage device is then run on the target device, the historical data of the target device is retrieved according to the retrieval strategy preset in the evidence collection program, and target data is determined. Then, the target data is exported from the target device, and the exported target data is stored, encrypted according to a predetermined encryption strategy, on the removable storage device. It follows that the present invention sets a specific evidence collection program in the removable storage device, sets a corresponding retrieval strategy through the evidence collection program, and then runs the evidence collection program directly on the target device, so that the target device can be retrieved and evidence collected according to the retrieval strategy of the evidence collection program. The operating steps of the present invention are therefore simple: it is only necessary to install and run the evidence collection program on the target device, without modifying the target device and without a professional operator investigating and collecting evidence on the target device with professional analysis software, which reduces the complexity of the evidence collection process and saves a great deal of time and effort. Moreover, the method of the present invention requires no manual participation during evidence collection; evidence is collected intelligently by the evidence collection program, which lowers the error rate of manual operation, indirectly improves the accuracy of evidence collection, and achieves the purpose of providing the required forensic information in a timely, convenient and accurate manner. In addition, the evidence collection program in the removable storage device can be adjusted appropriately according to differences in actual requirements such as the evidence collection environment, so as to meet evidence collection requirements to the greatest extent.
In the present embodiment, step S102 is performed first: a removable storage device with a built-in evidence collection program is installed on the target device. Specifically, in this step, the removable storage device may first be configured with an evidence collection program, which can be customized according to the actual evidence collection environment or other specific conditions. Under normal conditions, different retrieval strategies may be preset in the evidence collection program by the user, so that while the evidence collection program runs it carries out the corresponding retrieval operations according to its own preset retrieval strategy and thereby achieves intelligent evidence collection. In the present embodiment, the retrieval strategy can be customized according to conditions such as the user's actual requirements or a special evidence collection environment. For example, in the present embodiment, a designated disk of the target device may be retrieved according to user requirements, and the web page favorites folder of the target device's browser may also be retrieved; of course, the retrieval strategy of the present invention may also retrieve other data of the target device. The above description is only an enumeration of the retrieval strategy of the present invention and does not constitute a specific limitation on it.
Further, after the evidence collection program in the removable storage device has been configured as described above and the removable storage device has been installed on the target device, the evidence collection program in the removable storage device can be run on the target device. In the present embodiment, in order to reduce the error rate of running the evidence collection program, or in other words to improve the smoothness of the evidence collection process, a corresponding detection operation may also be performed on the target device before the evidence collection program is run.
Specifically, according to the method of the present embodiment, it may first be detected whether a removable storage device is present in the target device. When a removable storage device is present in the target device, it may further be judged whether the storage device installed in the target device is the above-mentioned removable storage device with the built-in evidence collection program. If so, the method of the present invention may trigger the evidence collection program carried by the removable storage device and then perform step S104, running on the target device the evidence collection program carried by the removable storage device. If no removable storage device is installed in the target device, or the storage device installed in the target device is not the removable storage device with the built-in evidence collection program referred to in the present embodiment, the method of the present invention may also reinstall the removable storage device on the target device and, after installation is complete, continue the detection and judgment operation for the removable storage device on the target device until it is detected that the removable storage device with the built-in evidence collection program has been successfully installed on the target device.
In the present embodiment, after it has been detected that the removable storage device with the built-in evidence collection program has been successfully installed on the target device, the method of the present embodiment may also trigger the evidence collection program carried by the removable storage device. Specifically, the evidence collection program carried by the removable storage device may be triggered by performing a click or double-click operation on the evidence collection program package. The evidence collection program carried by the removable storage device may also be triggered by keyboard control on the evidence collection program package. It should be noted that the present embodiment may also trigger the evidence collection program carried by the removable storage device in various other possible ways; the above description of the present embodiment is only an enumeration and does not constitute a specific limitation on the operation of triggering the evidence collection program of the present invention.
After the above steps have been performed, the evidence collection program carried by the removable storage device can be run on the target device. Further, step S106 is performed: the historical data of the target device is retrieved according to the retrieval strategy preset in the evidence collection program, and target data is determined. As can be seen from the above, the retrieval strategy of the present embodiment can be customized according to the actual evidence collection environment or other evidence collection requirements. Specifically, in the present embodiment, the browser vendor data, local browser data and local disk browsing data of the target device may be retrieved by the evidence collection program to determine target data. More specifically, in the present embodiment, the browser vendor data of the target device may be retrieved by the evidence collection program, an internal browser interface extracted, and target data determined according to that internal browser interface. For example, the evidence collection program may retrieve various data of the target device's UC Browser itself, further extract the data of each related internal interface, then obtain the corresponding associated data through those UC Browser interfaces, and take the obtained data as target data.
In addition, in the present embodiment, the local browser data of the target device may also be retrieved by the evidence collection program, the fixed directory of a particular browser extracted, and target data determined according to the fixed directory of that browser. Specifically, the evidence collection program may retrieve the browsing records that the target device stored locally when a fixed browser was used to browse web pages, and further record those browsing data as target data. Furthermore, in the present embodiment, the local disk browser data of the target device may also be retrieved by calling a file enumeration function from the evidence collection program, and target data further determined. The file enumeration function of the present embodiment can traverse all files in the target device and take out the specific files required in order to determine target data.
It can be seen that the present embodiment runs, on the target device, the executable program set in the removable storage device (i.e. the evidence collection program of the present embodiment), and takes out the required files using browser interfaces or the fixed directory of a particular browser (supporting the major browsers, such as UC Browser, 360 Secure Browser, QQ Browser, etc.) and a file enumeration function. In the present embodiment, the data to be taken out include browser browsing records, data in the favorites folder, cookie login usernames, document files, and accounts of specific application software (such as QQ accounts and WeChat accounts). It should be noted that the browser types and application software accounts mentioned above in the present embodiment are only an enumeration and do not constitute a specific limitation on the browser types and application software accounts of the present invention.
After the above steps have been performed, the required target data can be determined. Further, step S108 is performed: the determined target data is exported, and the exported target data is stored, encrypted according to a predetermined encryption strategy, on the removable storage device. The present embodiment applies encryption when exporting and storing the target data, which further ensures the security of the forensic data. It should be noted that the encryption strategy of the present invention may use the system's default encryption operation, or the encryption mode may be customized according to user requirements or other actual conditions. For example, the header of the collected data may be encrypted, or the collected evidence may be stored encrypted by means of a special layout of its data format, and so on.
In addition, in the present embodiment, after the target data has been exported and the exported target data stored, encrypted according to the predetermined encryption strategy, on the removable storage device, the encrypted stored data may also be uploaded to a decryption system and decrypted according to a preset decryption strategy. The decryption strategy here may be set in one-to-one correspondence with the encryption strategy of the encryption operation, so as to ensure that the encrypted information can be parsed specifically and that the decrypted information is accurate. Then, the data decrypted by the decryption system is shown on a corresponding display screen, completing the entire intelligent evidence collection process.
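As an added example (not code from the patent), the following Go program shows one concrete form the "predetermined encryption strategy" and its one-to-one decryption strategy described above could take: the collection program seals each export with AES-256-GCM under a key derived from a master key it shares with the decryption system, binds a small header carrying the case identifier into the authentication tag, and the decryption system refuses any container whose key is wrong or whose bytes were altered while on the device. The container layout, the key-derivation label and the shared master key are assumptions of this example; the patent names no algorithm.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed container layout (an assumption of this example, not the patent's format):
//   magic(4) | version(1) | salt(16) | nonce(12) | idLen(1) | caseID | AES-256-GCM(ciphertext || tag)
// The whole header is bound into the GCM tag as associated data, so any change to it,
// including the case identifier, is detected when the decryption system opens the file.
const (
	magic    = "EVID"
	version  = 1
	saltLen  = 16
	nonceLen = 12
	fixedLen = len(magic) + 1 + saltLen + nonceLen + 1
)

// newGCM derives a fresh per-export AES-256 key from the master key shared by the
// collection program and the decryption system (the one-to-one strategy pair) and the salt.
func newGCM(master, salt []byte) (cipher.AEAD, error) {
	kdf := hmac.New(sha256.New, master)
	kdf.Write([]byte("evidence-export-v1")) // assumed fixed derivation label
	kdf.Write(salt)
	block, err := aes.NewCipher(kdf.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptExport seals target data for storage on the removable device and returns the
// container plus the hex SHA-256 of the plaintext, which the examiner records separately
// so the decrypted copy can later be matched against what was collected.
func EncryptExport(master []byte, caseID string, plaintext []byte) ([]byte, string, error) {
	if len(caseID) == 0 || len(caseID) > 255 {
		return nil, "", errors.New("case id must be 1..255 bytes")
	}
	hdr := make([]byte, fixedLen, fixedLen+len(caseID))
	copy(hdr, magic)
	hdr[4] = version
	if _, err := rand.Read(hdr[5 : fixedLen-1]); err != nil { // random salt and nonce
		return nil, "", err
	}
	hdr[fixedLen-1] = byte(len(caseID))
	hdr = append(hdr, caseID...)
	salt, nonce := hdr[5:5+saltLen], hdr[5+saltLen:5+saltLen+nonceLen]
	gcm, err := newGCM(master, salt)
	if err != nil {
		return nil, "", err
	}
	ct := gcm.Seal(nil, nonce, plaintext, hdr)
	sum := sha256.Sum256(plaintext)
	return append(hdr, ct...), hex.EncodeToString(sum[:]), nil
}

// DecryptExport is the decryption system's side: parse the header, re-derive the key
// from the same master key and salt, and reject any container whose tag fails to verify.
func DecryptExport(master, container []byte) (caseID string, plaintext []byte, digest string, err error) {
	if len(container) < fixedLen || !bytes.Equal(container[:4], []byte(magic)) || container[4] != version {
		return "", nil, "", errors.New("not a supported evidence container")
	}
	idLen := int(container[fixedLen-1])
	if len(container) < fixedLen+idLen {
		return "", nil, "", errors.New("truncated case id")
	}
	hdr := container[:fixedLen+idLen]
	salt, nonce := hdr[5:5+saltLen], hdr[5+saltLen:5+saltLen+nonceLen]
	gcm, err := newGCM(master, salt)
	if err != nil {
		return "", nil, "", err
	}
	plaintext, err = gcm.Open(nil, nonce, container[fixedLen+idLen:], hdr)
	if err != nil {
		return "", nil, "", errors.New("authentication failed: wrong key or modified container")
	}
	sum := sha256.Sum256(plaintext)
	return string(hdr[fixedLen:]), plaintext, hex.EncodeToString(sum[:]), nil
}

func main() {
	master := []byte("constructed-32-byte-master-key!!")   // constructed shared key
	record := []byte("constructed sample browsing record") // constructed input
	box, digest, err := EncryptExport(master, "CASE-0001", record)
	if err != nil {
		panic(err)
	}
	id, out, d2, err := DecryptExport(master, box)
	fmt.Println(id, string(out), digest == d2, err)
	box[len(box)-1] ^= 1 // flip one ciphertext byte: the container must now be rejected
	_, _, _, err = DecryptExport(master, box)
	fmt.Println("tampered container rejected:", err != nil)
}
```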
The operating steps of the present invention are therefore simple: it is only necessary to install and run the evidence collection program on the target device, without modifying the target device and without a professional operator investigating and collecting evidence on the target device with professional analysis software, which reduces the complexity of the evidence collection process and saves a great deal of time and effort. Moreover, the method of the present invention requires no manual participation during evidence collection; evidence is collected intelligently by the evidence collection program, which lowers the error rate of manual operation, indirectly improves the accuracy of evidence collection, and achieves the purpose of providing the required forensic information in a timely, convenient and accurate manner. In addition, the evidence collection program in the removable storage device can be adjusted appropriately according to differences in actual requirements such as the evidence collection environment, so as to meet evidence collection requirements to the greatest extent.
The method for intelligent evidence collection using a removable storage device of the present invention is described in detail below with several specific embodiments.
Embodiment one
The present embodiment takes the police collecting evidence from a suspect's computer as an example. Fig. 2 shows a flow chart of a specific method for intelligent evidence collection using a removable storage device according to an embodiment of the present invention.
In the present embodiment, step S201 is performed first: a retrieval strategy is set for the evidence collection program, and the evidence collection program is stored on the removable storage device.
In this step, the retrieval strategy of the evidence collection program can be customized according to the actual evidence collection environment or other evidence collection requirements, so as to meet evidence collection requirements to the greatest extent. For example, in the present embodiment, a designated disk of the suspect's computer may be retrieved according to the actual requirements of the police case, and the web page favorites folder of the browser on the suspect's computer may also be retrieved; of course, the retrieval strategy of the present embodiment may also retrieve other data of the suspect's computer. The above description is only a partial enumeration and does not constitute a specific limitation on the retrieval strategy of the present invention.
Further, step S202 is performed: the removable storage device storing the evidence collection program is installed on the suspect's computer.
Then, step S203 is performed: it is detected whether a removable storage device is installed in the suspect's computer; if so, step S204 is performed, and if not, step S205 is performed.
Step S204: it is judged whether the removable storage device is the above-mentioned removable storage device storing the evidence collection program; if so, step S206 is performed, and if not, step S205 is performed.
Step S205: the removable storage device storing the evidence collection program is reinstalled until installation succeeds.
After the above steps have been performed, the removable storage device storing the evidence collection program can be detected in the suspect's computer. Further, step S206 is performed: the evidence collection program in the installed removable storage device is run on the suspect's computer.
Embodiment two
This embodiment is based on embodiment one; in this embodiment, the removable storage device with the built-in forensic program can be detected on the suspect's computer. This embodiment takes Fig. 3 as an example; Fig. 3 is another flow chart of a specific method of intelligent evidence collection using a removable storage device according to an embodiment of the invention.
As shown in Fig. 3, in this embodiment step S301 may be performed first: receive the user's trigger of the forensic program and run the forensic program on the suspect's computer.
In this step, the forensic program carried on the removable storage device can be triggered by performing a click or double-click operation on the forensic program package; in addition, in this embodiment, keyboard control on the forensic program package can also be used to trigger the forensic program carried on the removable storage device, so that the forensic program runs on the suspect's computer. It should be noted that this embodiment may also trigger the forensic program carried on the removable storage device in various other possible ways; the above description is only an enumeration and does not limit the trigger operation of the forensic program of the present invention.
Further, step S302 is performed: the historical data of the suspect's computer is retrieved according to the search strategy preset inside the forensic program, and the target data is determined.
In this step, according to the method of the invention, the required files may be extracted using a browser interface, a fixed directory of a particular browser, or a file enumeration function. Specifically, in this example, the browsers installed on the suspect's computer can be retrieved, and some files are extracted through the browser as target data. If, in this embodiment, only the IE browser is installed on the suspect's computer, the vendor information of the IE browser (the functions and additional information assigned to it by the vendor's technical staff during initial setup) may be retrieved first. Further, the browser interface is extracted according to that browser vendor information; then the data associated with the extracted browser interface is obtained (for example, the browsing record data of other function pages reached from the IE browser page), and the associated data is extracted as target data.
In addition, in this embodiment, a fixed directory of a particular browser can also be retrieved, for example the browsing data in the IE browser's local favourites folder or cookies, and the local browsing data is then extracted as target data. Furthermore, according to the method of the invention, a file enumeration function may also be used to extract the required files. In a specific implementation, a corresponding file enumeration function may be selected or set according to actual needs, the data stored on all disks of the suspect's computer is then retrieved, and finally the files meeting the conditions are extracted as target data.
It should be noted that the above search strategies of this embodiment are only examples; the present invention may also retrieve the suspect's computer by various other feasible retrieval measures.
After the above steps are executed the target data can be determined; further, step S303 is performed: the target data is exported, and the exported target data is stored to the removable storage device.
In this step, when the target data is exported, it can be encrypted according to a preset encryption policy, and the encrypted target data is stored to the removable storage device. The encryption policy here may follow the system's default encryption settings, or the encryption mode may be customised according to user requirements or other actual conditions. For example, the data header of the collected evidence may be encrypted, or the data format of the collected evidence may be given a special layout, so that the collected evidence is stored in encrypted form.
Further, if the target data has been encrypted during export and the encrypted target data has been stored to the removable storage device, then in this embodiment the encrypted stored data can also be uploaded to a decryption system and decrypted according to a preset decryption policy. The decryption policy here can be set in one-to-one correspondence with the encryption policy used in the encryption operation, so as to guarantee that the encrypted information is parsed correctly and to ensure the accuracy of the decrypted information. Then, the data decrypted by the decryption system is displayed on the corresponding display screen, completing the whole intelligent forensic process.
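Steps S302 and S303 above (select target data by a search strategy, export it encrypted under a preset encryption policy, recover it under the paired decryption policy) as an added, runnable example in Python; this is not code from the patent. It assumes a constructed directory tree in place of the suspect's disk, glob patterns as the search strategy, and a stdlib-only encrypt-then-MAC container (HMAC-SHA256 keystream plus HMAC tag) standing in for the encryption policy; a real tool would use an authenticated cipher such as AES-GCM.

```python
import fnmatch, hashlib, hmac, json, os, struct, tempfile


def enumerate_matching(root, patterns):
    """Search strategy: walk root and keep files whose relative path matches any glob."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, pat) for pat in patterns):
                hits.append(rel)
    return sorted(hits)


def build_manifest(root, rel_paths):
    """Read each selected file and record its SHA-256 so integrity can be re-checked."""
    manifest = {}
    for rel in rel_paths:
        with open(os.path.join(root, rel), "rb") as fh:
            data = fh.read()
        manifest[rel] = {"sha256": hashlib.sha256(data).hexdigest(), "hex": data.hex()}
    return manifest


def derive_keys(policy_secret):
    """The 'encryption policy': split one secret into separate cipher and MAC keys."""
    return (hashlib.sha256(b"enc|" + policy_secret).digest(),
            hashlib.sha256(b"mac|" + policy_secret).digest())


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; stdlib-only stand-in for a real stream cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def export_encrypted(root, patterns, policy_secret):
    """Steps S302 + S303: select target data, then encrypt-then-MAC it.
    Returns container bytes laid out as nonce(16) || ciphertext || tag(32)."""
    manifest = build_manifest(root, enumerate_matching(root, patterns))
    plaintext = json.dumps(manifest, sort_keys=True).encode()
    enc_key, mac_key = derive_keys(policy_secret)
    nonce = os.urandom(16)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_and_verify(container, policy_secret):
    """The matching 'decryption policy': check the tag before decrypting, then
    re-hash every file. Raises ValueError on a wrong policy or a tampered export."""
    enc_key, mac_key = derive_keys(policy_secret)
    nonce, ciphertext, tag = container[:16], container[16:-32], container[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("container tag mismatch")
    manifest = json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    for rel, entry in manifest.items():
        if hashlib.sha256(bytes.fromhex(entry["hex"])).hexdigest() != entry["sha256"]:
            raise ValueError("hash mismatch for " + rel)
    return manifest


def make_sample_tree():
    """Constructed stand-in for the suspect's disk; all contents are made up."""
    root = tempfile.mkdtemp(prefix="forensic_demo_")
    samples = {
        "Browser/History/index.dat": b"visited: example.test 2017-12-28",
        "Browser/Favorites/news.url": b"[InternetShortcut]\nURL=http://example.test/",
        "Browser/Cookies/session.txt": b"user=alice",
        "Documents/report.docx": b"PK\x03\x04 constructed document",
        "Program Files/app/app.exe": b"MZ constructed binary",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


# Search strategy in the sense of the patent: browser artefacts and documents only,
# so the executable under Program Files is never selected.
STRATEGY = ["Browser/History/*", "Browser/Favorites/*", "Browser/Cookies/*", "Documents/*.docx"]


def run_demo(policy_secret=b"constructed-policy-secret"):
    """End-to-end: enumerate, export encrypted, decrypt with the paired policy."""
    root = make_sample_tree()
    container = export_encrypted(root, STRATEGY, policy_secret)
    return sorted(decrypt_and_verify(container, policy_secret))


if __name__ == "__main__":
    print(run_demo())
```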
Based on the same inventive concept, the present invention also provides a system for intelligent evidence collection using a removable storage device. As shown in Fig. 4, the system includes a target device and a removable storage device, the removable storage device being installed on the target device, wherein a forensic program is built into the removable storage device, and the target device includes:
a running module 410, configured to run the forensic program carried by the removable storage device on the target device;
a determining module 420, coupled to the running module 410 and configured to retrieve the historical data of the target device according to the preset search strategy of the forensic program and determine the target data;
an export module 430, coupled to the determining module 420 and configured to export the target data and store the exported target data, encrypted according to a preset encryption policy, to the removable storage device.
In a preferred embodiment, as shown in Fig. 5, the target device further includes:
a detection module 440, configured to detect whether a removable storage device is present in the target device;
if so, trigger the forensic program carried on the removable storage device;
if not, reinstall the removable storage device for the target device.
In a preferred embodiment, the detection module 440 is further configured to:
trigger the forensic program carried on the removable storage device by performing a click or double-click operation on the forensic program package; and/or
trigger the forensic program carried on the removable storage device by keyboard control on the forensic program package.
In a preferred embodiment, the determining module 420 is further configured to:
determine the target data by retrieving, through the forensic program, the browser vendor data, local browser data and local disk browsing data of the target device.
In a preferred embodiment, the determining module 420 is further configured to:
retrieve the browser vendor data of the target device through the forensic program, extract a browser interface, and determine the target data according to the browser interface;
retrieve the local browser data of the target device through the forensic program, extract a fixed directory of a particular browser, and determine the target data according to that fixed directory;
retrieve the local disk browsing data of the target device by having the forensic program call a file enumeration function, and further determine the target data.
In a preferred embodiment, as shown in Fig. 5, the target device further includes:
a decryption module 450, coupled to the export module 430 and configured to upload the encrypted stored data to a decryption system and decrypt it according to a preset decryption policy;
and to extract and display the decrypted data.
In a preferred embodiment, the exported target data includes at least one of:
the browsing records of a browser, data in the favourites, login user names in cookies, document files, and accounts of specific application software.
The method and system for intelligent evidence collection using a removable storage device of the present invention can achieve the following beneficial effects:
According to the method and system for intelligent evidence collection using a removable storage device of the present invention, a corresponding forensic program is first configured on the removable storage device, and the removable storage device with the built-in forensic program is installed on the target device. The forensic program carried on the removable storage device is then run on the target device, and the historical data of the target device is further retrieved according to the preset search strategy of the forensic program to determine the target data. Then the target data is exported from the target device, and the exported target data is stored, encrypted according to a preset encryption policy, to the removable storage device. It can be seen that, by providing a specific forensic program on the removable storage device and setting a corresponding search strategy for that program, the forensic program can be run directly on the target device, and the target device can be searched and evidence collected according to the search strategy of the forensic program. Thus the operating procedure of the present invention is simple: it is only necessary to install and run the forensic program on the target device, without modifying the target device and without a professional operator investigating and collecting evidence from the target device using professional analysis software, which reduces the complexity of the forensic process and saves a great deal of time and effort. Moreover, the method of the present invention requires no manual participation during evidence collection; intelligent evidence collection is performed by the forensic program, which reduces the error rate of manual operation, further improves the accuracy of evidence collection, and achieves the purpose of providing the required forensic information in a timely, convenient and accurate manner. In addition, the forensic program on the removable storage device can be adjusted appropriately according to differences in the forensic environment and other actual requirements, so as to meet the forensic requirements as fully as possible.
In the specification provided herein, numerous specific details are set forth. It is to be understood, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the method of the disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may in addition be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, or as software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device for intelligent evidence collection using a removable storage device according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing some or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
So far, those skilled in the art will appreciate that although multiple exemplary embodiments of the present invention have been shown and described in detail herein, many other variations or modifications consistent with the principles of the invention may still be directly determined or derived from the present disclosure without departing from the spirit and scope of the invention. Therefore, the scope of the present invention should be understood and recognised as covering all such other variations or modifications.
According to one aspect of the invention, there is provided A1. a method for intelligent evidence collection using a removable storage device, including:
installing, for a target device, a removable storage device with a built-in forensic program;
running the forensic program carried by the removable storage device on the target device;
retrieving the historical data of the target device according to the preset search strategy of the forensic program, and determining target data;
exporting the target data, and storing the exported target data, encrypted according to a preset encryption policy, to the removable storage device.
A2. The method according to A1, wherein before running the forensic program carried by the removable storage device on the target device, the method further includes:
detecting whether the removable storage device is present in the target device;
if so, triggering the forensic program carried on the removable storage device;
if not, reinstalling the removable storage device for the target device.
A3. The method according to A2, wherein triggering the forensic program carried on the removable storage device includes:
triggering the forensic program carried on the removable storage device by performing a click or double-click operation on the forensic program package; and/or
triggering the forensic program carried on the removable storage device by keyboard control on the forensic program package.
A4. The method according to A1, wherein retrieving the historical data of the target device according to the preset search strategy of the forensic program and determining target data includes:
retrieving, through the forensic program, the browser vendor data, local browser data and local disk browsing data of the target device, and determining the target data.
A5. The method according to A4, wherein retrieving, through the forensic program, the browser vendor data, local browser data and local disk browsing data of the target device and determining the target data includes:
retrieving the browser vendor data of the target device through the forensic program, extracting a browser interface, and determining the target data according to the browser interface;
retrieving the local browser data of the target device through the forensic program, extracting a fixed directory of a particular browser, and determining the target data according to that fixed directory;
retrieving the local disk browsing data of the target device by having the forensic program call a file enumeration function, and further determining the target data.
A6. The method according to A1, wherein exporting the target data and storing the exported target data, encrypted according to a preset encryption policy, to the removable storage device further includes:
uploading the encrypted stored data to a decryption system and decrypting it according to a preset decryption policy;
extracting and displaying the decrypted data.
A7. The method according to any one of A1 to A6, wherein the exported target data includes at least one of:
the browsing records of a browser, data in the favourites, login user names in cookies, document files, and accounts of specific application software.
According to another aspect of the invention, there is also provided B8. a system for intelligent evidence collection using a removable storage device, including a target device and a removable storage device, the removable storage device being installed on the target device, wherein a forensic program is built into the removable storage device, and the target device includes:
a running module, configured to run the forensic program carried by the removable storage device on the target device;
a determining module, configured to retrieve the historical data of the target device according to the preset search strategy of the forensic program and determine target data;
an export module, configured to export the target data and store the exported target data, encrypted according to a preset encryption policy, to the removable storage device.
B9. The system according to B8, wherein the target device further includes:
a detection module, configured to detect whether the removable storage device is present in the target device;
if so, trigger the forensic program carried on the removable storage device;
if not, reinstall the removable storage device for the target device.
B10. The system according to B9, wherein the detection module is further configured to:
trigger the forensic program carried on the removable storage device by performing a click or double-click operation on the forensic program package; and/or
trigger the forensic program carried on the removable storage device by keyboard control on the forensic program package.
B11. The system according to B8, wherein the determining module is further configured to:
retrieve, through the forensic program, the browser vendor data, local browser data and local disk browsing data of the target device, and determine the target data.
B12. The system according to B11, wherein the determining module is further configured to:
retrieve the browser vendor data of the target device through the forensic program, extract a browser interface, and determine the target data according to the browser interface;
retrieve the local browser data of the target device through the forensic program, extract a fixed directory of a particular browser, and determine the target data according to that fixed directory;
retrieve the local disk browsing data of the target device by having the forensic program call a file enumeration function, and further determine the target data.
B13. The system according to B8, wherein the target device further includes:
a decryption module, configured to upload the encrypted stored data to a decryption system and decrypt it according to a preset decryption policy;
and to extract and display the decrypted data.
B14. The system according to any one of B8 to B13, wherein the exported target data includes at least one of:
the browsing records of a browser, data in the favourites, login user names in cookies, document files, and accounts of specific application software.
Claims (10)
1. A method for intelligent evidence collection using a removable storage device, including:
installing, for a target device, a removable storage device with a built-in forensic program;
running the forensic program carried by the removable storage device on the target device;
retrieving the historical data of the target device according to the preset search strategy of the forensic program, and determining target data;
exporting the target data, and storing the exported target data, encrypted according to a preset encryption policy, to the removable storage device.
2. The method according to claim 1, wherein before running the forensic program carried by the removable storage device on the target device, the method further includes:
detecting whether the removable storage device is present in the target device;
if so, triggering the forensic program carried on the removable storage device;
if not, reinstalling the removable storage device for the target device.
3. The method according to claim 2, wherein triggering the forensic program carried on the removable storage device includes:
triggering the forensic program carried on the removable storage device by performing a click or double-click operation on the forensic program package; and/or
triggering the forensic program carried on the removable storage device by keyboard control on the forensic program package.
4. The method according to claim 1, wherein retrieving the historical data of the target device according to the preset search strategy of the forensic program and determining target data includes:
retrieving, through the forensic program, the browser vendor data, local browser data and local disk browsing data of the target device, and determining the target data.
5. The method according to claim 4, wherein retrieving, through the forensic program, the browser vendor data, local browser data and local disk browsing data of the target device and determining the target data includes:
retrieving the browser vendor data of the target device through the forensic program, extracting a browser interface, and determining the target data according to the browser interface;
retrieving the local browser data of the target device through the forensic program, extracting a fixed directory of a particular browser, and determining the target data according to that fixed directory;
retrieving the local disk browsing data of the target device by having the forensic program call a file enumeration function, and further determining the target data.
6. The method according to claim 1, wherein exporting the target data and storing the exported target data, encrypted according to a preset encryption policy, to the removable storage device further includes:
uploading the encrypted stored data to a decryption system and decrypting it according to a preset decryption policy;
extracting and displaying the decrypted data.
7. The method according to any one of claims 1 to 6, wherein the exported target data includes at least one of:
the browsing records of a browser, data in the favourites, login user names in cookies, document files, and accounts of specific application software.
8. A system for intelligent evidence collection using a removable storage device, including a target device and a removable storage device, the removable storage device being installed on the target device, wherein a forensic program is built into the removable storage device, and the target device includes:
a running module, configured to run the forensic program carried by the removable storage device on the target device;
a determining module, configured to retrieve the historical data of the target device according to the preset search strategy of the forensic program and determine target data;
an export module, configured to export the target data and store the exported target data, encrypted according to a preset encryption policy, to the removable storage device.
9. The system according to claim 8, wherein the target device further includes:
a detection module, configured to detect whether the removable storage device is present in the target device;
if so, trigger the forensic program carried on the removable storage device;
if not, reinstall the removable storage device for the target device.
10. The system according to claim 9, wherein the detection module is further configured to:
trigger the forensic program carried on the removable storage device by performing a click or double-click operation on the forensic program package; and/or
trigger the forensic program carried on the removable storage device by keyboard control on the forensic program package.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711465431.5A CN108229187A (en) | 2017-12-28 | 2017-12-28 | A kind of method and system intelligently collected evidence using movable memory equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108229187A true CN108229187A (en) | 2018-06-29 |
Family
ID=62646158
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108229187A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1949240A (en) * | 2006-10-10 | 2007-04-18 | 中国科学院软件研究所 | Electronic data evidence obtaining method and system for computer |
CN201489539U (en) * | 2009-09-01 | 2010-05-26 | 北京鼎普科技股份有限公司 | Computer security evidence collecting device |
US9043913B2 (en) * | 2006-01-23 | 2015-05-26 | University Of Washington Through Its Center For Commercialization | Detection of spyware threats within virtual machine |
CN105139322A (en) * | 2015-07-02 | 2015-12-09 | 盘石软件(上海)有限公司 | Distributed electronic data evidence collecting system and distributed electronic data evidence collecting method |
CN106919855A (en) * | 2017-04-25 | 2017-07-04 | 王小易 | A kind of law enforcement evidence-obtaining system and its evidence collecting method based on USB flash disk |
CN107025229A (en) * | 2016-01-29 | 2017-08-08 | 四川效率源信息安全技术股份有限公司 | The method of off-line file trace detection based on browser client application program |
Non-Patent Citations (1)
Title |
---|
张佑乐: "Computer usage trace analysis and forensics system", 《计算机安全》 (Computer Security) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20180629 |