CN109587141A - A system and method for remote server forensics - Google Patents


Info

Publication number
CN109587141A
Authority
CN (China)
Prior art keywords
remote server, evidence, obtaining, collected, evidence obtaining
Legal status
Granted (active)
Application number
CN201811499145.5A
Priority date / filing date
2018-12-08
Publication date
2019-04-05
Other languages
Chinese (zh)
Other versions
CN109587141B (en)
Inventors
石奥迪, 吴松洋, 刘善军, 张鹤
Current assignee
Third Research Institute of the Ministry of Public Security
Original assignee
Third Research Institute of the Ministry of Public Security
Application filed by
Third Research Institute of the Ministry of Public Security

Classifications

    • H04L67/133 Protocols for remote procedure calls [RPC] (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols)
    • H04L67/141 Setup of application sessions (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/14 Session management)

Abstract

The invention discloses a system and method for remote server forensics. The scheme establishes a session with the remote server to be examined over the SSH protocol or the Windows Remote Management service and then collects forensic data from that server; it then copies the remote server's disk data bit by bit directly over an RPC transport protocol. The scheme requires no manual operation on the remote server, proceeds covertly and imperceptibly throughout, and copies the remote server's disk data bit by bit directly without adding to the remote server's storage burden.

Description

A system and method for remote server forensics
Technical field
The present invention relates to electronic forensics technology, and in particular to forensic techniques for remote servers.
Background art
With the development of computer, network and information technology, "cloud storage" has become a preferred technology for more and more applications and websites. However, because servers are widely distributed and their physical location may be unknown, the collection and extraction of electronic data from servers has become very difficult.
Most existing techniques for preserving remote server disk data either back the data up directly to the remote server's local storage or add a disk to the remote server for the same purpose. Neither approach can carry out the acquisition remotely, covertly and imperceptibly, and both increase the remote server's storage burden.
Summary of the invention
In view of the problems existing electronic forensics schemes have in preserving remote server disk data, a new remote server data forensics scheme is needed.
To this end, the purpose of the present invention is to provide a system for remote server forensics and, based on that system, a method for remote server forensics, so that a remote server can be examined remotely and imperceptibly.
To achieve the above object, the remote server forensics system provided by the invention includes a processor and a computer-readable medium storing a computer program which, when executed by the processor:
establishes a session with the remote server to be examined over the SSH protocol or the Windows Remote Management service;
copies the disk data of the remote server to be examined bit by bit directly over an RPC transport protocol.
Further, the forensics system includes:
a session management module, which creates a session with the remote server to be examined over the SSH protocol or the Windows Remote Management service and, through the session, executes scripts in batches and returns their results and uploads/downloads files;
an image transfer module, which transfers data to and from the remote server to be examined over the RPC protocol and copies the remote server's disk data bit by bit over the network to local storage.
Further, the forensics system also includes a case management module for creating and managing cases.
Further, the forensics system also includes a forensic result display module for displaying the basic information and application information of the remote server.
Further, the forensics system also includes a screenshot and screen-recording module for taking screenshots and/or recording the screen in real time during the forensic process.
Further, the forensics system also includes a report management module, which generates a report from the analysis results of the session management module.
To achieve the above object, the remote server forensics method provided by the invention comprises:
establishing a session with the remote server to be examined over the SSH protocol or the Windows Remote Management service;
copying the disk data of the remote server to be examined bit by bit directly over an RPC transport protocol.
Further, in the method, the SSH protocol or Windows Remote Management service is invoked in the background to establish a session with the remote server to be examined, and the forensic scripts are executed remotely, so that the process is invisible and imperceptible to the remote server being examined; in this way covert, imperceptible acquisition is achieved.
Further, when copying data, the method comprises:
S1: managing sessions through a thread pool and executing forensic scripts remotely in batches to obtain the basic information and application information of the remote server to be examined;
S2: pushing the RPC server to the remote server to be examined;
S3: remotely starting, through the session, the RPC server on the remote server to be examined so that it listens on a user-defined network port and waits for a connection from the local RPC client;
S4: starting the local RPC client to connect to the remote server to be examined and transfer the disk data of the remote server to be examined.
Further, when copying data, the method also includes the step of removing the operation traces left on the remote server after the remote acquisition is complete.
Further, when copying data, the method also includes the step of generating a report in a specified format from the acquired basic information and application information of the remote server to be examined.
The remote server forensics scheme provided by the invention copies the remote server's disk data bit by bit directly without adding to the remote server's storage burden, requires no manual operation on the remote server, and proceeds covertly and imperceptibly throughout.
Brief description of the drawings
The present invention is further described below with reference to the drawings and specific embodiments.
Fig. 1 is a block diagram of the remote server forensics system of the present example;
Fig. 2 is a flow chart of remote server forensics as performed by the system in the present example.
Detailed description of the embodiments
To make the technical means, creative features, objectives and effects of the present invention easy to understand, the invention is further explained below with reference to specific illustrations.
When this example performs remote electronic data forensic preservation on a remote server, it first establishes a session with the remote server over the SSH protocol or the Windows Remote Management service, so as to set up a covert, unobtrusive communication channel with the remote server.
On that basis, it then uses an RPC transport protocol to copy the remote server's disk data bit by bit directly, so that the acquisition is completed without consuming additional disk space on the remote server and with a reduced I/O burden on the remote server.
Fig. 1 shows an exemplary form of a remote server forensics system that this example provides based on the above principles.
The remote server forensics system 10 mainly consists of a remote server forensics program, which is stored in a corresponding computer-readable medium and can run on corresponding computer equipment, where it is called and executed by the processor of that equipment to realize the remote server forensics function.
As the figure shows, the remote server forensics program is mainly made up of a case management module 11, a session management module 12, an image transfer module 13, a forensic result display module 14, a screenshot and screen-recording module 15 and a report management module 16, which cooperate with one another.
Among these, the case management module 11 is used to create and manage cases.
The case management module 11 is specifically used to create, view and delete cases. A case contains the case time, case information, case remarks, the list of servers involved, the forensic results for those servers, the screenshots and screen recordings of the forensic process for those servers, and the report generated from the forensic results. All other modules operate only after the case management module 11 has successfully created a case.
The session management module 12 is used to create sessions with remote servers and, through a session, execute scripts in batches and return their results and upload/download files.
This session management module 12 establishes a session with the remote server by directly invoking the SSH protocol or Windows Remote Management service, thereby setting up covert, unobtrusive communication with the remote server; on that basis it cooperates with the other modules to realize remote execution, remote file copying and so on.
As the basis of this system's interaction with the remote server, the session management module 12 supports the upload of the RPC server by the image transfer module 13 and the batch execution of forensic scripts.
The image transfer module 13 transfers data to and from the remote server over the RPC protocol and copies the remote server's disk data bit by bit over the network to local storage.
The image transfer module 13 uploads the RPC server to the remote server to be examined through the session management module 12, remotely starts the RPC server through the session management module 12 so that it listens on a network port of the server to be examined, and starts the local RPC client to connect to the server to be examined. Once the connection is established, the RPC server begins reading the disk data of the server to be examined bit by bit and sends it to the local RPC client in network blocks, thereby achieving a bit-by-bit copy of the server's disk data.
The forensic result display module 14 is used to display the basic information and application information of the remote server. The basic information and application information here mainly include disk information, network connection information, login log information, process information, memory information, Apache configuration information and so on.
The forensic result display module 14 displays the basic information and application information of the remote server once the session management module 12 has successfully established a session. After the session management module 12 establishes the session, the system executes the forensic scripts in batches and stores the analysis results in a database; the forensic result display module 14 then queries the database and displays the data on the system's UI.
The screenshot and screen-recording module 15 is used to take screenshots and record the screen in real time during the whole remote forensic process, preserving the entire enforcement process.
The screenshot and screen-recording module 15 can be implemented with existing screenshot and screen-recording technology and can run in parallel with the other modules.
The report management module 16 is used to generate reports from the analysis results.
The report management module 16 automatically generates the corresponding report files from the analysis results according to HTML/DOC/TSV/CSV syntax rules. After the session management module 12 has successfully established a session, the system executes the forensic scripts in batches and stores the analysis results in a database; the report management module 16 then queries the database and generates the report.
The remote server forensics system so constituted first establishes a session with the remote server over the SSH protocol or Windows Remote Management service, then copies the remote server's disk data bit by bit directly over an RPC transport protocol, completing the preservation of the remote server evidence; at the same time, the forensic tasks are distributed across multiple threads and the results are analysed and displayed locally.
Using this remote server forensics system, technical staff can covertly and imperceptibly preserve the disk evidence of a remote server and automatically analyse the remote server's basic information and application information, while strictly complying with electronic data forensics standards. As an example, the process of performing remote forensics on a remote server with this system is illustrated below.
When this remote server forensics system is put into use, opening the installation package directly on the equipment involved automatically installs the dependent environment and completes deployment.
To ensure that the forensic process proceeds smoothly and that the subsequent data acquisition is reliable, a covert and unobtrusive communication connection must be established between the forensics system and the remote server.
Therefore, before a session is established, the specific operating system of the remote server to be examined is determined: Linux or Windows.
If the remote server runs Linux, the following presets are made on the remote server in advance:
1) ensure that the SSH protocol is enabled;
2) know the port number the SSH protocol occupies;
3) ensure that the network environment of this system can reach the remote Linux server with Ping.
If the remote server runs Windows, the following presets are made on the remote server in advance:
1) enable the WinRM service on the remote server;
2) ensure that the operating system hosting this system has PowerShell 5.0 or later;
3) ensure that the network environment of this system can reach the remote Windows server with Ping.
After the above settings, the process of remotely examining a remote server with this system is as follows (see Fig. 2):
S1: establish a session with the remote server over the SSH protocol or the WinRM service.
Specifically, a session is established with a Linux remote server through the common interface provided by the SSH protocol, and with a Windows remote server through the common interface provided by PowerShell scripts.
S2: manage sessions through a thread pool and execute forensic scripts remotely in batches to obtain the basic information and application information of the remote server. Specifically, customised forensic scripts are pushed to the remote server through the session and executed; the forensic results returned by the remote server contain its basic information and application information.
S3: push the RPC server to the remote server. This step can be implemented by directly calling the upload interface of the SSH protocol or WinRM service to upload the RPC server to the remote server.
S4: remotely start, through the session, the RPC server on the remote server to be examined so that it listens on the user-defined network port. Once started, the RPC server automatically listens on the user-defined network port and waits for a connection from the RPC client.
S5: start the local RPC client to connect to the remote server to be examined and transfer its disk data.
The previous steps uploaded the RPC server to the remote server to be examined through the session management module 12 and remotely started it through the session management module 12 so that it listens on a network port of the server to be examined. In this step the local RPC client is started and connects to the server to be examined. Once the connection is established, the RPC server begins reading the disk data of the server to be examined bit by bit and sends it to the local RPC client in network blocks, thereby achieving a bit-by-bit copy of the server's disk data.
S6: after the remote acquisition is complete, the system removes the traces left on the remote server; the traces here are specifically login traces, command execution traces and cache files (mainly the RPC server).
This step remotely executes customised forensic scripts that delete this system's login traces and command execution traces and delete the cache files (mainly the RPC server).
S7: generate a report in a specified format from the remote server's basic information and application information.
In this step, the report management module 16 in the system automatically generates the corresponding report file from the analysis results according to HTML/DOC/TSV/CSV syntax rules.
At the same time, as needed, the Windows screenshot and screen-recording interfaces can be called to take screenshots and record the screen; once enabled, the screen-recording function records automatically in the background.
The example shows that this system solution can set up covert, unobtrusive communication with a remote server and, by copying the remote server's disk data bit by bit directly over an RPC transport protocol, consumes no additional disk space on the remote server and reduces its I/O burden.
In addition, this system can generate a forensics report with one click, greatly improving the user experience.
The basic principles, main features and advantages of the present invention have been shown and described above. Those skilled in the art should understand that the present invention is not limited to the above embodiments; the above embodiments and description only illustrate the principles of the invention, and various changes and improvements may be made to the invention without departing from its spirit and scope, all of which fall within the scope of protection claimed. The claimed scope of the invention is defined by the appended claims and their equivalents.

Claims (10)

1. A system for remote server forensics, comprising a processor and a computer-readable medium storing a computer program, characterised in that, when the computer program is executed by the processor, it:
establishes a session with the remote server to be examined over the SSH protocol or the Windows Remote Management service;
copies the disk data of the remote server to be examined bit by bit directly over an RPC transport protocol.
2. The system for remote server forensics according to claim 1, characterised in that the forensics system comprises:
a session management module, which creates a session with the remote server to be examined over the SSH protocol or the Windows Remote Management service and, through the session, executes scripts in batches and returns their results and uploads/downloads files;
an image transfer module, which transfers data to and from the remote server to be examined over the RPC protocol and copies the remote server's disk data bit by bit over the network to local storage.
3. The system for remote server forensics according to claim 2, characterised in that the forensics system further comprises a case management module for creating and managing cases.
4. The system for remote server forensics according to claim 2, characterised in that the forensics system further comprises a forensic result display module for displaying the basic information and application information of the remote server.
5. The system for remote server forensics according to claim 2, characterised in that the forensics system further comprises a screenshot and screen-recording module for taking screenshots and/or recording the screen in real time during the forensic process.
6. The system for remote server forensics according to claim 2, characterised in that the forensics system further comprises a report management module, which generates a report from the analysis results of the session management module.
7. A method for remote server forensics, characterised in that it comprises:
establishing a session with the remote server to be examined over the SSH protocol or the Windows Remote Management service;
copying the disk data of the remote server to be examined bit by bit directly over an RPC transport protocol.
8. The method for remote server forensics according to claim 7, characterised in that, when copying data, the method comprises:
S1: managing sessions through a thread pool and executing forensic scripts remotely in batches to obtain the basic information and application information of the remote server to be examined;
S2: pushing the RPC server to the remote server to be examined;
S3: remotely starting, through the session, the RPC server on the remote server to be examined so that it listens on a user-defined network port;
S4: starting the local RPC client to connect to the remote server to be examined and transfer the disk data of the remote server to be examined.
9. The method for remote server forensics according to claim 8, characterised in that, when copying data, the method further comprises the step of removing the operation traces left on the remote server after the remote acquisition is complete.
10. The method for remote server forensics according to claim 8, characterised in that, when copying data, the method further comprises the step of generating a report in a specified format from the acquired basic information and application information of the remote server to be examined.

Priority Application (1)

Application Number Priority Date Filing Date Title
CN201811499145.5A (granted as CN109587141B) 2018-12-08 2018-12-08 System and method for obtaining evidence by remote server

Publications (2)

Publication Number Publication Date
CN109587141A 2019-04-05
CN109587141B 2022-01-28

Family

ID=65929294

Country Status (1)

Country Link
CN (1) CN109587141B (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104462996A (en) * 2014-12-03 2015-03-25 公安部第三研究所 Method and system for achieving synergic forensic analysis on remote forensic target terminal
CN105138709A (en) * 2015-10-12 2015-12-09 山东省计算中心(国家超级计算济南中心) Remote evidence taking system based on physical memory analysis
US20160234040A1 (en) * 2015-02-11 2016-08-11 Dell Products L.P. Virtual channel virtual private network
CN106161537A (en) * 2015-04-10 2016-11-23 阿里巴巴集团控股有限公司 Remote procedure call processing method, device, system and electronic equipment

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
牧梦者: "Analysis of RPC principles", 《HTTPS://WWW.CNBLOGS.COM/SWORDFALL/P/8683905.HTML》 *
茶仙女: "Principles of remote procedure call (RPC) and issues to consider", 《HTTPS://BLOG.CSDN.NET/QQ_33497137/ARTICLE/DETAILS/81869293》 *
陈柱成 et al.: "Implementing file transfer in distributed systems with RPC_FTP", 《Computer Applications and Software》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110414274A (en) * 2019-07-01 2019-11-05 北京联合信任技术服务有限公司 Electronic evidence security method and system
CN110414274B (en) * 2019-07-01 2022-03-18 北京联合信任技术服务有限公司 Electronic evidence preservation method and system
CN110414189A (en) * 2019-07-08 2019-11-05 厦门美亚亿安信息科技有限公司 Remote non-inductive examination method and system for computer
CN110414189B (en) * 2019-07-08 2021-06-11 厦门美亚亿安信息科技有限公司 Remote non-inductive examination method and system for computer



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant