CN110348240B - Method and device for extracting and analyzing off-line data of duplicator - Google Patents
- Publication number: CN110348240B (application CN201910549045.7A)
- Authority: CN (China)
- Legal status: Active
- Classification: G06F21/6218 (protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects such as a local or distributed file system or database)
Abstract
The invention belongs to the technical field of copier security protection and relates in particular to a method and a device for extracting and analyzing off-line data of a copier. The method comprises the following steps: reading the device firmware code and obtaining a device target file through reverse analysis, where the target file contains the storage rule for working data; analyzing and extracting the file format of the device and identifying the operating system used by the device; and, combining the file format with the storage rule, obtaining the coding information of the data stored on the device and extracting the off-line data of reference value from the device. The invention is applicable to the different picture-data storage formats of different copier series and realizes the extraction and analysis of the device's off-line data. It can be used independently as a data acquisition module for a copier, or embedded into a copier security check system, where it plays an important role and yields important security benefits for the security inspection, operational security control and information leakage prevention of the inspected unit's digital copiers; it has strong practicability and application prospects.
Description
Technical Field
The invention belongs to the technical field of copier security protection and relates in particular to a method and a device for extracting and analyzing off-line data of a copier.
Background
With the development of information technology, common office equipment such as digital copiers is becoming more digitized by the day, and its storage capability has grown from nothing to something and from weak to strong. The growth in storage capability is accompanied by a growth in the risk of information leakage. Unlike computer memory, the information held in the storage of a digital copier is difficult to find and to clear, which poses a serious security hazard. On the one hand, to eliminate this hazard at the source and rule out the possibility of leakage, the use of copier equipment in daily work is being standardized; on the other hand, a software tool for security-checking the storage component is needed, to provide a technical means of checking whether the storage component holds sensitive information when the equipment is maintained or repaired, or when it is retired and scrapped. Such a tool is used by an inspector to carry out security inspection and checks on a digital copier, to generate an inspection report, and to archive and export the inspection results, which include the equipment model and security level, the storage medium model and serial number, each file and its creation time, the file security level, and the discrimination of sensitive information in files. It plays an important role and brings great security benefits for the security inspection, operational security control and information leakage prevention of the inspected unit's digital copiers.
At present there are many software packages and tools for detecting illegal computer use and for security-checking computers, but few security check technologies exist for intelligent office equipment such as copiers: the copier manufacturers, represented by Japanese firms, hold an absolute monopoly on copier technology and protect it as intellectual property, so public research is scarce. According to our survey, reports and research data devoted to copier security are rarely seen at home or abroad at present, and no related technology has been found in open sources at home or abroad. Digital copier products are updated rapidly; the implementation of functions, the type of file system adopted and the data coding mode may differ between different series of digital copiers from the same manufacturer, and the implementation may even differ between models within the same series, all of which increases the difficulty and workload of research on tools for copier security protection.
Disclosure of Invention
The invention provides a method and a device for extracting and analyzing off-line data of a copier, which extract and analyze the copier's off-line data, facilitate the security protection and supervision of the copier's working data, prevent information leakage, and have strong application prospects.
According to the design scheme provided by the invention, the method for extracting and analyzing the off-line data of the copying machine comprises the following contents:
A) reading the device firmware code, and obtaining a device target file through reverse analysis, where the target file contains the storage rule for working data;
B) analyzing and extracting the file format of the device, and identifying the operating system used by the device;
C) combining the file format with the storage rule to obtain the coding information of the data stored on the device, and extracting the off-line data of reference value from the device.
In the above, in A), reading the device firmware code first identifies the device storage component, and the target file containing the storage rule for the device's stored information is obtained by reverse analysis of the composition structure and logic function of the device firmware code, where the storage rule includes at least the encoding mode of the firmware code.
In the above, in A), a disassembly tool is used to disassemble and/or decompile the device storage component to obtain its disassembled and/or decompiled code and the device target file, where the target file further includes the storage protocol, the communication protocol, and the control commands in the three working states of scanning, copying and printing.
Preferably, for the device storage component, reading a flash memory chip storing the firmware code through a programmer, and acquiring a binary file in the flash memory chip; obtaining a file system of the binary file by analyzing the binary file and an embedded system used by the binary file; and converting the binary file machine code into a readable object code by using a disassembling tool, analyzing the object code, and extracting an object code storage rule, wherein the object code storage rule comprises an object code logic function structure.
In B), user operation information in the device is acquired; the user operation information includes the type of operating system of the device, identified from the extracted device target file.
Preferably, identifying the operating system type of the device comprises firmware module stripping analysis, operating system type identification and kernel version identification. In firmware module stripping analysis, the binary firmware image of the device target file is read, address ranges are divided with the help of a module feature database, and the different module images are dumped and stored separately. In operating system type identification, operating system type identification features are extracted and screened against a type identification feature library, eliminating operating systems that do not match the screening features, and the identification result is obtained by sorting the screened operating systems by their similarity to the operating system to be identified in the firmware module. In kernel version identification, the functions of the kernel to be identified are matched against those of a standard kernel by static-library function matching, and the kernel version is identified from the similarity between the two kernels computed from the number of matched functions.
Preferably, when the different module images are dumped and stored, decompression software is used to restore compressed files as completely as possible; for file system images, the internal data of the file system is parsed and released according to the file system's storage mechanism.
Preferably, the static-library function matching first loads the kernel function library signatures and performs a first round of matching on the kernel functions with the FLIRT function matching method; then performs functional structural matching on the functions not matched in the first round, using a structural matching method; and finally collects all successfully matched functions, calculates the similarity between the kernel to be identified and each standard kernel, and selects the standard kernel in the static library with the highest similarity to the kernel to be identified as the identification result.
In step C), all parsable files in the device storage body are parsed according to the file format, and the data of reference value in the storage body is recovered; this reference data includes pictures, the device user log and the device work log.
Furthermore, the present invention provides an apparatus for extracting and analyzing offline data of a copier, comprising: an analysis module, an acquisition module and an extraction module, wherein,
the analysis module is used for reading the device firmware code and obtaining a device target file through reverse analysis, where the target file contains the storage rule for the working data;
the acquisition module is used for analyzing and extracting the file format of the device and identifying the operating system used by the device;
the extraction module is used for combining the file format with the storage rule to obtain the coding information of the data stored on the device, and extracting the off-line data of reference value from the device.
The invention has the beneficial effects that:
the invention analyzes the device firmware code, storage format, operating system, file structure and file characteristics, realizes the extraction and analysis of off-line data, extracts and analyzes picture data, and extracts valuable data such as user logs and work logs. It handles the different picture-data storage formats of different copier series as well as the extraction and analysis of the device's off-line data, solving the problem of extracting and analyzing the off-line data of existing copiers. It can be used independently as a copier data acquisition module, or be embedded into a copier security check system as the object of inspection and analysis, providing deep data extraction for that system and supplying the data needed to detect whether the copier has illegally copied or scanned classified sensitive information. It plays an important role and brings important security benefits for the security inspection, operational security control and information leakage prevention of the inspected unit's digital copiers, and has strong application prospects.
Description of the drawings:
FIG. 1 is a flowchart of an embodiment of a method for extracting and parsing offline data;
FIG. 2 is a schematic diagram of an offline data extraction and analysis apparatus in an embodiment;
FIG. 3 is a schematic diagram of a binary file read result in one embodiment;
FIG. 4 is a second illustration of the reading result of the binary file in the embodiment;
FIG. 5 is a diagram of a file system obtained by file parsing in an embodiment;
FIG. 6 is a diagram of the identification result for the device storage body in the embodiment;
FIG. 7 is an expanded view of a partition of the device storage component in the embodiment;
FIG. 8 is an expanded view of a partition of the device storage component in the embodiment;
FIG. 9 is an expanded view of a partition of the device storage component in the embodiment;
FIG. 10 is an expanded view of a partition of the device storage component in the embodiment.
Detailed description of the embodiments:
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and technical solutions.
The off-line security check of a copier refers to safely removing the copier's storage component, connecting it to a computer through the storage component's external interface, and starting the digital copier security check system to check the storage component directly. For the security protection of current copier equipment, an embodiment of the present invention, referring to fig. 1, provides a method for extracting and analyzing off-line data of a copier, comprising the following steps:
S101) reading the device firmware code, and obtaining a device target file through reverse analysis, where the target file contains the storage rule for working data;
S102) analyzing and extracting the file format of the device, and identifying the operating system used by the device;
S103) combining the file format with the storage rule to obtain the coding information of the data stored on the device, and extracting the off-line data of reference value from the device.
The method analyzes the aspects of equipment firmware codes, storage formats, operating systems, file structures, file characteristics and the like, realizes extraction and analysis of offline data, can extract and analyze picture data, and can extract valuable data such as user logs, work logs and the like.
Further, in the embodiment of the present invention, reading the device firmware code first identifies the device storage component, and the target file containing the storage rule for the device's stored information is obtained by reverse analysis of the composition structure and logic function of the device firmware code, where the storage rule includes at least the encoding mode of the firmware code.
Further, in the embodiment of the present invention, tools such as IDA Pro and Hex-Rays are used to disassemble and/or decompile the device storage component, obtaining its disassembled and/or decompiled code and the device target file, where the target file further includes the storage protocol, the communication protocol, and the control commands in the three working states of scanning, copying and printing.
Further, in the embodiment of the present invention, for the device storage component, the flash memory chip storing the firmware code is read by the programmer, and the binary file in the flash memory chip is obtained; obtaining a file system of the binary file by analyzing the binary file and an embedded system used by the binary file; and converting the binary file machine code into a readable object code by using a disassembling tool, analyzing the object code, and extracting an object code storage rule, wherein the object code storage rule comprises an object code logic function structure.
Further, in the embodiment of the present invention, user operation information in the device is acquired, and the type of operating system run by the device is identified from the extracted device target file.
Furthermore, in the embodiment of the present invention, identifying the type of operating system run by the device comprises firmware module stripping analysis, operating system type identification and kernel version identification. In firmware module stripping analysis, the binary firmware image of the device target file is read, address ranges are divided with the help of the module feature database, and the different module images are dumped and stored separately. In operating system type identification, operating system type identification features are extracted and screened against a type identification feature library, eliminating operating systems that do not match the screening features, and the identification result is obtained by sorting the screened operating systems by their similarity to the operating system to be identified in the firmware module. In kernel version identification, the functions of the kernel to be identified are matched against those of a standard kernel by static-library function matching, and the kernel version is identified from the similarity between the two kernels computed from the number of matched functions.
Furthermore, in the embodiment of the invention, when the different module images are dumped and stored, decompression software is used to restore compressed files as completely as possible; for file system images, the internal data of the file system is parsed and released according to the file system's storage mechanism.
Furthermore, in the embodiment of the invention, the static-library function matching first loads the kernel function library signatures and performs a first round of matching on the kernel functions with the FLIRT function matching method; then performs functional structural matching on the functions not matched in the first round, using a structural matching method; and finally collects all successfully matched functions, calculates the similarity between the kernel to be identified and each standard kernel, and selects the standard kernel in the static library with the highest similarity to the kernel to be identified as the identification result.
Further, in the embodiment of the present invention, all parsable files in the device storage body are parsed according to the file format, and the data of reference value in the storage body is recovered; the types of reference data include pictures, the device user log and the device work log.
Furthermore, an embodiment of the present invention provides an off-line data extraction and analysis device for a copier, as shown in fig. 2, comprising an analysis module 101, an acquisition module 102 and an extraction module 103, where
the analysis module 101 is configured to read the device firmware code and obtain a device target file through reverse analysis, where the target file contains the storage rule for the working data;
the acquisition module 102 is configured to analyze and extract the device file format and identify the operating system used by the device;
the extraction module 103 is configured to combine the file format with the storage rule to obtain the coding information of the data stored on the device, and to extract the off-line data of reference value from the device.
The technical solution in the embodiment of the present invention is further explained below using a Kyocera digital copier (the Kyocera 3500i is taken as an example):
The back plate of the Kyocera 3500i copier is removed; its storage component is a 2.5-inch 160 GB Western Digital hard disk using the current mainstream SATA (Serial ATA) interface. This brand of copier is a typical embedded device: an embedded system composed of an embedded processor, firmware code and a storage component. Identifying the copier's storage component is a prerequisite for cracking the firmware code. The composition structure and logic function of the device firmware code are analyzed, and the coding mode of the information stored by the device is cracked, through reverse analysis of the firmware code in the control chip, such as disassembly, decompilation, static simulation and dynamic simulation. The control and storage chips of some digital copiers are mainly PowerPC or ARM; some manufacturers use their own special chips with no marking or description on the chip. Tools such as IDA Pro and Hex-Rays can be used to disassemble and decompile the control chips of common office equipment, obtain the disassembled and decompiled code, and crack the storage protocol, communication protocol, control commands and similar content. With continuous technical innovation, the security technology of digital copiers has become more and more complete. The data on the Kyocera copier's hard disk is stored in a special format and cannot be viewed directly; to analyze this data it is necessary to read the copier's firmware code. The firmware code reading and analysis process is as follows:
The FLASH chips storing the firmware code are removed from the main board. The Kyocera main board has three FLASH chips: on the front are two NOR FLASH chips, U12 LH_2f00003.040.nor and U22 LH_2f00003.040.nor; on the reverse is one NAND FLASH chip, U32 LH_2f00003.040.nand. The embedded firmware is stored in the FLASH chips as compiled binary files (BIN), and a programmer is used to read the data out of each chip. One BIN file is read from each chip, named nor u1.BIN, nor u2.BIN and nand u3.BIN respectively. The files are opened with a binary editor; fig. 3 shows nor u1.bin and fig. 4 shows nand u3.bin. Since most of the data is stored in the NAND FLASH, the focus is on parsing nand u3.bin. Analysis of the firmware file format shows that the embedded file system used by nand u3.bin is Cramfs; the file system obtained after decompressing the file is shown in fig. 5. The parsed files are mostly machine code in binary form, which must first be restored and converted into a readable code representation before analysis. A combination of a disassembly tool and manual analysis is used: the disassembly tool first converts the binary machine code into readable PowerPC assembly; the object code is then read and analyzed manually, flow analysis is carried out on the disassembled assembly-level code, recording information about the changes in code flow; and finally the logic function structure of the object code is sorted out and extracted.
After the firmware code has been read, the next job is to determine the type of operating system the digital copier runs. Research shows that most operating systems used in commercially available digital copiers are Embedded Operating Systems (EOSs). The embedded operating system is the management core of the digital copier, responsible for allocating and scheduling all of the copier's software and hardware resources, and is the system software that supports the copier's normal operation. Reverse analysis of the embedded operating system is the process of stripping the operating system out of the digital copier firmware and reverse-analyzing its structure, modules and code. Identifying the operating system type in the firmware of a digital copier is divided into three steps: firmware module stripping and reverse analysis, operating system type identification, and kernel version identification. It requires a firmware module feature library, an operating system type identification feature library and a kernel version identification feature library, generated by analyzing the various existing embedded operating systems.
The stripping and reverse analysis of modules is the basic reverse processing of the firmware. Its input is the unknown binary firmware image read out in the earlier stage; with the support of the module feature database, the main modules in the binary firmware image are divided into address ranges, and on that basis the different module images are dumped and stored separately. Compressed files are restored as completely as possible with suitable decompression software; for file system images, a file system restoration method is designed according to the file system's storage mechanism to parse and release the internal data of the file system.
Operating system type identification mainly determines the type of operating system used by the firmware. Through the basic reverse processing of the firmware code, information related to the operating system can be obtained. For the reverse-analyzed data and files, the operating system type identification features are extracted first; on the basis of these features, operating systems are screened against the type identification feature library, eliminating those that do not match the screening features; then the similarity between each remaining operating system and the operating system to be identified in the firmware is calculated, the similarities are sorted, and the identification result is decided from the screening result according to similarity.
Kernel version identification mainly identifies the version of the operating system kernel image stripped out during reverse processing. Using the function matching idea from static library function identification, the functions of the kernel to be identified are matched against those of a standard kernel, and the similarity between the two, calculated from the number of matched functions, is used to decide the kernel version. The function matching adopts the FLIRT library function identification method of IDA Pro, combined with the existing kernel version identification feature database: first the kernel function library signatures are loaded and a first round of matching is performed on the kernel functions with the FLIRT function matching method; then functional structural matching is performed with an improved structural matching method to further match the functions not matched in the first round; finally, all successfully matched functions are collected, the similarity between the kernel to be identified and each standard kernel is calculated, and the kernel in the feature library with the highest similarity to the kernel to be identified is selected as the identification result.
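The Cramfs identification of the NAND dump described earlier and the module stripping step above both come down to one operation: scanning a raw image against a feature database of file-system and container signatures, validating each hit, and dividing the image into address ranges. The following is an added example, not code from the patent; it carves a constructed 16 KiB image into gzip, Cramfs and XFS regions using the real on-disk magic values and superblock layouts, and rejects a decoy "XFSB" string whose superblock fields are implausible. The assumption that a module extends to the next recognised module is a simplification for illustration.

```python
import struct

# --- superblock decoders (field offsets are the real on-disk layouts) -------------

def decode_cramfs(img, off):
    # Cramfs superblock: LE magic @0, size @4, flags @8, "Compressed ROMFS" @16, name @48
    size, flags = struct.unpack_from("<II", img, off + 4)
    name = img[off + 48:off + 64].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"size": size, "flags": flags, "name": name}

def decode_xfs(img, off):
    # XFS superblock is big-endian: blocksize @4, dblocks @8, sectsize @102,
    # inodesize @104, fname @108 (12 bytes)
    blocksize = struct.unpack_from(">I", img, off + 4)[0]
    dblocks = struct.unpack_from(">Q", img, off + 8)[0]
    sectsize, inodesize = struct.unpack_from(">HH", img, off + 102)
    fname = img[off + 108:off + 120].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"blocksize": blocksize, "dblocks": dblocks, "sectsize": sectsize,
            "inodesize": inodesize, "fname": fname}

# --- validators: a magic alone is not enough, so each hit is sanity-checked -------

def _valid_gzip(img, off):
    # method must be 8 (deflate) and the three reserved flag bits must be clear
    return off + 4 <= len(img) and img[off + 2] == 8 and (img[off + 3] & 0xE0) == 0

def _valid_cramfs(img, off):
    return img[off + 16:off + 32] == b"Compressed ROMFS"

def _valid_squashfs(img, off):
    # squashfs v4: block_size @12 must equal 1 << block_log (@22), 4 KiB..1 MiB
    if off + 32 > len(img):
        return False
    block_size = struct.unpack_from("<I", img, off + 12)[0]
    block_log = struct.unpack_from("<H", img, off + 22)[0]
    return 12 <= block_log <= 20 and block_size == (1 << block_log)

def _valid_xfs(img, off):
    if off + 120 > len(img):
        return False
    bs = struct.unpack_from(">I", img, off + 4)[0]
    return 512 <= bs <= 65536 and bs & (bs - 1) == 0

# Constructed, minimal "module feature database"; the magic values are the real ones.
FEATURE_DB = [
    ("gzip",     b"\x1f\x8b",         _valid_gzip,     None),
    ("cramfs",   b"\x45\x3d\xcd\x28", _valid_cramfs,   decode_cramfs),  # 0x28cd3d45 LE
    ("squashfs", b"hsqs",             _valid_squashfs, None),
    ("xfs",      b"XFSB",             _valid_xfs,      decode_xfs),
]

def carve_modules(img):
    """Divide a raw firmware image into address ranges by validated magic signatures."""
    hits = []
    for kind, magic, valid, decode in FEATURE_DB:
        pos = img.find(magic)
        while pos != -1:
            if valid(img, pos):
                hits.append({"offset": pos, "type": kind,
                             "info": decode(img, pos) if decode else {}})
            pos = img.find(magic, pos + 1)
    hits.sort(key=lambda h: h["offset"])
    # assumption for illustration: a module extends to the next recognised module
    for i, h in enumerate(hits):
        h["end"] = hits[i + 1]["offset"] if i + 1 < len(hits) else len(img)
    return hits

def build_sample_image():
    """Constructed 16 KiB image: gzip header, a decoy XFSB string, a Cramfs and an XFS superblock."""
    img = bytearray(0x4000)
    img[0:4] = b"\x1f\x8b\x08\x00"                      # gzip member header
    img[0x200:0x208] = b"XFSB\x00\x00\x00\x03"          # decoy: blocksize 3 is invalid
    cram = struct.pack("<IIII", 0x28CD3D45, 4096, 0, 0) + b"Compressed ROMFS"
    cram += bytes(16) + b"rootfs".ljust(16, b"\0")
    img[0x1000:0x1000 + len(cram)] = cram
    sb = bytearray(512)
    sb[0:4] = b"XFSB"
    struct.pack_into(">IQ", sb, 4, 4096, 40960)         # blocksize, dblocks
    struct.pack_into(">HH", sb, 102, 512, 256)          # sectsize, inodesize
    sb[108:120] = b"TESTFS".ljust(12, b"\0")
    img[0x3000:0x3000 + 512] = sb
    return bytes(img)

if __name__ == "__main__":
    for m in carve_modules(build_sample_image()):
        print(f"{m['offset']:#08x}-{m['end']:#08x} {m['type']:9s} {m['info']}")
```

Run against a real dump, the output is the address-range table the patent's module stripping step produces; each validated region can then be sliced out and handed to the matching decompressor or file system parser.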
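The screening-then-ranking logic of the paragraph above, as an added example that is not part of the patent. The feature library here is a constructed, deliberately small one (a few widely known identification strings per operating system) and the weights are arbitrary; a required feature acts as the screening criterion, and survivors are ranked by the weighted fraction of their features found among the printable strings of the image.

```python
import re

# Constructed, illustrative feature library. An OS with none of its "required"
# strings present is eliminated outright; the survivors are scored on the
# weighted features. A production library would hold far more entries.
REQUIRED_WEIGHT = 3
OS_FEATURES = {
    "linux":   {"required": [b"Linux version"],
                "weighted": {b"/lib/modules": 2, b"BusyBox": 2, b"/proc/": 1, b"init=": 1}},
    "vxworks": {"required": [b"VxWorks"],
                "weighted": {b"WIND version": 2, b"tShell": 1}},
    "ucos":    {"required": [b"uC/OS"],
                "weighted": {b"OSTaskCreate": 2, b"OSTimeDly": 1}},
}

def extract_strings(blob, min_len=4):
    """Printable-ASCII runs: the raw material for feature extraction."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def _present(feature, strings):
    return any(feature in s for s in strings)

def identify_os(blob):
    """Screen the feature library against the image, then rank survivors by similarity."""
    strings = extract_strings(blob)
    ranked, eliminated = [], []
    for name, feats in OS_FEATURES.items():
        if not any(_present(r, strings) for r in feats["required"]):
            eliminated.append(name)
            continue
        total = REQUIRED_WEIGHT + sum(feats["weighted"].values())
        score = REQUIRED_WEIGHT + sum(w for f, w in feats["weighted"].items()
                                      if _present(f, strings))
        ranked.append((name, score / total))
    ranked.sort(key=lambda t: t[1], reverse=True)
    return {"result": ranked[0][0] if ranked else "unknown",
            "ranked": ranked, "eliminated": eliminated}

def build_sample_blob():
    """Constructed image fragment: Linux strings plus one stray VxWorks-style string."""
    return (bytes(8) + b"Linux version 2.6.x-placeholder (constructed)\0"
            + b"/lib/modules/\0" + bytes(3) + b"BusyBox v1.x (constructed)\0"
            + b"tShell\0" + bytes(16))

if __name__ == "__main__":
    print(identify_os(build_sample_blob()))
```

The stray "tShell" string shows why screening precedes scoring: without a required feature present, VxWorks is eliminated rather than collecting a partial score from a single coincidental match.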
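The two-round matching above, as an added example that is not code from the patent or from IDA Pro. Round one is a FLIRT-style leading-byte signature match (wildcards stand for bytes that relocation changes); round two is a simplified stand-in for the patent's "improved structural matching" that compares function size and call count for whatever the signatures left unmatched; similarity is the matched fraction, and the reference kernel with the highest similarity wins. The reference signature sets, the function bytes and the version labels are all constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Func:
    """A function of the kernel under test: its bytes plus a structural feature."""
    name: str
    code: bytes
    calls: int            # number of call instructions (hypothetical structural feature)

@dataclass
class RefFunc:
    """Standard-kernel entry: FLIRT-style leading-byte pattern, None = wildcard byte."""
    name: str
    pattern: list
    size: int
    calls: int

def sig_match(pattern, code):
    return len(code) >= len(pattern) and all(p is None or p == b for p, b in zip(pattern, code))

def struct_match(ref, func, tolerance=0.1):
    """Simplified structural criterion: same call count, size within tolerance."""
    return ref.calls == func.calls and abs(len(func.code) - ref.size) <= max(1, int(ref.size * tolerance))

def match_kernel(target, ref_funcs):
    """Two-round matching of a kernel under test against one standard kernel."""
    unmatched_t, unmatched_r, matched = list(target), list(ref_funcs), []
    for f in list(unmatched_t):                       # round 1: signatures
        for r in unmatched_r:
            if sig_match(r.pattern, f.code):
                matched.append((f.name, r.name, "signature"))
                unmatched_t.remove(f)
                unmatched_r.remove(r)
                break
    round1 = len(matched)
    for f in list(unmatched_t):                       # round 2: structure
        for r in unmatched_r:
            if struct_match(r, f):
                matched.append((f.name, r.name, "structural"))
                unmatched_t.remove(f)
                unmatched_r.remove(r)
                break
    return {"similarity": len(matched) / len(target), "round1": round1,
            "round2": len(matched) - round1, "pairs": matched}

def identify_kernel_version(target, ref_db):
    scores = {ver: match_kernel(target, funcs) for ver, funcs in ref_db.items()}
    return max(scores, key=lambda v: scores[v]["similarity"]), scores

# Constructed reference database (PowerPC-flavoured byte patterns, invented versions).
PROLOGUE = [0x94, 0x21, 0xFF, 0xF0, None, None, 0x7C, 0x08, 0x02, 0xA6]
REF_DB = {
    "2.6.18-ref (constructed)": [
        RefFunc("alloc_a", PROLOGUE, 32, 0),
        RefFunc("ret_one", [0x38, 0x60, 0x00, 0x01, 0x4E, 0x80, 0x00, 0x20], 16, 0),
        RefFunc("ret_zero", [0x38, 0x60, 0x00, 0x00, 0x4E, 0x80, 0x00, 0x20], 16, 0),
        RefFunc("dispatch", [0x94, 0x21, 0xFF, 0xE0, None, None, None, None, 0x48, None, None, 0x01], 64, 3),
    ],
    "2.6.32-ref (constructed)": [
        RefFunc("alloc_a", [0x94, 0x21, 0xFF, 0xE0, None, None, 0x7C, 0x08, 0x02, 0xA6], 32, 2),
        RefFunc("ret_two", [0x38, 0x60, 0x00, 0x02, 0x4E, 0x80, 0x00, 0x20], 16, 0),
        RefFunc("ret_zero", [0x38, 0x60, 0x00, 0x00, 0x4E, 0x80, 0x00, 0x20], 16, 0),
        RefFunc("sched", [0x94, 0x21, 0xFF, 0xC0], 128, 5),
    ],
}

def build_target_kernel():
    """Constructed kernel under test: three signature hits and one relocation-damaged function."""
    return [
        Func("f1", bytes([0x94, 0x21, 0xFF, 0xF0, 0x12, 0x34, 0x7C, 0x08, 0x02, 0xA6]) + bytes(22), 0),
        Func("f2", bytes([0x38, 0x60, 0x00, 0x01, 0x4E, 0x80, 0x00, 0x20]) + bytes(8), 0),
        Func("f3", bytes([0x38, 0x60, 0x00, 0x00, 0x4E, 0x80, 0x00, 0x20]) + bytes(8), 0),
        # byte 8 is 0x4B instead of 0x48, so only the structural round can pair it with "dispatch"
        Func("f4", bytes([0x94, 0x21, 0xFF, 0xE0]) + bytes(4) + bytes([0x4B, 0xFF, 0xFE, 0x01]) + bytes(48), 3),
    ]

if __name__ == "__main__":
    best, scores = identify_kernel_version(build_target_kernel(), REF_DB)
    print(best, scores[best])
```

The worked case is the one the patent cares about: the function that signature matching cannot resolve (its branch target changed under relocation) is still recovered in the structural round, which is what lifts the correct reference kernel to full similarity.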
After the embedded operating system used by the digital copying machine is judged, the file system type of the digital copying machine is further identified, and all the separable files stored in the storage body are analyzed according to the definition format of the file system. There are various file system types of embedded operating systems, such as Cramfs, Ext2, Ext3, Reiserfs, ufs2, xfs, etc. The file system is divided according to the structure and is based on directory and compression; the file system is divided according to a file storage mode and is based on an index and chain structure; the file system is divided according to the operation mode and the existence form of the file system, and is based on a hard disk, a FLASH and a memory. Different brands of hard disk copy machines use different file systems for storing data and are closely related to the operating systems used by them. Through detailed analysis of the hard disk of the Beijing porcelain copier, the hard disk of Kyocera 3500i has been determined to use the xfs file system.
After the hard disk file system of Kyocera 3500i is determined, all data and files on its hard disk can be parsed by using a parse file system tool for the XFS file system, thereby recovering valuable data on the hard disk. And carrying out detailed analysis according to the analyzed file system partition. Fig. 6 shows the number of partitions recognized by the file system tool for the Kyocera 3500i hard disk, starting from hdb [298.09GB, fiexd ] (hda [298.09GB, fiexd ] is the local physical hard disk identifier), there are 11 partitions in total of hdb5-hdb15, and there are next-level folders and some files under each partition, where the partitions that have value in code cracking and information erasure are the contents of hdb6, hdb10, and hdb 14. The hdb6 partition is expanded as shown in FIG. 7, and it can be seen that there are two folders and 10 files named beginning with 00000001 — which are analyzed to find some data files, preview files and attribute files that are primarily related to the scanned data. The hdb10 partition is expanded as in fig. 8, where user log data, work log data, etc. are primarily stored. Folders and files related to various types of print data are mainly stored under the jbps directory in the hdb14 partition, and are expanded as shown in fig. 9. The folders and files related to the copy data are mainly stored under the rep directory in the hdb14 partition, expanded as shown in fig. 10. Table 1 shows the results of analyzing the valuable document data in each partition and its folder and displaying the analyzed data in a list.
TABLE 1 Kyocera 3500i hard disk file system parsing case
TABLE 1 Kyocera 3500i hard disk file system analysis case (continuation Table 1)
The storage directory of the scanned file of the Beijing porcelain copier is hdb6\ user \ root \ b000X \ d000X (wherein X in b000X represents the serial number of a folder, and X in d000X represents the serial number of a file), and a main data file is 0000000X _ page _ image.dat (wherein X represents the serial number of the page number of the file) and an attribute file is 0000000X _ page _ attr.dat. After the original picture data is extracted, the display cannot be opened directly, and further analysis work is needed. The experimental analysis shows that the image data of the Beijing porcelain copying machine is in a jpg format and is divided into a plurality of strip-shaped image blocks for discontinuous strip storage. Firstly, extracting the block number of the picture and the height and width of each block of the picture from the attribute file, then extracting image blocks in the data file one by one according to the file characteristics in the jpg format, and finally splicing a plurality of image blocks into a complete picture according to the extraction sequence. Thus, the analysis of one picture is completed.
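The picture reassembly procedure above (read the block count and per-block geometry from the attribute file, carve the jpg blocks one by one from the data file, then splice them in extraction order), as an added example that is not code from the patent. The page does not document the attribute file's binary layout, so the layout parsed here (little-endian u32 block count followed by u32 height and u32 width per block) is an assumption; the data file and attribute file are constructed in the block. The carving follows the JPEG marker structure rather than a naive search for the end-of-image bytes, so byte stuffing and restart markers inside the entropy-coded data do not cut a strip short. Decoding and pixel-level stitching of the strips is left to an image library and is not part of the block; the function returns the ordered manifest that such stitching consumes.

```python
import struct

SOS, EOI = 0xDA, 0xD9

def jpeg_length(blob, start):
    """Walk the JPEG marker structure from an SOI at `start`; return its length or None."""
    if blob[start:start + 3] != b"\xff\xd8\xff":
        return None
    pos, n = start + 2, len(blob)
    while pos + 2 <= n:
        if blob[pos] != 0xFF:
            return None                      # lost sync: not a marker
        marker = blob[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2 - start
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:
            pos += 2                         # standalone markers carry no length
            continue
        if pos + 4 > n:
            return None
        seglen = struct.unpack_from(">H", blob, pos + 2)[0]
        if seglen < 2:
            return None
        pos += 2 + seglen
        if marker == SOS:
            # entropy-coded data follows: skip until a real marker; 0xFF00 is byte
            # stuffing and 0xFFD0..D7 are restart markers, both part of the data
            while pos + 1 < n:
                if blob[pos] == 0xFF and blob[pos + 1] != 0x00 and not (0xD0 <= blob[pos + 1] <= 0xD7):
                    break
                pos += 1
    return None

def carve_jpegs(blob):
    """Return (offset, length) of every structurally complete JPEG in the blob, in file order."""
    found, pos = [], 0
    while True:
        pos = blob.find(b"\xff\xd8\xff", pos)
        if pos == -1:
            return found
        length = jpeg_length(blob, pos)
        if length is None:
            pos += 1
        else:
            found.append((pos, length))
            pos += length

def parse_attr(attr):
    """Assumed (hypothetical) attribute layout: LE u32 block count, then u32 height, u32 width per block."""
    count = struct.unpack_from("<I", attr, 0)[0]
    return [struct.unpack_from("<II", attr, 4 + 8 * i) for i in range(count)]

def reassemble_manifest(data, attr):
    """Pair carved strips with their attributes in extraction order and check consistency."""
    dims = parse_attr(attr)
    strips = carve_jpegs(data)
    if len(strips) != len(dims):
        raise ValueError(f"attribute file declares {len(dims)} blocks, carved {len(strips)}")
    widths = {w for _, w in dims}
    if len(widths) != 1:
        raise ValueError("strips of one page must share a width")
    blocks = [{"index": i, "offset": off, "length": ln, "height": h, "width": w}
              for i, ((off, ln), (h, w)) in enumerate(zip(strips, dims))]
    return {"blocks": blocks, "height": sum(h for h, _ in dims), "width": widths.pop()}

def _strip(payload):
    """Constructed minimal JPEG: SOI, APP0, SOS, entropy data with stuffing and a RST marker, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\0" + bytes(9)
    sos = b"\xff\xda" + struct.pack(">H", 8) + bytes(6)
    entropy = b"\x12\xff\x00\x34\xff\xd0\x56" + payload
    return b"\xff\xd8" + app0 + sos + entropy + b"\xff\xd9"

def build_sample_capture():
    """Constructed data file with three strips separated by filler, plus its attribute file."""
    data = bytes(16) + _strip(b"\xa1") + b"\xab" * 8 + _strip(b"\xa2") + _strip(b"\xa3") + bytes(4)
    attr = struct.pack("<I", 3) + struct.pack("<II", 200, 2480) * 2 + struct.pack("<II", 112, 2480)
    return data, attr

if __name__ == "__main__":
    data, attr = build_sample_capture()
    print(reassemble_manifest(data, attr))
```

The consistency checks are the practitioner's safeguard: a strip count that disagrees with the attribute file, or strips of differing width, means the carve is wrong or the data file is truncated, and the page should be flagged rather than silently stitched.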
For the Kyocera digital copier, detailed analysis was carried out on the firmware code, storage format, operating system, file structure and file characteristics; extraction and analysis of the offline data was achieved, picture data was extracted and parsed, and valuable data such as user logs and work logs was recovered. Different series of Kyocera copiers use different image data storage formats, and the technical scheme of the invention still achieves extraction and analysis of their offline data; the implementation steps of the method also provide a reference for obtaining offline data from copiers of other brands. The technical scheme of the invention can be used independently as a data acquisition module for a copier, or embedded in a copier security check system to provide deep data extraction for that system, where the extracted data serves as the object of inspection and analysis and supports detection of whether the copier has copied or scanned confidential or sensitive information in violation of policy. The method plays an important role and yields important security benefits for the operational security inspection, operational security control and prevention of operational information leakage of digital copiers in inspected organizations, and has strong practicability and application prospects.
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
Based on the foregoing method, an embodiment of the present invention further provides a server, including: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method described above.
Based on the above method, the embodiment of the present invention further provides a computer readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the above method.
The device provided by the embodiment of the present invention has the same implementation principle and technical effects as the method embodiments; for brevity, where the device embodiments do not mention a point, reference may be made to the corresponding content of the method embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form. In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that the above embodiments are only specific embodiments of the present invention, used to illustrate its technical solutions and not to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art may, within the technical scope of the present disclosure, modify or easily conceive of changes to the technical solutions described in the foregoing embodiments, or substitute equivalents for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention and shall be construed as falling within it. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (8)
1. A method for extracting and analyzing off-line data of a copier is characterized in that,
A) reading a device firmware code, and obtaining a device target file through reverse analysis, wherein the target file comprises a storage rule of working data;
B) analyzing and extracting the file format of the equipment, and acquiring a user operating system in the equipment;
C) acquiring coding information of equipment storage data by combining a file format and a storage rule, and extracting off-line data with reference value in the equipment;
wherein, in B), acquiring the user operating system in the equipment comprises identifying the type of operating system run by the equipment from the extracted equipment target file;
identifying the type of operating system run by the equipment includes firmware module stripping analysis, operating system type identification and kernel version identification, wherein in the firmware module stripping analysis the binary firmware image of the equipment target file is read, address ranges are divided with the aid of a module feature database, and the different module images are separated out and stored; in the operating system type identification, operating system type identification features are extracted and screened against a type identification feature library so that operating systems not matching the screening features are eliminated, and the operating system type identification result is obtained from the similarity ranking between the screened operating systems and the operating system to be identified in the firmware module; in the kernel version identification, the kernel to be identified is matched function by function against standard kernels using static library function matching, and the kernel version is identified from the similarity between the kernel to be identified and each standard kernel, calculated from the number of matched functions.
2. The method for extracting and analyzing offline data of a copying machine according to claim 1, wherein A) reading device firmware codes, firstly identifying device storage components, and obtaining a target file containing device storage information storage rules by reversely analyzing the composition structure and logic function of the device firmware codes, wherein the storage rules at least comprise firmware code encoding modes.
3. The method for extracting and analyzing offline data of a copying machine according to claim 1 or 2, wherein in A), a disassembling tool is used to disassemble and/or decompile the device storage component to obtain its disassembled and/or decompiled code, and a device target file is obtained, wherein the target file further comprises a storage protocol, a communication protocol and the control commands in the three working states of scanning, copying and printing.
4. The method for extracting and parsing offline data of a copier according to claim 2, wherein, for the device storage unit, a flash memory chip storing firmware codes is read by a programmer to obtain a binary file in the flash memory chip; obtaining a file system of the binary file by analyzing the binary file and an embedded system used by the binary file; and converting the binary file machine code into a readable object code by using a disassembling tool, analyzing the object code, and extracting an object code storage rule, wherein the object code storage rule comprises an object code logic function structure.
5. The method for extracting and analyzing offline data of a copying machine according to claim 1, wherein, when the different module images are separated out and stored, decompression software is used to restore compressed files as fully as possible; and for a file system image, the data inside the file system is parsed and released according to the file system storage mechanism.
6. The method for extracting and analyzing offline data of a copying machine according to claim 1, wherein the static library function matching first loads a kernel function library signature and performs a first pass of kernel function matching with the FLIRT function matching method; then performs functional structural matching, by a structural matching method, on the functions not matched in the first pass; and finally collects all successfully matched functions, calculates the similarity between the kernel to be identified and each standard kernel, and selects the standard kernel in the static library functions with the highest similarity to the kernel to be identified as the identification result.
7. The method for extracting and parsing offline data of a copier according to claim 1, wherein in step C), all parsable files in the device memory bank are parsed according to the file format, and reference-value data in the device memory bank is recovered, wherein the reference-value data types comprise a picture type, a device user log and a device work log.
8. An off-line data extraction and analysis device for a copying machine, which is realized based on the off-line data extraction and analysis method for a copying machine according to claim 1, comprising: an analysis module, an acquisition module and an extraction module, wherein,
the analysis module is used for reading the equipment firmware code and obtaining an equipment target file through reverse analysis, wherein the target file contains the storage rule of the working data;
the acquisition module is used for analyzing and extracting the file format of the equipment and acquiring a user operating system in the equipment;
and the extraction module is used for acquiring the coding information of the equipment storage data by combining the file format and the storage rule and extracting the off-line data with reference value in the equipment.
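The kernel version identification of claims 1 and 6, as an added example that is not the patent's implementation: a FLIRT-style first pass (leading bytes with relocated operands wildcarded, plus a CRC of the rest) matches a stripped target kernel's functions against each standard kernel's library, a structural second pass matches the leftovers by callee set and size, and the matched-function ratio picks the most similar version. The kernel versions, function names and byte strings in the sample library and target are constructed placeholders, and the signature format is a simplification of the real FLIRT format.

```python
import zlib

class Func:
    """One recovered function: its raw bytes and the functions it calls (as a
    disassembler would list them). Target functions carry placeholder names."""
    def __init__(self, name, code, calls=()):
        self.name, self.code, self.calls = name, bytes(code), tuple(calls)

RELOC_MASK = {4, 5, 6, 7}   # byte positions holding a relocated address: wildcard them

def make_signature(func, head=8, mask=RELOC_MASK):
    """FLIRT-style signature: the first `head` bytes with relocatable bytes
    wildcarded (None), plus a CRC of the bytes that follow."""
    pattern = tuple(None if i in mask else b for i, b in enumerate(func.code[:head]))
    return pattern, zlib.crc32(func.code[head:])

def signature_matches(sig, func):
    pattern, crc = sig
    head = len(pattern)
    if len(func.code) < head:
        return False
    if any(p is not None and p != b for p, b in zip(pattern, func.code[:head])):
        return False
    return zlib.crc32(func.code[head:]) == crc

def match_kernel(target, std_funcs, size_tol=0.25):
    """Return {target_name: standard_name} after the two matching passes."""
    resolved = {}
    sigs = [(f.name, make_signature(f)) for f in std_funcs]
    for tf in target:                                    # pass 1: signature matching
        for name, sig in sigs:
            if name not in resolved.values() and signature_matches(sig, tf):
                resolved[tf.name] = name
                break
    left = [f for f in std_funcs if f.name not in resolved.values()]
    for tf in target:                                    # pass 2: structural matching
        if tf.name in resolved:
            continue
        callees = sorted(resolved.get(c, "?") for c in tf.calls)   # map calls via pass 1
        for sf in left:
            if sorted(sf.calls) == callees and abs(len(sf.code) - len(tf.code)) <= size_tol * len(sf.code):
                resolved[tf.name] = sf.name
                left.remove(sf)
                break
    return resolved

def identify_kernel(target, standard_kernels):
    """Score the target against each standard kernel by matched-function ratio
    and return the best version together with all scores."""
    scores = {ver: len(match_kernel(target, funcs)) / len(funcs)
              for ver, funcs in standard_kernels.items()}
    return max(scores, key=scores.get), scores

# --- constructed sample library and target (byte strings are illustrative, not real kernel code) ---
PRO = b"\x55\x48\x89\xe5"                   # push rbp; mov rbp, rsp
def code(reloc, body): return PRO + reloc + body

STANDARD_KERNELS = {
    "v4.4": [
        Func("kmalloc",    code(b"\x00\x00\x40\x00", b"\x48\x83\xec\x10\x90\x90\xc3")),
        Func("kfree",      code(b"\x00\x00\x41\x00", b"\x31\xc0\x5d\xc3")),
        Func("kstrdup",    code(b"\x00\x00\x42\x00", b"\xe8\x00\x00\x00\x00\x48\x89\xc7\x5d\xc3"), ("kmalloc",)),
        Func("seq_printf", code(b"\x00\x00\x43\x00", b"\xe8\x00\x00\x00\x00\xe8\x00\x00\x00\x00\xc3"), ("kmalloc", "kfree")),
    ],
    "v3.10": [
        Func("kmalloc", code(b"\x00\x00\x30\x00", b"\x48\x83\xec\x20\x90\xc3")),
        Func("kfree",   code(b"\x00\x00\x31\x00", b"\x31\xc0\x5d\xc3")),
        Func("kstrdup", code(b"\x00\x00\x32\x00", b"\xe8\x00\x00\x00\x00\x5d\xc3"), ("kmalloc",)),
        Func("printk",  code(b"\x00\x00\x33\x00", b"\xc3")),
    ],
}
# Stripped target: same code as v4.4 with different relocations, and kstrdup rebuilt with one extra nop
TARGET = [
    Func("sub_1000", code(b"\x11\x22\x33\x44", b"\x48\x83\xec\x10\x90\x90\xc3")),
    Func("sub_1100", code(b"\x11\x22\x33\x55", b"\x31\xc0\x5d\xc3")),
    Func("sub_1200", code(b"\x11\x22\x33\x66", b"\xe8\x00\x00\x00\x00\x48\x89\xc7\x90\x5d\xc3"), ("sub_1000",)),
    Func("sub_1300", code(b"\x11\x22\x33\x77", b"\xe8\x00\x00\x00\x00\xe8\x00\x00\x00\x00\xc3"), ("sub_1000", "sub_1100")),
]

if __name__ == "__main__":
    print(identify_kernel(TARGET, STANDARD_KERNELS))
```

The second pass is what separates the two candidates here: the rebuilt kstrdup fails its CRC in both libraries, but only the v4.4 library has a function with the same callee set and a size within tolerance, so v4.4 scores a full match while v3.10 is left at half.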
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910549045.7A CN110348240B (en) | 2019-06-24 | 2019-06-24 | Method and device for extracting and analyzing off-line data of duplicator |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910549045.7A CN110348240B (en) | 2019-06-24 | 2019-06-24 | Method and device for extracting and analyzing off-line data of duplicator |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110348240A CN110348240A (en) | 2019-10-18 |
CN110348240B true CN110348240B (en) | 2021-02-23 |
Family
ID=68182888
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910549045.7A Active CN110348240B (en) | 2019-06-24 | 2019-06-24 | Method and device for extracting and analyzing off-line data of duplicator |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110348240B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111259389B (en) * | 2020-01-09 | 2022-08-05 | 青岛海尔科技有限公司 | Operating system protection method, device and storage medium |
CN116226885B (en) * | 2023-03-07 | 2024-01-23 | 达思凯瑞技术(北京)有限公司 | Copying machine security check evidence obtaining system and method |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN207115412U (en) * | 2017-04-26 | 2018-03-16 | 北京立思辰计算机技术有限公司 | A kind of duplicator safety check system |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102737176A (en) * | 2011-09-23 | 2012-10-17 | 新奥特(北京)视频技术有限公司 | Data security prevention and control file analysis method and device |
CN103886234B (en) * | 2014-02-27 | 2017-01-04 | 浙江诸暨奇创电子科技有限公司 | A kind of fail-safe computer based on encryption hard disk and data security control method thereof |
CN105718807B (en) * | 2016-01-26 | 2018-08-03 | 东北大学 | Android system and its authentic authentication system based on soft TCM and credible software stack and method |
- 2019-06-24 CN CN201910549045.7A patent/CN110348240B/en active Active
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN207115412U (en) * | 2017-04-26 | 2018-03-16 | 北京立思辰计算机技术有限公司 | A kind of duplicator safety check system |
Non-Patent Citations (1)
Title |
---|
Research and Implementation of a Copier Content Analysis System; Hu Siqi; Master's thesis, Beijing University of Posts and Telecommunications; 2018-12-30; main text pp. 16-17 * |
Also Published As
Publication number | Publication date |
---|---|
CN110348240A (en) | 2019-10-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110765770B (en) | Automatic contract generation method and device | |
CN112052749A (en) | Archive filing method and device, electronic equipment and computer readable storage medium | |
US20070206851A1 (en) | Information processing apparatus, information processing method, computer readable medium, and computer data signal | |
CN110348240B (en) | Method and device for extracting and analyzing off-line data of duplicator | |
CN101539947B (en) | Information processing apparatus for tracking changes of images | |
Al-Sabaawi et al. | A comparison study of android mobile forensics for retrieving files system | |
CN112132710B (en) | Legal element processing method and device, electronic equipment and storage medium | |
CN113409020A (en) | Electronic file management system and method | |
Sankar et al. | Digitizing a million books: Challenges for document analysis | |
CN114637870B (en) | Image data processing method, device, equipment and storage medium | |
CN116719785A (en) | Database management system based on metadata | |
CN104156669A (en) | Computer information evidence obtaining system | |
Hutchins | Testing software tools of potential interest for digital preservation activities at the national library of australia | |
KR102294926B1 (en) | Automated system for forming analyzed data by extracting original data | |
CN104615948A (en) | Method for automatically recognizing file completeness and restoring | |
CN104516692A (en) | Print management in print-on-demand jobs | |
CN105260423A (en) | Duplicate removal method and apparatus for electronic cards | |
CN107392060A (en) | A kind of hard disk, duplicator safety detection method, system | |
CN112613290A (en) | Document template generation method, device, equipment and storage medium | |
CN112163583A (en) | Method for recognizing digital meter reading, recognition device and computer readable storage medium | |
Booker | Data Carving Against Known File Obfuscation Techniques: A Proposed Data Carving Algorithm | |
JP6303742B2 (en) | Image processing apparatus, image processing method, and image processing program | |
CN115295061B (en) | Memory firmware overhauling method and system | |
KR101871407B1 (en) | Apparatus for identifying work history of removable storage media and method using the same | |
KR102698896B1 (en) | System of forensic for analyzing target data by selectively sorting and mapping |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |