CN110348240B - Method and device for extracting and analyzing offline data of copier - Google Patents


Info

Publication number: CN110348240B
Authority: CN (China)
Prior art keywords: file, data, storage, copier, kernel
Legal status: Active
Application number: CN201910549045.7A
Other languages: Chinese (zh)
Other versions: CN110348240A (en)
Inventors: 刘铁铭, 何红旗, 韩世鲁, 张有为, 朱晓青, 邓国军, 段永强, 薛兵, 谢江涛
Current assignee: Henan Sincerity Information Technology Co ltd; PLA Information Engineering University
Original assignee: Henan Sincerity Information Technology Co ltd; PLA Information Engineering University
Events:
Application filed by Henan Sincerity Information Technology Co ltd and PLA Information Engineering University
Priority to CN201910549045.7A
Publication of CN110348240A
Application granted
Publication of CN110348240B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Facsimiles In General (AREA)

Abstract

The invention belongs to the technical field of copier security protection, and in particular relates to a method and a device for extracting and analyzing offline data of a copier. The method comprises the following steps: reading the device firmware code and obtaining a device target file through reverse analysis, the target file containing the storage rules for working data; analyzing and extracting the file format of the device and identifying the operating system used by the device; and, by combining the file format with the storage rules, obtaining the encoding of the data stored by the device and extracting the offline data of reference value from the device. The invention is applicable to the different picture-data storage formats of different series of copiers and realizes the extraction and analysis of the device's offline data. It can be used independently as a data acquisition module for a copier, or embedded in a copier security inspection system, where it plays an important role and brings significant security benefits for the security inspection, operational security control and leak prevention of the inspected unit's digital copiers, and has strong practicability and application prospects.

Description

Method and device for extracting and analyzing offline data of a copier
Technical Field
The invention belongs to the technical field of copier security protection, and in particular relates to a method and a device for extracting and analyzing offline data of a copier.
Background
With the development of information technology, the degree of digitization of common office equipment such as digital copiers increases day by day, and their storage capability has grown from non-existent to present and from weak to strong. Increased storage capability is accompanied by an increased risk of disclosure. Unlike the storage of a computer, the information held in the storage of a digital copier is difficult to locate and to erase, which creates a serious potential security hazard. On the one hand, to eliminate this hazard at its source and remove the possibility of leaks, the use of copier equipment in daily work must be regulated; on the other hand, to provide a corresponding technical means of checking whether a storage component holds classified material during equipment maintenance and repair, or when equipment is retired and scrapped, a software tool for the security inspection of storage components is needed. Such a tool is used by an inspector to perform a security inspection and check of a digital copier, generate an inspection report, and archive and export the inspection results, which include the device model and security level, the storage medium model and serial number, the files and their creation times, the file security level, the identification of sensitive information in the files, and so on. It plays an important role and brings great security benefits for the security inspection, operational security control and leak prevention of the inspected unit's digital copiers.
At present there are many software tools for detecting illegal computer use and performing security checks on computers, but few security inspection techniques exist for intelligent office equipment such as copiers, and copier manufacturers, represented by those of Japan, hold a near-absolute monopoly on copier technology and protect it as intellectual property, so that public research is scarce. According to our inquiries, reports and research data dedicated to copier security are rarely seen at home or abroad, and no related technology has been found in public sources at home or abroad. Digital copier products are updated quickly; the implementation of functions, the types of file system adopted and the data encoding of different series of digital copiers from the same manufacturer may differ, and even machines of the same series but different models may be implemented differently, which increases the difficulty and workload of research on tools for the security protection of copier equipment.
Disclosure of Invention
The invention provides a method and a device for extracting and analyzing offline data of a copier. They extract and analyze the copier's offline data, facilitate the security protection and supervision of the copier's working data, prevent information leakage and have strong application prospects.
According to the design scheme provided by the invention, the method for extracting and analyzing offline data of a copier comprises the following:
A) reading the device firmware code and obtaining a device target file through reverse analysis, the target file containing the storage rules for working data;
B) analyzing and extracting the file format of the device and identifying the operating system used by the device;
C) combining the file format with the storage rules to obtain the encoding of the data stored by the device, and extracting the offline data of reference value from the device.
In A), when reading the device firmware code, the device storage component is first identified, and the target file containing the storage rules for the device's stored information is obtained by reverse analysis of the composition structure and logic functions of the device firmware code, where the storage rules include at least the encoding scheme of the firmware code.
In A), a disassembling tool is used to disassemble and/or decompile the firmware code of the device storage component to obtain its disassembled and/or decompiled code and the device target file, where the target file further contains the storage protocol, the communication protocol, and the control commands for the three working states of scanning, copying and printing.
Preferably, for the device storage component, the flash memory chip holding the firmware code is read with a programmer to obtain the binary file in the flash chip; the file system of the binary file is obtained by analyzing the binary file and the embedded system it uses; and the machine code of the binary file is converted into readable object code with a disassembling tool, the object code is analyzed, and the storage rules of the object code are extracted, the storage rules including the logic function structure of the object code.
In B), the operating information of the device is acquired, including the type of operating system run by the device, identified from the extracted device target file.
Preferably, identifying the type of operating system run by the device comprises firmware module stripping analysis, operating system type identification and kernel version identification. In the firmware module stripping analysis, the binary firmware image of the device target file is read, address ranges are delimited with the support of a module feature database, and the different module images are carved out and stored. In operating system type identification, operating system type identification features are extracted, candidates are screened against a type identification feature library to eliminate operating systems that do not match the screening features, and the operating system type identification result is obtained from the similarity ranking between the screened operating systems and the operating system to be identified in the firmware module. In kernel version identification, the functions of the kernel to be identified are matched against those of standard kernels by the function matching used for static library function recognition, and the kernel version is identified from the similarity between the kernel to be identified and each standard kernel, computed from the number of matched functions.
Preferably, when the different module images are carved out and stored, compressed files are restored as far as possible with decompression software, and for file system images the internal data of the file system is parsed and released according to the file system's storage mechanism.
Preferably, in the function matching of static library functions, the kernel function library signatures are first loaded and a first round of matching of the kernel functions is performed with the FLIRT function matching method; then the functions not yet matched are matched by functional structure with a structural matching method; and finally all successfully matched functions are collected, the similarity between the kernel to be identified and each standard kernel is calculated, and the kernel in the static function library with the highest similarity to the kernel to be identified is selected as the identification result.
In step C), all parsable files in the device storage are parsed according to the file format and the reference data in the device storage is recovered, the reference data including picture data, device user logs and device work logs.
Furthermore, the present invention provides an apparatus for extracting and analyzing offline data of a copier, comprising an analysis module, an acquisition module and an extraction module, wherein
the analysis module is used to read the device firmware code and obtain a device target file through reverse analysis, the target file containing the storage rules for the working data;
the acquisition module is used to analyze and extract the file format of the device and identify the operating system used by the device;
and the extraction module is used to combine the file format with the storage rules to obtain the encoding of the data stored by the device, and to extract the offline data of reference value from the device.
The invention has the following beneficial effects:
The invention analyzes the device firmware code, storage formats, operating system, file structures and file characteristics, realizes the extraction and analysis of offline data, can extract and analyze picture data, and can extract valuable data such as user logs and work logs. It handles the different picture-data storage formats of different series of copiers as well as the extraction and analysis of the device's offline data, solving the problem of extracting and analyzing the offline data of existing copiers. It can be used independently as a copier data acquisition module, or embedded in a copier security inspection system, where it provides deep data extraction for the system's inspection and analysis and supports the detection of whether a copier has illegally copied or scanned classified sensitive information; it plays an important role and brings significant security benefits for the security inspection, operational security control and leak prevention of the inspected unit's digital copiers, and has strong application prospects.
Description of the drawings:
FIG. 1 is a flowchart of an embodiment of the method for extracting and parsing offline data;
FIG. 2 is a schematic diagram of the offline data extraction and analysis apparatus in an embodiment;
FIG. 3 shows the read result of a binary file (nor u1.bin) in an embodiment;
FIG. 4 shows the read result of a second binary file (nand u3.bin) in an embodiment;
FIG. 5 shows the file system obtained by parsing the binary file in an embodiment;
FIG. 6 shows the partitions recognized on the device storage in an embodiment;
FIG. 7 is an expanded view of one partition (hdb6) of the device storage in an embodiment;
FIG. 8 is an expanded view of one partition (hdb10) of the device storage in an embodiment;
FIG. 9 is an expanded view of one partition (the jbps directory of hdb14) of the device storage in an embodiment;
FIG. 10 is an expanded view of one partition (the rep directory of hdb14) of the device storage in an embodiment.
Detailed description:
In order to make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and technical solutions.
Offline security inspection of a copier means safely removing the copier's storage component, connecting it to a computer through the storage component's external interface, and running the digital copier security inspection system directly against the storage component. For the security protection of current copier devices, an embodiment of the present invention, referring to FIG. 1, provides a method for extracting and analyzing offline data of a copier, comprising the following steps:
S101) reading the device firmware code and obtaining a device target file through reverse analysis, the target file containing the storage rules for working data;
S102) analyzing and extracting the file format of the device and identifying the operating system used by the device;
S103) combining the file format with the storage rules to obtain the encoding of the data stored by the device, and extracting the offline data of reference value from the device.
The method analyzes the device firmware code, storage formats, operating system, file structures and file characteristics, realizes the extraction and analysis of offline data, can extract and analyze picture data, and can extract valuable data such as user logs and work logs.
Further, in the embodiment of the present invention, when the device firmware code is read, the device storage unit is first identified, and the target file containing the storage rules for the device's stored information is obtained by reverse analysis of the composition structure and logic functions of the device firmware code, where the storage rules include at least the encoding scheme of the firmware code.
Further, in the embodiment of the present invention, tools such as IDA Pro and Hex-Rays are used to disassemble and/or decompile the firmware code of the device storage component, obtain its disassembled and/or decompiled code, and obtain the device target file, where the target file further contains the storage protocol, the communication protocol, and the control commands for the three working states of scanning, copying and printing.
Further, in the embodiment of the present invention, for the device storage component, the flash memory chip holding the firmware code is read with a programmer to obtain the binary file in the flash chip; the file system of the binary file is obtained by analyzing the binary file and the embedded system it uses; and the machine code of the binary file is converted into readable object code with a disassembling tool, the object code is analyzed, and the storage rules of the object code are extracted, the storage rules including the logic function structure of the object code.
Further, in the embodiment of the present invention, the operating information of the device is acquired, and the type of operating system run by the device is identified from the extracted device target file.
Further, in the embodiment of the present invention, identifying the type of operating system run by the device comprises firmware module stripping analysis, operating system type identification and kernel version identification. In the firmware module stripping analysis, the binary firmware image of the device target file is read, address ranges are delimited with the support of the module feature database, and the different module images are carved out and stored. In operating system type identification, operating system type identification features are extracted, candidates are screened against the type identification feature library to eliminate operating systems that do not match the screening features, and the operating system type identification result is obtained from the similarity ranking between the screened operating systems and the operating system to be identified in the firmware module. In kernel version identification, the functions of the kernel to be identified are matched against those of standard kernels by the function matching used for static library function recognition, and the kernel version is identified from the similarity between the kernel to be identified and each standard kernel, computed from the number of matched functions.
Further, in the embodiment of the present invention, when the different module images are carved out and stored, compressed files are restored as far as possible with decompression software, and for file system images the internal data of the file system is parsed and released according to the file system's storage mechanism.
Further, in the embodiment of the present invention, in the function matching of static library functions, the kernel function library signatures are first loaded and a first round of matching of the kernel functions is performed with the FLIRT function matching method; then the functions not yet matched are matched by functional structure with a structural matching method; and finally all successfully matched functions are collected, the similarity between the kernel to be identified and each standard kernel is calculated, and the kernel in the static function library with the highest similarity to the kernel to be identified is selected as the identification result.
Further, in the embodiment of the present invention, all parsable files in the device storage are parsed according to the file format and the reference data in the device storage is recovered, the reference data including picture data, device user logs and device work logs.
Furthermore, an embodiment of the present invention further provides an offline data extraction and analysis device for a copier, as shown in FIG. 2, comprising an analysis module 101, an acquisition module 102 and an extraction module 103, wherein
the analysis module 101 is configured to read the device firmware code and obtain a device target file through reverse analysis, the target file containing the storage rules for the working data;
the acquisition module 102 is configured to analyze and extract the device file format and identify the operating system used by the device;
and the extraction module 103 is configured to combine the file format with the storage rules to obtain the encoding of the data stored by the device, and to extract the offline data of reference value from the device.
The technical scheme of the embodiment is further explained below using a Kyocera digital copier (taking the Kyocera 3500i as an example):
The back plate of the Kyocera 3500i copier was removed; its storage component is a 2.5-inch 160 GB Western Digital hard disk using the current mainstream SATA (Serial ATA) interface. A copier of this brand is a typical embedded device: an embedded system composed of an embedded processor, firmware code and a storage component. Identifying the copier's storage component is a prerequisite for cracking the firmware code. The composition structure and logic functions of the device firmware code are analyzed, and the encoding scheme of the information stored by the device is cracked, by reverse analysis of the firmware code in the control chip, such as disassembly, decompilation, static simulation and dynamic simulation. The control and storage chips of some digital copiers are mainly PowerPC or ARM; some digital copier manufacturers use their own proprietary chips with no marking or descriptive information on the chip. Tools such as IDA Pro and Hex-Rays can be used to disassemble and decompile the control chips of common office equipment, obtain the disassembled and decompiled code, and crack the storage protocol, communication protocol, control commands and so on. With continuous technical innovation, the security technology of digital copiers has become more and more mature. The data in the hard disk of the Kyocera copier is stored in a proprietary format and cannot be viewed directly. To analyze this data, the copier's firmware code must be read. The firmware code reading and analysis process is as follows:
The FLASH chips holding the firmware code are detached from the main board. The Kyocera main board has 3 FLASH chips: 2 NOR FLASH chips on the front, U12 LH_2f00003.040.nor and U22 LH_2f00003.040.nor, and 1 NAND FLASH chip on the back, U32 LH_2f00003.040.nand. The embedded firmware is stored in the FLASH chips as compiled binary files (BIN), and a programmer is used to read the data from the FLASH chips. One BIN file is read from each chip, named nor u1.bin, nor u2.bin and nand u3.bin respectively. The files are opened with a binary editor: FIG. 3 shows nor u1.bin and FIG. 4 shows nand u3.bin. Since most of the data is stored in the NAND FLASH, the focus is on parsing nand u3.bin. Analysis of the firmware file format shows that the embedded file system used by nand u3.bin is Cramfs; the file system obtained after decompressing the file is shown in FIG. 5. The files obtained are mostly machine code in binary form, which must first be restored to a readable code representation before it can be analyzed. Using a disassembling tool together with manual analysis, the binary machine code is first converted into readable PowerPC assembly code with the disassembling tool; the object code is then read and analyzed manually, the disassembled assembly-level code is subjected to flow analysis, the relevant information at every point where the code flow changes is recorded, and finally the logic function structure of the object code is sorted out and extracted.
After the firmware code has been read, the next job is to determine the type of operating system the digital copier runs. Research shows that most commercially available digital copiers use embedded operating systems (EOS). The embedded operating system is the management core of the digital copier, responsible for allocating and scheduling all of the copier's software and hardware resources, and is the system software that supports the normal operation of the digital copier. Reverse analysis of the embedded operating system is the process of stripping the operating system out of the digital copier firmware and reverse-analyzing its structure, modules and code. Identification of the operating system type in the digital copier firmware is divided into three steps: firmware module stripping and reverse analysis, operating system type identification, and kernel version identification. A firmware module feature library, an operating system type identification feature library and a kernel version identification feature library, generated by analyzing various existing embedded operating systems, are required.
Module stripping and reverse analysis is the basic reverse processing of the firmware. Its input is the unknown binary firmware image read out in the earlier stage; with the support of the module feature database, address ranges are delimited for the main modules in the binary firmware image, and on that basis the different module images are carved out and stored. Compressed files are restored as far as possible with suitable decompression software; for file system images, a file system restoration method designed according to the file system's storage mechanism parses and releases the internal data of the file system.
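As an added example (not part of the patent and not the inventors' tooling), the following Python performs the module stripping step described above and the Cramfs identification from the nand u3.bin analysis on a raw dump: it locates and validates a Cramfs superblock, carves gzip-compressed module images by inflating them to find their extent, and also recognizes an XFS superblock so the same scanner can be pointed at a hard-disk image of the kind the embodiment parses later. The superblock field offsets are taken from the public Cramfs and XFS on-disk formats; the sample image is constructed inline. The Cramfs CRC check, which the Linux cramfs code computes over the whole image with the CRC field zeroed, is what separates a real superblock from a chance occurrence of the magic bytes.

```python
import gzip
import struct
import zlib

# Magic values from the public on-disk formats (Cramfs superblock, gzip member
# header, XFS superblock); verify against the kernel headers if in doubt.
CRAMFS_MAGIC = struct.pack("<I", 0x28CD3D45)
CRAMFS_SIGNATURE = b"Compressed ROMFS"
GZIP_MAGIC = b"\x1f\x8b\x08"
XFS_MAGIC = b"XFSB"


def find_all(buf, pattern):
    """Yield every offset at which pattern occurs in buf."""
    pos = buf.find(pattern)
    while pos != -1:
        yield pos
        pos = buf.find(pattern, pos + 1)


def parse_cramfs_super(buf, off):
    """Parse the 76-byte Cramfs superblock at buf[off:]; None if it is not one.
    Layout: magic, size, flags, future (u32 LE each), 16-byte signature,
    fsid {crc, edition, blocks, files} (u32 LE each), 16-byte name, root inode."""
    if len(buf) - off < 76 or buf[off + 16:off + 32] != CRAMFS_SIGNATURE:
        return None
    _, size, flags, _ = struct.unpack_from("<IIII", buf, off)
    crc, edition, blocks, files = struct.unpack_from("<IIII", buf, off + 32)
    name = buf[off + 48:off + 64].rstrip(b"\0").decode("ascii", "replace")
    # mkcramfs stores the CRC32 of the whole image computed with this field zeroed.
    image = bytearray(buf[off:off + size])
    crc_ok = False
    if len(image) == size:
        struct.pack_into("<I", image, 32, 0)
        crc_ok = (zlib.crc32(bytes(image)) & 0xFFFFFFFF) == crc
    return {"type": "cramfs", "offset": off, "end": off + size, "flags": flags,
            "edition": edition, "blocks": blocks, "files": files, "name": name,
            "crc_ok": crc_ok}


def parse_gzip_member(buf, off):
    """Inflate the gzip member at buf[off:] to learn where it ends; None if invalid.
    (Inflating from off to the end of a large dump is memory-hungry; a production
    tool would stream with max_length. Kept simple here.)"""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    try:
        data = d.decompress(buf[off:])
    except zlib.error:
        return None
    if not d.eof:
        return None  # truncated member, or a false positive on the magic bytes
    end = len(buf) - len(d.unused_data)
    return {"type": "gzip", "offset": off, "end": end, "decompressed_len": len(data)}


def parse_xfs_super(buf, off):
    """Parse the start of an XFS superblock (big-endian fields) at buf[off:].
    Offsets: blocksize u32 @4, dblocks u64 @8, agcount u32 @88, fname[12] @108."""
    if off % 512 or len(buf) - off < 120:
        return None  # superblocks sit at the start of a sector
    blocksize, dblocks = struct.unpack_from(">IQ", buf, off + 4)
    if blocksize < 512 or blocksize > 65536 or blocksize & (blocksize - 1):
        return None  # not a power of two in the legal range: false positive
    agcount = struct.unpack_from(">I", buf, off + 88)[0]
    fname = buf[off + 108:off + 120].rstrip(b"\0").decode("ascii", "replace")
    return {"type": "xfs", "offset": off, "end": None, "blocksize": blocksize,
            "dblocks": dblocks, "agcount": agcount, "fname": fname}


def scan_image(buf):
    """Return the recognised regions of a raw dump, ordered by offset."""
    hits = []
    for magic, parser in ((CRAMFS_MAGIC, parse_cramfs_super),
                          (GZIP_MAGIC, parse_gzip_member),
                          (XFS_MAGIC, parse_xfs_super)):
        for off in find_all(buf, magic):
            hit = parser(buf, off)
            if hit:
                hits.append(hit)
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image():
    """Constructed sample dump: filler, a tiny Cramfs image, a gzip member, an XFS superblock."""
    fs = bytearray(256)
    struct.pack_into("<IIII", fs, 0, 0x28CD3D45, len(fs), 0x3, 0)
    fs[16:32] = CRAMFS_SIGNATURE
    struct.pack_into("<IIII", fs, 32, 0, 1, 1, 3)  # crc placeholder, edition, blocks, files
    fs[48:64] = b"rootfs".ljust(16, b"\0")
    struct.pack_into("<I", fs, 32, zlib.crc32(bytes(fs)) & 0xFFFFFFFF)
    gz = gzip.compress(b"kernel-image-placeholder" * 4, mtime=0)
    prefix = b"\xff" * 64 + bytes(fs) + b"\x00" * 32 + gz
    prefix += b"\x00" * (-len(prefix) % 512)  # pad to a sector boundary for the XFS block
    xfs = bytearray(512)
    xfs[0:4] = XFS_MAGIC
    struct.pack_into(">IQ", xfs, 4, 4096, 39075840)
    struct.pack_into(">I", xfs, 88, 4)
    xfs[108:120] = b"copierdata".ljust(12, b"\0")
    return prefix + bytes(xfs)


if __name__ == "__main__":
    for hit in scan_image(build_sample_image()):
        print(hit)
```

On a real dump, the Cramfs region between offset and end is what the embodiment unpacks to obtain the file system of FIG. 5, and each carved gzip member is a candidate module image (kernel, ramdisk) for the operating system identification that follows.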
Operating system type identification determines the type of operating system used by the firmware. The basic reverse processing of the firmware code yields information related to the operating system; from the reverse-analyzed data and files, operating system type identification features are first extracted; on that basis candidate operating systems are screened against the type identification feature library, eliminating those that do not match the screening features; the similarity between each screened operating system and the operating system to be identified in the firmware is then calculated and ranked, and the identification result is determined from the similarity ranking.
Kernel version identification identifies the version of the operating system kernel image stripped out during reverse processing. The functions of the kernel to be identified are matched against those of standard kernels using the function matching idea from static library function recognition, and the similarity between the kernel to be identified and each standard kernel, computed from the number of matched functions, determines the kernel version. Function matching uses the FLIRT library function identification method of IDA Pro together with the existing kernel version identification feature database: the kernel function library signatures are first loaded and a first round of matching of the kernel functions is performed with the FLIRT method; then an improved structural matching method matches functions by their functional structure, catching those that were not matched in the first round; and finally all successfully matched functions are collected, the similarity between the kernel to be identified and each standard kernel is calculated, and the kernel in the feature library with the highest similarity to the kernel to be identified is selected as the identification result.
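As an added example, not the inventors' implementation (the patent names IDA Pro's FLIRT and an unspecified "improved structural matching" but publishes neither its feature database nor code), the Python below shows the two-round matching and the similarity ranking on constructed toy PowerPC-like functions. byte_signature and byte_match imitate FLIRT's wildcarded leading bytes plus a checksum over the rest; structural_match is a simple stand-in that compares the operand-stripped mnemonic sequence a disassembler would produce; identify_kernel runs round one, round two on the leftovers, and picks the standard kernel with the highest ratio of matched functions. The kernel versions, function names and bytes are all constructed.

```python
import zlib
from dataclasses import dataclass

PREFIX = 8  # FLIRT uses a 32-byte leading pattern; shortened to fit the toy functions below


@dataclass(frozen=True)
class Function:
    name: str
    code: bytes                      # machine code as carved from the kernel image
    relocs: frozenset = frozenset()  # byte offsets that hold link-time addresses
    mnemonics: tuple = ()            # disassembler output with operands stripped


def byte_signature(fn):
    """FLIRT-style signature: leading bytes with relocated positions wildcarded,
    the function length, and a CRC over the remaining non-relocated bytes."""
    head = tuple(None if i in fn.relocs else b for i, b in enumerate(fn.code[:PREFIX]))
    tail_relocs = frozenset(r for r in fn.relocs if r >= PREFIX)
    tail = bytes(0 if i in tail_relocs else b for i, b in enumerate(fn.code) if i >= PREFIX)
    return head, len(fn.code), zlib.crc32(tail) & 0xFFFFFFFF, tail_relocs


def byte_match(sig, code):
    """Does raw code match a signature? Wildcards come from the library function,
    because the relocation sites of the unknown function are not known."""
    head, length, tail_crc, tail_relocs = sig
    if len(code) != length:
        return False
    if any(p is not None and p != c for p, c in zip(head, code[:PREFIX])):
        return False
    tail = bytes(0 if i in tail_relocs else b for i, b in enumerate(code) if i >= PREFIX)
    return (zlib.crc32(tail) & 0xFFFFFFFF) == tail_crc


def structural_match(lib_fn, fn):
    """Second round: same instruction skeleton although immediates changed.
    Stand-in for the patent's unspecified 'improved structural matching'."""
    return bool(fn.mnemonics) and lib_fn.mnemonics == fn.mnemonics


def identify_kernel(unknown, libraries):
    """libraries: {version: [Function, ...]} built from standard kernels.
    Returns (best_version, {version: (byte_matches, structural_matches, similarity)})."""
    scores = {}
    for version, lib in libraries.items():
        sigs = [byte_signature(f) for f in lib]
        byte_hits, unmatched = 0, []
        for fn in unknown:
            if any(byte_match(sig, fn.code) for sig in sigs):
                byte_hits += 1
            else:
                unmatched.append(fn)
        struct_hits = sum(1 for fn in unmatched if any(structural_match(l, fn) for l in lib))
        scores[version] = (byte_hits, struct_hits, (byte_hits + struct_hits) / len(unknown))
    best = max(scores, key=lambda v: (scores[v][2], scores[v][0]))
    return best, scores


# Constructed toy PowerPC-like functions (not real kernel code). The bl displacement
# and the lis/addi halves are relocation sites; the li immediate in kmalloc is not.
def mk(name, hexcode, relocs=(), mnemonics=()):
    return Function(name, bytes.fromhex(hexcode), frozenset(relocs), tuple(mnemonics))

BL = (9, 10, 11)
STANDARD_KERNELS = {
    "2.6.20": [
        mk("copy_page", "9421fff07c0802a648000001", BL, ("stwu", "mflr", "bl")),
        mk("kmalloc",   "9421ffe03860001048000001", BL, ("stwu", "li", "bl")),
        mk("printk",    "3c60000038630000480000a1", (2, 3, 6, 7) + BL, ("lis", "addi", "bl")),
    ],
    "2.6.24": [
        mk("copy_page", "9421fff07c0802a648000001", BL, ("stwu", "mflr", "bl")),
        mk("kmalloc",   "9421ffe03860002048000001", BL, ("stwu", "li", "bl")),  # li r3,32
        mk("printk",    "3c60001238634567480000a1", (2, 3, 6, 7) + BL, ("lis", "addi", "bl")),
        mk("schedule",  "7c0802a6900100044e800020", (), ("mflr", "stw", "blr")),
    ],
}

# Functions carved from the unknown kernel image: names and relocation sites unknown.
UNKNOWN_KERNEL = [
    mk("sub_1000", "9421fff07c0802a648000001", (), ("stwu", "mflr", "bl")),
    mk("sub_1100", "9421ffe03860002048000001", (), ("stwu", "li", "bl")),
    mk("sub_1200", "3c60001238634567480000a1", (), ("lis", "addi", "bl")),
    mk("sub_1300", "7c0802a6900100044e800020", (), ("mflr", "stw", "blr")),
]

if __name__ == "__main__":
    best, scores = identify_kernel(UNKNOWN_KERNEL, STANDARD_KERNELS)
    print("identified kernel:", best, scores)
```

In the constructed data, printk differs between the two standard kernels only at relocated bytes, so both match it in round one; kmalloc differs in a plain immediate, so only the structural round credits it to 2.6.20. The ranking therefore reports 2.6.24 with all four functions matched and 2.6.20 with two byte matches plus one structural match; a production tool would weight structural matches lower than signature matches, since they are the weaker evidence.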
Once the embedded operating system used by the digital copier is determined, the type of its file system is further identified, and all separable files stored in the storage are parsed according to the file system's defined format. Embedded operating systems use many types of file system, such as Cramfs, Ext2, Ext3, ReiserFS, UFS2 and XFS. Classified by structure, file systems are directory-based or compression-based; classified by file storage method, index-based or chain-based; classified by operating mode and form of existence, hard-disk-based, FLASH-based or memory-based. Different brands of hard-disk copiers use different file systems to store data, closely tied to the operating systems they use. Detailed analysis of the Kyocera copier's hard disk determined that the Kyocera 3500i hard disk uses the XFS file system.
After the file system of the Kyocera 3500i hard disk is determined, all data and files on the hard disk can be parsed with a file system parsing tool for XFS, recovering the valuable data on the disk, and each parsed partition is analyzed in detail. FIG. 6 shows the partitions recognized by the file system tool on the Kyocera 3500i hard disk: starting from hdb [298.09GB, fiexd] (hda [298.09GB, fiexd] is the local physical hard disk), there are 11 partitions in total, hdb5 to hdb15, each with sub-folders and some files. The partitions of value for code cracking and information erasure are hdb6, hdb10 and hdb14. The hdb6 partition, expanded in FIG. 7, contains two folders and 10 files whose names begin with 00000001; analysis shows these to be data files, preview files and attribute files relating mainly to scanned data. The hdb10 partition, expanded in FIG. 8, mainly stores user log data and work log data. The folders and files relating to the various types of print data are mainly stored under the jbps directory of the hdb14 partition, expanded in FIG. 9, and those relating to copy data under the rep directory of the hdb14 partition, expanded in FIG. 10. Table 1 lists the results of analyzing the valuable file data in each partition and its folders.
TABLE 1 Kyocera 3500i hard disk file system parsing case (table supplied as an image in the original; not reproduced here)
TABLE 1 Kyocera 3500i hard disk file system parsing case (continuation of Table 1; table supplied as an image in the original; not reproduced here)
The scanned files of the Kyocera copier are stored under hdb6\user\root\b000X\d000X (where X in b000X is the serial number of a folder and X in d000X is the serial number of a file); the main data file is 0000000X_page_image.dat (where X is the page number within the file) and the attribute file is 0000000X_page_attr.dat. Once extracted, the raw picture data cannot be opened and displayed directly, so further analysis is needed. Experimental analysis shows that the Kyocera copier's image data is in jpg format and is divided into several strip-shaped image blocks that are stored non-contiguously. First, the number of blocks in the picture and the height and width of each block are read from the attribute file; then the image blocks are extracted one by one from the data file using the file characteristics of the jpg format; finally, the image blocks are spliced into a complete picture in the order in which they were extracted. This completes the analysis of one picture.
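The attribute-then-carve-then-splice procedure above, as an added example that is not code from the patent: it walks the JPEG segment structure instead of searching for the FF D9 end marker, so a thumbnail embedded in an APP1 segment does not truncate a strip. The layout of the attribute file and the top-to-bottom stacking of strips are assumptions (the patent does not publish either), and the sample data is constructed.

```python
import struct

# Assumed layout of 0000000X_page_attr.dat (the patent does not publish it):
# uint32 block count, then (uint16 height, uint16 width) per image block.
def parse_attr(buf):
    (n,) = struct.unpack_from("<I", buf, 0)
    return [struct.unpack_from("<HH", buf, 4 + 4 * i) for i in range(n)]

EOI, SOS = 0xD9, 0xDA
NO_LENGTH = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # markers without a length field

def walk_jpeg(buf, start):
    """Return (end offset, (height, width)) of the JPEG at buf[start] by following
    segment lengths; a bare search for FF D9 would stop at a thumbnail inside APP1."""
    if buf[start:start + 2] != b"\xff\xd8":
        raise ValueError("no SOI at offset %d" % start)
    pos, dims = start + 2, None
    while pos + 1 < len(buf):
        if buf[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = buf[pos + 1]
        if marker == EOI:
            return pos + 2, dims
        if marker in NO_LENGTH:
            pos += 2
            continue
        (seglen,) = struct.unpack_from(">H", buf, pos + 2)
        if marker in (0xC0, 0xC1, 0xC2):  # SOFn: precision, height, width
            dims = struct.unpack_from(">HH", buf, pos + 5)
        pos += 2 + seglen
        if marker == SOS:  # entropy-coded data: FF is followed by 00 or RSTn until a real marker
            while pos + 1 < len(buf) and not (
                    buf[pos] == 0xFF and buf[pos + 1] != 0 and not 0xD0 <= buf[pos + 1] <= 0xD7):
                pos += 1
    raise ValueError("truncated JPEG starting at offset %d" % start)

def carve_strips(data, attrs):
    """Carve the page's strips from 0000000X_page_image.dat in storage order, skipping
    filler between non-contiguous strips, and check each one against the attribute file."""
    strips, pos = [], 0
    while len(strips) < len(attrs):
        pos = data.find(b"\xff\xd8\xff", pos)
        if pos < 0:
            raise ValueError("only %d of %d strips found" % (len(strips), len(attrs)))
        end, dims = walk_jpeg(data, pos)
        if dims != attrs[len(strips)]:
            raise ValueError("strip %d is %r, attribute file says %r" % (len(strips), dims, attrs[len(strips)]))
        strips.append(data[pos:end])
        pos = end
    return strips

def page_size(attrs):
    """Assumed splice order: strips are horizontal bands stacked top to bottom."""
    return sum(h for h, _ in attrs), attrs[0][1]

def make_strip(height, width, with_thumbnail=False):
    """Constructed, structurally valid JPEG skeleton (not a decodable picture)."""
    app1 = b""
    if with_thumbnail:  # EXIF-style thumbnail: SOI ... EOI inside the APP1 payload
        thumb = b"\xff\xd8\xff\xd9"
        app1 = b"\xff\xe1" + struct.pack(">H", 2 + 4 + len(thumb)) + b"Exif" + thumb
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + b"\x01\x11\x00"
    sos = b"\xff\xda" + struct.pack(">HB", 8, 1) + b"\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"  # stuffed FF 00 and an RST0 marker inside scan data
    return b"\xff\xd8" + app1 + sof0 + sos + scan + b"\xff\xd9"

SAMPLE_ATTRS = [(64, 512), (64, 512), (32, 512)]  # constructed attribute data for one page
SAMPLE_ATTR_FILE = struct.pack("<I", 3) + b"".join(struct.pack("<HH", h, w) for h, w in SAMPLE_ATTRS)
SAMPLE_DATA = (b"\x00" * 16 + make_strip(64, 512, True) + b"\x00" * 7
               + make_strip(64, 512) + b"\x00" * 3 + make_strip(32, 512) + b"\x00" * 5)
```

Splicing the carved strips into one picture is then a matter of decoding each strip with an image library and stacking them in the order returned by carve_strips, which page_size sizes in advance.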
For the Kyocera digital copier, a detailed analysis was carried out of its firmware code, storage formats, operating system, file structures and file characteristics; extraction and analysis of its offline data were realized, the picture data were extracted and parsed, and valuable data such as user logs and work logs were recovered. Different series of Kyocera copiers store picture data in different formats; the technical scheme of the invention realizes the extraction and analysis of offline data for the Kyocera copier, and its implementation steps also serve as a reference for obtaining offline data from copiers of other brands. The scheme can be used on its own as a copier data acquisition module, or embedded in a copier security check system to provide deep data extraction, supplying the data on which the check and analysis of whether a copier has copied or scanned confidential or sensitive information in violation of the rules is based. It therefore plays an important role, with important security benefits, in the operational security inspection, operational security control and prevention of information leakage for the inspected digital copier, and has strong practicality and application prospects.
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
Based on the foregoing method, an embodiment of the present invention further provides a server, including: one or more processors; a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method described above.
Based on the above method, the embodiment of the present invention further provides a computer readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the above method.
The device provided by the embodiment of the present invention has the same implementation principle and technical effect as the method embodiments; for brevity, where the device embodiments do not describe a point, reference may be made to the corresponding contents of the method embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form. In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that the above embodiments are only specific embodiments of the present invention, used to illustrate its technical solutions and not to limit them, and the scope of protection is not limited to them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art may, within the technical scope of the present disclosure, modify the technical solutions described in the foregoing embodiments, easily conceive of changes to them, or substitute equivalents for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention and shall be construed as included therein. The scope of protection of the present invention shall therefore be that of the claims.

Claims (8)

1. A copier offline data extraction and analysis method, characterized in that:
A) the device firmware code is read, and a device target file is obtained through reverse analysis, the target file containing the storage rules of the working data;
B) the device file format is analyzed and extracted, and the user operating system in the device is obtained;
C) the file format and the storage rules are combined to obtain the encoding information of the data stored in the device, and the offline data of reference value in the device is extracted;
B) the user operation information in the device is obtained, including identifying the type of operating system run by the device from the extracted device target file;
identifying the type of operating system run by the device comprises firmware module stripping and parsing, operating system type identification and kernel version identification, wherein: in the firmware module stripping and parsing, the binary firmware image of the device target file is read, address ranges are partitioned with the aid of a module feature database, and the images of the different modules are dumped; in the operating system type identification, operating system type identification features are extracted and screened against a type identification feature library, operating systems that do not match the screening features are excluded, and the operating system type identification result is obtained from the similarity ranking between the screened operating systems and the operating system to be identified in the firmware module; in the kernel version identification, function matching against static library functions is used to match the functions of the kernel to be identified with those of a standard kernel, and the number of matched functions is used to compute the similarity between the two in order to identify the kernel version.
2. The copier offline data extraction and analysis method according to claim 1, characterized in that, in A) reading the device firmware code, the device storage component is first identified, and the target file containing the storage rules of the information stored in the device is obtained by reverse analysis of the composition structure and logical functions of the device firmware code, the storage rules comprising at least the encoding scheme of the firmware code.
3. The copier offline data extraction and analysis method according to claim 1 or 2, characterized in that, in A), a disassembly tool is used to disassemble and/or decompile the device storage component to obtain its disassembled and/or decompiled code, and the device target file is obtained, the target file further containing the storage protocols, communication protocols and control commands of the three working states of scanning, copying and printing.
4. The copier offline data extraction and analysis method according to claim 2, characterized in that, for the device storage component, the flash memory chip storing the firmware code is read with a programmer to obtain the binary file in the flash chip; the file system of the binary file is obtained by analyzing the binary file and the embedded system it uses; a disassembly tool is used to convert the machine code of the binary file into readable object code, the object code is analyzed, and the storage rules of the object code are extracted, the storage rules comprising the logical functional structure of the object code.
5. The copier offline data extraction and analysis method according to claim 1, characterized in that, when dumping the images of the different modules, compressed files are restored as far as possible with decompression software, and file system images are parsed and released according to the storage mechanism of the file system.
6. The copier offline data extraction and analysis method according to claim 1, characterized in that, in the function matching against static library functions, kernel function library signatures are first loaded and a first round of matching is performed on the kernel functions with the FLIRT function matching method; then, functions not successfully matched are structurally matched with a structured matching method; finally, all successfully matched functions are collected, the similarity between the kernel to be identified and the standard kernel is computed, and the kernel among the static library functions with the highest similarity to the kernel to be identified is selected as the identification result.
7. The copier offline data extraction and analysis method according to claim 1, characterized in that, in C), all extractable files in the device storage body are parsed according to the file format, and the data of reference value in the device storage body is recovered, the types of data of reference value including image types, device user logs and device work logs.
8. A copier offline data extraction and analysis device, characterized in that it is implemented on the basis of the copier offline data extraction and analysis method according to claim 1 and comprises an analysis module, an acquisition module and an extraction module, wherein:
the analysis module is used to read the device firmware code and obtain, through reverse analysis, the device target file containing the storage rules of the working data;
the acquisition module is used to analyze and extract the device file format and obtain the user operating system in the device;
the extraction module is used to combine the file format and the storage rules to obtain the encoding information of the data stored in the device and extract the offline data of reference value in the device.
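The two-round kernel version identification of claim 6 (signature match in the FLIRT style first, structural match for the remainder, then similarity ranking across the standard kernels), as an added example that is not the patent's own code. The toy instruction set, the relocation masking, the shape key and the sample kernels are all constructed, and the real FLIRT signature format is not reproduced.

```python
CALL = 0xE8  # call opcode of the constructed toy instruction set; its 4 operand bytes are relocated

def flirt_signature(code, reloc_offsets):
    """FLIRT-style signature of a library function: bytes in relocation slots are masked."""
    return tuple(None if i in reloc_offsets else b for i, b in enumerate(code))

def signature_matches(sig, code):
    """Round 1: exact match on every unmasked byte."""
    return len(sig) == len(code) and all(s is None or s == c for s, c in zip(sig, code))

def structure_key(code):
    """Round 2 key: coarse shape (size bucket, call count, prologue) that survives recompilation."""
    return (len(code) // 4, code.count(CALL), code[:2])

def match_kernel(unknown, standard):
    """Match an unknown kernel's functions (name -> bytes) against one standard kernel
    (name -> (bytes, relocation offsets)). Returns name -> (standard name, matching round).
    Round 2 is only run for functions round 1 did not match."""
    sigs = [(name, flirt_signature(code, reloc)) for name, (code, reloc) in standard.items()]
    shapes = {}
    for name, (code, _) in standard.items():
        shapes.setdefault(structure_key(code), name)
    matched = {}
    for name, code in unknown.items():  # round 1: signature matching
        for std_name, sig in sigs:
            if signature_matches(sig, code):
                matched[name] = (std_name, 1)
                break
    for name, code in unknown.items():  # round 2: structural matching of the remainder
        if name not in matched and structure_key(code) in shapes:
            matched[name] = (shapes[structure_key(code)], 2)
    return matched

def identify_kernel_version(unknown, library):
    """Similarity = matched functions / functions in the unknown kernel; the standard
    kernel with the highest similarity is reported as the version."""
    scores = {ver: len(match_kernel(unknown, std)) / len(unknown) for ver, std in library.items()}
    return max(scores, key=scores.get), scores

# Constructed sample kernels (version labels are placeholders, not real kernel builds):
# library entries carry relocation offsets, the firmware kernel carries only raw bytes.
LIBRARY = {
    "3.10": {
        "vfs_read": (b"\x55\x89\xe8\x00\x00\x00\x00\xc3", {3, 4, 5, 6}),
        "do_fork":  (b"\x55\x89\xe8\x00\x00\x00\x00\xe8\x00\x00\x00\x00\x5d\xc3", {3, 4, 5, 6, 8, 9, 10, 11}),
        "schedule": (b"\x55\x89\x31\xc0\x40\x40\xc3", set()),
        "sys_open": (b"\x55\x89\x83\xec\x10\xe8\x00\x00\x00\x00\x5d\xc3", {6, 7, 8, 9}),
    },
    "2.6.32": {
        "vfs_read": (b"\x55\x89\x83\xec\x08\x31\xc0\xe8\x00\x00\x00\x00\x5d\xc3", {8, 9, 10, 11}),
        "schedule": (b"\x55\x89\x31\xc0\x40\x40\xc3", set()),
        "do_fork":  (b"\x55\x89\xe8\x00\x00\x00\x00\x5d\xc3", {3, 4, 5, 6}),
    },
}
UNKNOWN = {
    "f1": b"\x55\x89\xe8\x10\x20\x30\x40\xc3",                          # vfs_read with a real address
    "f2": b"\x55\x89\xe8\xaa\xbb\xcc\xdd\xe8\x11\x22\x33\x44\x5d\xc3",  # do_fork
    "f3": b"\x55\x89\x31\xc0\x40\x40\xc3",                              # schedule (identical in both)
    "f4": b"\x55\x89\x83\xec\x20\xe8\x01\x02\x03\x04\x5d\xc3",          # sys_open recompiled, one byte differs
    "f5": b"\x55\x89\xb8\x01\x00\x00\x00\xc3",                          # no counterpart anywhere
}

if __name__ == "__main__":
    best, scores = identify_kernel_version(UNKNOWN, LIBRARY)
    print("identified kernel:", best, scores)  # → identified kernel: 3.10 {'3.10': 0.8, '2.6.32': 0.6}
```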
CN201910549045.7A 2019-06-24 2019-06-24 Method and device for extracting and analyzing offline data of copier Active CN110348240B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910549045.7A CN110348240B (en) 2019-06-24 2019-06-24 Method and device for extracting and analyzing offline data of copier

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910549045.7A CN110348240B (en) 2019-06-24 2019-06-24 Method and device for extracting and analyzing offline data of copier

Publications (2)

Publication Number Publication Date
CN110348240A CN110348240A (en) 2019-10-18
CN110348240B true CN110348240B (en) 2021-02-23

Family

ID=68182888

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910549045.7A Active CN110348240B (en) 2019-06-24 2019-06-24 Method and device for extracting and analyzing offline data of copier

Country Status (1)

Country Link
CN (1) CN110348240B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111259389B (en) * 2020-01-09 2022-08-05 青岛海尔科技有限公司 Operating system protection method, device and storage medium
CN116226885B (en) * 2023-03-07 2024-01-23 达思凯瑞技术(北京)有限公司 Copying machine security check evidence obtaining system and method

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN207115412U (en) * 2017-04-26 2018-03-16 北京立思辰计算机技术有限公司 A kind of duplicator safety check system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102737176A (en) * 2011-09-23 2012-10-17 新奥特(北京)视频技术有限公司 Data security prevention and control file analysis method and device
CN103886234B (en) * 2014-02-27 2017-01-04 浙江诸暨奇创电子科技有限公司 A kind of fail-safe computer based on encryption hard disk and data security control method thereof
CN105718807B (en) * 2016-01-26 2018-08-03 东北大学 Android system and its authentic authentication system based on soft TCM and credible software stack and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research and implementation of a copier content analysis system; Hu Siqi; Master's thesis, Beijing University of Posts and Telecommunications; 20181230; main text pages 16-17 *

Also Published As

Publication number Publication date
CN110348240A (en) 2019-10-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant