CN111159238A - Cache file evidence obtaining method based on IOS (input/output system), terminal equipment and storage medium - Google Patents

Info

Publication number: CN111159238A
Authority: CN (China)
Prior art keywords: cache, value corresponding, key value, software, searching
Application number: CN201911367993.5A
Other languages: Chinese (zh)
Inventors: 周开军, 吴松洋, 李哲, 张磊, 黄剑, 畅斌, 张辉极
Current assignee: Xiamen Meiya Pico Information Co Ltd
Original assignee: Xiamen Meiya Pico Information Co Ltd
Priority date: 2019-12-26
Filing date: 2019-12-26
Publication date: 2020-05-15

Events:
2019-12-26 Application filed by Xiamen Meiya Pico Information Co Ltd; priority to CN201911367993.5A
2020-05-15 Publication of CN111159238A
Legal status: Pending (current)

Classifications

    • G06F16/24553 Query execution of query operations (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F16/00 Information retrieval; database structures therefor; file system structures therefor > G06F16/20 ... of structured data, e.g. relational data > G06F16/24 Querying > G06F16/245 Query processing > G06F16/2455 Query execution)
    • G06F16/2282 Tablespace storage structures; management thereof (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F16/00 Information retrieval; database structures therefor; file system structures therefor > G06F16/20 ... of structured data, e.g. relational data > G06F16/22 Indexing; data structures therefor; storage structures)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computational Linguistics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to a cache file forensics method based on the iOS system, a terminal device and a storage medium. The method comprises the following steps: carrying out a payment operation with the software under investigation and searching the cache file for the address (URL) corresponding to that software; and searching the cache file, according to that address, for the user usage data produced by the software. The invention provides a forensics method aimed at the caching mechanism of the iOS system, so as to obtain the required user usage data and provide a solution for iOS mobile phone forensics work.

Description

Cache file evidence obtaining method based on IOS (input/output system), terminal equipment and storage medium
Technical Field
The invention relates to the field of data forensics, in particular to a cache file forensics method based on the iOS system, a terminal device and a storage medium.
Background
In recent years mobile phone applications have become increasingly popular. While they bring much convenience to people's life, work and study, criminals also increasingly use iPhones to spread harmful information, rumours and fraud, and in such cases the key evidence and information are usually stored on the phone. The iPhone's operating system, however, is more secure than that of an ordinary smart phone, and extracting information from the device is very difficult, which greatly hampers case investigation by public security departments. It has therefore become very important to keep raising the technical level of iPhone forensics by researching and applying advanced data extraction, data recovery and other extraction technologies.
Disclosure of Invention
In order to solve the above problems, the present invention provides a cache file forensics method based on the iOS system, a terminal device and a storage medium.
The specific scheme is as follows:
A cache file forensics method based on the iOS system comprises the following steps:
S1: carrying out a payment operation with the software under investigation and searching the cache file for the address corresponding to that software;
S2: searching the cache file, according to the address corresponding to the software, for the user usage data produced by the software.
Further, step S1 specifically includes the following steps:
S11: carrying out a payment operation on a preset payment account with the software;
S12: searching for the payment account information in the cfurl_cache_receiver_data table of the cache file;
S13: obtaining, from the account information found, the key value of the corresponding entry_ID in the cfurl_cache_receiver_data table;
S14: searching, according to that entry_ID key value, for the key value of request_key in the corresponding cfurl_cache_response table;
S15: determining the address corresponding to the software from the request_key key value found.
Further, step S2 specifically includes the following steps:
S21: according to the request_key key value, searching the cfurl_cache_response table for the key values of all entry_IDs that correspond to that request_key;
S22: for each entry_ID key value, searching for the key value of request_object in the cfurl_cache_blob_data table and, at the same time, for the key value of receiver_data in the cfurl_cache_receiver_data table;
S23: obtaining the user ID and user nickname corresponding to the entry_ID from the request_object key value;
S24: obtaining the payment account information corresponding to the entry_ID from the receiver_data key value.
An iOS-based cache file forensics terminal device comprises a processor, a memory and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the computer program, carries out the steps of the method of the embodiment of the invention.
A computer-readable storage medium stores a computer program which, when executed by a processor, carries out the steps of the method according to the embodiment of the invention described above.
By adopting the above technical scheme, the invention provides a forensics method aimed at the caching mechanism of the iOS system, so as to obtain the required user usage data and provide a solution for iOS mobile phone forensics work.
Drawings
Fig. 1 is a flowchart illustrating a first embodiment of the present invention.
Detailed Description
To further illustrate the various embodiments, the invention provides the accompanying drawings. The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the embodiments. Those skilled in the art will appreciate still other possible embodiments and advantages of the present invention with reference to these figures.
The invention will now be further described with reference to the accompanying drawings and detailed description.
The first embodiment is as follows:
An embodiment of the present invention provides a cache file forensics method based on the iOS system which, as shown in Fig. 1, includes the following steps:
S1: carrying out a payment operation with the software under investigation and searching the cache file for the address (URL) corresponding to that software.
Since the address is not changed often by the developer of the software, the address can be learned by making a payment with the software, and the user usage data of the software can then be obtained on the basis of that fixed address.
Step S1 specifically includes the following steps:
S11: carrying out a payment operation on a preset bank account with the software.
The software may be Alipay, WeChat, a bank application or the like. A preset payment account is entered on the payment page; the payment account may be a name, a WeChat nickname, a bank card number or similar.
S12: searching for the payment account information in the cfurl_cache_receiver_data table of the cache file.
The cache file is Cache.db. It is usually stored under the /private/var/mobile/Containers/Data/md5(application package name)/Library/Caches directory, is a SQLite database, and can be opened with a SQLite management tool such as SQLite Expert Pro.
Cache.db contains four tables: cfurl_cache_response, cfurl_cache_blob_data, cfurl_cache_receiver_data and cfurl_cache_schema_version.
Wherein:
(1) The cfurl_cache_response table mainly includes the fields entry_ID (integer), storage_policy (integer), request_key (text) and time_stamp (integer). The entry_ID field is the primary key. The storage_policy field indicates the cache policy: 0 is the default policy (fetch from the server if no cache exists, otherwise read from the local cache); 1 ignores local cache data and requests the server directly; 2 uses the cache whenever it exists, expired or not; 3 loads only the local cache and fails if there is none; 4 ignores the local cache, proxy servers and other intermediaries and requests the server directly; 5 requires the cached data to be revalidated by the server before it can be used. The request_key field holds the URL (address) requested from the server, and time_stamp holds the time at which the request was sent.
(2) The cfurl_cache_blob_data table mainly includes the fields entry_ID (integer), response_object (BLOB) and request_object (BLOB). The entry_ID field is the primary key. The request_object field holds the request object: a BLOB containing an Apple-specific plist file that records general URL request attributes such as Connection and Content-Length. The response_object field holds the response object: a BLOB containing an Apple-specific plist file that records the parameters of the URL request.
(3) The cfurl_cache_receiver_data table mainly includes the fields entry_ID (integer) and receiver_data (BLOB). The entry_ID field is the primary key; the receiver_data field holds the result of the URL request as a BLOB whose stored data is a JSON string.
(4) The cfurl_cache_schema_version table mainly includes the field cfurl_cache_schema_version (integer), which holds the version number of the URL cache framework.
S13: obtaining, from the account information found, the key value of the corresponding entry_ID in the cfurl_cache_receiver_data table.
In this embodiment the Cache.db file is opened with Navicat Premium, the cfurl_cache_receiver_data table (which stores the responses returned by the server for address requests) is opened, and the payment account entered during the payment operation of step S11 is searched for with Navicat Premium's data lookup function to obtain the corresponding entry_ID key value.
S14: searching, according to that entry_ID key value, for the key value of request_key in the corresponding cfurl_cache_response table.
S15: determining the address corresponding to the software from the request_key key value found.
S2: searching the cache file, according to the address corresponding to the software, for the user usage data produced by the software.
Step S2 specifically includes the following steps:
S21: according to the request_key key value, searching the corresponding cfurl_cache_response table for the key values of all entry_IDs with that request_key.
S22: for each entry_ID key value, searching for the key value of request_object in the cfurl_cache_blob_data table and, at the same time, for the key value of receiver_data in the cfurl_cache_receiver_data table.
S23: obtaining the user ID and user nickname corresponding to the entry_ID from the request_object key value.
In this embodiment the key value of request_object is of type BLOB; the stored data are the parameters of the address request, in Apple's plist format. When the data is opened with a plist viewer, the value of the userid key is the user ID used for the address request and the value of the username key is the user nickname used for the address request.
S24: obtaining the payment account information corresponding to the entry_ID from the receiver_data key value.
The embodiment of the invention provides a forensics method aimed at the caching mechanism of the iOS system, so that the required user usage data can be obtained, and provides a solution for iOS mobile phone forensics work.
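The lookup chain of steps S11 to S24 can be expressed directly as queries over the four tables. The following is an added example, not code from the patent or from its assignee: it builds an in-memory SQLite database with the four tables the description names, reduced to the columns the description lists (a real Cache.db carries further columns), fills them with constructed sample rows (the URL, account number, user IDs and nicknames are invented), and then runs the two lookups: S12 to S15 find the receiver_data row containing a known payment account and follow its entry_ID into cfurl_cache_response to read the request_key (URL); S21 to S24 collect every entry with that URL and decode its request_object binary plist (userid, username) and its receiver_data JSON.

```python
"""Walk a Cache.db-style SQLite database following steps S11-S24 (added example)."""
import json
import plistlib
import sqlite3

# Constructed sample values; nothing here comes from a real device.
SAMPLE_URL = "https://pay.example.invalid/api/transfer"
SAMPLE_ACCOUNT = "6222000000000001"

# storage_policy meanings as listed in the description of cfurl_cache_response.
STORAGE_POLICY = {
    0: "default: use local cache if present, else fetch from server",
    1: "ignore local cache, request server",
    2: "use cache if it exists, even if expired",
    3: "load only from local cache, fail otherwise",
    4: "ignore local cache, proxies and other intermediaries",
    5: "cached data must be revalidated by the server",
}


def build_sample_db():
    """Create the four tables (columns as described) and insert three constructed entries."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE cfurl_cache_response (
            entry_ID INTEGER PRIMARY KEY, storage_policy INTEGER,
            request_key TEXT, time_stamp TEXT);
        CREATE TABLE cfurl_cache_blob_data (
            entry_ID INTEGER PRIMARY KEY, response_object BLOB, request_object BLOB);
        CREATE TABLE cfurl_cache_receiver_data (
            entry_ID INTEGER PRIMARY KEY, receiver_data BLOB);
        CREATE TABLE cfurl_cache_schema_version (cfurl_cache_schema_version INTEGER);
        INSERT INTO cfurl_cache_schema_version VALUES (202);
    """)
    # (entry_ID, URL, request plist dict, receiver JSON dict) -- constructed rows
    rows = [
        (1, "https://cdn.example.invalid/logo.png", {}, {"ok": True}),
        (2, SAMPLE_URL, {"userid": "u1001", "username": "alice"},
         {"payee": SAMPLE_ACCOUNT, "amount": "10.00"}),
        (3, SAMPLE_URL, {"userid": "u1002", "username": "bob"},
         {"payee": "6222000000000099", "amount": "5.00"}),
    ]
    for entry_id, url, req, recv in rows:
        con.execute("INSERT INTO cfurl_cache_response VALUES (?, 0, ?, '2019-12-26 00:00:00')",
                    (entry_id, url))
        con.execute("INSERT INTO cfurl_cache_blob_data VALUES (?, ?, ?)",
                    (entry_id,
                     plistlib.dumps({"Content-Length": "0"}, fmt=plistlib.FMT_BINARY),
                     plistlib.dumps(req, fmt=plistlib.FMT_BINARY)))
        con.execute("INSERT INTO cfurl_cache_receiver_data VALUES (?, ?)",
                    (entry_id, json.dumps(recv).encode("utf-8")))
    con.commit()
    return con


def find_software_url(con, account):
    """S12-S15: substring-search receiver_data for the account, then read the URL."""
    for entry_id, blob in con.execute(
            "SELECT entry_ID, receiver_data FROM cfurl_cache_receiver_data ORDER BY entry_ID"):
        # receiver_data is a BLOB; decode leniently so a binary body does not abort the scan.
        if account in bytes(blob).decode("utf-8", errors="replace"):
            row = con.execute("SELECT request_key FROM cfurl_cache_response WHERE entry_ID = ?",
                              (entry_id,)).fetchone()
            if row:
                return row[0]
    return None


def decode_receiver(blob):
    """receiver_data is described as a JSON string; return None if it is not one."""
    try:
        return json.loads(bytes(blob).decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None


def collect_usage(con, url):
    """S21-S24: every entry for the URL, with userid/username and the payee data."""
    results = []
    for entry_id, policy, ts in con.execute(
            "SELECT entry_ID, storage_policy, time_stamp FROM cfurl_cache_response "
            "WHERE request_key = ? ORDER BY entry_ID", (url,)):
        req = con.execute("SELECT request_object FROM cfurl_cache_blob_data WHERE entry_ID = ?",
                          (entry_id,)).fetchone()
        recv = con.execute("SELECT receiver_data FROM cfurl_cache_receiver_data WHERE entry_ID = ?",
                           (entry_id,)).fetchone()
        params = plistlib.loads(bytes(req[0])) if req and req[0] else {}
        results.append({
            "entry_ID": entry_id,
            "time_stamp": ts,
            "storage_policy": STORAGE_POLICY.get(policy, "unknown"),
            "userid": params.get("userid"),
            "username": params.get("username"),
            "receiver": decode_receiver(recv[0]) if recv and recv[0] else None,
        })
    return results


if __name__ == "__main__":
    db = build_sample_db()
    url = find_software_url(db, SAMPLE_ACCOUNT)
    print("software URL:", url)
    for entry in collect_usage(db, url):
        print(entry)
```

To run it against a real extraction, replace `sqlite3.connect(":memory:")` with a read-only connection to a working copy of the acquired Cache.db (never the original evidence file) and pass the account entered in step S11 to `find_software_url`; the JSON and plist decoders return `None` or an empty dictionary rather than raising when a row does not have the described format, so a single malformed entry does not stop the walk.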
Example two:
the invention also provides a cache file forensics terminal device based on the IOS system, which comprises a memory, a processor and a computer program which is stored in the memory and can run on the processor, wherein the processor executes the computer program to realize the steps of the method embodiment of the first embodiment of the invention.
Further, as an executable scheme, the terminal device for obtaining evidence based on the IOS system cache file may be a computing device such as a mobile phone and a cloud server. The IOS-based system cache file forensics terminal device can include, but is not limited to, a processor and a memory. It is understood by those skilled in the art that the above-mentioned structure of the terminal device for obtaining evidence based on the IOS system cache file is only an example of the terminal device for obtaining evidence based on the IOS system cache file, and does not constitute a limitation on the terminal device for obtaining evidence based on the IOS system cache file, and may include more or less components than the above-mentioned structure, or combine some components, or different components, for example, the terminal device for obtaining evidence based on the IOS system cache file may further include an input/output device, a network access device, a bus, and the like, which is not limited in this embodiment of the present invention.
Further, as an executable solution, the processor may be a Central Processing Unit (CPU), other general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, a discrete Gate or transistor logic device, a discrete hardware component, and the like. The general-purpose processor may be a microprocessor or the processor may be any conventional processor, and the processor is a control center of the IOS-based system cache file forensics terminal device, and various interfaces and lines are used to connect various parts of the entire IOS-based system cache file forensics terminal device.
The memory can be used for storing the computer program and/or the module, and the processor realizes various functions of the IOS-based system cache file forensics terminal device by running or executing the computer program and/or the module stored in the memory and calling data stored in the memory. The memory can mainly comprise a program storage area and a data storage area, wherein the program storage area can store an operating system and an application program required by at least one function; the storage data area may store data created according to the use of the mobile phone, and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
The invention also provides a computer-readable storage medium, in which a computer program is stored, which, when being executed by a processor, carries out the steps of the above-mentioned method of an embodiment of the invention.
The module/unit integrated with the IOS-based system cache file evidence obtaining terminal device can be stored in a computer-readable storage medium if the module/unit is implemented in the form of a software functional unit and sold or used as an independent product. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments may be implemented. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM ), Random Access Memory (RAM), software distribution medium, and the like.
While the invention has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (5)

1. A cache file forensics method based on the iOS system, characterized by comprising the following steps:
S1: carrying out a payment operation with the software under investigation and searching the cache file for the address corresponding to that software;
S2: searching the cache file, according to the address corresponding to the software, for the user usage data produced by the software.
2. The iOS-based cache file forensics method of claim 1, wherein step S1 specifically includes the following steps:
S11: carrying out a payment operation on a preset payment account with the software;
S12: searching for the payment account information in the cfurl_cache_receiver_data table of the cache file;
S13: obtaining, from the account information found, the key value of the corresponding entry_ID in the cfurl_cache_receiver_data table;
S14: searching, according to that entry_ID key value, for the key value of request_key in the corresponding cfurl_cache_response table;
S15: determining the address corresponding to the software from the request_key key value found.
3. The iOS-based cache file forensics method of claim 1, wherein step S2 specifically includes the following steps:
S21: according to the request_key key value, searching the cfurl_cache_response table for the key values of all entry_IDs that correspond to that request_key;
S22: for each entry_ID key value, searching for the key value of request_object in the cfurl_cache_blob_data table and, at the same time, for the key value of receiver_data in the cfurl_cache_receiver_data table;
S23: obtaining the user ID and user nickname corresponding to the entry_ID from the request_object key value;
S24: obtaining the payment account information corresponding to the entry_ID from the receiver_data key value.
4. A cache file forensics terminal device based on the iOS system, characterized in that it comprises a processor, a memory and a computer program stored in the memory and runnable on the processor, the processor implementing the steps of the method according to any one of claims 1 to 3 when executing the computer program.
5. A computer-readable storage medium in which a computer program is stored which, when executed by a processor, carries out the steps of the method according to any one of claims 1 to 3.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911367993.5A CN111159238A (en) 2019-12-26 2019-12-26 Cache file evidence obtaining method based on IOS (input/output system), terminal equipment and storage medium


Publications (1)

Publication Number Publication Date
CN111159238A true CN111159238A (en) 2020-05-15

Family

ID=70558503


Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8931107B1 (en) * 2011-08-30 2015-01-06 Amazon Technologies, Inc. Techniques for generating block level data captures
CN106844106A (en) * 2017-02-06 2017-06-13 四川秘无痕信息安全技术有限责任公司 A kind of method for parsing BlackBerry backup file
CN106980552A (en) * 2017-03-28 2017-07-25 飞天诚信科技股份有限公司 It is a kind of to realize the method and system communicated between Apple Macintosh operating system application
CN108777621A (en) * 2018-05-30 2018-11-09 盘石软件(上海)有限公司 A method of obtaining means of payment Alipay transaction record
CN108846141A (en) * 2018-07-11 2018-11-20 中国建设银行股份有限公司 A kind of offline cache loading method and device
CN109815062A (en) * 2019-02-11 2019-05-28 国网山东省电力公司烟台供电公司 The Android App history screen analyzed based on memory restores and evidence-obtaining system


Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
MANGOMADE: "iOS network request caching: NSURLCache explained", Jianshu (简书) *
彭建新 et al.: "Research on iOS device forensics technology", Journal of People's Public Security University of China (Natural Science Edition) *
微微笑的蜗牛: "Location of the NSURLCache cache", Jianshu (简书) *
朗清风: "Using NSURLCache (2): storage structure", CSDN *


Legal Events

Code Title Description
PB01 Publication Application publication date: 20200515
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication