CN111786811B - Portable on-site electronic data evidence obtaining terminal and device - Google Patents


Publication number: CN111786811B
Authority: CN (China)
Prior art keywords: evidence obtaining; equipment; target; network topology; forensics
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN202010449487.7A
Other languages: Chinese (zh)
Other versions: CN111786811A
Inventors: 郑友敏, 郑旭, 张丽君
Current assignee: Fujian Zhongrui Electronic Technology Co ltd (as listed by Google Patents; the list may be inaccurate)
Original assignee: Fujian Zhongrui Electronic Technology Co ltd
Events: application filed by Fujian Zhongrui Electronic Technology Co ltd; priority to CN202010449487.7A; publication of CN111786811A; application granted; publication of CN111786811B; status active; anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/02 Standardisation; Integration > H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
            • H04L41/12 Discovery or management of network topologies
            • H04L41/22 Arrangements for maintenance, administration or management of data switching networks comprising specially adapted graphical user interfaces [GUI]
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks > H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            • H04L63/08 ... for authentication of entities
        • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols > H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The invention provides a portable on-site electronic data forensics device comprising an encrypted communication component, a network topology signal detection component and an edge computing device communication interface. The device is connected to at least one edge computing device through that interface. The network topology detection component sends a network topology detection signal to the target forensics device; the edge computing device receives and analyzes the response of the target forensics device to that signal and displays a device network topology graph containing the target forensics device on the human-computer interaction display interface. After the target data has been acquired from the current target forensics device, a feedback signal is sent to the edge computing device, which changes the state of that device in the displayed topology graph to the activated state and, on the basis of the topology graph, prompts the next target forensics device. The invention can accurately locate the topological connection structure of the on-site target forensics devices, carry out on-site electronic data forensics guided by the visualized topology diagram, and ensure the accuracy and completeness of the forensics process.

Description

Portable on-site electronic data evidence obtaining terminal and device
Technical Field
The invention belongs to the technical field of electronic data processing and in particular relates to a portable on-site electronic data forensics terminal and device.
Background
As computers are used ever more widely, a great deal of evidence of crime is naturally stored electronically on the associated computer storage media. Electronic evidence is a new form of evidence that exists in computers and related peripherals and is becoming one of the more important forms of judicial evidence; the Supreme People's Court of China has successively issued judicial interpretations relating to it. Computer forensics is the discipline that provides forensic practice with admissible electronic evidence. It is a comprehensive, cross-cutting subject that touches on law, investigation, computer science, computer engineering, software engineering, psychology, sociology and other fields. Public security organs use computer forensics methods in case investigation more and more often: essentially every economic case requires them, and some criminal cases require the case-related computers to be examined.
Chinese patent application CN201910588294.7 discloses a portable computer forensics machine comprising a box body: the middle of the bottom of the inner wall of the box is fixedly connected to the bottom of a placement box; two equally spaced buffer springs are fixed to one side of the inner wall of the box, one end of each being fixedly connected to one side of the placement box, while the other side of the inner wall is fixedly connected to one side of a buffer block. The forensics machine body is held by the placement box and additionally by a fixed elastic cord, and the buffer block, buffer springs and sponge protection piece together protect the forensics machine body, giving the computer forensics machine a protective function that protects the machine body and the personnel's property. That application mainly concerns the hardware enclosure and does not address on-site forensics itself.
Chinese patent application CN201910451770.0 provides a rapid electronic forensics method and system: information about the owner of the device to be examined is entered into the forensics front-end device and sent to a forensics server; the forensics server updates a basic installation package according to the holder's information, dynamically generates a special installation package for the forensics device and sends the address of that package to the front-end device; the front-end device generates a two-dimensional code from the received address; the device to be examined downloads and runs the forensics app by scanning the code, the app performs electronic forensics on the device and the forensics data is sent to the forensics server. With that method the smartphone to be examined need not be connected to the forensics system by a data cable and its USB debugging mode need not be enabled; the electronic data forensics app for Android smartphones is packaged dynamically on the server side, and no information needs to be entered on the forensics device. That application concerns a forensics method for one particular kind of device.
In addition, Chinese patent application CN201811283492.4 relates to a method and apparatus for determining the reliability of a document timestamp in the field of electronic data forensics and identification; the method can effectively determine whether a document's timestamp information has been tampered with, can conveniently check large numbers of documents, improves the reliability of document electronic data and fills a gap in methods for determining document timestamp reliability.
However, in on-site electronic data forensics there are usually a large number of electronic devices on site, and the forensics personnel cannot know which devices to select and in what order. Selecting devices at random may leave the forensics incomplete, and an order chosen from experience may yield data that is disordered and unrelated. The prior art provides no clear technical scheme for effective, comprehensive and stable forensics of a large number of electronic devices on site.
Disclosure of Invention
To solve this technical problem, the invention provides a portable on-site electronic data forensics device comprising an encrypted communication component, a network topology signal detection component and an edge computing device communication interface. The device is connected to at least one edge computing device through that interface; the network topology detection signal component sends a network topology detection signal to the target forensics device, and the edge computing device receives and analyzes the response of the target forensics device to that signal and displays a device network topology graph containing the target forensics device on the human-computer interaction display interface. After the target data in the target forensics device has been acquired, a feedback signal is sent to the edge computing device, which, on the basis of the feedback signal, changes the state of the current target forensics device in the displayed topology graph to the activated state and prompts the next target forensics device on the basis of the graph. With this scheme, when faced with a large number of devices to be examined on site, the forensics order can be determined and visualized from the network topology connection diagram obtained by the edge computing device, so that the forensics process is complete and reliable and the data is acquired in an orderly way.
Specifically, the invention first provides a portable on-site electronic data forensics device comprising an encrypted communication component, a network topology signal detection component and an edge computing device communication interface; the device is provided with a human-computer interaction display interface;
as one advantage of the invention, the device is connected to at least one edge computing device through the edge computing device communication interface, and the edge computing device is connected to a target forensics device;
on first arriving at the site, the forensics personnel may select one of the devices, from experience or at random, as the current target forensics device and then connect the edge computing device to it;
then the network topology detection signal component sends a network topology detection signal to the current target forensics device, and the edge computing device receives and analyzes the response of that device to the signal;
the edge computing device holds a number of network topology detection models; from the responses to the detection signals these models derive a network topology connection diagram, and the device network topology graph containing the target forensics device is displayed on the human-computer interaction display interface.
The current network topology graph is at least a topology structure containing the current target forensics device. Every device in that structure has network connectivity with the current target forensics device and is therefore likely to have exchanged data with it, so the devices in the structure should be acquired as a whole during forensics, avoiding the disorder that results from acquiring data haphazardly.
The forensics process then starts. The portable on-site electronic data forensics device communicates with the target forensics device through the encrypted communication component and acquires the target data in the target forensics device;
after the target data has been acquired, the device communicates with a remote timestamp authentication center through the encrypted communication component; once a third-party authenticated timestamp has been obtained, the target data is associated with that timestamp and stored on an encrypted disk independent of the portable on-site electronic data forensics device, and once the storage has succeeded a feedback signal is sent to the edge computing device;
the acquisition of electronic data must be objectively trustworthy, and the time of acquisition is one of the key factors, so third-party authentication is required when the data is acquired and stored.
On the basis of the feedback signal, the edge computing device changes the state of the current target forensics device in the device network topology graph on the human-computer interaction display interface to the activated state and prompts the next target forensics device on the basis of the graph.
In the invention, all devices in the device network topology graph start in the non-activated state; when the forensics of a device is finished, that device is activated, and this continues until every device in the graph is in the activated state.
As another advantage of the invention, the receiving and analyzing by the edge computing device of the response of the target forensics device to the network topology detection signal further includes:
if the target forensics device does not respond to the network topology detection signal, determining whether the current device has a network topology hiding setting.
If the current device has no network topology hiding setting, it is judged to be a standalone device; otherwise the network topology hiding setting is cancelled.
If the current device is judged to be a standalone device, the portable on-site electronic data forensics device communicates with it directly.
These steps further ensure the integrity of the forensics process and avoid the possibility that a criminal's computer deliberately conceals evidence. Cancelling a hiding setting changes the configuration of the device under examination, so the original setting and the change made should be recorded before its data is acquired.
Sending the network topology detection signal to the target forensics device through the network topology detection signal component specifically includes:
configuring various data messages in advance and injecting them into the target forensics device as network topology detection signals.
Methods of detecting network topology by packet injection include discovery based on SNMP (Simple Network Management Protocol), on ICMP (Internet Control Message Protocol), on ARP (Address Resolution Protocol), on the OSPF (Open Shortest Path First) protocol and on LLDP (Link Layer Discovery Protocol).
When the forensics of the current target forensics device is complete, data is acquired from the next target forensics device in the current network topology structure diagram. Network topology detection is not needed at this point, so the network topology detection signal component is switched off; after the portable on-site electronic data forensics device and the edge computing device are disconnected from the current target forensics device, the portable device is connected to the next target forensics device and acquires the target data in it; after the next target forensics device has been examined, it is set to the activated state.
If all devices in the current network topology structure diagram are in the activated state, meaning that all of them have already been examined, a new target forensics device must be selected and the network topology detection and analysis enabled again to complete a new network topology structure diagram. Therefore, if every device in the device network topology graph is in the activated state, another on-site device that is not in the graph is selected as the new current target forensics device, and the device network topology graph containing the new current target forensics device is displayed on the human-computer interaction display interface.
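The procedure of the preceding paragraphs, from selecting a seed device, through the no-response and hiding-setting branch, activation on the feedback signal and prompting of the next target, to choosing a fresh seed once the whole graph is activated, as an added Python example that is not part of the patent. The site, its links and the device that hides its topology are a constructed in-memory adjacency table standing in for real probe responses; choosing the nearest non-activated device as the next target is this example's assumption (the patent only says the next target is prompted from the graph), as is re-probing a device after its hiding setting has been cancelled. All device names are invented.

```python
from collections import deque
from typing import Dict, Iterable, List, Optional, Set

INACTIVE, ACTIVE = "inactive", "active"


class TopologyProbe:
    """Constructed stand-in for the network topology detection signal component.

    A real component injects SNMP/ICMP/ARP/OSPF/LLDP packets and parses the replies;
    here the site is an in-memory adjacency table (an assumption of this example).
    Devices listed in `hidden` do not answer until their hiding setting is cancelled.
    """

    def __init__(self, links: Dict[str, Iterable[str]], hidden: Iterable[str] = ()):
        self.links: Dict[str, Set[str]] = {}
        for dev, neighbors in links.items():          # store links symmetrically
            for nb in neighbors:
                self.links.setdefault(dev, set()).add(nb)
                self.links.setdefault(nb, set()).add(dev)
        self.hidden = set(hidden)

    def probe(self, device: str) -> Optional[List[str]]:
        """Neighbors reported in the response, or None if the device does not respond."""
        if device in self.hidden or device not in self.links:
            return None
        return sorted(self.links[device])

    def has_hiding_setting(self, device: str) -> bool:
        return device in self.hidden

    def cancel_hiding(self, device: str) -> None:
        self.hidden.discard(device)


class ForensicsPlanner:
    """Holds the device network topology graph and each device's activation state."""

    def __init__(self, site_devices: Iterable[str], probe: TopologyProbe):
        self.site = set(site_devices)          # every device known to be on site
        self.probe = probe
        self.graph: Dict[str, Set[str]] = {}   # current topology map
        self.state: Dict[str, str] = {}        # INACTIVE / ACTIVE per device in the map
        self.done: Set[str] = set()            # acquired across all maps so far
        self.current: Optional[str] = None
        self.log: List[str] = []               # operator-visible record of decisions

    def _neighbors(self, device: str) -> List[str]:
        """Probe one device, applying the no-response branch of the procedure."""
        reply = self.probe.probe(device)
        if reply is not None:
            return reply
        if self.probe.has_hiding_setting(device):
            # This changes the target's configuration, so it is logged before acquisition.
            self.log.append(f"{device}: topology hiding setting found and cancelled")
            self.probe.cancel_hiding(device)
            return self.probe.probe(device) or []
        self.log.append(f"{device}: no response, treated as standalone device")
        return []

    def build_map(self, seed: str) -> Dict[str, Set[str]]:
        """Probe outward from the seed and build the topology map containing it."""
        self.graph = {}
        queue = deque([seed])
        while queue:
            dev = queue.popleft()
            if dev in self.graph:
                continue
            found = self._neighbors(dev)
            self.graph[dev] = set(found)
            queue.extend(n for n in found if n not in self.graph)
        self.state = {d: INACTIVE for d in self.graph}   # all start non-activated
        self.current = seed
        return self.graph

    def acquisition_done(self, device: str) -> Optional[str]:
        """Handle the feedback signal: activate the device, then prompt the next target."""
        self.state[device] = ACTIVE
        self.done.add(device)
        self.current = device
        return self.next_target()

    def next_target(self) -> Optional[str]:
        """Nearest non-activated device to the current one, by BFS over the map (assumed ordering)."""
        seen, queue = {self.current}, deque([self.current])
        while queue:
            dev = queue.popleft()
            if self.state.get(dev) == INACTIVE:
                return dev
            for nb in sorted(self.graph.get(dev, ())):
                if nb not in seen:
                    seen.add(nb)
                    queue.append(nb)
        return None

    def all_active(self) -> bool:
        return all(s == ACTIVE for s in self.state.values())

    def next_seed(self) -> Optional[str]:
        """An on-site device outside every map examined so far, or None when finished."""
        remaining = sorted(self.site - self.done)
        return remaining[0] if remaining else None


def run_session(planner: ForensicsPlanner, first_seed: str) -> List[str]:
    """Drive the whole on-site procedure; returns the order in which devices were acquired."""
    order: List[str] = []
    seed: Optional[str] = first_seed
    while seed is not None:
        planner.build_map(seed)
        target: Optional[str] = seed
        while target is not None:
            order.append(target)               # acquire, timestamp and store would happen here
            target = planner.acquisition_done(target)
        seed = planner.next_seed()             # whole map activated: pick a fresh seed
    return order


if __name__ == "__main__":
    # Constructed site: a switch with three hosts, a laptop linked to a PC that hides
    # its topology, and a standalone printer.
    probe = TopologyProbe(links={"switch-1": ["pc-1", "pc-2", "nas-1"], "pc-3": ["laptop-9"]},
                          hidden=["pc-3"])
    planner = ForensicsPlanner(["pc-1", "pc-2", "nas-1", "switch-1", "laptop-9", "pc-3", "printer-7"], probe)
    print("acquisition order:", run_session(planner, "pc-1"))
    print("\n".join(planner.log))
```

Run stand-alone, the session acquires the four devices of the first map as a unit, then moves on to the laptop, whose neighbor only answers after its hiding setting is cancelled, and finally to the printer, which is treated as a standalone device; the log records both decisions.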
The device of the invention can be designed as a portable terminal carried by the forensics personnel. The terminal may be configured with a standard edge computing device communication interface so as to be compatible with a variety of edge computing devices. Because the edge computing device can hold various model configurations locally and update them from the cloud, the method can adapt to the electronic data forensics process of various crime scenes without reconfiguring the terminal.
Further advantages of the invention will be apparent from the detailed description of embodiments that follows, taken together with the accompanying drawings.
Drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the embodiments are briefly described below. The drawings described are only some embodiments of the invention; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of the configuration of a portable on-site electronic data forensics device according to one embodiment of the invention;
FIG. 2 is a diagram of a network topology structure according to an embodiment of the invention;
FIG. 3 is a flow chart of the forensics performed on a current target forensics device according to an embodiment of the invention;
FIG. 4 is a schematic overall flow chart of electronic data forensics using the technical scheme of the invention.
Detailed Description
So that the above objects, features and advantages of the invention can be understood more clearly, the invention is further described below with reference to the accompanying drawings and examples. The embodiments of the application and the features of the embodiments may be combined with each other where they do not conflict.
FIG. 1 is a schematic structural diagram of a portable on-site electronic data forensics device according to an embodiment of the invention.
The portable on-site electronic data forensics device of FIG. 1 comprises an encrypted communication component, a network topology signal detection component and an edge computing device communication interface;
the device is provided with a human-computer interaction display interface;
the device network topology graph containing the target forensics device is displayed on the human-computer interaction display interface;
the device is connected to at least one edge computing device through the edge computing device communication interface, and the edge computing device is connected to a target forensics device.
In FIG. 1, after the target data in the target forensics device has been acquired, the device communicates with a remote timestamp authentication center through the encrypted communication component; once a third-party authenticated timestamp has been obtained, the target data is associated with that timestamp and stored on an encrypted disk independent of the portable on-site electronic data forensics device.
On the basis of FIG. 1, FIG. 2 shows schematically the device network topology graph containing the target forensics device as displayed on the human-computer interaction display interface.
The network topology detection signal component sends a network topology detection signal to the target forensics device, and the edge computing device receives and analyzes the response of the target forensics device to that signal;
on the basis of the analysis, the device network topology graph containing the target forensics device is displayed on the human-computer interaction display interface.
There are various methods of network topology detection based on detection signals: packets suited to the situation on site can be designed and injected into the network of the device under examination, and the topology of the network devices is obtained by analyzing the feedback.
Specifically, as a representation of the logical and physical connections between network devices, the network topology lets a network administrator grasp the operating state of the current network devices intuitively, locate fault points in the network accurately and obtain basic data for analyzing problems in the network, so that the network can be optimized in a targeted way and its performance improved. Automatic discovery of the network topology is the technical key to an intelligent network management system and the basis of intelligent network management software.
In this embodiment, the methods available for discovering the network topology include:
(1) Discovery based on SNMP (Simple Network Management Protocol). This method uses SNMP to read the MIB of network devices such as switches and routers and obtain the corresponding information. One notable advantage of SNMP is that when the network changes, the information in the MIB changes with it, and the whole acquisition is fast, so topology discovery is also fast, its result reliable and the system and network overhead small. The main problem with SNMP topology discovery is that not every network device provides an SNMP management service, and even where it does the MIB may not hold enough useful information. Another problem is the interpretation of MIB values: although some basic device information is standardized in the MIB, many manufacturers add private information to the MIB to better describe the functionality of their own products.
(2) Discovery based on ICMP (Internet Control Message Protocol). This method uses ping packets for topology discovery. Ping is one of the earliest and most widely used tools in IP networks; it uses ICMP echo request and echo reply messages to test whether a host is reachable and, from the round-trip delay, can also estimate how "far" a node is from us. Because it uses small packets, its overhead is low. Each candidate IP address can be pinged to determine whether it corresponds to a reachable network node. A reachable node usually answers very quickly (well under a millisecond on a local network), but for an unreachable node the probe only times out after a set interval, usually 2 seconds, so pinging a large number of candidate addresses for topology discovery is rather inefficient. Because the probe cycle is long and the network load high, the method is not suitable for real-time topology discovery.
(3) Discovery based on ARP (Address Resolution Protocol). This method discovers devices efficiently and applies widely, but in a very large network the ARP cache entries are continuously aged out and replaced, so a reading of the ARP tables may not cover every switch and router in the network.
(4) Discovery based on the OSPF (Open Shortest Path First) protocol. The information in the OSPF link state database can be summarized from the individual link state records into a graph of nodes representing the network, from which routes are computed: the internal nodes are OSPF routers and transit networks, the peripheral nodes are stub networks, summary networks and external destinations, and the arcs are links with various metrics. A network management system can therefore read the OSPF routing information stored in a router in each area of the autonomous system and construct the network topology map of the whole autonomous system. The method is fast and performs well, but it is difficult to implement, the search can be limited to a certain range, and all devices must support OSPF.
(5) Discovery based on LLDP (Link Layer Discovery Protocol). LLDP is a vendor-independent Layer 2 protocol that lets network devices advertise their identity and capabilities on the local subnet. In short, it is a neighbor discovery protocol: it defines a standard way for Ethernet devices such as switches, routers and WLAN access points to advertise their presence to other nodes in the network and to keep the discovery information received from each neighboring device, including details such as device configuration and identification. Specifically, LLDP defines a common set of advertisement information, a protocol for transmitting the advertisements and a method for storing the received advertisement information.
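The following Python parser, added here and not part of the patent, shows what the LLDP-based method of item (5) actually consumes: it decodes the mandatory Chassis ID, Port ID and TTL TLVs together with System Name and Management Address from an LLDP frame, rejects truncated or incomplete frames, and turns frames captured on the ports of the device under examination into edges of the topology graph. The frames are constructed inline by an encoder included for that purpose; the TLV layout follows IEEE 802.1AB, and the device names, MAC and IP addresses are invented.

```python
import struct
from typing import Dict, List, Tuple

LLDP_ETHERTYPE = 0x88CC
LLDP_MCAST = bytes.fromhex("0180c200000e")   # nearest-bridge multicast address

# TLV types from IEEE 802.1AB (0 = End of LLDPDU ... 8 = Management Address)
END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP, MGMT_ADDR = range(9)


def _tlv(tlv_type: int, payload: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the payload."""
    assert 0 <= tlv_type < 128 and len(payload) < 512
    return struct.pack("!H", (tlv_type << 9) | len(payload)) + payload


def build_lldp_frame(src_mac: bytes, chassis_mac: bytes, port_name: str, sysname: str,
                     mgmt_ipv4: bytes, ttl: int = 120) -> bytes:
    """Encode a minimal LLDPDU the way a switch would advertise it (constructed input)."""
    tlvs = (
        _tlv(CHASSIS_ID, b"\x04" + chassis_mac)          # chassis subtype 4 = MAC address
        + _tlv(PORT_ID, b"\x05" + port_name.encode())    # port subtype 5 = interface name
        + _tlv(TTL, struct.pack("!H", ttl))
        + _tlv(SYS_NAME, sysname.encode())
        # mgmt addr: addr string length (incl. subtype), subtype 1 = IPv4, address,
        # interface numbering subtype, interface number, OID length (0)
        + _tlv(MGMT_ADDR, bytes([5, 1]) + mgmt_ipv4 + b"\x02" + struct.pack("!I", 1) + b"\x00")
        + _tlv(END, b"")
    )
    return LLDP_MCAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + tlvs


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_lldp_frame(frame: bytes) -> Dict[str, object]:
    """Decode the neighbor advertisement carried in one LLDP frame."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    info = {"src_mac": _mac(frame[6:12]), "mgmt_addrs": []}
    off = 14
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        val = frame[off + 2: off + 2 + tlen]
        if len(val) != tlen:
            raise ValueError("truncated TLV")        # malformed input is not trusted
        off += 2 + tlen
        if ttype == END:
            break
        if ttype in (CHASSIS_ID, PORT_ID):
            if len(val) < 2:
                raise ValueError("bad ID TLV")
            subtype, ident = val[0], val[1:]
            mac_subtype = 4 if ttype == CHASSIS_ID else 3   # MAC subtypes differ per TLV
            text = _mac(ident) if subtype == mac_subtype else ident.decode(errors="replace")
            info["chassis_id" if ttype == CHASSIS_ID else "port_id"] = text
        elif ttype == TTL:
            if len(val) < 2:
                raise ValueError("bad TTL TLV")
            info["ttl"] = struct.unpack("!H", val[:2])[0]
        elif ttype == SYS_NAME:
            info["system_name"] = val.decode(errors="replace")
        elif ttype == MGMT_ADDR and len(val) >= 6 and val[0] == 5 and val[1] == 1:
            info["mgmt_addrs"].append(".".join(str(x) for x in val[2:6]))   # IPv4 only
    for required in ("chassis_id", "port_id", "ttl"):
        if required not in info:
            raise ValueError(f"missing mandatory TLV: {required}")
    return info


def topology_edges(local_name: str,
                   captures: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str, str]]:
    """Turn (local port, captured LLDP frame) pairs into (local, port, neighbor, port) edges."""
    edges = []
    for local_port, frame in captures:
        nb = parse_lldp_frame(frame)
        remote = str(nb.get("system_name", nb["chassis_id"]))
        edges.append((local_name, local_port, remote, str(nb["port_id"])))
    return edges


if __name__ == "__main__":
    # Constructed sample frames, as if captured on two ports of the target device.
    f1 = build_lldp_frame(bytes.fromhex("001122334455"), bytes.fromhex("001122334455"),
                          "GigabitEthernet1/0/3", "core-sw-1", bytes([192, 168, 10, 1]))
    f2 = build_lldp_frame(bytes.fromhex("66778899aabb"), bytes.fromhex("66778899aabb"),
                          "eth0", "nas-1", bytes([192, 168, 10, 20]))
    for edge in topology_edges("pc-1", [("eth0", f1), ("eth1", f2)]):
        print(edge)
```

Unlike a ping sweep, an LLDP capture is passive and local: it only reveals the directly attached neighbors, so the edges it yields have to be stitched together across the devices in the map.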
Sending a network topology detection signal to the target forensics device through the network topology detection signal component, and receiving and analyzing a response signal of the target forensics device to the network topology detection signal by the edge computing device;
based on the analysis, displaying the equipment network topological graph containing the target evidence obtaining equipment on the human-computer interaction display interface;
the portable field electronic data evidence obtaining device is in data communication with the target evidence obtaining equipment through the encryption communication assembly, and target data in the target evidence obtaining equipment are obtained.
Figs. 3-4 are detailed flow charts of on-site electronic data forensics using the device.
Referring to fig. 3, after the forensic examiners arrive at the site, one field device may be selected at random as the current initial target forensics device, without any prior knowledge of the site.
Then the portable on-site electronic data forensics device is connected to at least one edge computing device through the edge computing device communication interface, and the edge computing device is connected to the target forensics device;
a network topology detection signal is sent to the target forensics device through the network topology detection signal component, and the edge computing device receives and analyzes the response of the target forensics device to that signal;
based on the analysis, a device network topology graph containing the target forensics device is displayed on the human-computer interaction display interface;
the portable on-site electronic data forensics device communicates with the target forensics device through the encrypted communication component and obtains the target data held on the target forensics device.
After the target data has been obtained, the device contacts a remote timestamp authentication center through the encrypted communication component; once a third-party authenticated timestamp is obtained, the target data is associated with that timestamp and stored on an encrypted disk independent of the portable on-site electronic data forensics device, and after the storage succeeds a feedback signal is sent to the edge computing device;
based on the feedback signal, the edge computing device changes the state of the current target forensics device in the device network topology graph on the human-computer interaction display interface to activated, and prompts the next target forensics device based on the graph.
Then, referring to fig. 4, after the portable on-site electronic data forensics device and the edge computing device are disconnected from the current target forensics device, the portable device is connected to the next target forensics device and the target data on that device is acquired.
If every device in the device network topology graph is in the activated state, another on-site device that is not in the graph is selected as the new current target forensics device, and a device network topology graph containing the new current target forensics device is displayed on the human-computer interaction display interface.
After the portable on-site electronic data forensics device is connected to the next target forensics device, the network topology detection signal component is switched off.
In the above embodiment, to avoid missing evidence, if the target forensics device does not respond to the network topology detection signal, it is determined whether the current device has a network topology concealment setting.
If the current device has no network topology concealment setting, it is judged to be a stand-alone device; otherwise, the network topology concealment setting is cancelled.
If the current device is judged to be a stand-alone device, the portable on-site electronic data forensics device communicates with it directly.
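The collection loop described in the steps above, as an added example that is not the patent's own code: it simulates the topology graph states, the stand-alone and concealed-device branches, and the association of each record with a third-party timestamp. Device names, their data and the stand-in for the remote timestamp authentication center are all constructed.

```python
# Added example, not the patent's code: simulation of the Figs. 3-4 workflow.
# Device names, data and the timestamp-center stub are constructed stand-ins.
import hashlib
from dataclasses import dataclass, field
INACTIVE, ACTIVATED = "inactive", "activated"

@dataclass
class FieldDevice:
    name: str
    data: bytes                                  # stand-in for the target data
    neighbors: set = field(default_factory=set)  # devices in topology with it
    responds: bool = True                        # answers the detection signal?
    concealed: bool = False                      # has a concealment setting?

def third_party_timestamp(digest: str) -> dict:  # constructed TSA stand-in
    return {"digest": digest, "time": "2020-05-25T00:00:00Z"}
def collect(dev: FieldDevice) -> dict:
    # Obtain the target data, fetch the timestamp, build the disk record.
    digest = hashlib.sha256(dev.data).hexdigest()
    return {"device": dev.name, "sha256": digest, "stamp": third_party_timestamp(digest)}

def verify_record(rec: dict, data: bytes) -> bool:
    # A stored record is good only if the data hash matches the stamped digest.
    return hashlib.sha256(data).hexdigest() == rec["sha256"] == rec["stamp"]["digest"]

def run_session(site: dict, start: str):
    """Walk the site from the chosen start device; returns (disk records, order)."""
    graph, disk, order = {}, [], []         # graph: device name -> state
    current, probe = start, True            # probe only a new current target
    while current:
        dev = site[current]
        if probe:
            if not dev.responds and dev.concealed:
                dev.concealed, dev.responds = False, True   # cancel concealment
            if dev.responds:                # build the topology graph around it
                for n in sorted({dev.name} | dev.neighbors):
                    graph.setdefault(n, INACTIVE)
            else:                           # stand-alone: talk to it directly
                graph[dev.name] = INACTIVE
        disk.append(collect(dev)); order.append(dev.name)
        graph[dev.name] = ACTIVATED         # feedback signal after storage
        current = next((n for n, s in graph.items() if s == INACTIVE), None)
        probe = current is None             # graph exhausted: pick a new target
        if probe:
            current = next((n for n in site if n not in graph), None)
    return disk, order

SITE = {  # constructed site: A-B-C linked, D stand-alone, E concealed with F
    "A": FieldDevice("A", b"switch-cfg", {"B", "C"}),
    "B": FieldDevice("B", b"camera-logs", {"A"}),
    "C": FieldDevice("C", b"nvr-db", {"A"}),
    "D": FieldDevice("D", b"usb-stick", responds=False),
    "E": FieldDevice("E", b"router-cfg", {"F"}, responds=False, concealed=True),
    "F": FieldDevice("F", b"ap-cfg", {"E"}),
}
```

Running `run_session(SITE, "A")` walks A, B, C from the first graph, then finds D as a stand-alone device and E only after its concealment setting is cancelled, which is the order the flow charts prescribe.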
Therefore, with the technical scheme of the invention, when on-site evidence collection is carried out on a large number of target devices, the collection process is kept orderly, can be shown visually, and omission of evidence is avoided.
The invention can accurately locate the topological connection structure of the on-site target forensics devices, carry out on-site electronic data forensics based on a visualization of the topological connection diagram, ensure that the collection is accurate and comprehensive, ensure that the collection process is complete and reliable, and obtain the data in an orderly manner.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (10)

1. A portable field electronic data evidence obtaining device comprises an encryption communication component, a network topology signal detection component and an edge computing device communication interface;
characterized in that:
the portable on-site electronic data evidence obtaining device is provided with a human-computer interaction display interface;
the portable on-site electronic data forensics device is connected with at least one edge computing device through the edge computing device communication interface, and the edge computing device is connected with a target forensics device;
sending a network topology detection signal to the target forensics device through the network topology detection signal component, and receiving and analyzing a response signal of the target forensics device to the network topology detection signal by the edge computing device;
based on the analysis, displaying a device network topological graph containing the target evidence obtaining device on the human-computer interaction display interface;
the portable on-site electronic data evidence obtaining device is in data communication with the target evidence obtaining equipment through the encryption communication assembly to obtain target data in the target evidence obtaining equipment;
after target data in the target evidence obtaining equipment is obtained, the target data is communicated with a remote time stamp authentication center through the encryption communication assembly, after a third party authentication time stamp is obtained, the target data is stored in an encryption disk independent of the portable field electronic data evidence obtaining device after being associated with the third party authentication time stamp, and after the storage is successful, a feedback signal is sent to the edge computing equipment;
and the edge computing equipment changes the state of the current target evidence obtaining equipment in an equipment network topological graph on the man-machine interaction display interface into an activated state based on the feedback signal, and prompts the next target evidence obtaining equipment based on the equipment network topological graph.
2. The portable onsite electronic data forensics device of claim 1, wherein:
based on the analysis, displaying a device network topology map containing the target forensics device on the human-computer interaction display interface, specifically comprising:
the device network topological graph displays all other devices which are in communication topological connection with the current target evidence obtaining device;
in an initial state, the states of all devices in the device network topology map are inactive states.
3. The portable onsite electronic data forensics device of claim 1, wherein:
sending a network topology detection signal to the target forensics device through the network topology detection signal component, and receiving and analyzing a response signal of the target forensics device to the network topology detection signal by the edge computing device, which specifically includes:
the edge computing device comprises a plurality of network topology detection models based on one or a combination of the following methods:
a discovery method based on the simple network management protocol SNMP;
a discovery method based on the Internet control message protocol ICMP;
a discovery method based on the address resolution protocol ARP;
a discovery method based on the open shortest path first protocol OSPF;
a discovery method based on the link layer discovery protocol LLDP.
4. A portable onsite electronic data forensics device as claimed in claim 1 or 3, wherein:
the edge computing device receives and analyzes a response signal of the target forensics device to the network topology detection signal, and further includes:
and if the target forensics device does not respond to the network topology detection signal, determining whether the current device is detected to have a network topology concealment setting.
5. The portable onsite electronic data forensics device of claim 1, wherein:
sending a network topology detection signal to the target forensics device through the network topology detection signal component, which specifically includes:
various data packets are configured in advance and injected into the target forensics device as network topology detection signals.
6. The portable on-site electronic data forensics device of claim 4, wherein:
if the target forensics device does not respond to the network topology detection signal, determining whether a network topology concealment setting exists on the current device further comprises:
if the current device has no network topology concealment setting, judging the current device to be a stand-alone device; otherwise, cancelling the network topology concealment setting.
7. The portable onsite electronic data forensics device of claim 6, wherein:
and if the current equipment is judged to be independent equipment, the portable field electronic data evidence obtaining device directly carries out data communication with the current equipment.
8. The portable on-site electronic data forensics device of claim 1, wherein:
the edge computing device changes the state of the current target evidence obtaining device in the device network topological graph on the human-computer interaction display interface into an activated state based on the feedback signal, and further comprises the following steps after prompting the next target evidence obtaining device based on the device network topological graph:
and after the portable field electronic data evidence obtaining device and the edge computing equipment are disconnected with the current target evidence obtaining equipment, connecting the portable field electronic data evidence obtaining device with the next target evidence obtaining equipment to obtain target data in the next target evidence obtaining equipment.
9. The portable on-site electronic data forensics device of claim 2, wherein:
and if the states of all the devices in the device network topological graph are activated states, selecting another device which is not in the device network topological graph on site as a new current target evidence obtaining device, and displaying the device network topological graph containing the new current target evidence obtaining device on the human-computer interaction display interface.
10. The portable onsite electronic data forensics device of claim 8, wherein:
connecting the portable field electronic data evidence obtaining device with the next target evidence obtaining device to obtain the target data in the next target evidence obtaining device, and further comprising:
and after the portable on-site electronic data evidence obtaining device is connected with the next target evidence obtaining device, closing the network topology detection signal assembly.
CN202010449487.7A 2020-05-25 2020-05-25 Portable on-site electronic data evidence obtaining terminal and device Active CN111786811B (en)


Publications (2)

Publication Number Publication Date
CN111786811A CN111786811A (en) 2020-10-16
CN111786811B true CN111786811B (en) 2022-07-08

Family

ID=72753278


Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008070415A2 (en) * 2006-11-14 2008-06-12 Deepdive Technologies Inc. Networked information collection apparatus and method
CN102932145A (en) * 2011-08-12 2013-02-13 西安秦码软件科技有限公司 Collaborative network electronic evidence obtaining technology based on third-party signature
CN103259878A (en) * 2013-04-18 2013-08-21 山东省计算中心 MAC address capture method for specific target user of wireless local area network
CN204650512U (en) * 2015-03-31 2015-09-16 北京中超伟业信息安全技术有限公司 A kind of security forensics system based on server architecture
CN105139322A (en) * 2015-07-02 2015-12-09 盘石软件(上海)有限公司 Distributed electronic data evidence collecting system and distributed electronic data evidence collecting method
CN105991334A (en) * 2015-02-28 2016-10-05 中国移动通信集团广西有限公司 Network topology self-discovering method and device
CN106909697A (en) * 2017-04-20 2017-06-30 中车株洲电力机车研究所有限公司 A kind of equipment searches system
CN109981280A (en) * 2017-12-28 2019-07-05 史成鹏 A kind of electronic data evidence obtaining method and system
CN110689270A (en) * 2019-09-30 2020-01-14 广州竞远安全技术股份有限公司 Information security evaluation method and device based on multi-factor verification and computer

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100299430A1 (en) * 2009-05-22 2010-11-25 Architecture Technology Corporation Automated acquisition of volatile forensic evidence from network devices


Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"Computer forensics technology based on generalized data mining"; 米佳 et al.; Journal of People's Public Security University of China (Natural Science Edition); 2006-09-30; full text *
"A requirement-based network electronic forensics process model"; 刘尊; Computer Applications and Software; 2005-11-12; full text *
"Analysis and research of the computer forensics process"; 滑斌 et al.; Computer Knowledge and Technology; 2017-07-15; full text *
"Research on router forensics"; 韩马剑; Netinfo Security; 2016-09-10; full text *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant