CN112260835B - Block chain-based online process evidence obtaining and storing method - Google Patents
- Publication number
- CN112260835B
- Authority
- CN
- China
- Prior art keywords
- evidence
- data
- evidence obtaining
- forensics
- block chain
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/121—Restricting unauthorised execution of programs
- G06F21/128—Restricting unauthorised execution of programs involving web programs, i.e. using technology especially used in internet, generally interacting with a web browser, e.g. hypertext markup language [HTML], applets, java
- H04L69/04—Protocols for data compression, e.g. ROHC
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Abstract
The invention relates to the technical field of blockchain-based evidence collection, and in particular to a blockchain-based method for obtaining and storing evidence of an online process, comprising the following steps. A user initiates a process forensics request. The server provides a virtual machine, a forensics console and the operation desktop of the virtual machine, and the user operates the virtual machine. Images of the operation desktop are saved at a certain frequency. The operation desktop images are assembled into a video, and the video is associated with its start and stop timestamps to serve as forensic data. Storing evidence: the forensic data and a security certificate are packaged into a compressed data packet; the compressed data packet is signed and stored, its digital fingerprint is extracted, a timestamp is associated with the digital fingerprint and the result is signed to form evidence-storage data, and the evidence-storage data is broadcast to the blockchain network where the server is located; the forensic nodes in the blockchain network anchor the broadcast blocks to a public blockchain. The substantial effects of the invention are as follows: evidence of an online process can be obtained by remote operation, evidence of infringement by a dynamic web page or an application program can be obtained and stored, and support is provided for subsequent rights protection.
Description
Technical Field
The invention relates to the technical field of blockchain-based evidence collection, and in particular to a blockchain-based method for obtaining and storing evidence of an online process.
Background
Network infringement refers to infringement that occurs in a network environment and is a form of intellectual property infringement. However, owing to the particular nature of the internet, protecting rights and obtaining evidence for related rights such as copyright has always been difficult in network infringement cases. At present, evidence on a network can only be collected by making an offline appointment with a notarization department or forensic institution and performing the collection on site, which is time-consuming and labor-intensive. Blockchain evidence storage stores data on a blockchain so that the data is tamper-resistant, traceable and of trustworthy origin. The development of blockchain technology brings new opportunities for network forensics. Technology for storing evidence of static web pages already exists. For example, Chinese patent CN109102437A, published on December 28, 2018, discloses a method and system for automatically obtaining web page evidence based on a blockchain. In that method, a law enforcement department terminal receives network report information, collects evidence data from the web page link that the report targets, and generates a unique identification code for the evidence data; generates fingerprint information corresponding to the evidence data; stores the evidence data in a data server; and writes the identification code and the fingerprint information to the blockchain, recording their position in the blockchain.
An authentication department terminal obtains the original fingerprint information and the evidence data according to the position information and the identification code, generates new fingerprint information for the evidence data, and compares the original fingerprint information with the new fingerprint information to perform authentication. Because that scheme collects and fixes the evidence automatically in a single pass, it effectively reduces the number of steps and the processing time needed to form evidence. However, it cannot obtain evidence of dynamic web pages, that is, web page content that can be viewed only after logging in to an account or even a member account, or of infringement by computer application software.
Disclosure of Invention
The technical problem to be solved by the invention is the current lack of technology for obtaining and storing evidence online for dynamic web pages or dynamic processes. The method enables online evidence collection for infringement by dynamic web pages and broadens the scope of online evidence collection.
To solve this technical problem, the invention adopts the following technical scheme: a blockchain-based method for obtaining and storing evidence of an online process, comprising the following steps. Obtaining evidence: a user initiates a process forensics request to a server; the server checks whether an idle virtual machine currently exists, allocates it to the user if so, and otherwise allocates a new virtual machine to the user; the server provides the user with a forensics console and the operation desktop of the virtual machine and assigns a forensic number, the forensics console being used to start and end forensics, and the user remotely connects to and operates the virtual machine; the user starts forensics, and the server saves images of the operation desktop at a certain frequency while the user operates the virtual machine, until the user ends forensics or a preset upper limit on forensics duration is reached; the saved operation desktop images are assembled in time order into a video, and the video is associated with its start and stop timestamps to serve as forensic data. Storing evidence: the server generates a security certificate for the forensic data, the security certificate including the forensic number and a timestamp, and packages the forensic data and the security certificate into a compressed data packet; the compressed data packet is signed and stored on the server, and at the same time its digital fingerprint is extracted, a timestamp is associated with the digital fingerprint, and the result is signed to form evidence-storage data, which is broadcast to the blockchain network where the server is located; a number of items of evidence-storage data form a block, and the forensic nodes in the blockchain network anchor the broadcast block to a public blockchain.
The virtual machines are networked and application software can be installed on them. The user remotely operates a virtual machine, installs the required software, starts forensics, opens a browser to browse a website or opens an application program, logs in to an account and continues operating, so that the infringing content is displayed on the operation desktop of the virtual machine. The server meanwhile saves screenshots of the operation desktop at a certain frequency, recording the infringing content in the website or application software, so that evidence of dynamic web pages or application software can be obtained. A digital fingerprint of the forensic data, usually a secure hash value, is then extracted, verified and signed by the blockchain nodes, and broadcast to the blockchain for storage, so that the evidence is credible, irremovable and non-repudiable; this completes the storage of the forensic data as evidence and provides support for rights protection.
Preferably, the forensics console further provides forensic-area magnification: when the user clicks forensic-area magnification, the user is prompted to draw a box around the area to magnify, and after the user selects the area, its content is magnified to a set size and restored after a preset time. When infringing content appears small on the virtual machine's operation desktop, local magnification enlarges it to a set size so that it is displayed clearly, ensuring that the infringement evidence is captured successfully and is usable.
Preferably, when the user ends forensics, the server converts the saved operation desktop images into a video and provides the user with a video preview, and the forensics console displays "confirm forensics" and "redo forensics" options. If the user clicks redo forensics, the operation desktop of the virtual machine is shown again; if the user clicks confirm forensics, the video is associated with its start and stop timestamps to serve as forensic data. The video preview lets the user confirm whether forensics completed successfully and, if it did not, redo it promptly.
Preferably, during forensics, each time the user clicks the mouse the server generates a random code and displays the random code and the forensic number below the mouse pointer for a preset duration, so that they are captured in the picture when the server saves the operation desktop image of the virtual machine. The server also associates every generated random code with a timestamp and stores them in order to form a random code array, and the signature of the random code array is encrypted and incorporated into the forensic data. Because mouse clicks occur at random, the unique forensic number and random codes they cause to be displayed effectively form a watermark randomly interspersed in the forensic footage. This makes the footage harder to tamper with, can also be used to check whether the footage has been tampered with or had parts deleted, and improves the security and reliability of the forensic data.
Preferably, the forensic nodes of the blockchain network verify the broadcast evidence-storage data. If the difference between the timestamp in the evidence-storage data and the forensic node's current time is within a preset threshold range, verification passes. If verification passes and the evidence-storage data does not yet contain the forensic node's signature, the forensic node signs the evidence-storage data and broadcasts the signed data to the current blockchain network. The preset threshold range is determined by the broadcast time, the computation time of the signature algorithm, and the number of forensic nodes in the current blockchain network. Passing verification shows that the forensic nodes in the blockchain network completed verification and signing of the evidence-storage data within the specified time, which guarantees the authenticity of the evidence-storage data.
Preferably, when a forensic node verifies the broadcast evidence-storage data, it obtains the forensic data from the server, randomly selects a video segment within a preset selection section, and identifies whether the operation desktop images in the segment show a random code and forensic number below the mouse pointer. If so, it saves the timestamps of those operation desktop images to form a timestamp sequence, associates the timestamp sequence with the start and stop timestamps of the video segment, and stores them locally. If verification passes and the evidence-storage data does not contain the forensic node's signature, the node attaches the timestamp sequence and the video segment's start and stop timestamps to the evidence-storage data, signs it, and broadcasts it to the current blockchain network. Identifying whether operation desktop images show the random code and forensic number below the mouse pointer, and recording the result as a timestamp sequence, allows part of the forensic data to be verified collectively and improves the reliability of the evidence-storage data.
Preferably, when the random code and the forensic number are displayed below the mouse pointer, the virtual machine also displays a preset standard solid-color icon for quick identification. The solid-color icon speeds up recognition and improves the efficiency of evidence storage.
Preferably, the blockchain network includes an audit node. After the audit node receives evidence-storage data signed by all forensic nodes, it verifies whether the difference between the timestamp associated with each signature contained in the evidence-storage data and the current time is within a preset threshold range; if not, verification fails. Otherwise, it verifies whether the timestamp sequences attached by forensic nodes for the same preset section are identical; if not, verification fails, and otherwise verification succeeds. If verification fails, the user is prompted to perform process forensics again. If verification succeeds, the signatures of the nodes are verified, and the evidence-storage data signed by all forensic nodes is taken as a block and broadcast to the blockchain network, where the network nodes store the block; the audit node extracts the digital fingerprint of the block and anchors it to the public blockchain. By verifying the timestamps and the timestamp sequences, the audit node can detect errors in the evidence storage process, improving the authenticity and credibility of the evidence-storage data, and the user can be notified promptly to obtain and store evidence again.
Preferably, the names of the processes running on the virtual machine are displayed in a semi-transparent floating area on the operation desktop, and the position of that area can be changed by dragging with the mouse. Displaying the processes running on the virtual machine demonstrates that no forgery script is running in it, improving the reliability of the forensic data and the evidence-storage data.
Preferably, when the user starts forensics, the virtual machine displays the forensic number on the operation desktop for a preset duration, and when the user ends forensics, the forensic number is displayed again for the preset duration.
Preferably, the forensics console also provides a forensics pause: when the user clicks forensics pause, the server pauses saving operation desktop images until the user clicks forensics pause again. The pause makes operation more convenient for the user.
The substantial effects of the invention are as follows: evidence of an online process can be obtained by remote operation, and evidence of infringement by a dynamic web page or application program can be obtained and stored; the rights holder can conveniently and quickly obtain and fix evidence of the infringement, which supports subsequent rights protection and promotes the protection of intellectual property rights, including copyright.
Drawings
FIG. 1 is a flowchart of the online process evidence obtaining and storing method according to the first embodiment.
FIG. 2 is a schematic diagram of the verification process of the blockchain forensic nodes and audit node according to the second embodiment.
Detailed Description
The following provides a more detailed description of the present invention, with reference to the accompanying drawings.
The first embodiment is as follows:
A blockchain-based method for obtaining and storing evidence of an online process, as shown in FIG. 1, includes:
Obtaining evidence:
A user initiates a process forensics request to a server. The server checks whether an idle virtual machine currently exists; if so, it allocates the idle virtual machine to the user, and if not, it allocates a new virtual machine to the user. The virtual machines are networked and application software can be installed on them.
The server provides the user with a forensics console and the operation desktop of the virtual machine and assigns a forensic number. The forensics console is used to start and end forensics, and the user remotely connects to and operates the virtual machine. The names of the processes running on the virtual machine are displayed in a semi-transparent floating area on the operation desktop, and the position of that area can be changed by dragging with the mouse. When the user clicks forensic-area magnification, the user is prompted to select the area to magnify, and after the user selects the area, its content is magnified to a set size and restored after a preset time. When the user clicks forensics pause, the server pauses saving operation desktop images until the user clicks forensics pause again.
The user starts forensics, and the server saves images of the operation desktop at a certain frequency while the user operates the virtual machine, until the user ends forensics or the preset upper limit on forensics duration is reached. When the user starts forensics, the virtual machine displays the forensic number on the operation desktop for a preset duration, and when the user ends forensics, the forensic number is displayed again for the preset duration.
The saved operation desktop images are assembled in time order into a video, and a video preview is provided to the user. The forensics console displays "confirm forensics" and "redo forensics" options. If the user clicks redo forensics, the operation desktop of the virtual machine is shown again; if the user clicks confirm forensics, the video is associated with its start and stop timestamps to serve as forensic data.
Storing evidence:
The server generates a security certificate for the forensic data, the security certificate including the forensic number and a timestamp, and packages the forensic data and the security certificate into a compressed data packet. The compressed data packet is signed and stored on the server; at the same time its digital fingerprint is extracted, a timestamp is associated with the digital fingerprint, and the result is signed to form evidence-storage data, which is broadcast to the blockchain network where the server is located.
Items of evidence-storage data form blocks, and the forensic nodes in the blockchain network anchor the broadcast blocks to the public blockchain. The user remotely operates a virtual machine, installs the required software, starts forensics, opens a browser to browse a website or opens an application program, logs in to an account and continues operating, so that the infringing content is displayed on the operation desktop of the virtual machine. The server meanwhile saves screenshots of the operation desktop at a certain frequency, recording the infringing content in the website or application software, so that evidence of dynamic web pages or application software can be obtained. A digital fingerprint of the forensic data, usually a secure hash value, is then extracted, verified and signed by the blockchain nodes, and broadcast to the blockchain for storage, so that the evidence is credible, irremovable and non-repudiable; this completes the storage of the forensic data as evidence and provides support for rights protection.
The server stores all of the user's forensics records, and the user views and downloads the compressed data packet through those records. If the digital fingerprint of the compressed data packet can be found, and the difference between the timestamp of the digital fingerprint stored on the public blockchain and the timestamp of the compressed data packet is within a preset threshold range, the compressed data packet is shown not to have been modified. Decompressing the compressed data packet yields the forensic video.
This embodiment obtains evidence of an online process through remote operation, which makes the forensics process convenient for ordinary users as well. Evidence can be obtained and stored for dynamic web pages, that is, web pages that display the relevant content only after logging in to a user account or member account, and for infringement by application programs on a computer or mobile phone. For forensics on mobile phone applications, the virtual machine created by the server is a mobile phone emulator, such as an Android emulator.
The second embodiment:
In this embodiment, during forensics, each time the user clicks the mouse the server generates a random code and displays the random code, the forensic number and a preset standard solid-color icon for quick identification below the mouse pointer for a preset duration, as shown in FIG. 2. These are captured in the picture when the server saves the operation desktop image of the virtual machine. The server also associates every generated random code with a timestamp and stores them in order to form a random code array, and the signature of the random code array is encrypted and then incorporated into the forensic data. Because mouse clicks occur at random, the unique forensic number and random codes they cause to be displayed effectively form a watermark randomly interspersed in the forensic footage.
The forensic nodes of the blockchain network verify the broadcast evidence-storage data. If the difference between the timestamp in the evidence-storage data and the forensic node's current time is within the preset threshold range, verification passes. If verification passes and the evidence-storage data does not contain the forensic node's signature, the forensic node signs the evidence-storage data and broadcasts the signed data to the current blockchain network. Passing verification shows that the forensic nodes in the blockchain network completed verification and signing of the evidence-storage data within the specified time.
When a forensic node verifies the broadcast evidence-storage data, it obtains the forensic data from the server, randomly selects a video segment within a preset selection section, and identifies whether the operation desktop images in the segment show a random code and forensic number below the mouse pointer. If so, it saves the timestamps of those operation desktop images to form a timestamp sequence, associates the timestamp sequence with the start and stop timestamps of the video segment, and stores them locally. If verification passes and the evidence-storage data does not contain the forensic node's signature, the node attaches the timestamp sequence and the video segment's start and stop timestamps to the evidence-storage data, signs it, and broadcasts it to the current blockchain network.
The blockchain network includes an audit node. After the audit node receives evidence-storage data signed by all forensic nodes, it verifies whether the difference between the timestamp associated with each signature contained in the evidence-storage data and the current time is within a preset threshold range; if not, verification fails. Otherwise, it verifies whether the timestamp sequences attached by forensic nodes for the same preset section are identical; if not, verification fails, and otherwise verification succeeds. If verification fails, the user is prompted to perform process forensics again. If verification succeeds, the signatures of the nodes are verified, and the evidence-storage data signed by all forensic nodes is broadcast as a block to the blockchain network, where the network nodes store the block; the audit node extracts the digital fingerprint of the block and anchors it to the public blockchain. The remaining steps are the same as in the first embodiment, that is, this embodiment can be implemented together with the first embodiment.
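The following added example (not part of the patent text) sketches the checks described in the two embodiments: forming evidence-storage data from a package fingerprint and timestamp, the forensic node's threshold check and sign-once rule, the audit node's timestamp and timestamp-sequence comparison, and the first embodiment's check that a downloaded package is unmodified. The function names, the 30-second threshold, the key names and the use of HMAC in place of real digital signatures are all assumptions made so the sketch runs with the Python standard library alone.

```python
import hashlib
import hmac
import json

THRESHOLD_S = 30  # assumed value for the "preset threshold range", in seconds

# Constructed demo keys. HMAC stands in for the digital signatures in the text;
# a deployment would use asymmetric signatures verified with public keys.
KEYS = {"server": b"server-demo-key",
        "node-A": b"node-a-demo-key",
        "node-B": b"node-b-demo-key"}


def fingerprint(package: bytes) -> str:
    """Digital fingerprint of the compressed data packet (SHA-256 here)."""
    return hashlib.sha256(package).hexdigest()


def _sign(signer: str, payload: dict) -> str:
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).hexdigest()


def _valid(signer: str, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(sig, _sign(signer, payload))


def make_deposit(package: bytes, forensic_no: str, now: int) -> dict:
    """Server side: fingerprint + timestamp, signed, ready to broadcast."""
    core = {"forensic_no": forensic_no,
            "fingerprint": fingerprint(package),
            "timestamp": now}
    return {"core": core, "server_sig": _sign("server", core), "nodes": {}}


def node_verify_and_sign(deposit, node, now, segment, ts_sequence) -> bool:
    """Forensic node: check freshness, then sign once and attach its findings."""
    core = deposit["core"]
    if not _valid("server", core, deposit["server_sig"]):
        return False
    if abs(now - core["timestamp"]) > THRESHOLD_S:
        return False  # outside the preset threshold: verification fails
    if node not in deposit["nodes"]:  # sign only if not already signed
        rec = {"segment": list(segment),          # video segment start/stop
               "ts_sequence": list(ts_sequence),  # frames showing the watermark
               "signed_at": now}
        rec["sig"] = _sign(node, {"core": core, **rec})
        deposit["nodes"][node] = rec
    return True


def audit(deposit, expected_nodes, now):
    """Audit node: timestamps first, then sequences, then node signatures."""
    recs = deposit["nodes"]
    if set(recs) != set(expected_nodes):
        return False, "not signed by all forensic nodes"
    if any(abs(now - r["signed_at"]) > THRESHOLD_S for r in recs.values()):
        return False, "signature timestamp outside threshold"
    seen = {}
    for r in recs.values():
        seg = tuple(r["segment"])
        if seen.setdefault(seg, r["ts_sequence"]) != r["ts_sequence"]:
            return False, "timestamp sequences differ"
    for node, r in recs.items():
        body = {k: v for k, v in r.items() if k != "sig"}
        if not _valid(node, {"core": deposit["core"], **body}, r["sig"]):
            return False, "bad node signature"
    return True, "ok"


def package_unmodified(package: bytes, package_ts: int, anchored: dict) -> bool:
    """User side: `anchored` maps fingerprint -> timestamp on the public chain
    (a constructed stand-in for a chain lookup)."""
    fp = fingerprint(package)
    return fp in anchored and abs(anchored[fp] - package_ts) <= THRESHOLD_S


if __name__ == "__main__":
    pkg = b"constructed compressed data packet"
    dep = make_deposit(pkg, "F-0001", now=1000)
    node_verify_and_sign(dep, "node-A", 1005, (10, 20), [12, 17])
    node_verify_and_sign(dep, "node-B", 1010, (10, 20), [12, 17])
    print(audit(dep, ["node-A", "node-B"], now=1020))
```

The check only bounds how far apart the clocks and processing steps may be; it relies on the nodes having reasonably synchronized time, which the text does not specify.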
The above embodiment is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and other variations and modifications may be made without departing from the technical scope of the claims.
Claims (8)
1. An online process evidence obtaining and evidence storing method based on a block chain is characterized by comprising the following steps:
evidence obtaining:
a user initiates a process forensics request to a server;
the server queries whether an idle virtual machine currently exists; if so, the idle virtual machine is allocated to the user; if not, a new virtual machine is allocated to the user; the server provides the user with a forensics console and the operation desktop of the virtual machine and allocates a forensics number, the forensics console being used for starting/finishing forensics, and the user remotely connects to and operates the virtual machine;
the user starts evidence obtaining, and the server stores operation desktop images at a certain frequency while the user operates the virtual machine, until the user finishes evidence obtaining or a preset upper limit on the evidence obtaining time is reached;
storing the stored operation desktop images according to a time sequence to form a video, and associating the video with a start-stop timestamp thereof to serve as evidence obtaining data;
during the user's evidence obtaining, each time the user clicks the mouse, the server generates a random code, and the random code and the evidence obtaining number are displayed below the mouse pointer for a duration, so that when the server stores an operation desktop image of the virtual machine they are stored in the picture; meanwhile, the server associates the generated random codes with timestamps and stores them in sequence to form a random code array, and signatures of the random code array are encrypted and then included in the evidence obtaining data;
evidence storing:
the server generates a security certificate for the evidence data, the security certificate comprises an evidence obtaining number and a timestamp, and the evidence data and the security certificate are packaged to form a compressed data packet;
the compressed data packet is signed and stored in the server; at the same time, the digital fingerprint of the compressed data packet is extracted, associated with a timestamp, and signed to form evidence storing data, and the evidence storing data is broadcast to the block chain network where the server is located;
the evidence storing data forms blocks, and the evidence obtaining nodes in the block chain network anchor the broadcast blocks to the public block chain.
2. The on-line evidence obtaining and evidence storing method based on block chain as claimed in claim 1,
the forensics console also provides forensics area magnification: when the user clicks forensics area magnification, the user is prompted to select the area to magnify by drawing a frame; after the user selects the area, the content of the area is magnified to a set size and restored after a preset time.
3. The on-line process forensics and forensics method based on the blockchain according to claim 1 or 2,
when the user finishes evidence obtaining, the server converts the stored operation desktop images into a video and provides video preview playback for the user; the forensics console displays "confirm evidence obtaining" and "obtain evidence again"; if the user clicks "obtain evidence again", the virtual machine operation desktop is returned to, and if the user clicks "confirm evidence obtaining", the video is associated with its start-stop timestamps to serve as the evidence obtaining data.
4. The on-line evidence obtaining and evidence storing method based on block chain as claimed in claim 1,
the evidence obtaining node of the block chain network verifies the broadcasted evidence storing data, if the difference between the timestamp in the evidence storing data and the current time of the evidence obtaining node is within a preset threshold range, the verification is passed, if the verification is passed and the evidence storing data does not contain the signature of the evidence obtaining node, the evidence obtaining node signs the evidence storing data, and the evidence storing data added with the signature is broadcasted to the current block chain network.
5. The on-line process evidence obtaining and evidence storing method based on block chain as claimed in claim 4,
when the evidence obtaining node verifies the broadcasted evidence storing data, the evidence obtaining node obtains the evidence obtaining data from the server, randomly selects a video segment in a preset selection segment, identifies whether an operation desktop image in the segment has a random code and an evidence obtaining number displayed below a mouse pointer, if so, stores a time stamp of the operation desktop image to form a time stamp sequence, and stores the time stamp sequence and a start and stop time stamp of the video segment after the time stamp sequence is associated with the start and stop time stamp of the video segment;
and if the verification is passed and the evidence data does not contain the signature of the evidence obtaining node, attaching the time stamp sequence and the video segment start-stop time stamp to the evidence data, signing the evidence data, and broadcasting the evidence data to the current block chain network.
6. The on-line evidence obtaining and evidence storing method based on block chain as claimed in claim 5,
the block chain network comprises auditing nodes; after an auditing node receives the evidence storing data signed by all evidence obtaining nodes, it verifies whether the difference between a timestamp associated with a signature contained in the evidence storing data and the current time is within a preset threshold range; if not, the verification fails; otherwise, it verifies whether the timestamp sequences attached by the evidence obtaining nodes for the same preset section are the same; if not, the verification fails; otherwise, the verification succeeds;
if the verification fails, the user is prompted to carry out process forensics again; if the verification succeeds, the auditing node signs the evidence storing data signed by all evidence obtaining nodes and broadcasts it as blocks to the block chain network, and the network nodes store the blocks;
the auditing node extracts the digital fingerprints of the blocks and anchors them to the public block chain.
7. The on-line process forensics and forensics method based on the blockchain according to claim 1 or 2,
the name of the process running on the virtual machine is displayed on the operation desktop in a semi-transparent floating manner, and the position of the area displaying the process name can be changed by dragging with the mouse.
8. The on-line process evidence obtaining and evidence storing method based on block chain as claimed in claim 4,
and when the virtual machine displays the random code and the evidence obtaining number below the mouse pointer, the virtual machine also displays a preset standard pure-color icon for quick identification.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010960600.8A CN112260835B (en) | 2020-09-14 | 2020-09-14 | Block chain-based online process evidence obtaining and storing method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010960600.8A CN112260835B (en) | 2020-09-14 | 2020-09-14 | Block chain-based online process evidence obtaining and storing method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112260835A (en) | 2021-01-22 |
CN112260835B (en) | 2022-06-24 |
Family
ID=74232919
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010960600.8A Active CN112260835B (en) | 2020-09-14 | 2020-09-14 | Block chain-based online process evidence obtaining and storing method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112260835B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112989428B (en) * | 2021-05-08 | 2021-08-03 | 浙江数秦科技有限公司 | Rapid encryption storage method for alliance link data |
CN113378218B (en) * | 2021-06-02 | 2022-03-18 | 浙江数秦科技有限公司 | Intellectual property data storage and authentication method based on block chain |
CN113360824A (en) * | 2021-06-30 | 2021-09-07 | 四川效率源信息安全技术股份有限公司 | Webpage evidence obtaining and data extracting method based on Chrome browser debugging protocol |
CN113487444A (en) * | 2021-07-01 | 2021-10-08 | 浙江数秦科技有限公司 | Navigation system is planted to big-arch shelter based on block chain technique |
CN115174571A (en) * | 2022-06-28 | 2022-10-11 | 蚂蚁区块链科技(上海)有限公司 | Block chain-based method and device for recording screen and obtaining evidence |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103095700A (en) * | 2013-01-10 | 2013-05-08 | 公安部第三研究所 | Electronic data forensics system and forensics control method based on virtual desktop |
CN105933415A (en) * | 2016-04-21 | 2016-09-07 | 国家计算机网络与信息安全管理中心 | Virtual machine online screen record method in cloud computing environment based on VNC agent and virtual machine online screen record system thereof |
CN108959416A (en) * | 2018-06-08 | 2018-12-07 | 浙江数秦科技有限公司 | A kind of web data automatic evidence-collecting based on block chain and deposit card method |
CN111079101A (en) * | 2019-12-20 | 2020-04-28 | 支付宝(杭州)信息技术有限公司 | Method and device for obtaining evidence of infringement based on block chain, electronic equipment and storage medium |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103678106A (en) * | 2012-09-19 | 2014-03-26 | 腾讯科技(深圳)有限公司 | Method and device for content recording |
-
2020
- 2020-09-14 CN CN202010960600.8A patent/CN112260835B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN112260835A (en) | 2021-01-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112260835B (en) | Block chain-based online process evidence obtaining and storing method | |
CN110535660B (en) | Evidence obtaining service system based on block chain | |
CN101075866B (en) | Method and system for loading message on Internet | |
JP4898082B2 (en) | Software authentication method, software authentication program | |
US20040255123A1 (en) | Data embedding method and viewing confirmation method | |
US20080016357A1 (en) | Method of securing a digital signature | |
CN113378236B (en) | Evidence data online security notarization platform and security method | |
US20090316894A1 (en) | Method and apparatus for checking consistency between digital contents | |
JP2003309550A (en) | Data operation method | |
CN1936780A (en) | Information processing apparatus, verification processing apparatus, and control methods thereof | |
CN111814141B (en) | Off-line process evidence obtaining and storing method based on block chain | |
CN108171019B (en) | Anti-counterfeiting verification method, anti-counterfeiting verification system, anti-counterfeiting verification device and storage medium | |
JP2007028015A (en) | Program, system and method for time stamp verification, and time stamp generation request method | |
CN111860727A (en) | Two-dimensional code generation method, verification method, device and computer-readable storage medium | |
US7058810B2 (en) | Data terminal equipment | |
JP2002259346A (en) | System/device for protecting copyright, recording medium with copyright protection program recorded and copyright protection program | |
CN101883085A (en) | Method for generating and acquiring authorized application list information, corresponding device and system | |
US20030093552A1 (en) | Data communication system, data communication method, and computer-readable recording medium for recording program applied to data communication system | |
JP2008097301A (en) | File management server, program thereof and file management method | |
KR101855905B1 (en) | Video export processing server, video export web server and video export management system, and digital video integraty verification method for encrypted videos | |
JP4971275B2 (en) | Streaming delivery system and streaming delivery method | |
EP0980179A1 (en) | Method of appending information to image and method of extracting information from image | |
JP4855589B2 (en) | Data terminal equipment | |
CN112668990B (en) | Electronic contract online signing method based on process deposit certificate | |
JP2005012490A (en) | Digital signature system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: A blockchain-based online process forensics and evidence storage method Effective date of registration: 20220825 Granted publication date: 20220624 Pledgee: Bank of Beijing Limited by Share Ltd. Hangzhou branch Pledgor: ZHEJIANG SHUQIN TECHNOLOGY CO.,LTD. Registration number: Y2022330001899 |