CN112328652A - Method for mining drug-related information based on mobile phone forensic electronic data - Google Patents


Info

Publication number: CN112328652A (granted version: CN112328652B)
Authority: CN (China)
Prior art keywords: mobile phone, information, forensics, log, electronic data
Legal status: granted, active
Application number: CN202011164405.0A
Original language: Chinese (zh)
Inventors: 郑友敏, 张丽君, 刘元生, 郑旭
Assignee (original and current): Fujian Zhongrui Electronic Technology Co ltd
Legal events: application CN202011164405.0A filed by Fujian Zhongrui Electronic Technology Co ltd; publication of CN112328652A; application granted; publication of CN112328652B

Classifications

    • G06F16/2465 Query processing support for facilitating data mining operations in structured databases (under G06F16/00 Information retrieval; G06F16/20 structured data; G06F16/24 Querying; G06F16/245 Query processing; G06F16/2458 Special types of queries, e.g. statistical, fuzzy or distributed queries)
    • G06F16/288 Entity relationship models (under G06F16/28 Databases characterised by their database models; G06F16/284 Relational databases)
    • G06Q50/18 Legal services; Handling legal documents (under G06Q50/00 Systems or methods specially adapted for specific business sectors; G06Q50/10 Services)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/00 Network security; H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L63/302 Gathering intelligence information for situation awareness or reconnaissance (under H04L63/30 Network security for supporting lawful interception, monitoring or retaining of communications or communication-related information)

Abstract

The invention provides a method for mining drug-related information from electronic data obtained by mobile phone forensics, comprising the following steps: S100, acquiring a plurality of pieces of electronic data from the mobile phone under examination; S200, judging whether that electronic data meets the validity requirement; S300, submitting a simulated login signal to the phone through an external forensic terminal; S400, starting a log monitoring process to acquire the log changes of the phone; S500, locating, on the basis of the log changes, the log entries related to the phone's interactive interface; S600, connecting to the backend database of the phone's social application and to the database of the phone's service provider to obtain electronic data that meets the validity requirement; S700, mining drug-related information from the electronic data that meets the validity requirement. The method quickly extracts the useful information held in the phone and thereby obtains the drug-related information.

Description

Method for mining drug-related information based on mobile phone forensic electronic data
Technical Field
The invention belongs to the technical field of electronic data processing, and in particular relates to a method for mining drug-related information from electronic data obtained by mobile phone forensics.
Background
As electronic terminal devices are used more and more, much criminal evidence is naturally stored in electronic form on the storage media of those devices. Electronic evidence is a new form of evidence residing in electronic terminal equipment and its peripherals, and is becoming one of the important forms of judicial evidence; China's highest court has successively issued judicial interpretations concerning it. Digital forensics of electronic terminal equipment is the discipline of providing courts with electronic evidence that can be admitted in judicial practice. It is a comprehensive, interdisciplinary subject, touching law, criminal investigation, computer science, computer engineering, software engineering, psychology, sociology and other fields. Public security organs increasingly use electronic terminal devices for evidence collection during case investigations.
In the prior art, many technical solutions exist for forensic examination of computer systems and devices. However, with the rapid development of mobile internet technology, more criminal activity is conducted through mobile devices, especially mobile phones, and accordingly the relevant criminal evidence is stored in electronic form on those phones. This is most evident in drug-related crime. In such cases, members or principals of a drug crime group use the network or wireless communication tools to issue crime instructions, in ordinary language or in various forms of criminal slang, to the underlings they directly control; the instructions reach the perpetrators layer by layer through the virtual space of those underlings, or the perpetrators work out a plan for committing the crime by means of instant messaging tools such as WeChat.
Traditional drug transactions include the most direct exchange of money for goods and derived methods such as separating the people from the goods, transferring drug money through financial institutions and money laundering; these do not depend on virtual space, and investigative agencies have developed relatively mature countermeasures for them, such as controlled delivery and monitoring of abnormal fund flows in financial institutions. The development of virtual space technology, however, has greatly changed the form of drug transactions. It is therefore necessary to study further how drug-related information and electronic data in drug cases can be obtained under mobile internet conditions.
Chinese patent application CN201910917843 proposes a communication track analysis method for drug-involved persons, comprising: S1, acquiring the communication records and associated data of suspects connected to drug-related information clues, and establishing a communication record analysis subject library; S2, on the basis of the communication records and associated data obtained in step S1, performing call detail record analysis of the suspects by activity region, and obtaining, by comparing the analysis results, the relationship network among the suspects, the criminal group information and the suspects' activity tracks at the time of the offence.
Application CN201710975528 discloses a method for automatically mining service middlemen, comprising: S1, inputting mobile phone forensic data, extracting at least one identity characteristic attribute of the object to be mined from that data, and proceeding to step S2; S2, for each identity characteristic attribute extracted in step S1, calling the corresponding analysis model to mine and analyze the object, obtaining a credibility value for the type of service middleman corresponding to each attribute, and proceeding to step S3; S3, on the basis of the credibility values obtained in step S2 and their respective weights, comprehensively calculating the credibility that the object belongs to a certain type of service middleman, and obtaining the result.
However, the inventors have found that the above prior art works only if the data on the suspect device, such as a mobile phone seized at the crime scene, is relatively complete. If the data itself is incomplete, which is in fact the most common situation, since criminals often delete information promptly, the above prior art is of no use. In addition, although the judicial authority often requires the data service provider to cooperate by providing data, in the prior art the mobile phone is usually handed over to the data service provider directly, so the provider cannot know precisely what data the judicial authority needs or how to provide it lawfully; this invisibly increases the amount of data processed and creates the possibility of infringing the lawful privacy of citizens. After all, even a criminal suspect's phone may hold other information unrelated to the crime, and that information should be protected. If all the electronic evidence is extracted indiscriminately, the evidence extracted may be wholly or partially invalid.
Disclosure of Invention
In order to solve the above technical problem, the invention provides a method for mining drug-related information from electronic data obtained by mobile phone forensics, comprising the following steps: S100, acquiring a plurality of pieces of electronic data from the mobile phone under examination; S200, judging whether that electronic data meets the validity requirement; S300, submitting a simulated login signal to the phone through an external forensic terminal; S400, starting a log monitoring process to acquire the log changes of the phone; S500, locating, on the basis of the log changes, the log entries related to the phone's interactive interface; S600, connecting to the backend database of the phone's social application and to the database of the phone's service provider to obtain electronic data that meets the validity requirement; S700, mining drug-related information from the electronic data that meets the validity requirement. The method quickly extracts the useful information held in the phone and thereby obtains the drug-related information.
In this technical scheme, the log change information and the relevant time period are acquired on the basis of the simulated login signal and then sent to the data service provider, so that the provider can accurately supply the electronic evidence related to the case.
Specifically, the method for mining drug-related information from electronic data obtained by mobile phone forensics provided by the invention comprises the following steps:
S100: acquiring a plurality of pieces of electronic data from at least one mobile phone under examination, the electronic data comprising at least one of address book information, call record information and social text information;
S200: judging whether the electronic data meets the validity requirement; if so, proceeding to step S700, otherwise proceeding to step S300;
S300: performing data communication with the phone through an external forensic terminal and submitting a simulated login signal to it, the simulated login signal being used to simulate the opening of an interactive interface of the phone, where the interactive interface comprises opening the address book, making a call, sending a short message, opening a social application and sending a message;
S400: starting a log monitoring process to acquire the log changes of the phone, the log monitoring process residing on an external monitoring terminal;
S500: locating, on the basis of the log changes, the log entries related to the interactive interface of the phone;
S600: on the basis of those log entries, connecting to the backend database of the phone's social application and to the database of the phone's service provider to obtain electronic data that meets the validity requirement;
S700: mining drug-related information from the electronic data that meets the validity requirement.
Since the method of the invention is used to analyze drug-related information, before step S200 it further includes:
establishing in advance an electronic data validity database, comprising a keyword database of drug-related information, a timeline database of drug-related cases and an associated-number database of drug-related cases.
As an important component of the improvement over the prior art, step S400 of starting the log monitoring process to acquire the log changes of the phone specifically includes:
S401: after the interactive interface of the phone has been opened on the basis of the simulated login signal, identifying the log process of the phone;
S402: through the phone's log process, acquiring from the phone's log file the log records written after the interactive interface was opened in the simulated manner;
S403: establishing a communication connection between the log monitoring process and the phone's log process, and acquiring the log records written after the interactive interface was opened in the simulated manner.
Further, step S500 of locating, on the basis of the log changes, the log entries related to the interactive interface specifically includes:
the log records written after the interactive interface was opened in the simulated manner contain time-change information;
the log entries related to the interactive interface are located on the basis of that time-change information.
Step S600 specifically includes:
querying the backend database of the phone's social application on the basis of the time-change information in the log records written after the simulated opening of the interactive interface, and acquiring from that backend database the social application data corresponding to the time-change information.
As another important improvement of the invention, the communication connection made in step S403 between the log monitoring process and the phone's log process specifically includes:
connecting the log monitoring process to the phone's log process through a data pipeline.
Step S700 of mining drug-related information from the electronic data that meets the validity requirement specifically includes:
establishing a knowledge graph of the drug-related information through text association and number association, and displaying the knowledge graph in visual form.
The method of the invention can be executed automatically by a computer system and a mobile terminal through computer program instructions. Therefore, in a second aspect, the invention provides a non-volatile computer-readable storage medium storing computer-executable program instructions which, when executed by a terminal device comprising a processor and a memory, implement the aforementioned method for mining drug-related information from electronic data obtained by mobile phone forensics.
In this technical scheme, after the log change information and the relevant time periods are obtained on the basis of the simulated login signal, precise log data relating to the current criminal facts and to the time periods of the offence are sent to the data service provider, so that the provider can accurately supply the electronic evidence relevant to the current case. At the same time, because the method uses a data pipeline, the data transmitted from the phone under examination contains only the acquired data related to the drug case, avoiding harm to the legitimate rights and interests of citizens.
Further advantages of the invention will be apparent from the detailed description taken together with the accompanying drawings.
Drawings
To illustrate the embodiments of the invention and the technical solutions of the prior art more clearly, the drawings needed for the embodiments are briefly described below. They show only some embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is the main flow chart of the method for mining drug-related information based on mobile phone forensic electronic data according to one embodiment of the invention
FIG. 2 is a block diagram of an execution system for implementing the method of FIG. 1
FIG. 3 is a schematic diagram illustrating the principle of judging whether the electronic data meets the validity requirement in the method of FIG. 1
FIG. 4 is a detailed embodiment of further implementation steps of the method of FIG. 1
Detailed Description
The invention is further described below with reference to the drawings and the detailed description.
FIG. 1 is the main flow chart of the method for mining drug-related information based on mobile phone forensic electronic data according to an embodiment of the invention.
The method shown in FIG. 1 mainly comprises seven steps, S100 to S700, each implemented as follows:
S100: acquiring a plurality of pieces of electronic data from at least one mobile phone under examination, the electronic data comprising at least one of address book information, call record information and social text information;
S200: judging whether the electronic data meets the validity requirement; if so, proceeding to step S700, otherwise proceeding to step S300;
S300: performing data communication with the phone through an external forensic terminal and submitting a simulated login signal to it, the simulated login signal being used to simulate the opening of an interactive interface of the phone, where the interactive interface comprises opening the address book, making a call, sending a short message, opening a social application and sending a message;
S400: starting a log monitoring process to acquire the log changes of the phone, the log monitoring process residing on an external monitoring terminal;
S500: locating, on the basis of the log changes, the log entries related to the interactive interface of the phone;
S600: on the basis of those log entries, connecting to the backend database of the phone's social application and to the database of the phone's service provider to obtain electronic data that meets the validity requirement;
S700: mining drug-related information from the electronic data that meets the validity requirement.
In this embodiment, the external forensic terminal is generally a forensic device authorized or certified by law. Once the basic information about the criminal suspect is known, the external forensic terminal can obtain part of the stored information of a mobile phone or other device (including a PDA, laptop, notebook computer and the like) by means of a simulated login signal.
Starting an electronic device, or logging in to an application on it, by sending a simulated login signal to the device is existing prior art and is not elaborated further here.
Accordingly, the method of the invention is implemented by applying an external forensic terminal to the mobile device, and it further requires an external monitoring terminal for receiving the relevant electronic data obtained from the mobile device.
More specifically, see the block diagram in FIG. 2.
The external forensic terminal is in data communication with the phone under examination and submits a simulated login signal to it;
the external monitoring terminal starts a log monitoring process to acquire the log changes of the phone;
and the external monitoring terminal locates, on the basis of the log changes, the log entries related to the interactive interface of the phone.
More specifically, the log records written after the simulated opening of the interactive interface contain time-change information;
the log entries related to the interactive interface are located on the basis of that time-change information.
It should be noted that in FIG. 2 the communication connection between the log monitoring process and the phone's log process specifically includes:
connecting the log monitoring process to the phone's log process through a data pipeline.
Data pipeline technology was originally a technique for transferring data between different databases (data sources), for example for data backup and restoration; by using a data pipeline, process blocking and data transmission through a third-party agent can be avoided. For example, Chinese patent application CN2020107749026 uses a data pipeline to read the data to be backed up, the pipeline connecting different processes for data transmission.
In the invention, so that the data transmitted from the phone under examination contains only the acquired data related to the drug case and harm to the legitimate rights and interests of citizens is avoided, the inventors found that by using a data pipeline the data can be kept from being read by other processes, read quickly, and protected from privacy disclosure.
More preferably, before the embodiment of FIGS. 1-2 is carried out, and referring to FIG. 3, an electronic data validity database is established in advance, comprising a keyword database of drug-related information, a timeline database of drug-related cases and an associated-number database of drug-related cases.
Such a database can be built in advance by applying existing web crawler technology and similar techniques to drug-related information sources.
For example, existing drug-case judgments can be analyzed with big data technology, and the database can be obtained by sharing and fusing data through a case-source sharing system within the public security system; see in particular the following prior art:
[1] Hayan, Hai, Hanwei. Application of big data in an intelligent analysis system for anti-drug intelligence [J]. Journal of Tianjin Vocational Colleges, 2017(10):122-126.
[2] Scheiyan. Design and implementation of the Fujian Province anti-drug information clue management system [D].
[3] Development of an information system for a public security anti-drug department [D]. University of Electronic Science and Technology, 2011.
[4] Application study of an anti-drug intelligence geographic information system [J]. Journal of Fujian Police College, 2009, 23(5):26-30.
[5] Construction of an anti-drug intelligence information database [J]. Journal of Fujian Police College, 2003, 17(5):50-55.
[6] Wangchun. Application of the network information platform in public security anti-drug intelligence [J]. Journal of Railway Police College, 2017(04):66-70.
[7] Xupei. Analysis and design of a national anti-drug intelligence information system platform [D]. Harbin Institute of Technology, 2009.
On the basis of FIG. 3, in the method of FIGS. 1-2, step S200 of judging whether the electronic data meets the validity requirement comprises judging whether the electronic data satisfies at least one of the following criteria:
(1) at least one piece of time information in the electronic data falls within a predetermined time period;
(2) the text information in the electronic data contains at least one preset keyword;
(3) the communication record information in the electronic data contains at least one preset number;
(4) the social text information in the electronic data is interactive.
Here, interactive means that, within a preset time period, there exist at least two pieces of social text information sent from different terminals.
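The four criteria and the definition of interactivity are concrete enough to implement directly. The following Python is an added example written for this page, not code from the patent: the record field names (kind, time, text, number, terminal), the keyword and number lists, the time window and the 30-minute interaction gap are all assumptions standing in for the keyword, timeline and associated-number databases the description establishes before S200, and the sample records are constructed. Besides the S200 yes/no decision it reports which criteria fired, which is what an examiner would want to record alongside the decision.

```python
"""Step S200 validity check (added example; field names, lists and window are assumptions)."""
from datetime import datetime, timedelta

# Constructed stand-in for the pre-built validity database (not real case data).
VALIDITY_DB = {
    "keywords": {"goods", "half a gram", "meet at the usual place"},
    "numbers": {"+86 130 0000 0001", "+86 130 0000 0002"},
    "window": (datetime(2020, 10, 1), datetime(2020, 10, 31, 23, 59, 59)),
    "interaction_gap": timedelta(minutes=30),   # preset period for criterion (4)
}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def in_window(record, db=VALIDITY_DB):
    """Criterion (1): the record's timestamp falls inside the predetermined period."""
    start, end = db["window"]
    return "time" in record and start <= _parse(record["time"]) <= end


def has_keyword(record, db=VALIDITY_DB):
    """Criterion (2): the text carries at least one preset keyword (case-insensitive)."""
    text = record.get("text", "").lower()
    return any(k in text for k in db["keywords"])


def has_number(record, db=VALIDITY_DB):
    """Criterion (3): a call or contact record carries a preset number."""
    return record.get("kind") in ("call", "contact") and record.get("number") in db["numbers"]


def is_interactive(records, db=VALIDITY_DB):
    """Criterion (4): two social texts from different terminals within the preset gap."""
    social = sorted((r for r in records if r.get("kind") == "social"),
                    key=lambda r: _parse(r["time"]))
    for i, a in enumerate(social):
        for b in social[i + 1:]:
            if _parse(b["time"]) - _parse(a["time"]) > db["interaction_gap"]:
                break                      # sorted, so later messages are further away
            if a["terminal"] != b["terminal"]:
                return True
    return False


def which_criteria(records, db=VALIDITY_DB):
    """Return the sorted list of criteria numbers that fired over the whole extraction."""
    fired = set()
    for r in records:
        if in_window(r, db):
            fired.add(1)
        if has_keyword(r, db):
            fired.add(2)
        if has_number(r, db):
            fired.add(3)
    if is_interactive(records, db):
        fired.add(4)
    return sorted(fired)


def meets_validity(records, db=VALIDITY_DB):
    """S200 decision: any one criterion suffices; True -> S700, False -> S300 path."""
    return bool(which_criteria(records, db))


# Constructed sample extraction: outside the window, no keyword, unknown number,
# but two social texts from different terminals ten minutes apart.
SAMPLE = [
    {"kind": "call", "time": "2020-09-12 10:00:00", "number": "+86 131 9999 9999"},
    {"kind": "social", "time": "2020-09-12 11:00:00", "terminal": "A", "text": "are you free tonight"},
    {"kind": "social", "time": "2020-09-12 11:10:00", "terminal": "B", "text": "yes, the usual"},
]

if __name__ == "__main__":
    print("valid:", meets_validity(SAMPLE), "criteria:", which_criteria(SAMPLE))
```

Note that criterion (4) is evaluated over the set of records, not per record, because interactivity is a property of a conversation; the other three are per record. A check that only looked at single records would never fire it.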
Building on FIGS. 1-3, see FIG. 4.
Step S400 of starting the log monitoring process to acquire the log changes of the phone specifically includes:
S401: after the interactive interface of the phone has been opened on the basis of the simulated login signal, identifying the log process of the phone;
S402: through the phone's log process, acquiring from the phone's log file the log records written after the interactive interface was opened in the simulated manner;
S403: establishing a communication connection between the log monitoring process and the phone's log process, and acquiring the log records written after the interactive interface was opened in the simulated manner.
More specifically, referring to the structure diagram in FIG. 2, the communication connection made in step S403 between the log monitoring process and the phone's log process specifically includes:
connecting the log monitoring process to the phone's log process through a data pipeline.
Step S500 of locating, on the basis of the log changes, the log entries related to the interactive interface specifically includes:
the log records written after the interactive interface was opened in the simulated manner contain time-change information;
the log entries related to the interactive interface are located on the basis of that time-change information.
Although not shown, step S600 specifically includes:
querying the backend database of the phone's social application on the basis of the time-change information in the log records written after the simulated opening of the interactive interface, and acquiring from that backend database the social application data corresponding to the time-change information;
logging in to the service provider database of the phone using the simulated login signal;
and acquiring, from the service provider database, the address book information and call record information that match the time-change information in the log records written after the simulated opening of the interactive interface.
Finally, step S700 performs drug-related information mining on the electronic data information that meets the validity requirement, and specifically includes:
establishing a knowledge graph of the drug-related information through text association and number association, and displaying the knowledge graph in visual form.
Knowledge graph generation from existing information can be carried out with various prior-art schemes and is not elaborated further here. For example, the following document provides a knowledge-graph visualisation of cases:
the warrior, Liu Haishun, Li Chunan, et al. Knowledge graph construction technology based on criminal cases [J]. Journal of Zhengzhou University (Science Edition), 2019(3).
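The S500 time-window localisation and the S700 graph construction, as an added example that is not part of the patent or its applicant's code. The log lines, call records, messages, keyword list and the "+86" number format are constructed assumptions; the graph is returned as an adjacency mapping rather than drawn.

```python
"""Added example (not part of the patent): S500 time-window localisation from the
log change, then S700 knowledge-graph building by number and text association.
Every log line, record and keyword below is a constructed sample."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LOG_TS = "%Y-%m-%d %H:%M:%S"
NUMBER_RE = re.compile(r"\+86-\d{3}-\d{4}-\d{4}")  # assumed number format
# Constructed log snapshot taken before the simulated interface start (S402).
LOG_BEFORE = ["2020-10-27 09:00:01 I/ActivityManager: system idle"]
# Constructed snapshot received over the monitoring pipe after the start (S403).
LOG_AFTER = LOG_BEFORE + [
    "2020-10-27 09:05:12 I/ActivityManager: START Contacts/.PeopleActivity",
    "2020-10-27 09:05:40 I/Telecom: outgoing call to +86-139-0000-0001",
    "2020-10-27 09:06:03 I/ChatApp: send message conv=grp-17",
]

def locate_window(before, after, slack=timedelta(seconds=30)):
    """S500: lines present only after the simulated start are the log change;
    their earliest/latest timestamps, padded by slack, bound the S600 query period."""
    seen = set(before)
    stamps = [datetime.strptime(l[:19], LOG_TS) for l in after if l not in seen]
    return (min(stamps) - slack, max(stamps) + slack) if stamps else None

def in_window(ts, window):
    return window[0] <= datetime.strptime(ts, LOG_TS) <= window[1]

# Constructed S600 results: provider call records and social-app messages.
CALLS = [
    {"time": "2020-10-27 09:05:40", "caller": "+86-139-0000-0009", "callee": "+86-139-0000-0001"},
    {"time": "2020-10-27 11:30:00", "caller": "+86-139-0000-0009", "callee": "+86-137-0000-0003"},
]
MESSAGES = [
    {"time": "2020-10-27 09:06:03", "sender": "acct-A", "text": "package ready, call +86-138-0000-0002"},
    {"time": "2020-10-26 20:00:00", "sender": "acct-B", "text": "package tomorrow"},
]

def build_graph(calls, messages, window, keywords):
    """S700: nodes are numbers, accounts and keywords; an undirected edge joins two
    nodes that co-occur in one record whose timestamp lies inside the window."""
    graph = defaultdict(set)
    def link(a, b):
        graph[a].add(b); graph[b].add(a)
    for c in calls:
        if in_window(c["time"], window):
            link(c["caller"], c["callee"])               # number association
    for m in messages:
        if in_window(m["time"], window):
            for kw in keywords:
                if kw in m["text"]:
                    link(m["sender"], "kw:" + kw)         # text association
            for num in NUMBER_RE.findall(m["text"]):
                link(m["sender"], num)                    # number quoted in text
    return {node: sorted(peers) for node, peers in graph.items()}
```

Records outside the located window (the 11:30 call and the previous-day message) never enter the graph, which is the data-minimisation point the description makes about sending only period-relevant data to the provider.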
According to this technical scheme, after the log change information and the relevant time periods have been obtained based on the simulated login signal, only the log data accurately related to the current criminal fact and the crime time period are sent to the data service provider, so that the provider can precisely supply the electronic evidence information related to the current case; meanwhile, because the method adopts a data pipeline technology, the data transmitted from the mobile phone under examination comprise only the acquired data related to the drug-related case, which avoids infringing the legitimate rights and interests of citizens.
The prior art referred to in this application is incorporated as part of the present application.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (10)

1. A method for mining drug-related information based on electronic data obtained by mobile phone forensics, comprising the following steps:
S100: acquiring a plurality of pieces of electronic data information from at least one mobile phone under examination, wherein the electronic data information comprises at least one of address book information, call record information and social text information;
S200: judging whether the electronic data information meets a validity requirement; if so, proceeding to step S700, otherwise proceeding to step S300;
S300: performing data communication with the mobile phone under examination through an external forensics terminal and submitting a simulated login signal to it, wherein the simulated login signal is used to open an interactive interface of the mobile phone under examination in simulated mode, and the interactive interface comprises opening the address list, making a call, sending a short message, opening a social application and sending a message;
S400: starting a log monitoring process to acquire the log change of the mobile phone under examination, wherein the log monitoring process is located in an external monitoring terminal;
S500: locating, based on the log change, log information related to the interactive interface in the mobile phone under examination;
S600: based on the log information, connecting to the background database of the social application of the mobile phone under examination and to the service provider database of the mobile phone under examination, to obtain electronic data information meeting the validity requirement;
S700: performing drug-related information mining on the electronic data information meeting the validity requirement.
2. The method for mining drug-related information based on electronic data obtained by mobile phone forensics of claim 1, characterized in that:
step S200 of judging whether the electronic data information meets the validity requirement comprises judging whether the electronic data information satisfies at least one of the following criteria:
(1) at least one piece of time information in the electronic data information falls within a predetermined time period;
(2) the text information in the electronic data information comprises at least one preset keyword;
(3) the communication record information in the electronic data information comprises at least one preset number;
(4) the social text information in the electronic data information exhibits interactivity.
3. The method for mining drug-related information based on electronic data obtained by mobile phone forensics of claim 1, characterized in that:
before step S200, the method further comprises:
establishing in advance an electronic data information validity database, which comprises a keyword database of drug-related information, a timeline database of the drug-related case and an associated-number database of the drug-related case.
4. The method for mining drug-related information based on electronic data obtained by mobile phone forensics of claim 1, characterized in that:
step S400 of starting the log monitoring process to acquire the log change of the mobile phone under examination specifically comprises:
S401: after the interactive interface of the mobile phone under examination has been started based on the simulated login signal, identifying the log process of the mobile phone under examination;
S402: based on that log process, acquiring from the log record file of the mobile phone under examination the log record information written after the interactive interface was started in simulated mode;
S403: establishing a communication connection between the log monitoring process and the log process of the mobile phone under examination, and through it acquiring the log record information written after the interactive interface was started in simulated mode.
5. The method for mining drug-related information based on electronic data obtained by mobile phone forensics of claim 4, characterized in that:
step S500 of locating, based on the log change, log information related to the interactive interface in the mobile phone under examination specifically comprises:
the log record information of the mobile phone under examination written after the interactive interface was started in simulated mode includes time change information;
and locating the log information related to the interactive interface in the mobile phone under examination based on that time change information.
6. The method for mining drug-related information based on electronic data obtained by mobile phone forensics of claim 4 or 5, characterized in that:
step S600 specifically comprises:
querying the background database of the social application of the mobile phone under examination, based on the time change information in the log record information written after the interactive interface was started in simulated mode, and acquiring from the background database the electronic data information of the social application that corresponds to the time change information.
7. The method for mining drug-related information based on electronic data obtained by mobile phone forensics of claim 4 or 5, characterized in that:
step S600 specifically comprises:
logging in to the service provider database of the mobile phone under examination using the simulated login signal;
and acquiring, from the service provider database, the address list information and call record information that match the time change information in the log record information written after the interactive interface was started in simulated mode.
8. The method for mining drug-related information based on electronic data obtained by mobile phone forensics of claim 4, characterized in that:
in step S403, the communication connection between the log monitoring process and the log process of the mobile phone under examination is established as follows:
the log monitoring process is connected to the log process of the mobile phone under examination through a data pipeline technology.
9. The method for mining drug-related information based on electronic data obtained by mobile phone forensics of claim 1, characterized in that:
step S700 of performing drug-related information mining on the electronic data information meeting the validity requirement specifically comprises:
establishing a knowledge graph of the drug-related information through text association and number association, and displaying the knowledge graph in visual form.
10. A non-transitory computer-readable storage medium storing computer-executable program instructions which, when executed by a terminal device comprising a processor and a memory, implement the method for mining drug-related information based on mobile phone forensics electronic data of any one of claims 1 to 9.
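The S200 validity judgement of claim 2, checked against the claim 3 validity database, as an added example that is not part of the patent or its applicant's code. The database contents and records are constructed, and criterion (4) "interactivity" is read here as at least two distinct accounts posting in the same conversation, which is an assumption the claim does not spell out.

```python
"""Added example (not part of the patent): the S200 validity judgement of claim 2
against the claim 3 validity database (keywords, case timeline, associated numbers).
The database contents, records and the reading of criterion (4) are assumptions."""
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"
# Claim 3 validity database with constructed sample content.
VALIDITY_DB = {
    "keywords": {"package", "meet"},
    "timeline": (datetime(2020, 10, 20), datetime(2020, 10, 31, 23, 59, 59)),
    "numbers": {"+86-139-0000-0001"},
}

def check_validity(record, db=VALIDITY_DB):
    """Return the set of claim 2 criteria, numbered 1 to 4, that `record` meets.
    record keys (all optional): times, texts, numbers, social (list of messages)."""
    hits = set()
    start, end = db["timeline"]
    # (1) at least one timestamp inside the predetermined period
    if any(start <= datetime.strptime(t, TS) <= end for t in record.get("times", [])):
        hits.add(1)
    # (2) text information contains a preset keyword
    if any(kw in text for text in record.get("texts", []) for kw in db["keywords"]):
        hits.add(2)
    # (3) communication records contain a preset (associated) number
    if db["numbers"] & set(record.get("numbers", [])):
        hits.add(3)
    # (4) interactivity, read here as two or more distinct accounts posting in
    # the same conversation rather than one account only broadcasting
    senders = {}
    for msg in record.get("social", []):
        senders.setdefault(msg["conv"], set()).add(msg["sender"])
    if any(len(s) >= 2 for s in senders.values()):
        hits.add(4)
    return hits

def next_step(record, db=VALIDITY_DB):
    """S200 branch: proceed to S700 mining if any criterion holds, else to S300
    (simulated login and log monitoring to obtain valid data)."""
    return "S700" if check_validity(record, db) else "S300"

# Constructed records: one dump with usable data, one with nothing tied to the case.
VALID_RECORD = {
    "times": ["2020-10-27 09:05:40"],
    "texts": ["package ready"],
    "numbers": ["+86-138-0000-0002"],
    "social": [{"conv": "grp-17", "sender": "acct-A"}, {"conv": "grp-17", "sender": "acct-B"}],
}
INVALID_RECORD = {
    "times": ["2020-09-01 10:00:00"],
    "texts": ["see you"],
    "numbers": ["+86-137-0000-0003"],
    "social": [{"conv": "grp-1", "sender": "acct-C"}, {"conv": "grp-1", "sender": "acct-C"}],
}
```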
CN202011164405.0A 2020-10-27 2020-10-27 Method for mining toxic information based on mobile phone evidence obtaining electronic data Active CN112328652B (en)

Publications (2)

Publication Number Publication Date
CN112328652A true CN112328652A (en) 2021-02-05
CN112328652B CN112328652B (en) 2022-11-01

Family

ID=74296506

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant