CN112328652B - Method for mining drug-related information from mobile-phone forensic electronic data - Google Patents

Info

Publication number: CN112328652B
Authority: CN (China)
Prior art keywords: information, mobile phone, log, electronic data, forensics
Legal status: Active
Application number: CN202011164405.0A
Other languages: Chinese (zh)
Other versions: CN112328652A
Inventors: 郑友敏, 张丽君, 刘元生, 郑旭
Current assignee: Fujian Zhongrui Electronic Technology Co ltd
Original assignee: Fujian Zhongrui Electronic Technology Co ltd
Events: application filed by Fujian Zhongrui Electronic Technology Co ltd; priority to CN202011164405.0A; publication of CN112328652A; application granted; publication of CN112328652B; legal status active

Classifications

    • G06F 16/2465 Query processing support for facilitating data mining operations in structured databases
      (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F 16/00 Information retrieval; database structures therefor; file system structures therefor > G06F 16/20 Information retrieval of structured data, e.g. relational data > G06F 16/24 Querying > G06F 16/245 Query processing > G06F 16/2458 Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries)
    • G06F 16/288 Entity relationship models
      (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F 16/00 Information retrieval; database structures therefor; file system structures therefor > G06F 16/20 Information retrieval of structured data, e.g. relational data > G06F 16/28 Databases characterised by their database models, e.g. relational or object models > G06F 16/284 Relational databases)
    • G06Q 50/18 Legal services
      (G Physics > G06 Computing; calculating or counting > G06Q Information and communication technology [ICT] specially adapted for administrative, commercial, financial, managerial or supervisory purposes; systems or methods specially adapted for administrative, commercial, financial, managerial or supervisory purposes, not otherwise provided for > G06Q 50/00 ICT specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism > G06Q 50/10 Services)
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
      (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Detecting or protecting against malicious traffic > H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L 63/302 Gathering intelligence information for situation awareness or reconnaissance
      (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/30 Supporting lawful interception, monitoring or retaining of communications or communication related information)


Abstract

The invention provides a method for mining drug-related information from electronic data obtained by mobile-phone forensics, comprising the following steps: S100, acquiring a plurality of pieces of electronic data from the phone under forensic examination; S200, judging whether the electronic data meets the validity requirement; S300, submitting a simulated login signal to the phone through an external forensics terminal; S400, starting a log monitoring process to capture the log changes on the phone; S500, locating, from the log changes, the log entries related to the phone's interactive interface; S600, connecting to the back-end database of the phone's social application and to the phone's service-provider database to obtain electronic data that meets the validity requirement; S700, mining drug-related information from the electronic data that meets the validity requirement. The method quickly extracts the useful information on the phone in order to obtain the drug-related information.

Description

Method for mining drug-related information from mobile-phone forensic electronic data
Technical Field
The invention belongs to the technical field of electronic data processing, and in particular relates to a method for mining drug-related information from electronic data obtained by mobile-phone forensics.
Background
With electronic terminal devices being used ever more frequently, much evidence of crime is naturally stored in electronic form on the storage media of those devices. Electronic evidence is a new form of evidence residing in electronic terminal devices and their peripherals, and is becoming one of the important kinds of judicial evidence; the Supreme People's Court of China has successively issued judicial interpretations concerning it. Forensics of electronic terminal devices is the discipline that provides courts with electronic evidence that can be accepted in judicial practice. It is a comprehensive, interdisciplinary subject involving law, criminal investigation, computer science, computer engineering, software engineering, psychology, sociology and other fields, and public security organs perform forensics on electronic terminal devices ever more often during case investigation.
Many technical solutions exist in the prior art for forensics of computer systems and devices. With the rapid development of mobile internet technology, however, more criminal activity is arranged through mobile devices, especially mobile phones, and the corresponding evidence is stored in electronic form on those phones. This is most evident in drug-related crime: the leaders and principal offenders of drug-trafficking groups use networks or wireless communication tools to issue criminal instructions to the runners they directly control, either in ordinary language or in various forms of criminal slang; the instructions reach the perpetrators through the virtual space via runners at different levels, or the offenders plan their "operations" by discussing them over instant-messaging tools such as WeChat in the virtual space.
Traditional drug transactions comprise the most direct exchange of money for goods, and derived means such as separating the people from the goods, transferring drug money through financial institutions, and money laundering. These did not depend on virtual space, and investigative bodies accordingly developed relatively mature countermeasures such as controlled delivery and monitoring abnormal fund flows in financial institutions. The development of virtual-space technology, however, has greatly changed the form of drug transactions. It is therefore necessary to study further how to obtain drug-related information and electronic data in drug cases under mobile-internet conditions.
Chinese patent application CN201910917843 proposes a communication-trajectory analysis method for drug-involved persons, comprising: S1, acquiring the communication-record basis and associated data of the suspects named in drug-related leads, and building a communication-record analysis subject library; S2, according to the communication-record basis and associated data obtained in S1, performing call-detail-record analysis of the suspects by activity region, and obtaining from the comparative analysis the suspects' relationship network, criminal-group information and activity trajectory at the time of the case.
Application CN201710975528 discloses a method for automatically mining intermediaries ("service brokers"), comprising: S1, inputting mobile-phone forensic data, extracting from it at least one identity characteristic attribute of the object to be mined, and entering S2; S2, for each identity characteristic attribute extracted in S1, calling the corresponding analysis model to mine and analyse the object, obtaining a credibility value for the type of intermediary corresponding to that attribute, and entering S3; S3, from the credibility values and their respective weights obtained in S2, computing the overall credibility that the object belongs to a given type of intermediary, and outputting that result.
The inventors found, however, that the above prior art works only if the data on the suspect's device, such as a phone seized at the crime scene, is relatively complete. If the data itself is incomplete (which is precisely the most common situation, since criminals often delete information promptly), the prior art cannot proceed. Moreover, although judicial authorities often require data service providers to supply data, the phone is usually handed over to the provider as a whole, so the provider cannot know precisely which data the authority needs or how to provide it lawfully; this inflates the data-processing burden and risks infringing citizens' lawful privacy. Even a criminal suspect's phone may hold information unrelated to the crime, and that information should be protected; if all of the electronic evidence is extracted wholesale, the evidence extracted may be invalid, wholly or in part.
Disclosure of Invention
To solve this technical problem, the invention provides a method for mining drug-related information from electronic data obtained by mobile-phone forensics, comprising the following steps: S100, acquiring a plurality of pieces of electronic data from the phone under forensic examination; S200, judging whether the electronic data meets the validity requirement; S300, submitting a simulated login signal to the phone through an external forensics terminal; S400, starting a log monitoring process to capture the log changes on the phone; S500, locating, from the log changes, the log entries related to the phone's interactive interface; S600, connecting to the back-end database of the phone's social application and to the phone's service-provider database to obtain electronic data that meets the validity requirement; S700, mining drug-related information from the electronic data that meets the validity requirement. The method quickly extracts the useful information on the phone in order to obtain the drug-related information.
In this scheme, the log-change information and the relevant time period are obtained on the basis of the simulated login signal and then sent to the data service provider, so that the provider can supply exactly the electronic evidence relevant to the case.
Specifically, the method for mining drug-related information from mobile-phone forensic electronic data comprises the following steps:
S100: acquiring a plurality of pieces of electronic data from at least one phone under forensic examination, the electronic data comprising at least one of address-book information, call-record information and social text information;
S200: judging whether the electronic data meets the validity requirement; if so, proceeding to S700, otherwise to S300;
S300: establishing data communication with the phone through an external forensics terminal and submitting a simulated login signal to it, the signal being used to open an interactive interface of the phone in simulation, where the interactive interface covers opening the address book, placing a call, sending a short message, opening a social application and sending a message;
S400: starting a log monitoring process, located on an external monitoring terminal, to capture the log changes on the phone;
S500: locating, from the log changes, the log entries related to the interactive interface of the phone;
S600: on the basis of those log entries, connecting to the back-end database of the phone's social application and to the phone's service-provider database to obtain electronic data that meets the validity requirement;
S700: mining drug-related information from the electronic data that meets the validity requirement.
Since the method analyses drug-related information, before S200 the method further includes:
establishing in advance an electronic-data validity database, comprising a keyword database of drug-related information, a timeline database of drug-related cases, and a database of numbers associated with drug-related cases.
As an important part of the improvement over the prior art, S400, starting the log monitoring process to capture the log changes on the phone, specifically includes:
S401: after the interactive interface of the phone has been opened in simulation on the basis of the simulated login signal, identifying the phone's log process;
S402: on the basis of that log process, acquiring from the phone's log file the log entries written after the interactive interface was opened in simulation;
S403: establishing a communication connection between the log monitoring process and the phone's log process, and obtaining the log entries written after the interactive interface was opened in simulation.
Further, S500, locating the log entries related to the interactive interface on the basis of the log changes, specifically includes:
the log entries written after the interactive interface was opened in simulation carry time-change information;
the log entries related to the interactive interface are located on the basis of that time-change information.
S600 specifically includes:
querying the back-end database of the phone's social application on the basis of the time-change information in the log entries written after the interactive interface was opened in simulation, and obtaining from that database the social-application data corresponding to the time-change information.
As another important improvement of the invention, the communication connection of S403 between the log monitoring process and the phone's log process is specifically established as follows:
the log monitoring process is connected to the phone's log process through a data pipe technique.
S700, mining drug-related information from the electronic data that meets the validity requirement, specifically includes:
building a knowledge graph of the drug-related information through text association and number association, and presenting the graph in visual form.
The method can be executed automatically by a computer system and a mobile terminal through computer program instructions. In a second aspect, therefore, the invention provides a non-volatile computer-readable storage medium storing computer-executable program instructions which, when executed by a terminal device comprising a processor and a memory, implement the method for mining drug-related information from mobile-phone forensic electronic data.
In this scheme, once the log-change information and the relevant time periods have been obtained from the simulated login signal, accurate log data relating to the crime at issue and its time periods is sent to the data service provider, so that the provider can supply exactly the electronic evidence relevant to the case. At the same time, because the method uses a data pipe technique, the data transmitted from the phone contains only the obtained data relating to the drug case, and damage to citizens' legitimate rights and interests is avoided.
Further advantages of the invention will be apparent from the detailed description of embodiments below, considered together with the accompanying drawings.
Drawings
To illustrate the embodiments of the invention or the prior-art solutions more clearly, the drawings required by the embodiments are briefly described below. The drawings described below are only some embodiments of the invention; a person skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is the main flow chart of the method for mining drug-related information from mobile-phone forensic electronic data according to one embodiment of the invention.
FIG. 2 is a schematic diagram of the modules of an execution system implementing the method of FIG. 1.
FIG. 3 is a schematic diagram of the principle by which the method of FIG. 1 judges whether the electronic data meets the validity requirement.
FIG. 4 shows a further detailed embodiment of the implementation steps of the method of FIG. 1.
Detailed Description
The invention is further described below with reference to the drawings and specific embodiments.
FIG. 1 is the main flow chart of the method for mining drug-related information from mobile-phone forensic electronic data according to an embodiment of the invention.
As shown in FIG. 1, the method comprises seven main steps, S100 to S700, implemented as follows:
S100: acquiring a plurality of pieces of electronic data from at least one phone under forensic examination, the electronic data comprising at least one of address-book information, call-record information and social text information;
S200: judging whether the electronic data meets the validity requirement; if so, proceeding to S700, otherwise to S300;
S300: establishing data communication with the phone through an external forensics terminal and submitting a simulated login signal to it, the signal being used to open an interactive interface of the phone in simulation, where the interactive interface covers opening the address book, placing a call, sending a short message, opening a social application and sending a message;
S400: starting a log monitoring process, located on an external monitoring terminal, to capture the log changes on the phone;
S500: locating, from the log changes, the log entries related to the interactive interface of the phone;
S600: on the basis of those log entries, connecting to the back-end database of the phone's social application and to the phone's service-provider database to obtain electronic data that meets the validity requirement;
S700: mining drug-related information from the electronic data that meets the validity requirement.
In this embodiment, the external forensics terminal is generally a forensics device authorized or certified by a judicial authority. Once the basic information of the criminal suspect has been obtained, the external forensics terminal can, via a simulated login signal, obtain part of the stored information of the phone or of other devices (including PDAs, laptops, notebook computers and the like).
Starting an electronic device, or logging in to an application on it, by sending a simulated login signal is existing practice in this field and is not what the invention develops; it is not elaborated further here.
The method of the invention is therefore implemented by applying an external forensics terminal to the mobile device, and it further requires an external monitoring terminal to receive the relevant electronic data obtained from the mobile device.
More specifically, see the block diagram of FIG. 2.
The external forensics terminal is in data communication with the phone under examination and submits the simulated login signal to it;
the external monitoring terminal starts the log monitoring process to capture the log changes on the phone;
and the external monitoring terminal locates, from those log changes, the log entries related to the interactive interface of the phone.
More specifically, the log entries written after the interactive interface was opened in simulation carry time-change information,
and the log entries related to the interactive interface are located on the basis of that time-change information.
It should be noted that in FIG. 2 the communication connection between the log monitoring process and the phone's log process is specifically established as follows:
the log monitoring process is connected to the phone's log process through a data pipe technique.
The data pipe technique was originally a technique for transferring data between different databases (data sources), for example for backup and restore; using it avoids process blocking and avoids transmitting data through a third-party agent. For example, Chinese patent application CN2020107749026 uses a data pipe to read the data to be backed up, the pipe connecting different processes for data transfer.
In the invention, in order that the data transmitted from the phone contains only the obtained data relating to the drug case, and to avoid damage to citizens' legitimate rights and interests, the inventors found that a data pipe technique prevents the data from being read by other processes, allows it to be read quickly, and avoids privacy leakage. A practitioner should note that a pipe confines the bytes in transit to its two endpoint processes; it does not by itself stop a privileged process on the same host from reading them, so the protection depends on both endpoints being trusted.
More preferably, before the embodiment of FIGS. 1-2 is carried out, an electronic-data validity database is established in advance, as shown in FIG. 3; it comprises a keyword database of drug-related information, a timeline database of drug-related cases, and a database of numbers associated with drug-related cases.
Such a database can be built in advance by applying existing techniques, such as web crawlers, to drug-related information sources.
For example, existing judgment documents in drug cases can be analysed with big-data techniques, and the database can be obtained by sharing and fusing data through the case-source sharing system within the public security system; see the following prior art:
[1] Hayan, Hai Hanwei. Application of big data in an intelligent anti-drug information analysis system [J]. Journal of Tianjin Vocational Institutes, 2017(10): 122-126.
[2] Scheiyan. Design and implementation of the Fujian Province anti-drug information lead management system [D].
[3] Development of the information system of the Ministry of Public Security Narcotics Control Department [D]. University of Electronic Science and Technology, 2011.
[4] Application and research of the system [J]. Journal of Fujian Police College, 2009, 23(5): 26-30.
[5] Lin Hai. On the construction of an anti-drug information database [J]. Journal of Fujian Police College, 2003, 17(5): 50-55.
[6] Wang Chun. Application of a network information platform in public security anti-drug information work [J]. Journal of Railway Police College, 2017(04): 66-70.
[7] Xupei. Analysis and design of a national anti-drug information system platform [D]. Harbin Institute of Technology, 2009.
On the basis of FIG. 3, in the method of FIGS. 1-2, judging in S200 whether the electronic data meets the validity requirement means judging whether it satisfies at least one of the following criteria:
(1) at least one piece of time information in the electronic data falls within a predetermined period;
(2) the text in the electronic data contains at least one preset keyword;
(3) the communication records in the electronic data contain at least one preset number;
(4) the social text information in the electronic data is interactive.
Here, interactive means: within a preset period there exist at least two pieces of social text information sent from different terminals.
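The four criteria above, written out as a screen over records already pulled from the phone. This is an added illustration and not code from the patent: the Record and ValidityDatabase types, the plain substring keyword match, the 30-minute interaction window and the sample records are all assumptions made here. A result of valid == False is the case in which the method falls through to the simulated-login path (S300 onwards).

```python
"""Added illustration of the S200 validity screen (criteria 1-4). Not the
patent's code; the data types, the 30-minute interaction window and the
sample records below are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations
from typing import Iterable, Optional


@dataclass(frozen=True)
class Record:
    kind: str                        # "contact", "call" or "social"
    timestamp: Optional[datetime]    # None when the artefact carries no time
    text: str = ""                   # message body or contact note
    number: str = ""                 # counterpart number for contacts and calls
    terminal: str = ""               # id of the device a social message came from


@dataclass(frozen=True)
class ValidityDatabase:
    """The pre-built validity database: case timeline, keywords, associated numbers."""
    window_start: datetime
    window_end: datetime
    keywords: frozenset
    numbers: frozenset
    interaction_window: timedelta = timedelta(minutes=30)   # assumed preset period


def in_timeline(records: Iterable[Record], db: ValidityDatabase) -> bool:
    """(1) at least one timestamp falls inside the case time window."""
    return any(r.timestamp is not None and db.window_start <= r.timestamp <= db.window_end
               for r in records)


def has_keyword(records: Iterable[Record], db: ValidityDatabase) -> bool:
    """(2) some text carries a preset keyword (plain substring match)."""
    return any(k in r.text for r in records for k in db.keywords)


def has_number(records: Iterable[Record], db: ValidityDatabase) -> bool:
    """(3) a contact or call record carries a preset associated number."""
    return any(r.kind in ("contact", "call") and r.number in db.numbers for r in records)


def is_interactive(records: Iterable[Record], db: ValidityDatabase) -> bool:
    """(4) two social messages from different terminals within the interaction window."""
    msgs = sorted((r for r in records if r.kind == "social" and r.timestamp is not None),
                  key=lambda r: r.timestamp)
    # combinations() over the sorted list yields a before b, so b - a is never negative
    return any(a.terminal != b.terminal and b.timestamp - a.timestamp <= db.interaction_window
               for a, b in combinations(msgs, 2))


def check_validity(records: Iterable[Record], db: ValidityDatabase) -> dict:
    """Evaluate all four criteria; 'valid' is True when at least one of them holds."""
    records = list(records)
    result = {
        "timeline": in_timeline(records, db),
        "keyword": has_keyword(records, db),
        "number": has_number(records, db),
        "interactive": is_interactive(records, db),
    }
    result["valid"] = any(result.values())
    return result


# Constructed sample data (not from any real case).
SAMPLE_DB = ValidityDatabase(
    window_start=datetime(2020, 10, 20),
    window_end=datetime(2020, 10, 31, 23, 59, 59),
    keywords=frozenset({"goods"}),
    numbers=frozenset({"13800000001"}),
)
SAMPLE_RECORDS = [
    Record("contact", None, number="13800000001"),                       # hits criterion (3)
    Record("call", datetime(2020, 10, 5, 8, 0), number="13900000002"),   # outside the timeline
    Record("social", datetime(2020, 10, 5, 9, 0), text="see you", terminal="A"),
    Record("social", datetime(2020, 10, 5, 9, 20), text="ok", terminal="B"),  # (4) with the line above
]
SPARSE_RECORDS = [Record("call", datetime(2020, 10, 5, 8, 0), number="13900000002")]

if __name__ == "__main__":
    print(check_validity(SAMPLE_RECORDS, SAMPLE_DB))   # valid: proceed to S700
    print(check_validity(SPARSE_RECORDS, SAMPLE_DB))   # not valid: fall through to S300
```

The sparse set models the situation the background describes, a phone whose messages were deleted in time: nothing on the device alone satisfies any criterion, so the method must obtain the data from the back-end and provider databases instead.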
On the basis of fig. 1-3, see fig. 4.
The step S400 of starting the log monitoring process to acquire the log change of the to-be-forensics mobile phone specifically includes:
s401: after an interactive interface of the mobile phone to be forensics is started based on the simulation login signal, identifying a log process of the mobile phone to be forensics;
s402: acquiring log record information of the mobile phone to be forensics after an interactive interface of the mobile phone to be forensics is simulated and started in a log record file of the mobile phone to be forensics based on a log process of the mobile phone to be forensics;
s403: and performing communication connection on the log monitoring process and the log process of the mobile phone to be subjected to evidence obtaining, and obtaining log record information after the interactive interface of the mobile phone to be subjected to evidence obtaining is simulated and opened.
More specifically, referring to the structural diagram in fig. 2, the communication connection of step S403 between the log monitoring process and the log process of the mobile phone under forensic examination is specifically established through a data pipeline technology.
Step S500, locating log information related to the interactive interface in the mobile phone under forensic examination based on the log changes, specifically includes:
the log record information written after the interactive interface was started in simulation comprises time change information;
and locating the log information related to the interactive interface based on that time change information.
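Steps S403 and S500 together, as an added example that is not part of the patent: a monitoring process reads the phone's log records over a pipe, keeps only the records written after the simulated start of the interactive interface, and derives the time-change window that the S600 database queries would use. The log line format, the tags and every sample line are constructed placeholders, and both ends of the pipe live in one process so that the example runs stand-alone.

```python
"""S400-S500 (added example, not part of the patent): the monitor reads the
phone's log records over a pipe, keeps those written after the interactive
interface was started by the simulated login signal, and derives the
time-change window for S600. Log format and sample lines are constructed."""
import os
import re
from datetime import datetime

# Constructed format: "<ISO timestamp> <tag>: <message>".
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (\w+): (.*)$")

# Constructed log stream, as the phone's log process might emit it.
SAMPLE_LOG = """\
2020-10-27T09:58:10 system: boot completed
2020-10-27T10:00:00 ui: interactive interface started (simulated login)
2020-10-27T10:00:03 contacts: address list opened
2020-10-27T10:00:09 dialer: call placed
2020-10-27T10:00:15 social: message sent
malformed line without timestamp
2020-10-27T10:01:00 system: screen off
"""

def parse_log_line(line):
    """Return (timestamp, tag, message), or None for a line that does not parse."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def read_log_via_pipe(log_text):
    """S403: the log process writes into a pipe and the monitor reads from it.
    Both ends live in this one process so the example runs stand-alone."""
    r, w = os.pipe()
    os.write(w, log_text.encode())
    os.close(w)                      # EOF for the reader
    chunks = []
    while True:
        data = os.read(r, 4096)
        if not data:
            break
        chunks.append(data)
    os.close(r)
    return b"".join(chunks).decode().splitlines()

def locate_interface_logs(lines, started_at):
    """S500: keep parsable records whose time is at/after the simulated start,
    returning them with the (first, last) window handed to the S600 queries."""
    recs = [r for r in map(parse_log_line, lines) if r and r[0] >= started_at]
    window = (recs[0][0], recs[-1][0]) if recs else None
    return recs, window

def run_sample():
    """Drive the sample: the start time is taken from the 'interface started' line."""
    lines = read_log_via_pipe(SAMPLE_LOG)
    started = parse_log_line(lines[1])[0]
    recs, window = locate_interface_logs(lines, started)
    return [tag for _, tag, _ in recs], tuple(t.isoformat() for t in window)
```

Only the records from the simulated start onward survive; the earlier boot record and the unparsable line are dropped, which is the point of restricting transmitted data to the log change under examination.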
Although not shown, step S600 specifically includes:
querying the background database of the social application of the mobile phone under forensic examination based on the time change information in the log record information written after the interactive interface was started in simulation, and acquiring from that background database the electronic data information of the social application corresponding to the time change information;
logging in to the service provider database of the mobile phone under forensic examination using the simulated login signal;
and acquiring, from that service provider database, the address list information and call record information matching the time change information in the log record information written after the interactive interface was started in simulation.
Finally, step S700 mines drug-related information from the electronic data information satisfying the validity requirement, and specifically includes:
establishing a knowledge graph of the drug-related information through text association and number association, and displaying the knowledge graph in visual form.
Various schemes for generating a knowledge graph from existing information exist in the prior art, so the method is not elaborated further here. For example, the following document provides a knowledge graph visualization of cases:
the warrior data, Liu Haishun, Li Chunnan, et al. Knowledge graph construction technology based on criminal cases [J]. Journal of Zhengzhou University (Lei Zhi edition), 2019(3).
According to this technical scheme, after the log change information and the relevant time periods are obtained based on the simulated login signal, accurate log data related to the current criminal facts and the crime time periods are sent to the data service provider, so that the provider can accurately supply the electronic evidence information related to the present case; meanwhile, because the method adopts a data pipeline technology, the data transmitted from the mobile phone under forensic examination comprises only the obtained data related to the drug-related case, which avoids infringing the legitimate rights and interests of citizens.
The prior art referred to in this application is incorporated as part of the present application.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that various changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (7)

1. A method for mining drug-related information based on electronic data obtained by mobile phone forensics, characterized in that:
the method is implemented by applying an external forensic terminal to mobile equipment;
the method comprises the following steps:
S100: acquiring a plurality of pieces of electronic data information from at least one mobile phone under forensic examination, wherein the electronic data information comprises at least one of address book information, call record information and social text information;
S200: judging whether the electronic data information meets the validity requirement; if so, proceeding to step S700, otherwise proceeding to step S300;
S300: performing data communication with the mobile phone under forensic examination through the external forensic terminal and submitting a simulated login signal to it, wherein the simulated login signal is used to start an interactive interface of the phone in simulation, and the interactive interface comprises opening the address list, making a call, sending a short message, opening a social application and sending information;
S400: starting a log monitoring process to acquire log changes of the mobile phone under forensic examination, wherein the log monitoring process is located in an external monitoring terminal;
S500: locating log information related to the interactive interface in the mobile phone under forensic examination based on the log changes;
S600: based on the log information, connecting to the background database of the social application of the mobile phone under forensic examination and to the service provider database of that phone, to obtain electronic data information meeting the validity requirement;
S700: mining drug-related information from the electronic data information meeting the validity requirement;
wherein step S400, starting the log monitoring process to acquire the log changes of the mobile phone under forensic examination, specifically includes:
S401: after the interactive interface of the mobile phone under forensic examination has been started based on the simulated login signal, identifying the log process of that phone;
S402: based on that log process, acquiring from the phone's log record file the log record information written after the interactive interface was started in simulation;
S403: establishing a communication connection between the log monitoring process and the log process of the mobile phone under forensic examination through a data pipeline technology, and obtaining the log record information written after the interactive interface was started in simulation;
and step S600 specifically includes:
querying the background database of the social application of the mobile phone under forensic examination based on the time change information in the log record information written after the interactive interface was started in simulation, and acquiring from that background database the electronic data information of the social application corresponding to the time change information.
2. The method for mining drug-related information based on electronic data obtained by mobile phone forensics of claim 1, wherein:
step S200, determining whether the electronic data information satisfies the validity requirement, includes determining whether the electronic data information satisfies at least one of the following criteria:
(1) at least one piece of time information in the electronic data information falls within a predetermined time period;
(2) the text information in the electronic data information contains at least one preset keyword;
(3) the communication record information in the electronic data information contains at least one preset number;
(4) the social text information in the electronic data information is interactive.
3. The method for mining drug-related information based on electronic data obtained by mobile phone forensics of claim 1, wherein:
before step S200, the method further includes:
establishing in advance an electronic data information validity database, which comprises a keyword database of drug-related information, a timeline database of drug-related cases and an associated number database of drug-related cases.
4. The method for mining drug-related information based on electronic data obtained by mobile phone forensics of claim 1, wherein:
step S500, locating log information related to the interactive interface in the mobile phone under forensic examination based on the log changes, specifically includes:
the log record information written after the interactive interface of the mobile phone under forensic examination was started in simulation comprises the time change information;
and locating the log information related to the interactive interface in the mobile phone under forensic examination based on that time change information.
5. The method for mining drug-related information based on electronic data obtained by mobile phone forensics of claim 1, wherein:
step S600 specifically includes:
logging in to the service provider database of the mobile phone under forensic examination using the simulated login signal;
and acquiring, from that service provider database, the address list information and call record information matching the time change information in the log record information written after the interactive interface was started in simulation.
6. The method for mining drug-related information based on electronic data obtained by mobile phone forensics of claim 1, wherein:
step S700, mining drug-related information from the electronic data information meeting the validity requirement, specifically includes:
establishing a knowledge graph of the drug-related information through text association and number association, and displaying the knowledge graph in visual form.
7. A non-transitory computer-readable storage medium having stored thereon computer-executable program instructions which, when executed by a terminal device comprising a processor and a memory, implement the method for mining drug-related information based on mobile phone forensics electronic data of any one of claims 1-6.
CN202011164405.0A 2020-10-27 2020-10-27 Method for mining toxic information based on mobile phone evidence obtaining electronic data Active CN112328652B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011164405.0A CN112328652B (en) 2020-10-27 2020-10-27 Method for mining toxic information based on mobile phone evidence obtaining electronic data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011164405.0A CN112328652B (en) 2020-10-27 2020-10-27 Method for mining toxic information based on mobile phone evidence obtaining electronic data

Publications (2)

Publication Number Publication Date
CN112328652A CN112328652A (en) 2021-02-05
CN112328652B true CN112328652B (en) 2022-11-01

Family

ID=74296506

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011164405.0A Active CN112328652B (en) 2020-10-27 2020-10-27 Method for mining toxic information based on mobile phone evidence obtaining electronic data

Country Status (1)

Country Link
CN (1) CN112328652B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111030816A (en) * 2019-12-27 2020-04-17 厦门市美亚柏科信息股份有限公司 Authentication method and device for access platform of evidence obtaining equipment and storage medium
CN111666569A (en) * 2020-04-24 2020-09-15 宁夏凯信特信息科技有限公司 Electronic data evidence obtaining system

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
KR20140121743A (en) * 2013-04-08 2014-10-16 남기훈 Mobile forensics method with user behavior-based simulation
CN103345419A (en) * 2013-07-25 2013-10-09 南京邮电大学 Dynamic evidence obtaining method based on Android platform
CN107644106B (en) * 2017-10-17 2020-10-09 厦门市美亚柏科信息股份有限公司 Method, terminal device and storage medium for automatically mining service middleman
CN109635099A (en) * 2018-12-21 2019-04-16 山东华夏高科信息股份有限公司 Case-involving electronic data evidence obtaining management system
CN110647561A (en) * 2019-09-26 2020-01-03 四川科瑞软件有限责任公司 Communication track analysis method for drug-involved personnel

Also Published As

Publication number Publication date
CN112328652A (en) 2021-02-05

Similar Documents

Publication Publication Date Title
Park et al. Cyber forensics ontology for cyber criminal investigation
US20190121969A1 (en) Graph Model for Alert Interpretation in Enterprise Security System
CN112445870B (en) Knowledge graph string parallel case analysis method based on mobile phone evidence obtaining electronic data
CN112581129A (en) Block chain transaction data management method and device, computer equipment and storage medium
Ariu et al. Machine learning in computer forensics (and the lessons learned from machine learning in computer security)
CN113254964A (en) Log security certificate storage method and device, electronic equipment and storage medium
Somepalli et al. Information security management
CN113987508A (en) Vulnerability processing method, device, equipment and medium
CN113918938A (en) User entity behavior analysis method and system of continuous immune safety system
Edwards et al. Cyber strategies used to combat child sexual abuse material
Gupta Addressing big data security issues and challenges
Drewer et al. Europol’s data protection framework as an asset in the fight against cybercrime
CN112328652B (en) Method for mining toxic information based on mobile phone evidence obtaining electronic data
CN116662987A (en) Service system monitoring method, device, computer equipment and storage medium
Lee et al. K-FFRaaS: A Generic Model for Financial Forensic Readiness as a Service in Korea
CN113904828B (en) Method, apparatus, device, medium and program product for detecting sensitive information of interface
CN113923037B (en) Anomaly detection optimization device, method and system based on trusted computing
Iorliam Cybersecurity in Nigeria: A Case Study of Surveillance and Prevention of Digital Crime
Bakir Freedom or security? Mass surveillance of citizens
US9934543B2 (en) Secure traveler framework
Feng et al. A systematic approach of impact of GDPR in PII and privacy
Chechulin et al. Cybercrime investigation model
OBAMANU Legal issues and challenges in the admissibility of digital forensic evidence in courts in Nigeria
CN112328904B (en) System and method for generating electronic data relationship chain based on social network data chain
Kaushik et al. Perspectives on Ethical Hacking and Penetration Testing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant