CN114491493A - Data evidence obtaining method and device, electronic equipment and storage medium - Google Patents

Data evidence obtaining method and device, electronic equipment and storage medium

Info

Publication number
CN114491493A
Authority
CN
China
Prior art keywords
vulnerability
evidence obtaining
authority
data
target
Legal status
Pending
Application number
CN202111638776.2A
Other languages
Chinese (zh)
Inventor
屈云轩
蔡骏
Current Assignee
Qi'an Pangu Shanghai Information Technology Co ltd
Original Assignee
Qi'an Pangu Shanghai Information Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/10 Services
    • G06Q50/18 Legal services

Abstract

The invention provides a data forensics method and apparatus, an electronic device and a storage medium. The method comprises the following steps: acquiring a vulnerability present in the forensic device and an exploit strategy generated on the basis of the vulnerability; using the exploit strategy to elevate the access permission to the target permission; and reading a system key file in the forensic device on the basis of the target permission. According to the method, the permission needed to read the system key file in the forensic device is obtained by using the vulnerability of the forensic device and the exploit strategy, so that the key data of the system is obtained, the capability of extracting and analyzing electronic data is improved, and powerful support is provided for the subsequent evidence analysis.

Description

Data evidence obtaining method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of electronic forensics technologies, and in particular to a data forensics method and apparatus, an electronic device, and a storage medium.
Background
Obtaining evidence from the file data in electronic devices is currently one of the most common ways of obtaining evidence.
In the related art, forensic acquisition of Android device system files is implemented by means of the Android Debug Bridge (Adb): commands such as Adb shell and Adb pull are used to extract the relevant data directly from the Android device. However, because of the protection mechanism and other isolation mechanisms of the Android device and its mobile operating system, this forensic approach can access only part of the public data of the system and cannot access the system key files of the Android device, so that key evidence is hard to obtain and the forensic capability is greatly limited.
Disclosure of Invention
In view of the problems in the related art, the invention provides a data forensics method and apparatus, an electronic device and a storage medium, which are used to solve the problem that a system key file cannot be accessed.
The invention provides a data forensics method, which comprises the following steps:
acquiring a vulnerability present in the forensic device and an exploit strategy generated on the basis of the vulnerability;
using the exploit strategy to elevate the access permission to the target permission;
and reading a system key file in the forensic device on the basis of the target permission.
According to the data forensics method provided by the invention, acquiring the vulnerability present in the forensic device and the exploit strategy generated on the basis of the vulnerability comprises the following steps:
acquiring system information of the operating system in the forensic device;
according to the system information, selecting from a vulnerability database a vulnerability that matches the system information and an exploit strategy generated on the basis of that vulnerability; wherein the vulnerability database comprises: the vulnerabilities present in the forensic device and the exploit strategies generated respectively on the basis of those vulnerabilities.
According to the data forensics method provided by the invention, selecting from the vulnerability database, according to the system information, a vulnerability that matches the system information and an exploit strategy generated on the basis of the vulnerability comprises the following step:
searching the vulnerability database, according to the system information, for a vulnerability that has not been repaired, and selecting the exploit strategy corresponding to the vulnerability found.
According to the data forensics method provided by the invention, using the exploit strategy to elevate the access permission to the target permission comprises the following steps:
executing the exploit strategy;
and when the vulnerability is successfully exploited by executing the exploit strategy, elevating the access permission to the target permission on the basis of the exploit strategy.
According to the data forensics method provided by the invention, reading the system key file in the forensic device on the basis of the target permission comprises the following steps:
displaying, on a display interface of the forensic device, all files corresponding to the target permission on the basis of the target permission;
and reading, according to a selection operation of the user, the system key file among all the files that corresponds to the selection operation.
According to the data forensics method provided by the invention, after the system key file in the forensic device has been read on the basis of the target permission, the method further comprises:
storing the system key file to a target path;
or sending the system key file to an external device.
The invention also provides a data forensics apparatus, comprising:
an acquisition module, configured to acquire a vulnerability present in the forensic device and an exploit strategy generated on the basis of the vulnerability;
an elevation module, configured to elevate the access permission to the target permission by using the exploit strategy;
and a reading module, configured to read the system key file in the forensic device on the basis of the target permission.
The invention also provides an electronic device, comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the program, implements the steps of the data forensics method.
The invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the data forensics method described in any one of the above.
The invention also provides a computer program product comprising a computer program which, when executed by a processor, carries out the steps of the data forensics method described in any one of the above.
According to the data forensics method and apparatus, the electronic device and the storage medium provided by the invention, the vulnerability present in the forensic device and the exploit strategy generated on the basis of the vulnerability are acquired; the exploit strategy is used to elevate the access permission to the target permission; and the system key file in the forensic device is read on the basis of the target permission. The permission needed to read the system key file in the forensic device is thus obtained by using the vulnerability of the forensic device and the exploit strategy, so that the system key data is obtained, the capability of extracting and analyzing electronic data is improved, and powerful support is provided for the subsequent evidence analysis.
Drawings
In order to illustrate the technical solutions of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly described below. Obviously, the drawings described below show some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flow chart of a data forensics method according to the present invention;
FIG. 2 is a second schematic flow chart of the data forensics method according to the present invention;
FIG. 3 is a third schematic flow chart of a data forensics method according to the present invention;
FIG. 4 is a fourth flowchart illustrating a data forensics method according to the present invention;
FIG. 5 is a fifth flowchart illustrating a data forensics method according to the present invention;
FIG. 6 is a sixth schematic flow chart of a data forensics method according to the present invention;
FIG. 7 is a schematic structural diagram of a data forensics apparatus according to the present invention;
FIG. 8 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
The data forensics method provided by the invention is explained in detail below through embodiments and application scenarios, with reference to the attached drawings.
The invention provides a data forensics method that can be applied in electronic data forensics scenarios. The method acquires a vulnerability present in the forensic device and an exploit strategy generated on the basis of the vulnerability; uses the exploit strategy to elevate the access permission to the target permission; and reads a system key file in the forensic device on the basis of the target permission. According to the method, the permission needed to read the system key file in the forensic device is obtained by using the vulnerability of the forensic device and the exploit strategy, so that the key data of the system is obtained, the capability of extracting and analyzing electronic data is improved, and powerful support is provided for the subsequent evidence analysis.
FIG. 1 is a schematic flowchart of the data forensics method provided by the present invention. As shown in FIG. 1, the method includes steps 110 to 130, wherein:
Step 110: acquiring a vulnerability present in the forensic device and an exploit strategy generated on the basis of the vulnerability.
It should be noted that the data forensics method provided by the invention can be applied in electronic data forensics scenarios. The execution subject of the method may be a data forensics apparatus, such as an electronic device, or a control module in the data forensics apparatus that executes the data forensics method.
Optionally, the forensic device may be an Android-based electronic device, such as a mobile phone, a tablet computer or a desktop computer.
Optionally, the vulnerability represents a flaw in the hardware, the software, the specific implementation of a protocol or the security policy of the operating system, such that an attacker can access or damage the operating system without authorization. The exploit strategy represents a strategy by which the permission of the operating system may be obtained through the vulnerability.
Step 120: using the exploit strategy to elevate the access permission to the target permission.
Optionally, the access permission represents the permission with which the user can access the operating system of the forensic device.
Optionally, the target permission represents the permission with which the user accesses the forensic device in order to acquire a system key file of the forensic device; wherein the target permission includes the system permission or the root permission of the forensic device.
It should be noted that with the access permission of an ordinary user only limited data can be obtained from the forensic device; for example, only public data can be obtained, but not the key files in the system of the forensic device. The ordinary user therefore needs to elevate its own access permission to a target permission, such as the system permission or the root permission, in order to acquire the key files in the system of the forensic device.
Step 130: reading a system key file in the forensic device on the basis of the target permission.
Optionally, the system key file represents key data in the forensic device; wherein the system key file comprises at least one of the following: system configuration, user account, token.
Specifically, the access permission of the user is elevated to the target permission, the user acquires the target permission for accessing the forensic device, and the system key file in the forensic device is then read according to the target permission.
According to the data forensics method provided by the invention, the vulnerability present in the forensic device and the exploit strategy generated on the basis of the vulnerability are acquired; the exploit strategy is used to elevate the access permission to the target permission; and the system key file in the forensic device is read on the basis of the target permission. The permission needed to read the system key file in the forensic device is thus obtained by using the vulnerability of the forensic device and the exploit strategy, so that the system key data is obtained, the capability of extracting and analyzing electronic data is improved, and powerful support is provided for the subsequent evidence analysis.
FIG. 2 is a second schematic flowchart of the data forensics method provided by the present invention. As shown in FIG. 2, the method includes steps 210 to 240, wherein:
Step 210: acquiring system information of the operating system in the forensic device.
Optionally, the system information of the operating system comprises at least one of: the version number of the operating system and the security patch information of the operating system; wherein the security patch information of the operating system indicates the date on which the operating system was last patched.
Step 220: according to the system information, selecting from a vulnerability database a vulnerability that matches the system information and an exploit strategy generated on the basis of that vulnerability; wherein the vulnerability database comprises: the vulnerabilities present in the forensic device and the exploit strategies generated respectively on the basis of those vulnerabilities.
Optionally, the vulnerability database contains at least one vulnerability, and each vulnerability corresponds to at least one operating system version number.
Optionally, where a vulnerability in the vulnerability database has been repaired, the repaired vulnerability corresponds to a vulnerability repair date.
It should be noted that the vulnerability database includes a local vulnerability database and a network vulnerability database; the local vulnerability database is stored in the forensic device and holds the vulnerabilities of the forensic device; the network vulnerability database is stored on a server, and the forensic device connects to the network vulnerability database over the network to obtain vulnerabilities.
Optionally, a vulnerability matching the system information is selected from the vulnerability database according to the operating system version and the operating system security patch information of the operating system in the forensic device, and the exploit strategy generated for the matched vulnerability is obtained.
Specifically, first, according to the version of the operating system in the forensic device, the vulnerabilities in the vulnerability database whose corresponding operating system version is the same are selected, which indicates that these vulnerabilities match the operating system version of the forensic device; secondly, according to the security patch information of the operating system in the forensic device, the vulnerabilities in the vulnerability database whose repair date is later than the operating system security patch information of the forensic device are selected; and finally, according to the vulnerability obtained by this selection and matching, the exploit strategy generated for that vulnerability is obtained.
In practice, matching is performed in the local vulnerability database according to the operating system version and the operating system security patch information of the forensic device; if no suitable vulnerability and exploit strategy is matched in the local vulnerability database, matching is then performed in the network vulnerability database until a suitable vulnerability and exploit strategy is matched.
Step 230: using the exploit strategy to elevate the access permission to the target permission.
Step 240: reading a system key file in the forensic device on the basis of the target permission.
Optionally, for the description and explanation of steps 230 to 240, reference may be made to the description and explanation of steps 120 to 130; the same technical effect can be achieved, and the description is not repeated here in order to avoid repetition.
According to the data forensics method provided by the invention, the system information of the operating system in the forensic device is acquired and matched against the vulnerabilities in the vulnerability database, and the vulnerability matching the system information of the operating system and the exploit strategy generated from that vulnerability are obtained, so that the key data of the system is obtained by using the vulnerability of the forensic device and the exploit strategy, the capability of extracting and analyzing electronic data is improved, and powerful support is provided for the subsequent evidence analysis.
Optionally, the implementation of step 220 may include: searching the vulnerability database, according to the system information, for vulnerabilities that have not been repaired, and selecting the exploit strategies corresponding to the vulnerabilities found.
Specifically, according to the system information of the operating system in the forensic device, the unrepaired vulnerabilities are retrieved from the vulnerability database, the vulnerabilities matching the system information are selected from among the unrepaired vulnerabilities, and the exploit strategy corresponding to each retrieved vulnerability is selected.
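The matching rule of step 220 (same operating system version, repair date later than the device's security patch level, or no repair date at all) together with the local-then-network lookup order described above, as an added Python example that is not the patent's own code: given a device's version and patch level, it lists the database entries the device has not received a fix for, which is the same check a defender runs to measure a fleet's patch exposure. The database records, identifiers and dates are constructed placeholders; the exploit-strategy column of the patent's database is deliberately omitted, and the patch level is assumed to be a YYYY-MM-DD date string as Android reports it.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class VulnEntry:
    """One record of the vulnerability database (constructed placeholder, not a real advisory)."""
    ident: str                 # placeholder identifier, not a real CVE number
    os_versions: frozenset     # operating-system version numbers the entry corresponds to
    fix_date: Optional[date]   # vulnerability repair date; None if the entry has no repair yet


@dataclass(frozen=True)
class SystemInfo:
    """Step 210 system information: OS version number and security patch level."""
    os_version: str
    security_patch: date       # date of the last patch applied (assumed YYYY-MM-DD string on input)

    @classmethod
    def parse(cls, os_version: str, patch_level: str) -> "SystemInfo":
        return cls(os_version, date.fromisoformat(patch_level))


def unpatched_entries(info: SystemInfo, database: Sequence[VulnEntry]) -> List[VulnEntry]:
    """Apply the step 220 matching rule and return the entries the device is still exposed to.

    An entry matches when (1) its OS versions include the device's version and
    (2) the device's patch level predates the entry's repair date, or the entry
    has no repair date at all (an unrepaired vulnerability).
    """
    matched = []
    for entry in database:
        if info.os_version not in entry.os_versions:
            continue
        if entry.fix_date is None or info.security_patch < entry.fix_date:
            matched.append(entry)
    return matched


def lookup_with_fallback(
    info: SystemInfo,
    local_db: Sequence[VulnEntry],
    fetch_network_db: Callable[[], Sequence[VulnEntry]],
) -> Tuple[List[VulnEntry], str]:
    """Step 602 order: query the local database first, and the network database only
    when the local one yields nothing. The network database is fetched lazily, which
    mirrors a server round-trip the device makes only when it is needed."""
    hits = unpatched_entries(info, local_db)
    if hits:
        return hits, "local"
    return unpatched_entries(info, fetch_network_db()), "network"


# Constructed sample databases; identifiers, versions and dates are made up.
LOCAL_DB = (
    VulnEntry("VULN-A", frozenset({"10", "11"}), date(2021, 9, 5)),
    VulnEntry("VULN-B", frozenset({"11"}), date(2021, 12, 5)),
    VulnEntry("VULN-C", frozenset({"12"}), None),
)
NETWORK_DB = (
    VulnEntry("VULN-D", frozenset({"10"}), date(2022, 2, 7)),
)


def check_device(os_version: str, patch_level: str) -> Tuple[List[str], str]:
    """Convenience wrapper: returns (matched identifiers, which database answered)."""
    info = SystemInfo.parse(os_version, patch_level)
    hits, source = lookup_with_fallback(info, LOCAL_DB, lambda: NETWORK_DB)
    return [e.ident for e in hits], source


if __name__ == "__main__":
    for ver, patch in (("11", "2021-10-05"), ("10", "2021-11-05"), ("10", "2022-03-05")):
        ids, source = check_device(ver, patch)
        print(f"Android {ver}, patch level {patch}: {ids or 'no exposure found'} ({source})")
```

A device whose patch level is on or after every repair date of its version comes back empty from both databases, which is the outcome step 604 reports as a matching failure.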
FIG. 3 is a third schematic flowchart of the data forensics method provided by the present invention. As shown in FIG. 3, the method includes steps 310 to 340, wherein:
Step 310: acquiring a vulnerability present in the forensic device and an exploit strategy generated on the basis of the vulnerability.
Step 320: executing the exploit strategy.
Step 330: when the vulnerability is successfully exploited by executing the exploit strategy, elevating the access permission to the target permission on the basis of the exploit strategy.
Optionally, the exploit strategy is executed; when the vulnerability corresponding to the exploit strategy is successfully exploited by executing the exploit strategy, the access permission is elevated to the target permission, that is, the permission to access the system key file is obtained; when the vulnerability corresponding to the exploit strategy is not successfully exploited by executing the exploit strategy, this indicates that the access permission has not been elevated to the target permission, that is, the permission to access the system key file has not been obtained.
Step 340: reading a system key file in the forensic device on the basis of the target permission.
According to the data forensics method provided by the invention, the vulnerability present in the forensic device and the exploit strategy corresponding to the vulnerability are acquired, the exploit strategy is executed, the vulnerability is successfully exploited by executing the exploit strategy, the access permission is elevated to the permission needed to obtain the system key files, the key data of the system is obtained, the capability of extracting and analyzing electronic data is improved, and powerful support is provided for the subsequent evidence analysis.
FIG. 4 is a fourth schematic flowchart of the data forensics method provided by the present invention. As shown in FIG. 4, the method includes steps 410 to 440, wherein:
Step 410: acquiring a vulnerability present in the forensic device and an exploit strategy generated on the basis of the vulnerability.
Step 420: using the exploit strategy to elevate the access permission to the target permission.
Step 430: displaying, on a display interface of the forensic device, all files corresponding to the target permission on the basis of the target permission.
Optionally, according to the target permission obtained, all files of the operating system corresponding to the target permission are obtained, and all of these files may be displayed on the display interface of the forensic device.
Step 440: reading, according to a selection operation of the user, the system key file among all the files that corresponds to the selection operation.
Optionally, the user selects a system key file of the operating system from all the files displayed on the display interface of the forensic device, and the selected system key file of the operating system is then read.
According to the data forensics method provided by the invention, the target permission of the forensic device is obtained, all files corresponding to the target permission are then displayed on the display interface of the forensic device, and the user selects the relevant system key file in a targeted manner from all the displayed files, so that the key data of the system is obtained, the capability of extracting and analyzing electronic data is improved, and powerful support is provided for the subsequent evidence analysis.
FIG. 5 is a fifth schematic flowchart of the data forensics method provided by the present invention. As shown in FIG. 5, the method includes steps 510 to 540, wherein:
Step 510: acquiring a vulnerability present in the forensic device and an exploit strategy generated on the basis of the vulnerability.
Step 520: using the exploit strategy to elevate the access permission to the target permission.
Step 530: reading a system key file in the forensic device on the basis of the target permission.
Optionally, for the description and explanation of steps 510 to 530, reference may be made to the description and explanation of steps 110 to 130; the same technical effect can be achieved, and the description is not repeated here in order to avoid repetition.
Step 540: storing the system key file to a target path, or sending the system key file to an external device.
Optionally, the target path represents the storage path under which the system key file is stored on the forensic device.
Optionally, the acquired system key file is stored under the target path on the forensic device, and the stored system key file is then sent to the external device by means of an Adb pull command, a socket or the like; or the system key file of the forensic device is sent to the external device by connecting the forensic device directly to the external device.
According to the data forensics method provided by the invention, the acquired system key file of the forensic device is stored to the target path, or the system key file is sent to the external device, so that the acquisition of the system key data is realized and the key information of the system can be analyzed subsequently; the capability of extracting and analyzing electronic data is improved, and powerful support is provided for the subsequent evidence analysis.
FIG. 6 is a sixth schematic flowchart of the data forensics method provided by the present invention. As shown in FIG. 6, the method includes steps 601 to 610, wherein:
Step 601: acquiring system information of the operating system in the forensic device.
Step 602: searching the vulnerability database for matching vulnerabilities. According to the system information of the operating system in the forensic device, unrepaired vulnerabilities are first matched and searched for in the local vulnerability database; if no suitable vulnerability and exploit strategy is matched in the local vulnerability database, matching is then performed in the network vulnerability database.
Step 603: judging whether a vulnerability has been matched successfully. If a suitable vulnerability is matched, go to step 605; otherwise go to step 604.
Step 604: feeding back failure information. The failure information fed back is displayed on the display interface of the forensic device.
Step 605: executing the exploit strategy corresponding to the vulnerability. The exploit strategy corresponding to the matched vulnerability is obtained and executed.
Step 606: judging whether the vulnerability has been exploited successfully. If executing the exploit strategy succeeds in exploiting the vulnerability, go to step 607; otherwise go to step 604.
Step 607: obtaining the target permission. When the vulnerability is successfully exploited by executing the exploit strategy, the target permission of the forensic device is acquired, the target permission being the permission to read the system key files.
Step 608: obtaining the files corresponding to the target permission of the system. All files that can be read with the target permission of the system are read according to the target permission, and all files corresponding to the target permission are displayed on the display interface of the forensic device.
Step 609: obtaining the system key file. All files corresponding to the target permission are displayed on the display interface of the forensic device and the user selects the relevant file, so that the system key file among all the files that corresponds to the selection operation is read according to the user's selection operation.
Step 610: storing the system key file, or sending it to the external device. The system key file is stored to the target path of the forensic device, or sent to the external device, for subsequent analysis of the key information of the system.
According to the forensics method provided by the invention, the system information of the forensic device is matched against the vulnerability information and exploit strategies in the vulnerability database, the exploit strategy corresponding to a vulnerability is executed, and when the corresponding vulnerability is successfully exploited by the exploit strategy the target permission is obtained; according to the target permission, all files that can be read with the target permission of the system are read, and the relevant file is then operated on according to the user's selection to obtain the system key file, so that the system key data is obtained, the capability of extracting and analyzing electronic data is improved, and powerful support is provided for the subsequent evidence analysis.
The data forensics apparatus provided by the invention is described below; the apparatus described here and the data forensics method described above correspond to each other and may be read together.
Fig. 7 is a schematic structural diagram of the data forensics apparatus provided by the invention. As shown in Fig. 7, the data forensics apparatus 700 includes an obtaining module 701, an elevation module 702 and a reading module 703, where:
the obtaining module 701 is configured to obtain a vulnerability present in the forensic device and an exploitation strategy generated on the basis of that vulnerability;
the elevation module 702 is configured to elevate access rights to a target privilege level using the exploitation strategy;
the reading module 703 is configured to read a system key file in the forensic device on the basis of the target privilege level.
According to the data forensics apparatus, a vulnerability present in the forensic device and an exploitation strategy generated on the basis of that vulnerability are obtained; the exploitation strategy is used to elevate access rights to the target privilege level; and the system key file in the forensic device is read on the basis of the target privilege level. The privilege required to read the system key file is thus obtained by using the device's own vulnerability and the corresponding exploitation strategy, the system key data are obtained, the capability for extracting and analyzing electronic data is improved, and strong support is provided for subsequent evidence analysis.
Optionally, the obtaining module 701 is specifically configured to:
obtain system information of the operating system in the forensic device;
select, according to the system information, a vulnerability in a vulnerability library that matches the system information, together with the exploitation strategy generated on the basis of that vulnerability; wherein the vulnerability library comprises the vulnerabilities present in the forensic device and the exploitation strategies generated for each of those vulnerabilities.
Optionally, the obtaining module 701 is specifically configured to:
search the vulnerability library, according to the system information, for a vulnerability that has not been repaired, and select the exploitation strategy corresponding to the vulnerability found.
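The matching step above (select a library entry that fits the device's operating system and version, and discard it when the repairing patch is already present) is the same version-range and patch-level comparison a patch-gap audit performs. The following is an added example written for this page, not code from the patent or its assignee; the library entries, patch identifiers, strategy labels and `VULN-EXAMPLE-*` identifiers are constructed placeholders, and the exploitation strategy is represented only as an opaque label attached to each entry.

```python
"""Vulnerability-library matching for the forensic workflow described above.

Added example, not code from the patent. Library entries, system info and
identifiers (VULN-EXAMPLE-*, PATCH-*, strategy-*) are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.4.1' into (12, 4, 1) so versions compare numerically.

    Comparing the raw strings would wrongly rank '12.10' below '12.9'.
    """
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class VulnEntry:
    vuln_id: str                # placeholder identifier, not a real CVE
    os_name: str                # operating system the entry applies to
    min_version: str            # first affected version (inclusive)
    max_version: str            # last affected version (inclusive)
    fixed_patch: Optional[str]  # patch that repairs it, or None if unpatched upstream
    strategy: str               # opaque label of the strategy stored with the entry


@dataclass(frozen=True)
class SystemInfo:
    os_name: str
    version: str
    patches: frozenset          # patch identifiers already applied on the device


def is_unrepaired(entry: VulnEntry, info: SystemInfo) -> bool:
    """True when the entry matches the OS and version range and its fix is absent."""
    if entry.os_name != info.os_name:
        return False
    v = parse_version(info.version)
    if not (parse_version(entry.min_version) <= v <= parse_version(entry.max_version)):
        return False
    # "Search for the vulnerability that has not been repaired": an applied fix rules it out.
    if entry.fixed_patch is not None and entry.fixed_patch in info.patches:
        return False
    return True


def select_strategies(info: SystemInfo, library: List[VulnEntry]) -> List[Tuple[str, str]]:
    """Return (vuln_id, strategy) pairs for every unrepaired library entry matching the system."""
    return [(e.vuln_id, e.strategy) for e in library if is_unrepaired(e, info)]


# Constructed vulnerability library (sample data, not real vulnerabilities).
LIBRARY = [
    VulnEntry("VULN-EXAMPLE-1", "ExampleOS", "12.0", "12.4.1", "PATCH-2021-A", "strategy-A"),
    VulnEntry("VULN-EXAMPLE-2", "ExampleOS", "12.3", "13.0", None, "strategy-B"),
    VulnEntry("VULN-EXAMPLE-3", "ExampleOS", "11.0", "11.9", None, "strategy-C"),
    VulnEntry("VULN-EXAMPLE-4", "OtherOS", "12.0", "12.9", None, "strategy-D"),
]

if __name__ == "__main__":
    device = SystemInfo("ExampleOS", "12.4.1", frozenset({"PATCH-2021-A"}))
    print(select_strategies(device, LIBRARY))
```

Run against a device on ExampleOS 12.4.1 with PATCH-2021-A installed, the first entry is excluded because its fix is present, the third and fourth fall outside the version range or OS, and only the second entry's strategy is selected. The same function, run by an administrator against an inventory of managed devices, lists exactly the entries a forensic tool of this kind could still use, which is the patch-gap view a defender wants.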
Optionally, the elevation module 702 is specifically configured to:
execute the exploitation strategy;
and, when the vulnerability is successfully exploited by executing the exploitation strategy, elevate the access rights to the target privilege level on the basis of that strategy.
Optionally, the reading module 703 is specifically configured to:
display, on the basis of the target privilege level, all files corresponding to that privilege level on the display interface of the forensic device;
and read, according to a selection operation of the user, the system key file corresponding to that selection among all the files.
Optionally, the data forensics apparatus 700 is further configured to:
store the system key file under a target path;
or send the system key file to an external device.
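Steps 608 to 610 of the method above and the reading-module description just given both reduce to the same procedure: enumerate the files readable at the target privilege level, read only the ones the user selected, and store the copies under a target path (or hand them to an external device) for later analysis. The following is an added example for this page, not the patent's or its assignee's code; the file table, privilege ranking and paths are constructed, and it goes one step beyond the text by writing a SHA-256 manifest beside the copies so the later analyst can verify that the stored evidence has not changed since collection.

```python
"""Privilege-scoped file listing and evidence collection (steps 608-610).

Added example, not the patent's code. FILES, PRIVILEGE_RANK and the paths are
constructed stand-ins for a device filesystem; the manifest is an addition.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed privilege ordering: a higher rank can read everything a lower rank can.
PRIVILEGE_RANK = {"user": 1, "admin": 2, "root": 3}


@dataclass(frozen=True)
class FileRecord:
    path: str
    required: str   # minimum privilege level needed to read the file
    content: bytes  # constructed content standing in for the real file


def readable_files(records: List[FileRecord], privilege: str) -> List[str]:
    """Step 608: every file the target privilege level can read, in path order."""
    rank = PRIVILEGE_RANK[privilege]
    return sorted(r.path for r in records if PRIVILEGE_RANK[r.required] <= rank)


def _stored_name(target_dir: str, path: str) -> str:
    # Flatten the source path into a single file name under the target directory.
    return os.path.join(target_dir, path.strip("/").replace("/", "_"))


def collect(records: List[FileRecord], selected: List[str], privilege: str,
            target_dir: str) -> Dict[str, str]:
    """Steps 609-610: copy the user-selected files to target_dir and return {path: sha256}.

    A selection the privilege level cannot read is refused, not silently skipped,
    so the manifest never claims more than was actually collected.
    """
    allowed = set(readable_files(records, privilege))
    by_path = {r.path: r for r in records}
    manifest: Dict[str, str] = {}
    for path in selected:
        if path not in allowed:
            raise PermissionError(f"{path} is not readable at privilege level '{privilege}'")
        data = by_path[path].content
        with open(_stored_name(target_dir, path), "wb") as fh:
            fh.write(data)
        manifest[path] = hashlib.sha256(data).hexdigest()
    with open(os.path.join(target_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify(target_dir: str, manifest: Dict[str, str]) -> bool:
    """Re-hash the stored copies; False if any copy no longer matches the manifest."""
    for path, digest in manifest.items():
        with open(_stored_name(target_dir, path), "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != digest:
                return False
    return True


# Constructed file table standing in for the device's filesystem.
FILES = [
    FileRecord("/home/u/notes.txt", "user", b"user notes"),
    FileRecord("/etc/app/config.db", "admin", b"app config"),
    FileRecord("/data/system/keystore.bin", "root", b"key material"),
]


def run_collection(selected: List[str], privilege: str) -> Tuple[Dict[str, str], bool]:
    """Collect into a temporary target path and return (manifest, verified)."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = collect(FILES, selected, privilege, tmp)
        return manifest, verify(tmp, manifest)


if __name__ == "__main__":
    print(readable_files(FILES, "admin"))
    print(run_collection(["/etc/app/config.db"], "admin"))
```

The refusal in `collect` matters in practice: if the elevation step only partly succeeded, the tool must report that a selected file was out of reach rather than produce an evidence set that quietly lacks it. Sending to an external device would transmit the same files together with `manifest.json`, so the receiving side can run `verify` before analysis.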
Fig. 8 is a schematic structural diagram of an electronic device provided by the invention. As shown in Fig. 8, the electronic device 800 may include a processor 810, a communication interface 820, a memory 830 and a communication bus 840, where the processor 810, the communication interface 820 and the memory 830 communicate with one another over the communication bus 840. The processor 810 may call logic instructions in the memory 830 to perform a data forensics method comprising: obtaining a vulnerability present in the forensic device and an exploitation strategy generated on the basis of that vulnerability; elevating access rights to a target privilege level using the exploitation strategy; and reading a system key file in the forensic device on the basis of the target privilege level.
In addition, the logic instructions in the memory 830 may be implemented as software functional units and stored in a computer-readable storage medium when sold or used as an independent product. On this understanding, the technical solution of the invention may be embodied as a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In another aspect, the invention also provides a computer program product comprising a computer program that can be stored on a non-transitory computer-readable storage medium and that, when executed by a processor, performs the data forensics method provided above, the method comprising: obtaining a vulnerability present in the forensic device and an exploitation strategy generated on the basis of that vulnerability; elevating access rights to a target privilege level using the exploitation strategy; and reading a system key file in the forensic device on the basis of the target privilege level.
In yet another aspect, the invention also provides a non-transitory computer-readable storage medium storing a computer program that, when executed by a processor, implements the data forensics method provided above, the method comprising: obtaining a vulnerability present in the forensic device and an exploitation strategy generated on the basis of that vulnerability; elevating access rights to a target privilege level using the exploitation strategy; and reading a system key file in the forensic device on the basis of the target privilege level.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A data forensics method, comprising:
obtaining a vulnerability present in a forensic device and an exploitation strategy generated on the basis of the vulnerability;
elevating access rights to a target privilege level using the exploitation strategy;
and reading a system key file in the forensic device on the basis of the target privilege level.
2. The data forensics method according to claim 1, wherein obtaining the vulnerability present in the forensic device and the exploitation strategy generated on the basis of the vulnerability comprises:
obtaining system information of the operating system in the forensic device;
selecting, according to the system information, a vulnerability in a vulnerability library that matches the system information, together with the exploitation strategy generated on the basis of that vulnerability; wherein the vulnerability library comprises the vulnerabilities present in the forensic device and the exploitation strategies generated for each of those vulnerabilities.
3. The data forensics method according to claim 2, wherein selecting, according to the system information, the vulnerability in the vulnerability library that matches the system information and the exploitation strategy generated on the basis of the vulnerability comprises:
searching the vulnerability library, according to the system information, for a vulnerability that has not been repaired, and selecting the exploitation strategy corresponding to the vulnerability found.
4. The data forensics method according to claim 1, wherein elevating access rights to the target privilege level using the exploitation strategy comprises:
executing the exploitation strategy;
and, when the vulnerability is successfully exploited by executing the exploitation strategy, elevating the access rights to the target privilege level on the basis of the exploitation strategy.
5. The data forensics method according to claim 1, wherein reading the system key file in the forensic device on the basis of the target privilege level comprises:
displaying, on the basis of the target privilege level, all files corresponding to that privilege level on a display interface of the forensic device;
and reading, according to a selection operation of the user, the system key file corresponding to that selection among all the files.
6. The data forensics method according to claim 1, wherein, after reading the system key file in the forensic device on the basis of the target privilege level, the method further comprises:
storing the system key file under a target path;
or sending the system key file to an external device.
7. A data forensics apparatus, comprising:
an obtaining module, configured to obtain a vulnerability present in a forensic device and an exploitation strategy generated on the basis of the vulnerability;
an elevation module, configured to elevate access rights to a target privilege level using the exploitation strategy;
and a reading module, configured to read a system key file in the forensic device on the basis of the target privilege level.
8. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the data forensics method of any one of claims 1 to 6.
9. A non-transitory computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the steps of the data forensics method of any one of claims 1 to 6.
10. A computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements the steps of the data forensics method of any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111638776.2A CN114491493A (en) 2021-12-29 2021-12-29 Data evidence obtaining method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114491493A true CN114491493A (en) 2022-05-13

Family

ID=81508333

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination