CN115189935A - Intelligent mobile device centralized investigation and evidence obtaining system and investigation and evidence obtaining method based on same
- Publication number: CN115189935A (application CN202210792226.4A)
- Authority: CN (China)
- Prior art keywords: evidence obtaining, api, data, investigation, sample
- Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Classifications
- H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities
- H04L63/02: Network architectures or network communication protocols for network security, for separating internal from external traffic, e.g. firewalls
- H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources
- G06F21/31: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; user authentication
- G06Q50/18: ICT specially adapted for implementation of business processes of specific business sectors; legal services
- H04L67/02: Network arrangements or protocols for supporting network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L67/06: Network arrangements or protocols for supporting network services or applications; protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
- H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
Abstract
The invention discloses a centralized investigation and evidence obtaining system for intelligent mobile devices and an investigation and evidence obtaining method based on it. The system comprises a plurality of intelligent mobile devices running an evidence obtaining client APP, a central server running an investigation and evidence obtaining server APP, and a data analysis terminal. The central server is connected to both a forensics network and an investigation network; the intelligent terminals join the forensics network wirelessly through a wireless access point or over USB wired Ethernet with an isolation function, and the two networks are isolated from each other and forbid mutual access. The central server accepts client connections from the intelligent mobile devices and receives the evidence data, provides the evidence data catalog and the evidence data to the data analysis terminal, and stores the investigation results. The invention achieves high-concurrency evidence collection and distributed sample investigation, with higher investigation and evidence obtaining efficiency.
Description
Technical Field
The invention relates to the technical field of judicial investigation and evidence obtaining, in particular to an intelligent mobile device centralized investigation and evidence obtaining system and an investigation and evidence obtaining method based on the same.
Background
In judicial investigation and evidence collection, cases requiring evidence to be collected from a large number of intelligent devices are frequently encountered. As the storage capacity of intelligent devices grows, the investigation capability of an ordinary computer is limited and its capability for combined investigation is weak. At present, the storage capacity of investigation and evidence collection equipment and programs is low and their concurrency is poor, so a large amount of manpower and equipment is needed to process the devices to be examined one at a time, which affects working efficiency.
Disclosure of Invention
Aiming at the poor evidence obtaining efficiency of existing judicial investigation, the invention provides an intelligent mobile device centralized investigation and evidence obtaining system and an investigation and evidence obtaining method based on it. The system and method achieve high-concurrency evidence collection and distributed sample investigation, ensure procedural compliance, and have higher investigation and evidence obtaining efficiency.
In order to achieve the purpose, the invention adopts the following technical scheme:
In one aspect, the invention provides an intelligent mobile device centralized investigation and evidence obtaining system, comprising a plurality of intelligent mobile devices running an evidence obtaining client APP, a central server running an investigation and evidence obtaining server APP, and a data analysis terminal. The central server is connected to both a forensics network and an investigation network. The forensics network connects the central server with each intelligent terminal; the intelligent terminals join it wirelessly through wireless access points or over USB wired Ethernet with an isolation function, and the two networks are isolated from each other and forbid mutual access. The investigation network connects the data analysis terminal with the central server, and the central server can reach the Internet through the investigation network. The central server accepts client connections from the intelligent mobile devices and receives the evidence data, provides the evidence data catalog and the evidence data to the data analysis terminal, and stores the investigation results. The central server uses NAS, RAID technology and the WebDAV protocol to achieve centralized, highly concurrent investigation and evidence collection.
Further, the investigation and evidence obtaining server APP comprises a file storage module, a case information storage module, a file storage interface, a data interface, an evidence obtaining API interface, an investigation API interface, an evidence obtaining network service and an evidence obtaining network firewall:
the evidence obtaining network service provides network addressing, address allocation, communication and AP terminal control functions for the evidence obtaining network;
the evidence obtaining network firewall restricts network connectivity and terminal access within the evidence obtaining network, ensuring the security and compliance of that network;
the file storage module stores file type data;
the case information storage module stores relational data, namely sample information, inspection reports and the storage locations of the evidence obtaining service's file type data, classified in a database, and provides a classified query function;
the file storage interface encapsulates the file storage function, hides differences between storage back ends, and provides file type data storage to each API;
the evidence obtaining API interface communicates with the evidence obtaining client APP to control the evidence obtaining process; it stores received case information in the case information storage module by calling the data interface, and stores the case's file type data in the file storage module through the file storage interface;
the investigation API interface provides data access services for the data analysis terminal, supplying case and sample data to it and receiving its reports.
Further, the data analysis terminal is a blade server on which a plurality of distributed sample investigation nodes are deployed and connected to the investigation network, each node being provided with an automatic sample investigation analysis program.
Further, the evidence obtaining client APP collects files, case and sample information, call records, short messages and the address list from the intelligent mobile device, packages and signs the data, and sends it to the evidence obtaining API interface over the evidence obtaining network. After receiving the data, the evidence obtaining API interface verifies the signature and integrity, stores the relational data in the case information storage module through the data interface, and stores the file type data in the file storage module through the file storage interface.
Further, the evidence obtaining API interface comprises a case information API and sub evidence obtaining APIs. The case information API comprises a case inquiry function and a sample control function: the case inquiry function returns the case list, the case's evidence obtaining cautions and requirement information for the evidence obtaining personnel to review; the sample control function receives and verifies the case information filled in by the evidence obtaining personnel, returns an authentication and signing key, and grants file storage and evidence obtaining API access permissions, preventing unauthorized access and improving security. The sub evidence obtaining APIs comprise an address book API, a short message API, a call record API and a file API, which respectively receive the address book, short messages, call records and files sent by the evidence obtaining terminal.
Further, the investigation API interface comprises an authentication API, a case API, a sample and data download API and a result feedback API:
the authentication API verifies and identifies investigators and confirms the user's identity and permissions;
the case API returns, according to the investigator's access rights, the case information the investigator is responsible for and the corresponding set of reports;
the sample and data download API provides, according to the investigator's access rights, download of sample information and of evidence data copies encrypted with a key; it also supplies the decryption key corresponding to a copy according to the investigator's authority, and when that authority passes its validity period the decryption authority is withdrawn so the sample can no longer be used;
the result feedback API collects the sample analysis reports produced by investigators and data analysis terminals.
In another aspect, the invention provides an investigation and evidence obtaining method, comprising:
the evidence obtaining client APP is started to begin evidence collection; it accesses the case information API of the evidence obtaining API interface to query cases, the evidence obtaining personnel select the case the sample belongs to and fill in the information the case requires, while the client APP reads the intelligent mobile device's information and fills in the related items automatically;
once the information is filled in, it is submitted to the sample control function of the evidence obtaining API interface, which configures the service and returns a key and the configuration information for the evidence obtaining parameters;
on receiving the configuration, the evidence obtaining client APP configures its evidence obtaining parameters, and the service corresponding to those parameters starts the evidence obtaining process;
for each item of data collected, the evidence obtaining client APP packages, checks and signs the data and sends it, according to its type, to the corresponding API of the evidence obtaining API interface;
after receiving the case and sample information, the evidence obtaining API generates the key and authentication information, stores the case and sample information on the central server, configures the file storage interface and API access permissions, generates the configuration and returns it to the evidence obtaining client APP;
after returning the configuration, the evidence obtaining API waits for the client APP to send evidence data; each item received is verified and checked and, if valid, stored in the file storage module or case information storage module of the central server;
if evidence collection times out, the sample data is invalidated, the sample's state is set to invalidated and collection must be redone; if the completion notification from the evidence obtaining client APP is received, the sample's state is set to completed;
after the state change, the evidence obtaining API closes the API access permission and the file storage access permission, cancels the authentication information and ends evidence collection;
after evidence collection, the central server configures the investigators and their permissions, controlling which investigated samples each may access, and configures the user access permissions of the file storage interface, data interface and investigation API interface so that personnel tasks are divided and their permissions isolated; personnel with the relevant permissions can then use the data analysis terminal to access the investigation API interface and the evidence data for sample analysis;
when an investigator starts an investigation from a data analysis terminal, the investigator first logs in through the authentication API using the authentication information, accesses the case API to obtain the case list and sample list, accesses the sample and data download API according to the case's analysis requirements, downloads the sample data and investigates it, writes a report from the findings, digitally signs the report and uploads it to the result feedback API of the central server, ending the investigation;
after receiving a report, the result feedback API stores it; once all evidence analysis work is complete, the case supervisor can read all reports, summarize them into a final report and submit it to the requesting party.
Compared with the prior art, the invention has the following beneficial effects:
the central server allows high-concurrency evidence collection: each device to be examined runs the evidence obtaining software, joins the evidence obtaining network and writes its data to its own storage area, greatly reducing the evidence obtaining time for large batches of devices. Distributed sample investigation is easily carried out, with multiple nodes processing samples asynchronously and independently of one another, which makes investigation and evidence collection convenient. Security is ensured through the network design, permissions, service isolation and file encryption, giving higher investigation and evidence obtaining efficiency on a compliant basis.
Drawings
Fig. 1 is a schematic structural diagram of the intelligent mobile device centralized investigation and evidence obtaining system according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the evidence obtaining flow of the intelligent mobile device centralized investigation and evidence obtaining system according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the investigation flow of the intelligent mobile device centralized investigation and evidence obtaining system according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the processing flow of the data analysis terminal according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the functional structure of the investigation and evidence obtaining server APP according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of the functional structure of the evidence obtaining client APP according to an embodiment of the present invention;
Fig. 7 is a diagram of the data storage structure according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of the functional structure of the evidence obtaining API interface according to an embodiment of the present invention;
Fig. 9 is a schematic diagram of the functional structure of an API interface according to an embodiment of the present invention;
Fig. 10 is a schematic diagram of the evidence obtaining flow of the investigation and evidence obtaining method according to an embodiment of the present invention;
Fig. 11 is a schematic diagram of the investigation flow of the investigation and evidence obtaining method according to an embodiment of the present invention.
Detailed Description
The invention is further illustrated by the following examples in conjunction with the accompanying drawings:
As shown in Fig. 1, an intelligent mobile device centralized investigation and evidence obtaining system comprises a plurality of intelligent mobile devices running an evidence obtaining client APP, a central server running an investigation and evidence obtaining server APP, and a data analysis terminal. The central server is connected to both a forensics network and an investigation network. The forensics network connects the central server with each intelligent terminal; the intelligent terminals join it wirelessly through wireless access points or over USB wired Ethernet with an isolation function, and the two networks are isolated from each other and forbid mutual access. The investigation network connects the data analysis terminal with the central server, and the central server can reach the Internet through the investigation network. The central server accepts client connections from the intelligent mobile devices and receives the evidence data, provides the evidence data catalog and the evidence data to the data analysis terminal, and stores the investigation results. The central server uses NAS, RAID technology and the WebDAV protocol to achieve centralized, highly concurrent investigation and evidence collection.
Further, the central server uses RAID technology to ensure large-capacity, high-throughput and reliable central storage, and uses the WebDAV protocol for data transfer. The control program of the central server (the investigation and evidence obtaining server APP) exchanges control data over HTTP (hypertext transfer protocol) and controls the WebDAV access permissions according to the service flow, realizing the collection and analysis of data.
Further, the central server connects to the evidence obtaining network and the investigation network through several 10 Gb network cards, using link load balancing to increase bandwidth and throughput. Several HBA cards connect a number of large-capacity disks, and solid state disks on PCIe NVMe interfaces serve as cache acceleration. A software RAID10 or RAIDZ2/RAIDZ3 is built on the disks to increase reliability and throughput, and a Linux operating system is installed.
A DHCP service is installed in the central server's operating system to provide address allocation for the evidence obtaining network, a firewall service is installed to isolate network traffic, and AP control software is installed to manage AP names and device roaming. The investigation and evidence obtaining server APP is installed in the operating system to control the evidence obtaining and investigation business.
Specifically, the hardware and software configuration of the central server is as follows:
a) Motherboard: Supermicro M12SWA-TF workstation motherboard (AMD 3995WX/3975WX).
b) CPU: AMD Threadripper 3995WX (64 cores, 128 threads, 2.7 GHz).
c) Memory: 8 × 256 GB ECC DDR4 3200 MHz SDRAM, 2 TB in total.
d) 4 × ADATA XPG S11 Pro 2 TB M.2 (NVMe) SSDs, connected directly to the motherboard NVMe interfaces and grouped as RAID10 for use as a read/write cache.
e) 2 × Western Digital SN640 series 960 GB U.2 SSDs, connected directly to the motherboard and grouped as RAID1 to hold the operating system.
f) 8 × Western Digital 18 TB HC550 SATA 6 Gb/s 7200 rpm HDDs with 512 MB cache for data storage; 4 of them are connected directly to the motherboard SATA ports in pass-through mode.
g) 1 × MegaRAID 9460-16i to extend the hard disk interfaces; the disks are attached directly, with 4 HDDs per connector.
h) The 8 hard disks form a RAID6 mounted at /mnt; the usable space in RAID6 mode is 108 TB. Assuming 256 GB per mobile phone and a 1:1 ratio of analysis output to raw data, this holds the data of 200 mobile phones.
i) 1 × PCIe x8 four-port 10 Gb SFP+ fiber server network card (Intel 82599/XL710 chips), fitted with 4 × 10 Gb SFP+ multimode 850 nm dual-fiber 300 m optical modules; 2 ports connect to the evidence obtaining network switch with link load balancing, and the remaining 2 ports connect to the analysis network switch with link load balancing.
j) The central server runs the investigation and evidence obtaining server APP and a DHCP service providing address allocation for the evidence obtaining network, and its firewall is configured to block layer-3 communication between terminals of the evidence obtaining network and any access from that network to external networks.
Further, as shown in Fig. 2, the evidence obtaining process of the intelligent mobile device centralized investigation and evidence obtaining system is as follows:
1. The administrator creates the case through the investigation and evidence obtaining server APP, which creates a new case database and case folder in the central server's storage space. The intelligent mobile device connects to a wireless access point of the evidence obtaining network to complete its network connection.
2. The evidence obtaining client APP is run on the intelligent mobile device and downloads the case list by accessing the investigation and evidence obtaining server APP on the central server. After the client APP guides the evidence obtaining personnel to grant all the read permissions required on the intelligent mobile device, the personnel select from the case list the case the device belongs to. The client APP then reads the device's basic information and the personnel fill in supplementary information about the device. The client APP sends the collected information to the server APP over HTTP and waits for a response.
3. After receiving the device information, the investigation and evidence obtaining server APP stores it in the case database or case folder of the selected case. Using the sample's unique identification number, it creates a sample folder in the case directory and an original data folder within it, creates WebDAV authentication information, sets the folder to a mode allowing only upload and resumed transfer, and allows the evidence obtaining client APP to write the mobile phone data into that folder over the WebDAV protocol. The WebDAV address and authentication information are returned to the client APP.
4. After receiving the server APP's response, the evidence obtaining client APP configures its WebDAV parameters, collects the evidence data and stores the original data, address list, call records, files and short messages in the corresponding subdirectories of the original data folder by category.
5. After the investigation and evidence obtaining server APP receives a file sent by the client, it stores the file at the target location, calculates its checksum and records the file information in the sample database.
6. Several intelligent mobile devices can be examined at the same time, and the evidence obtaining flows of the individual samples do not affect one another. When evidence collection for a device finishes, the central server is notified of the end of sample evidence collection by an HTTP request.
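As an added example that is not part of the patent, the following Python model runs the evidence obtaining exchange described in the method above (sample control, per-sample key, signed and checksummed uploads, timeout and completion handling) and in steps 3 to 6 of Fig. 2. The signing algorithm (HMAC-SHA256 with the key returned by sample control), the timeout value, the data categories and the in-memory stores are assumptions, as the patent names none of them.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed parameters: the patent gives no timeout value or signature scheme.
FORENSICS_TIMEOUT = 3600                               # seconds an upload grant stays valid
CATEGORIES = {"raw", "contacts", "calls", "files", "sms"}


def _signing_input(sample_id: str, category: str, name: str, checksum: str) -> bytes:
    # Canonical encoding of what the client signs (assumed format): binding the
    # sample, the category, the file name and the checksum prevents re-labelling.
    return json.dumps([sample_id, category, name, checksum]).encode()


class ForensicsClient:
    """Evidence obtaining client APP: packages, checksums and signs each item."""

    def __init__(self, config: dict):
        self.sample_id = config["sample_id"]
        self.key = bytes.fromhex(config["key"])        # key issued by sample control

    def package(self, category: str, name: str, data: bytes) -> dict:
        checksum = hashlib.sha256(data).hexdigest()
        sig = hmac.new(self.key, _signing_input(self.sample_id, category, name, checksum),
                       hashlib.sha256).hexdigest()
        return {"sample_id": self.sample_id, "category": category, "name": name,
                "checksum": checksum, "signature": sig, "data": data}

    def finish_notice(self) -> dict:
        # Signed completion notification ("evidence obtaining end" HTTP request).
        sig = hmac.new(self.key, _signing_input(self.sample_id, "done", "", ""),
                       hashlib.sha256).hexdigest()
        return {"sample_id": self.sample_id, "signature": sig}


class ForensicsAPI:
    """Evidence obtaining API interface: sample control, upload checks, sample state."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so the timeout rule can be tested
        self.samples = {}                  # sample_id -> case, key, state, files (sample DB)
        self.file_store = {}               # (sample_id, category, name) -> bytes

    def sample_control(self, case_id: str, device_info: dict) -> dict:
        """Register a sample, issue its key and an upload-only grant for its folder."""
        sample_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.samples[sample_id] = {"case": case_id, "device": device_info, "key": key,
                                   "state": "forensics", "started": self.clock(), "files": []}
        return {"sample_id": sample_id, "key": key.hex(),
                "upload_path": f"/cases/{case_id}/{sample_id}/raw", "mode": "upload-only"}

    def _active(self, sample_id: str):
        # Returns the sample record only while its grant is open; applies the timeout.
        s = self.samples.get(sample_id)
        if s is None or s["state"] != "forensics":
            return None
        if self.clock() - s["started"] > FORENSICS_TIMEOUT:
            s["state"] = "invalidated"     # timed out: sample must be redone
            s["key"] = None                # cancel the authentication information
            return None
        return s

    def receive(self, pkg: dict) -> str:
        """Verify signature and integrity of an uploaded item, then store it."""
        s = self._active(pkg["sample_id"])
        if s is None:
            return "rejected: no active grant"
        if pkg["category"] not in CATEGORIES:
            return "rejected: unknown category"
        expected = hmac.new(s["key"], _signing_input(pkg["sample_id"], pkg["category"],
                            pkg["name"], pkg["checksum"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, pkg["signature"]):
            return "rejected: bad signature"
        if hashlib.sha256(pkg["data"]).hexdigest() != pkg["checksum"]:
            return "rejected: checksum mismatch"
        self.file_store[(pkg["sample_id"], pkg["category"], pkg["name"])] = pkg["data"]
        s["files"].append({"category": pkg["category"], "name": pkg["name"],
                           "checksum": pkg["checksum"], "size": len(pkg["data"])})
        return "stored"

    def finish(self, notice: dict) -> str:
        """Completion notification: close access and revoke the sample's credentials."""
        s = self._active(notice["sample_id"])
        if s is None:
            return "rejected: no active grant"
        expected = hmac.new(s["key"], _signing_input(notice["sample_id"], "done", "", ""),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, notice["signature"]):
            return "rejected: bad signature"
        s["state"] = "completed"
        s["key"] = None                    # API and file storage access are now closed
        return "completed"

    def state(self, sample_id: str) -> str:
        self._active(sample_id)            # apply the timeout rule before reporting
        return self.samples[sample_id]["state"]
```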
Further, as shown in Fig. 3, the investigation flow of the intelligent mobile device centralized investigation and evidence obtaining system is as follows:
1. The data analysis terminal connects to the central server through the investigation network; after authentication it can view the case list over HTTP and create cases.
2. The data analysis terminal downloads the case database and, according to the information in it, the sample databases and sample files for which evidence collection has completed. The investigator can adjust the range of downloaded content to the performance and capacity of the data analysis terminal.
3. The investigator analyzes the evidence files with the automatic sample investigation analysis program and uploads the results to the central server at sample granularity.
4. After receiving a sample investigation result, the central server stores it in the folder corresponding to the sample.
5. After all samples of a case have been investigated, the administrator summarizes the results of all samples and outputs a complete final case investigation report.
6. Multiple devices can investigate samples at the same time, and a case can have multiple results.
Specifically, the forensics network hardware is configured as follows:
a) A MikroTik CRS328-24P-4S+RM managed routing switch (24 gigabit PoE ports, 4 10-gigabit SFP+ ports), 2 10-gigabit SFP+ optical modules (10G multimode fiber, 850 nm, dual-fiber, 300 m), and the central server.
b) 5 H3C Mini A50-E units as AP access points, serving as the wireless access points of the forensics network, and 10 TP-LINK TL-U8 gaming/live-streaming switches as the wired access points of the forensics network.
Specifically, the investigation network hardware is configured as follows:
a) A MikroTik CRS328-4C-20S-4S+RM 24-port gigabit managed routing switch, with 2 10-gigabit SFP+ optical modules (10G multimode fiber, 850 nm, dual-fiber, 300 m) connected to the central server.
b) 1 SFP+/10GE port is connected to the external network, and 1 SFP+/10GE port is connected to the distributed cluster switch.
Furthermore, the data analysis terminal is a blade server; each blade chassis is deployed with multiple distributed sample investigation nodes, the distributed sample investigation nodes are connected to the investigation network, and each node is installed with the automatic sample investigation analysis program.
As shown in fig. 4, the central server allocates samples that have not yet been automatically analysed to idle investigation nodes. When a node is idle, it accesses the central server to obtain case data for analysis. The central server selects an unallocated sample that has not been automatically analysed and sends it to the requesting node: the sample information, data and database are sent to the investigation node.
The investigation node extracts data according to the common questions of forensic work, stores the relevant data in the case information base over the HTTP protocol, and constructs data such as a relationship network, communication permissions and a communication heat map to assist the analyst's decision-making. It produces an automatic investigation report based on the sample information.
After an investigation node finishes its investigation and analysis, it uploads the report over HTTP and fetches the next investigation and analysis task.
Through distributed automatic investigation and analysis, the workload of investigation and forensics personnel can be greatly reduced, and they are guided to carry out targeted manual forensic work.
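The allocation loop of fig. 4, as an added example written for this page (not the patent's code): an idle node asks the central server for work, the server hands out one unallocated, not-yet-analysed sample under a lease, accepts the report only from the node that holds the sample, and returns a sample to the queue when its lease expires because the node went silent. Selecting and assigning happen under one lock, which is what keeps the nodes' work independent of each other. The class and method names, the lease mechanism and the state names are assumptions.

```python
"""Central-server allocation of unanalysed samples to idle investigation nodes.

Added example, not the patent's code. Names, states and the lease are
assumptions; the sample ids used in the usage at the bottom are constructed.
"""
import threading
from typing import Optional

UNANALYSED, ASSIGNED, ANALYSED = "unanalysed", "assigned", "analysed"


class Sample:
    def __init__(self, sample_id: str):
        self.sample_id = sample_id
        self.state = UNANALYSED
        self.node: Optional[str] = None      # node currently holding the sample
        self.lease_expires = 0.0             # timestamp after which it is reclaimed
        self.report: Optional[dict] = None


class Scheduler:
    def __init__(self, lease_seconds: float = 600.0):
        self.lease_seconds = lease_seconds
        self.samples: dict = {}              # sample_id -> Sample, insertion ordered
        self._lock = threading.Lock()

    def add_sample(self, sample_id: str) -> None:
        with self._lock:
            self.samples[sample_id] = Sample(sample_id)

    def request_task(self, node_id: str, now: float) -> Optional[str]:
        """An idle node asks for work; returns a sample id or None if nothing is pending.

        Select-and-assign runs under the lock, so two nodes asking at the same
        moment can never be given the same sample.
        """
        with self._lock:
            self._reclaim_expired(now)
            for s in self.samples.values():
                if s.state == UNANALYSED:
                    s.state, s.node = ASSIGNED, node_id
                    s.lease_expires = now + self.lease_seconds
                    return s.sample_id
            return None

    def submit_report(self, node_id: str, sample_id: str, report: dict, now: float) -> bool:
        """Accept a report only from the node that currently holds a live lease."""
        with self._lock:
            s = self.samples.get(sample_id)
            if s is None or s.state != ASSIGNED or s.node != node_id or now > s.lease_expires:
                return False                 # stale, duplicate or foreign report
            s.state, s.report = ANALYSED, report
            return True

    def _reclaim_expired(self, now: float) -> int:
        """Return samples whose node went silent to the queue (lock already held)."""
        reclaimed = 0
        for s in self.samples.values():
            if s.state == ASSIGNED and now > s.lease_expires:
                s.state, s.node = UNANALYSED, None
                reclaimed += 1
        return reclaimed

    def progress(self) -> dict:
        """Counts per state, e.g. {'unanalysed': 1, 'assigned': 1, 'analysed': 1}."""
        with self._lock:
            counts = {UNANALYSED: 0, ASSIGNED: 0, ANALYSED: 0}
            for s in self.samples.values():
                counts[s.state] += 1
            return counts


if __name__ == "__main__":
    sched = Scheduler(lease_seconds=10)
    for sid in ("S1", "S2", "S3"):          # constructed sample ids
        sched.add_sample(sid)
    print(sched.request_task("node-a", now=0), sched.request_task("node-b", now=0))
    print(sched.submit_report("node-a", "S1", {"contacts": 12}, now=2))
    print(sched.request_task("node-c", now=20), sched.progress())
```

The lease is the failure-mode handling: without it a node that crashed mid-analysis would hold its sample forever, and with it a late report from the crashed node is rejected because the sample has been reassigned.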
Specifically, the distributed sample investigation nodes are configured as follows:
a) A Huawei FusionServer X6800 chassis + 8 XH620 V3 nodes + quad power supply + H3C Mini S1226FX, connected to the investigation network.
b) Each node: E5-2603 V3 + 16 GB memory + 300 GB SAS HDD; each node's network port is connected to the switch.
c) Each node runs the distributed automatic sample investigation analysis program.
Further, as shown in fig. 5, the investigation and forensics server-side APP includes a file storage module, a case information storage module, a file storage interface, a data interface, a forensics API interface, an investigation API interface, a forensics network service, and a forensics network firewall;
the forensics network service provides network addressing, address allocation, communication and AP terminal control functions for the forensics network;
the forensics network firewall restricts the network connectivity of terminals in the forensics network, restricts terminal access, and ensures the security and compliance of the forensics network;
the file storage module stores file-type data; it can be implemented with NAS, local storage, mounted external storage, or object storage;
the case information storage module stores relational data, comprising sample information, inspection reports and forensics service data, stored in a database by category, and provides a categorized query function; the module may be a database;
the file storage interface encapsulates the file storage function, hides the differences between storage modes, and provides a file-type data storage function to each API; generally the WebDAV function is used; the file storage interface has authentication and access control functions, and only authorized users are allowed to read/download files;
the forensics API communicates with the forensics client APP to control the forensics process; the forensics API stores received case information in the case information storage module through the data interface, and stores the file-type data of the case in the file storage module through the file storage interface;
the investigation API interface provides data access services to the data analysis terminal, supplies case and sample data to the data analysis terminal, and receives the data analysis terminal's reports.
Further, as shown in figs. 6 and 7, the forensics client APP collects the files, case and sample information, call records, short messages and address book of the intelligent mobile device; the forensics client APP packages and signs the data and sends it to the forensics API interface through the forensics network; after the forensics API interface receives the data, it verifies the signature and integrity, stores the relational data in the case information storage module through the data interface, and stores the file-type data in the file storage module through the file storage interface.
Further, as shown in fig. 8, the forensics API interface includes a case information API and sub-forensics APIs; the case information API comprises a case query function and a sample control function, where the case query function returns the case list, case forensics precautions and requirement information for the forensics personnel to check, and the sample control function receives and verifies the case information filled in by the forensics personnel, returns an authentication and signing key, and allocates file storage and forensics API access rights; the sub-forensics APIs comprise an address book forensics API, a short message forensics API, a call record forensics API and a file forensics API, which respectively receive the address book, short messages, call records and files sent by the forensics terminal.
Further, as shown in fig. 9, the investigation API interface includes an authentication API, a case API, a sample and data download API, and a result feedback API;
the authentication API verifies and identifies investigators and approves the user's identity and authority;
the case API returns the case information and the corresponding report set that the investigator is responsible for, according to the investigator's access rights;
the sample and data download API controls the investigator's access rights and provides download services for sample information and copies of forensic data to the investigator; specifically, the interface is read-only and makes no modification to sample data; the sample copy provided by the API is encrypted with a key, the API provides the decryption key corresponding to the copy according to the investigator's authority, and once the validity period is exceeded the API withdraws the decryption authority so that the sample can no longer be used; after leaving the investigation and forensics environment the sample cannot be decrypted because the API cannot be reached, which ensures security (this statement can be placed in the embodiment);
the result feedback API collects the sample analysis reports produced by investigators and data analysis terminals.
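The time-limited decryption authority of the sample and data download API, as an added example written for this page (not the patent's code): the server keeps one content key per sample and never serves plaintext; the read-only download returns an encrypted copy, and the key is released only while the investigator's grant is unexpired and unrevoked, so a copy already downloaded becomes unusable once the validity period passes. The HMAC-based keystream cipher is a stand-in so the example runs with the standard library alone; a deployment would use an authenticated cipher such as AES-GCM. The class, method names and the grant layout are assumptions.

```python
"""Time-limited access to encrypted sample copies (sample and data download API).

Added example, not the patent's code. The keystream below is a stand-in for an
AEAD such as AES-GCM; names and the grant layout are assumptions.
"""
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in, not an AEAD).

    Symmetric: applying it twice with the same key and nonce restores the data.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class SampleDownloadAPI:
    def __init__(self):
        self.content_keys = {}   # sample_id -> 32-byte key held only by the server
        self.copies = {}         # sample_id -> (nonce, ciphertext)
        self.grants = {}         # (investigator, sample_id) -> expiry timestamp

    def store_sample(self, sample_id: str, plaintext: bytes) -> None:
        """Encrypt a sample copy under a fresh per-sample key."""
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self.content_keys[sample_id] = key
        self.copies[sample_id] = (nonce, keystream_xor(key, nonce, plaintext))

    def grant(self, investigator: str, sample_id: str, expires_at: float) -> None:
        self.grants[(investigator, sample_id)] = expires_at

    def revoke(self, investigator: str, sample_id: str) -> None:
        self.grants.pop((investigator, sample_id), None)

    def download_copy(self, investigator: str, sample_id: str, now: float) -> tuple:
        """Read-only: returns (nonce, ciphertext) to an investigator with a grant."""
        if not self._grant_valid(investigator, sample_id, now):
            raise PermissionError("no valid grant for this sample")
        return self.copies[sample_id]

    def release_key(self, investigator: str, sample_id: str, now: float) -> bytes:
        """The decryption key, only while the grant is valid; checked on every call."""
        if not self._grant_valid(investigator, sample_id, now):
            raise PermissionError("decryption authority expired or revoked")
        return self.content_keys[sample_id]

    def _grant_valid(self, investigator: str, sample_id: str, now: float) -> bool:
        expiry = self.grants.get((investigator, sample_id))
        return expiry is not None and now <= expiry and sample_id in self.copies


def open_copy(api: SampleDownloadAPI, investigator: str, sample_id: str, now: float) -> bytes:
    """Data analysis terminal side: fetch the copy and the key, decrypt locally."""
    nonce, ciphertext = api.download_copy(investigator, sample_id, now)
    key = api.release_key(investigator, sample_id, now)
    return keystream_xor(key, nonce, ciphertext)


def access_allowed(api: SampleDownloadAPI, investigator: str, sample_id: str, now: float) -> bool:
    """True if the investigator can currently open the sample copy."""
    try:
        open_copy(api, investigator, sample_id, now)
        return True
    except PermissionError:
        return False
```

Because the key is fetched per session rather than stored with the copy, the "cannot be decrypted outside the environment" property holds only if the terminal does not cache the key; the policy check belongs on the server, where a shortened validity period or a revocation takes effect on the next request.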
On the basis of the above embodiments, as shown in figs. 10 and 11, another aspect of the present invention provides an investigation and forensics method, including:
starting the forensics client APP to begin forensic collection; the forensics client APP accesses the case information API in the forensics API interface to query cases, the forensics personnel select the case the sample belongs to and fill in the information the case requires, and at the same time the forensics client APP obtains the information of the intelligent mobile device and fills in the related items automatically;
after the information is filled in, it is submitted to the sample control function of the forensics API interface; after the sample control function has configured the service, it returns a key and the configuration information for the forensics parameters;
after receiving the configuration information, the forensics client APP configures the forensics parameters and, once configuration is complete, starts the forensics process;
for each item of data collected, the forensics client APP packages, verifies and signs the data and sends it to the corresponding API in the API interface according to its type;
after receiving the case and sample information, the forensics API generates a key and authentication information, stores the case and sample information in the central server, configures the file storage interface and the API access rights, generates the configuration and returns it to the forensics client APP;
after the configuration is returned, the forensics API waits for the forensics client APP to send forensic data; when it receives forensic data, it checks and verifies it and stores the valid data in the file storage module or the case information storage module of the central server;
if forensic collection times out, the sample data is invalidated, the sample state is changed to invalid and collection must be redone; if the collection-complete notification sent by the forensics client APP is received, the sample state is changed to completed;
after the state change, the forensics API closes the API access rights and the file storage access rights, revokes the authentication information, and forensic collection ends;
after forensic collection, the central server configures the investigators and their authorities, controls which investigated samples the investigators may access, and configures the user access rights of the file storage interface, the data interface and the investigation API interface, achieving division of labour and isolation of personnel task authorities; personnel with the relevant authority can then use the data analysis terminal to access the investigation API interface and the forensic data to carry out sample analysis;
when an investigator starts an investigation from the data analysis terminal, they first log in by presenting their authentication information to the authentication API, then access the case API to obtain the case list and sample list; according to the case analysis requirements the investigator accesses the sample and data download API, downloads the sample data and investigates it; the investigator opens the sample data and analyses the sample files and database in it with the data analysis terminal to look for useful information; after the investigation, a report is formed from the information found, the report is digitally signed, the result is uploaded to the result feedback API of the central server, and the investigation ends;
after receiving the report, the result feedback API stores it; after all forensic analysis work is complete, the case supervisor can read all reports, summarize them into a final report, and submit the final report to the requesting party.
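The client/API exchange of figs. 6 to 8 and the collection steps of the method above, as one added example written for this page (not the patent's code): the sample control function issues a per-sample signing key and opens access; the client packages each collected item with a SHA-256 digest and an HMAC-SHA256 signature; the forensics API verifies signature and integrity, routes relational data and file data to their stores, and moves the sample to completed or, on timeout, to invalid, at which point the key is dropped so further uploads are refused. The JSON envelope, the class and function names and the category sets are assumptions; the data items are constructed.

```python
"""Forensics client / forensics API exchange with sample state handling.

Added example, not the patent's code. Envelope layout, names, categories and
the state names are assumptions.
"""
import hashlib
import hmac
import json
import secrets

COLLECTING, COMPLETED, INVALID = "collecting", "completed", "invalid"
RELATIONAL = {"contacts", "sms", "call_records"}   # -> case information store
FILE_TYPES = {"files"}                              # -> file store


class ForensicsAPI:
    def __init__(self, timeout_seconds: float = 3600.0):
        self.timeout = timeout_seconds
        self.samples = {}   # sample_id -> {key, state, deadline, relational, files}

    # sample control function: verify the case, issue key, open access rights
    def register_sample(self, case_id: str, device_info: dict, now: float) -> dict:
        sample_id = f"{case_id}-{secrets.token_hex(4)}"
        key = secrets.token_bytes(32)
        self.samples[sample_id] = {"key": key, "state": COLLECTING,
                                   "deadline": now + self.timeout,
                                   "device": device_info,
                                   "relational": {}, "files": {}}
        # The client receives the key once; the server keeps its own copy.
        return {"sample_id": sample_id, "key": key, "deadline": now + self.timeout}

    # sub-forensics APIs: verify signature and integrity, then store
    def receive(self, envelope: dict, now: float) -> str:
        s = self.samples.get(envelope.get("sample_id"))
        if s is None or s["state"] != COLLECTING:
            return "rejected: no open sample"        # access already closed
        if now > s["deadline"]:
            self._set_state(s, INVALID)              # timeout: sample must be redone
            return "rejected: timed out"
        body = envelope["body"]
        expected = hmac.new(s["key"], body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["signature"]):
            return "rejected: bad signature"
        item = json.loads(body)
        if item["sample_id"] != envelope["sample_id"]:
            return "rejected: sample mismatch"
        data = bytes.fromhex(item["data_hex"])
        if hashlib.sha256(data).hexdigest() != item["sha256"]:
            return "rejected: integrity check failed"
        if item["category"] in RELATIONAL:
            s["relational"].setdefault(item["category"], []).append(data)
        elif item["category"] in FILE_TYPES:
            s["files"][item["name"]] = data
        else:
            return "rejected: unknown category"
        return "stored"

    def complete(self, sample_id: str, now: float) -> str:
        """Completion notice from the client; late notices still invalidate."""
        s = self.samples[sample_id]
        if s["state"] == COLLECTING:
            self._set_state(s, INVALID if now > s["deadline"] else COMPLETED)
        return s["state"]

    def _set_state(self, s: dict, state: str) -> None:
        """Any transition out of COLLECTING closes access and drops the key."""
        s["state"] = state
        s["key"] = None


def package(sample_id: str, key: bytes, category: str, name: str, data: bytes) -> dict:
    """Client side: wrap one collected item with its digest and HMAC signature."""
    body = json.dumps({"sample_id": sample_id, "category": category, "name": name,
                       "sha256": hashlib.sha256(data).hexdigest(),
                       "data_hex": data.hex()}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"sample_id": sample_id, "body": body, "signature": sig}
```

Dropping the key on every exit from the collecting state is what implements "closes the API access authority and cancels the authentication information": there is no separate flag to forget, because a sample without a key cannot verify anything.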
In summary,
1. The invention uses a central server and can achieve highly concurrent forensic collection: the forensics devices run the forensics software, connect to the forensics network and each write data into their own storage area, which greatly reduces the forensic collection time for large batches of devices.
2. The central server can use network link load balancing and AP multipoint access to increase network throughput and handle the large-scale data transfers of investigation and forensics.
3. Using a central server makes data convenient to store and use and increases reliability and throughput; compared with distributed forensic collection, the central server can use Redundant Array of Independent Disks (RAID) technology to provide redundant backup of the data while improving throughput, and high-speed hard disk caching can further raise throughput to meet the read/write demands of large-scale investigation and forensics data.
4. Using a central server facilitates distributed manual/automated sample investigation. Manual work can use multiple nodes to process samples asynchronously; the work of the nodes is independent and does not interfere, which makes investigation and forensics convenient.
5. By means of the central server, automatic distributed forensics devices can conveniently be used to pre-analyse and pre-process samples and to guide the manual investigation and forensics work.
The above describes only the preferred embodiments of the present invention; it should be noted that those skilled in the art can make various modifications and improvements without departing from the principle of the present invention, and these modifications and improvements should also be regarded as within the protection scope of the present invention.
Claims (7)
1. An intelligent mobile device centralized investigation and forensics system, characterized in that it comprises: a plurality of intelligent mobile devices equipped with forensics client APPs, a central server equipped with an investigation and forensics server-side APP, and a data analysis terminal; the central server is connected simultaneously to a forensics network and an investigation network; the forensics network connects the central server with each intelligent terminal, the intelligent terminals connecting to the forensics network wirelessly through wireless access points or through a USB wired Ethernet adapter with an isolation function, and the two networks are isolated from each other and forbid mutual access; the investigation network connects the data analysis terminal with the central server, and the central server can connect to the Internet through the investigation network; the central server receives client connections from the intelligent mobile devices and receives forensic data, provides the forensic data catalogue and forensic data to the data analysis terminal, and stores investigation results; the central server uses NAS, RAID technology and the WebDAV protocol to achieve centralized, highly concurrent investigation and forensic collection.
2. The system of claim 1, wherein the investigation and forensics server-side APP comprises a file storage module, a case information storage module, a file storage interface, a data interface, a forensics API interface, an investigation API interface, a forensics network service, and a forensics network firewall;
the forensics network service provides network addressing, address allocation, communication and AP terminal control functions for the forensics network;
the forensics network firewall restricts the network connectivity of terminals in the forensics network, restricts terminal access, and ensures the security and compliance of the forensics network;
the file storage module stores file-type data;
the case information storage module stores relational data, comprising sample information, inspection reports and the locations of forensics service file-type data, stored in a database by category, and provides a categorized query function;
the file storage interface encapsulates the file storage function, hides the differences between storage modes, and provides a file-type data storage function to each API;
the forensics API interface communicates with the forensics client APP to control the forensics process; the forensics API interface stores received case information in the case information storage module by calling the data interface function, and stores the file-type data of the case in the file storage module through the file storage interface;
the investigation API interface provides data access services to the data analysis terminal, supplies case and sample data to the data analysis terminal, and receives the data analysis terminal's reports.
3. The system according to claim 1, wherein the data analysis terminal is a blade server on which a plurality of distributed sample investigation nodes are deployed and connected to the investigation network, and each node is installed with an automatic sample investigation analysis program.
4. The system of claim 2, wherein the forensics client APP collects the files, case and sample information, call records, short messages and address book of the intelligent mobile device; the forensics client APP packages and signs the data and sends it to the forensics API interface through the forensics network; after the forensics API interface receives the data, it verifies the signature and integrity, stores the relational data in the case information storage module through the data interface, and stores the file-type data in the file storage module through the file storage interface.
5. The system of claim 4, wherein the forensics API interface comprises a case information API and sub-forensics APIs; the case information API comprises a case query function and a sample control function, where the case query function returns the case list, case forensics precautions and requirement information for the forensics personnel to check, and the sample control function receives and verifies the case information filled in by the forensics personnel, returns an authentication and signing key, and allocates file storage and forensics API access rights to prevent unauthorized access and improve security; the sub-forensics APIs comprise an address book forensics API, a short message forensics API, a call record forensics API and a file forensics API, which respectively receive the address book, short messages, call records and files sent by the forensics terminal.
6. The system of claim 1, wherein the investigation API interface comprises an authentication API, a case API, a sample and data download API, and a result feedback API;
the authentication API verifies and identifies investigators and approves the user's identity and authority;
the case API returns the case information and the corresponding report set that the investigator is responsible for, according to the investigator's access rights;
the sample and data download API provides download services for sample information and key-encrypted copies of forensic data to the investigator according to the investigator's access rights; it also provides the decryption key corresponding to the copy according to the investigator's authority, and once the validity period is exceeded the decryption authority is withdrawn so that the sample can no longer be used;
the result feedback API collects the sample analysis reports produced by investigators and data analysis terminals.
7. An investigation and forensics method based on the intelligent mobile device centralized investigation and forensics system of any one of claims 1-6, comprising:
starting the forensics client APP to begin forensic collection; the forensics client APP accesses the case information API in the forensics API interface to query cases, the forensics personnel select the case the sample belongs to and then fill in the information the case requires, and at the same time the forensics client APP acquires the information of the intelligent mobile device and fills in the related items automatically;
after the information is filled in, it is submitted to the sample control function of the forensics API interface; after the sample control function has configured the service, it returns a key and the configuration information for the forensics parameters;
after receiving the configuration information, the forensics client APP configures the forensics parameters and, once configuration is complete, the service corresponding to the parameters starts the forensics process;
for each item of data collected, the forensics client APP packages, verifies and signs the data and sends it to the corresponding API in the API interface according to its type;
after receiving the case and sample information, the forensics API generates a key and authentication information, stores the case and sample information in the central server, configures the file storage interface and the API access rights, generates the configuration and returns it to the forensics client APP;
after the configuration is returned, the forensics API waits for the forensics client APP to send forensic data; when it receives forensic data, it checks and verifies it and stores the valid data in the file storage module or the case information storage module of the central server;
if forensic collection times out, the sample data is invalidated, the sample state is changed to invalid and collection must be redone; if the collection-complete notification sent by the forensics client APP is received, the sample state is changed to completed;
after the state change, the forensics API closes the API access rights and the file storage access rights, revokes the authentication information, and forensic collection ends;
after forensic collection, the central server configures the investigators and their authorities, controls which investigated samples the investigators may access, and configures the user access rights of the file storage interface, the data interface and the investigation API interface, achieving division of labour and isolation of personnel task authorities; personnel with the relevant authority can then use the data analysis terminal to access the investigation API interface and the forensic data to carry out sample analysis;
when an investigator starts an investigation from a data analysis terminal, they first log in by presenting their authentication information to the authentication Application Program Interface (API), access the case API to obtain the case list and sample list, access the sample and data download API according to the case analysis requirements, download the sample data and investigate it, form a report from the information found after the investigation, digitally sign the report, upload the result to the result feedback API of the central server, and end the investigation;
after receiving the report, the result feedback API stores it; after all forensic analysis work is finished, the case supervisor can read all reports, summarize them into a final report, and submit the final report to the requesting party.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210792226.4A CN115189935B (en) | 2022-07-07 | 2022-07-07 | Intelligent mobile device centralized investigation evidence collection system and investigation evidence collection method based on same |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115189935A true CN115189935A (en) | 2022-10-14 |
CN115189935B CN115189935B (en) | 2023-10-13 |
Family
ID=83517987
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210792226.4A Active CN115189935B (en) | 2022-07-07 | 2022-07-07 | Intelligent mobile device centralized investigation evidence collection system and investigation evidence collection method based on same |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115189935B (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110153748A1 (en) * | 2009-12-18 | 2011-06-23 | Electronics And Telecommunications Research Institute | Remote forensics system based on network |
CN103258149A (en) * | 2012-07-27 | 2013-08-21 | 天津中启创科技有限公司 | Online reading system and method based on cloud computing |
CN107563713A (en) * | 2017-06-20 | 2018-01-09 | 华迪计算机集团有限公司 | A kind of electronic document system and its method for operation monitoring |
CN108667835A (en) * | 2018-05-04 | 2018-10-16 | 法信公证云(厦门)科技有限公司 | A kind of control remote equipment carries out method, system and the storage medium of network forensics |
CN111090779A (en) * | 2019-03-01 | 2020-05-01 | 王文梅 | Cloud storage and retrieval analysis method for case-handling exploration evidence-taking data |
CN112016897A (en) * | 2020-08-29 | 2020-12-01 | 重庆市合川区公安局 | Electronic data evidence obtaining system of intelligent terminal equipment and acquisition and uploading method thereof |
CN112054911A (en) * | 2020-09-11 | 2020-12-08 | 杭州安恒信息安全技术有限公司 | Intelligent equipment multi-way investigation evidence obtaining device based on Internet of things |
CN113114615A (en) * | 2021-02-23 | 2021-07-13 | 北京联合信任技术服务有限公司 | Device, system, method, storage medium, and program product for preventing data hijacking |
Timeline: 2022-07-07, application CN202210792226.4A (CN), granted as CN115189935B, status: Active
Also Published As
Publication number | Publication date |
---|---|
CN115189935B (en) | 2023-10-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7418702B2 (en) | Concurrent web based multi-task support for control management system | |
CN103475682B (en) | File transfer method and file transfer equipment | |
JP2022062705A (en) | Computer-implemented methods, computer systems and programs for generating blockchain-implemented data migration audit trail (blockchain-implemented data migration audit trail) | |
CN102307210A (en) | Data downloading system and data management and downloading method thereof | |
CN106302609A (en) | A kind of access method and device | |
US11645424B2 (en) | Integrity verification in cloud key-value stores | |
CN110865841A (en) | System and method for upgrading ECU software in engineering machinery vehicle | |
CN110442561B (en) | Block chain-based distributed file storage system and storage method thereof | |
CN103716174A (en) | Test log acquisition system and method for the same | |
CN109508236A (en) | A kind of big data cloud computing operating system | |
US20120078946A1 (en) | Systems and methods for monitoring files in cloud-based networks | |
CN105095103A (en) | Storage device management method and device used for cloud environment | |
KR20120044550A (en) | Cloud storage server and system by use of virtual nas and method thereof | |
CN114969066A (en) | Enterprise management data interaction system and method based on big data regulation and control | |
CN113836237A (en) | Method and device for auditing data operation of database | |
Xiong et al. | Design and implementation of microservices gateway based on spring cloud zuul | |
CN108200110A (en) | A kind of data processing method, apparatus and system | |
CN109446164A (en) | The large data sets of space planning are at method, system and device | |
CN115189935B (en) | Intelligent mobile device centralized investigation evidence collection system and investigation evidence collection method based on same | |
CN109507922B (en) | Port data acquisition method based on intelligent Internet of things | |
CN110674382A (en) | Data access method and device and data access system | |
US9092397B1 (en) | Development server with hot standby capabilities | |
CN103164410B (en) | The method of the storage of a kind of file and operation, storage device and system | |
CN110430098B (en) | Data processing system | |
CN204288515U (en) | A kind of Intelligent management system for vehicles based on cloud computing platform |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |