CN115189935B - Intelligent mobile device centralized investigation evidence collection system and investigation evidence collection method based on same


Info

Publication number
CN115189935B
Authority
CN
China
Legal status
Active
Application number
CN202210792226.4A
Other languages
Chinese (zh)
Other versions
CN115189935A (en)
Inventor
吴慧欣
王喆
彭锋
杨梦凡
马琳
孔宇皓
陈凯源
倪梦琪
曹萌迪
朱洋
王留毅
陈继坤
Current Assignee
Henan Zhongmeng Electronic Technology Co ltd
North China University of Water Resources and Electric Power
Original Assignee
Henan Zhongmeng Electronic Technology Co ltd
North China University of Water Resources and Electric Power


Classifications

    • H04L 63/08: Network architectures or network communication protocols for network security, for authentication of entities
    • G06F 21/31: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; user authentication
    • G06Q 50/18: Information and communication technology specially adapted for business processes of specific sectors; legal services
    • H04L 63/02: Network security architectures or protocols for separating internal from external traffic, e.g. firewalls
    • H04L 63/10: Network security architectures or protocols for controlling access to devices or network resources
    • H04L 67/02: Network arrangements or protocols for supporting network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 67/06: Network arrangements or protocols for supporting network services or applications; protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L 9/3247: Cryptographic mechanisms or arrangements for secret or secure communications, including means for verifying the identity or authority of a user or for message authentication, involving digital signatures


Abstract

The invention discloses a centralized investigation and forensics system for smart mobile devices and an investigation and forensics method based on it. The system comprises: smart mobile devices running a forensic client APP, a central server running an investigation and forensics server APP, and a data analysis terminal. The central server is connected to both the forensic network and the investigation network; smart terminals join the forensic network either wirelessly through a wireless access point or over USB wired Ethernet with an isolation function, and the two networks are isolated from each other so that neither can reach the other. The central server accepts connections from the client on the smart mobile device, receives the forensic data, provides the forensic data catalogue and the forensic data to the data analysis terminal, and stores the investigation results. The invention supports high-concurrency forensic collection and distributed sample investigation and achieves higher investigation and forensics efficiency.

Description

Intelligent mobile device centralized investigation evidence collection system and investigation evidence collection method based on same
Technical Field
The invention relates to the technical field of judicial investigation and forensics, in particular to a centralized investigation and forensics system for smart mobile devices and an investigation and forensics method based on it.
Background
In judicial investigation and forensics, cases that require forensic examination of smart devices are frequently encountered. As the storage capacity of smart devices keeps growing, the investigation capability of an ordinary computer is limited and its ability to consolidate investigations is weak. Existing investigation and forensics devices and programs have low storage capacity and low concurrency, so a large amount of manpower and equipment must be devoted to decentralized processing, which affects work efficiency.
Disclosure of Invention
To address the poor forensic efficiency of conventional judicial investigation, the invention provides a centralized investigation and forensics system for smart mobile devices and an investigation and forensics method based on it, which support high-concurrency forensic collection and distributed sample investigation, ensure procedural compliance, and achieve higher investigation and forensics efficiency.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
In one aspect, the invention provides a centralized investigation and forensics system for smart mobile devices, comprising: smart mobile devices running a forensic client APP, a central server running an investigation and forensics server APP, and a data analysis terminal. The central server is connected to both the forensic network and the investigation network. The forensic network connects the central server with each smart terminal; a smart terminal joins the forensic network either wirelessly through a wireless access point or over USB wired Ethernet with an isolation function, and the two networks are isolated from each other so that neither can reach the other. The investigation network connects the data analysis terminal with the central server, and the central server can reach the Internet through the investigation network. The central server accepts client connections from the smart mobile devices, receives the forensic data, provides the forensic data catalogues and the forensic data to the data analysis terminal, and stores the investigation results. The central server uses NAS, RAID technology and the WebDAV protocol to implement centralized, high-concurrency investigation and forensics.
Further, the investigation and forensics server APP comprises a file storage module, a case information storage module, a file storage interface, a data interface, a forensic API interface, an investigation API interface, forensic network services and a forensic network firewall;
the forensic network services provide network addressing, address allocation, communication and AP terminal control for the forensic network;
the forensic network firewall restricts the network connectivity of terminals within the forensic network and limits terminal access, ensuring the security of the forensic network and the compliance of the forensic process;
the file storage module stores file data;
the case information storage module stores relational data, including sample information, inspection reports and the storage locations of forensic file-type data, classified in a database, and provides classified queries;
the file storage interface encapsulates the file storage function, hides the differences between storage modes, and provides file-type data storage to all APIs;
the forensic API interface communicates with the forensic client APP to control the forensic flow; it stores the received case information in the case information storage module by calling the data interface, and stores the case's file data in the file storage module through the file storage interface;
the investigation API interface provides data access to the data analysis terminal, supplies case and sample data to it, and receives its reports.
Further, the data analysis terminal is a blade server on which a plurality of distributed sample investigation nodes are deployed; the nodes are connected to the investigation network, and each runs a sample automatic investigation analysis program.
Further, the forensic client APP collects the files, case and sample information, call records, short messages and address book of the smart mobile device; it packages and signs the data and sends it through the forensic network to the API interface. After the forensic API interface receives the data, it verifies the signature and integrity, stores the relational data in the case information storage module through the data interface, and stores the file-type data in the file storage module through the file storage interface.
Further, the forensic API interface comprises a case information API and sub-forensic APIs. The case information API comprises a case query function and a sample control function: the case query function returns the case list, case forensic notes and requirement information for the forensic operator to review; the sample control function receives and verifies the case information filled in by the forensic operator, returns the authentication and signing key, and assigns file storage and forensic API access rights, preventing unauthorized access and improving security. The sub-forensic APIs comprise an address book forensic API, a short message forensic API, a call record forensic API and a file forensic API, which respectively receive the address book, short messages, call records and files sent by the forensic terminal.
Further, the investigation API interface comprises an authentication API, a case API, a sample and data download API and a result feedback API;
the authentication API verifies and identifies investigators and confirms the user's identity and authority;
the case API returns, according to the investigator's access rights, the case information and the corresponding report set the investigator is responsible for;
the sample and data download API provides, according to the investigator's access rights, download of the sample information and of a key-encrypted copy of the forensic data; it also provides the decryption key for the corresponding copy according to the investigator's permission, and withdraws the decryption permission once the validity period has passed, so that the sample can no longer be used;
the result feedback API collects the sample analysis reports produced by the investigator and the data analysis terminal.
In another aspect, the invention provides an investigation and forensics method, comprising:
starting the forensic client APP to begin collection; the forensic client APP accesses the case information API of the forensic API interface to query cases, the forensic operator selects the case the sample belongs to and fills in the information the case requires, and the forensic client APP reads the smart mobile device's information and fills in the related items automatically;
after the information is filled in, submitting it to the sample control function of the forensic API interface; once the sample control function has configured the service, it returns the secret key and the configuration of the forensic parameters;
after receiving the configuration, the forensic client APP configures the forensic parameters, connects to the service given by the connection parameters and starts the forensic process;
each time an item of data is obtained, the forensic client APP packages, checks and signs it and sends it, according to its type, to the corresponding API of the API interface; when all forensic items are complete, the client notifies the sample control function that collection is complete, and collection ends;
after receiving the case and sample information, the forensic API interface generates the secret key and authentication information, stores the case and sample information on the central server, configures the file storage interface and the API access rights, generates the configuration and returns it to the forensic client APP;
after returning the configuration, the forensic API interface waits for the forensic client APP to send forensic data; when forensic data is received, it verifies the signature and integrity and stores the valid data in the file storage module or the case information storage module of the central server;
if collection times out, the sample data is invalidated and the sample state is set to invalid, so that collection must be redone; if the completion notice from the forensic client APP is received, the sample state is set to completed;
after the state change, the forensic API interface closes the API access right and the file storage access right, withdraws the authentication information, and collection is finished;
after collection is finished, the central server configures the investigators and their authority, controls their access to the samples under investigation, and configures the file storage interface, the data interface and the user access rights of the investigation API interface, so that personnel tasks are divided and authority is isolated; personnel with the relevant authority can then access the investigation API interface from the data analysis terminal and use the forensic data for sample analysis;
when an investigator starts an investigation from the data analysis terminal, they first log in through the authentication API with their authentication information, access the case API to obtain the case list and the sample list, then, according to the analysis requirements of the case, access the sample and data download API, download the sample data and investigate it; after the investigation, a report is written from the findings, digitally signed and uploaded to the result feedback API of the central server, and the investigation ends;
after the result feedback API receives the report, the report is saved; when all forensic analysis work is complete, the case authority can read all reports, consolidate them into a final report and deliver it to the requester.
Compared with the prior art, the invention has the following beneficial effects:
The invention uses a central server and supports high-concurrency forensic collection: the devices to be examined run the forensic software, join the forensic network and write their data into their respective storage areas, which greatly reduces the collection time for a large number of devices. Distributed sample investigation is easy to carry out: multiple nodes process samples asynchronously, and the work of the nodes is independent and does not interfere, which makes investigation and forensics convenient. Security is ensured through the network, authority, service isolation and file encryption, and the invention achieves higher investigation and forensics efficiency on a compliant basis.
Drawings
Fig. 1 is a schematic architecture diagram of a centralized investigation and forensics system for smart mobile devices according to an embodiment of the invention;
Fig. 2 is a schematic diagram of the forensic flow of the centralized investigation and forensics system for smart mobile devices according to an embodiment of the invention;
Fig. 3 is a schematic diagram of the investigation flow of the centralized investigation and forensics system for smart mobile devices according to an embodiment of the invention;
Fig. 4 is a schematic diagram of the data analysis terminal according to an embodiment of the invention;
Fig. 5 is a schematic diagram of the functional structure of the investigation and forensics server APP according to an embodiment of the invention;
Fig. 6 is a schematic diagram of the functional structure of the forensic client APP according to an embodiment of the invention;
Fig. 7 is a schematic diagram of the data storage structure according to an embodiment of the invention;
Fig. 8 is a schematic diagram of the functional architecture of the forensic API interface according to an embodiment of the invention;
Fig. 9 is a schematic diagram of the functional architecture of the investigation API according to an embodiment of the invention;
Fig. 10 is a schematic forensic flow chart of the investigation and forensics method according to an embodiment of the invention;
Fig. 11 is a schematic investigation flow chart of the investigation and forensics method according to an embodiment of the invention.
Detailed Description
The invention is further illustrated by the following description of specific embodiments in conjunction with the accompanying drawings:
As shown in Fig. 1, a centralized investigation and forensics system for smart mobile devices comprises: smart mobile devices running a forensic client APP, a central server running an investigation and forensics server APP, and a data analysis terminal. The central server is connected to both the forensic network and the investigation network. The forensic network connects the central server with each smart terminal; a smart terminal joins the forensic network either wirelessly through a wireless access point or over USB wired Ethernet with an isolation function, and the two networks are isolated from each other so that neither can reach the other. The investigation network connects the data analysis terminal with the central server, and the central server can reach the Internet through the investigation network. The central server accepts client connections from the smart mobile devices, receives the forensic data, provides the forensic data catalogues and the forensic data to the data analysis terminal, and stores the investigation results. The central server uses NAS, RAID technology and the WebDAV protocol to implement centralized, high-concurrency investigation and forensics.
Further, the central server uses RAID technology to provide high-capacity, high-throughput and reliable central storage, and the WebDAV protocol for data transfer. The control program of the central server (the investigation and forensics server APP) exchanges control data over HTTP and controls the WebDAV access rights according to the business flow, which is how data collection and analysis are realized.
Further, the central server uses a multi-port 10 GbE network card to connect to the forensic network and the investigation network, with link load balancing to raise bandwidth and throughput. Several high-capacity disks are attached through multiple HBA cards, and a solid-state disk on a PCIe NVMe interface serves as cache acceleration. The disks are assembled into software RAID 10 or RAIDZ2/RAIDZ3 for reliability and throughput, and a Linux operating system is installed.
A DHCP service is installed on the central server's operating system to provide address allocation for the forensic network, a firewall service is installed to isolate network communication, and AP control software is installed to manage the AP name and device roaming. The investigation and forensics server APP is installed on the operating system to control the forensic and investigation business.
Specifically, the hardware and software configuration of the central server is as follows:
a) The motherboard is a Supermicro M12SWA-TF workstation motherboard for the AMD 3995WX/75WX.
b) The CPU is an AMD Threadripper 3995WX (64 cores, 128 threads, 2.7 GHz).
c) Memory: 8 × 256 GB ECC DDR4 3200 MHz SDRAM, 2 TB in total.
d) Four ADATA XPG S11 Pro 2 TB M.2 (NVMe) SSDs are connected directly to the motherboard NVMe interfaces and grouped as RAID 10 to serve as the read/write cache.
e) A Western Digital SN640 series 960 GB U.2 SSD, connected directly to the motherboard and configured as RAID 1, stores the operating system.
f) Data storage uses Western Digital 18 TB HC550 SATA 6 Gb/s 7200 rpm disks with 512 MB cache, of which four are connected directly to the motherboard SATA ports as direct-attached disks.
g) One MegaRAID 9460-16i expands the disk interfaces; the disks are attached in pass-through mode, with each port connecting four HDDs.
h) Eight disks grouped as RAID 6 are mounted at /mnt; the usable space in RAID 6 mode is 108 TB. At 256 GB per phone and a 1:1 ratio of output analysis data, this accommodates the data of 200 phones.
i) A PCIe x8 four-port 10 GbE SFP+ fibre server network card (Intel 82599 / XL710 chip) is fitted with four 10G SFP+ multimode 850 nm dual-fibre 300 m optical modules; two ports are connected to the forensic network switch using link load balancing, and the remaining two ports are connected to the analysis network switch using link load balancing.
j) The central server runs the investigation and forensics server APP, runs a DHCP service that provides address allocation for the forensic network, and has its firewall configured to block layer-3 forwarding within the forensic network and the forensic network's access to external networks.
Further, as shown in Fig. 2, the forensic flow based on the centralized investigation and forensics system for smart mobile devices is as follows:
1. The administrator sets up cases through the investigation and forensics server APP, which creates a case database and a case folder in the central server's storage space. The smart mobile device connects to the forensic network's wireless access point to complete the network connection.
2. The forensic client APP is run on the smart mobile device; through it, the investigation and forensics server APP on the central server is accessed and the case list is downloaded. After the forensic client APP has guided the forensic operator through requesting all available read permissions on the smart mobile device, the operator selects from the case list the case the device under examination belongs to. Once the case is selected, the device's basic information is read automatically, and the operator fills in supplementary information about the device. The forensic client APP sends the collected information over HTTP to the investigation and forensics server APP and waits for the response.
3. After receiving the device information, the investigation and forensics server APP stores it in the case database or case folder of the selected case. Using the unique sample identification number, it creates a sample folder in the case directory and an original-data folder inside the sample folder, creates WebDAV authentication information, sets the folder to a mode that only allows upload and resumed upload, and allows the forensic client APP to write the phone data into the folder over WebDAV. The WebDAV address and authentication information are sent back to the forensic client APP.
4. After receiving the server's response, the forensic client APP configures the WebDAV communication parameters, collects the data, and stores the original data, address book, call records, files and short messages into the corresponding catalogues of the original-data folder according to their classification.
5. After receiving a file sent by the forensic client, the investigation and forensics server APP saves it to the target location, calculates a checksum and stores the file information in the sample database.
6. Multiple smart mobile devices can be collected from at the same time without affecting each other's forensic flow. After collection from a device is finished, the central server is notified of the end of that sample's collection through an HTTP request.
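The following is an added example, not code from the patent or its assignees, of the server-side part of the collection steps in the method above and of the Fig. 2 flow: sample registration issues a per-sample key and an upload-only storage path, each item the client sends is checked for integrity and signature, a second write to the same slot is refused, a checksum is recorded with the stored file, and access is closed on completion or timeout. The names ForensicApi, package_item, sign_done and FORENSIC_TIMEOUT are assumptions, and the per-sample HMAC stands in for the digital signature the text describes.

```python
import hashlib
import hmac
import json
import secrets

FORENSIC_TIMEOUT = 3600            # seconds a sample may stay in "collecting" (assumed value)
ITEM_TYPES = ("contacts", "sms", "calls", "file")   # one per sub-forensic API in the text


def _header_bytes(header):
    # Canonical encoding so client and server sign and verify identical bytes.
    return json.dumps(header, sort_keys=True, separators=(",", ":")).encode()


def package_item(sample_id, key, item_type, name, payload):
    """Client APP side: wrap one collected item with its digest and signature."""
    header = {"sample_id": sample_id, "type": item_type, "name": name,
              "sha256": hashlib.sha256(payload).hexdigest()}
    sig = hmac.new(key, _header_bytes(header), hashlib.sha256).hexdigest()
    return {"header": header, "payload": payload, "sig": sig}


def sign_done(sample_id, key):
    """Client APP side: signed notice that all forensic items are complete."""
    return hmac.new(key, _header_bytes({"sample_id": sample_id, "event": "done"}),
                    hashlib.sha256).hexdigest()


class ForensicApi:
    """Server side: sample control, sub-forensic item intake, completion and timeout."""

    def __init__(self):
        self.samples = {}   # sample_id -> {"case", "device", "key", "state", "started", "access"}
        self.files = {}     # (sample_id, type, name) -> (payload, sha256 checksum)

    def register_sample(self, case_id, device_info, now):
        """Sample control: check the filled-in information, then issue the per-sample
        key, the upload-only storage path and the API access right."""
        if not case_id or not device_info.get("model"):
            raise ValueError("case or device information incomplete")
        sample_id = secrets.token_hex(8)
        self.samples[sample_id] = {
            "case": case_id, "device": device_info, "key": secrets.token_bytes(32),
            "state": "collecting", "started": now, "access": True,
        }
        return {"sample_id": sample_id, "key": self.samples[sample_id]["key"],
                "path": f"/cases/{case_id}/{sample_id}/raw", "upload_only": True}

    def _verify(self, sample_id, header, sig, now):
        # Access must still be open, the signature must match the issued key,
        # and the collection window must not have run out.
        rec = self.samples.get(sample_id)
        if rec is None or not rec["access"] or rec["state"] != "collecting":
            return None, "no access right for this sample"
        expected = hmac.new(rec["key"], _header_bytes(header), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None, "bad signature"
        if now - rec["started"] > FORENSIC_TIMEOUT:
            self._invalidate(sample_id)
            return None, "forensic collection timed out"
        return rec, "ok"

    def receive_item(self, pkg, now):
        """Sub-forensic API: verify signature and integrity, then store with its checksum."""
        header, payload = pkg["header"], pkg["payload"]
        rec, why = self._verify(header["sample_id"], header, pkg["sig"], now)
        if rec is None:
            return False, why
        if header["type"] not in ITEM_TYPES:
            return False, "unknown item type"
        digest = hashlib.sha256(payload).hexdigest()
        if not hmac.compare_digest(digest, header["sha256"]):
            return False, "integrity check failed"
        slot = (header["sample_id"], header["type"], header["name"])
        if slot in self.files:                     # upload-only: no overwrite of evidence
            return False, "upload-only store: item already exists"
        self.files[slot] = (payload, digest)
        return True, "stored"

    def finish_sample(self, sample_id, sig, now):
        """Completion notice: mark the sample completed, close access, withdraw the key."""
        rec, why = self._verify(sample_id, {"sample_id": sample_id, "event": "done"}, sig, now)
        if rec is None:
            return False, why
        rec["state"] = "completed"
        self._revoke(rec)
        return True, "completed"

    def expire_samples(self, now):
        """Periodic sweep: unfinished samples past the timeout become invalid (must be redone)."""
        expired = [sid for sid, r in self.samples.items()
                   if r["state"] == "collecting" and now - r["started"] > FORENSIC_TIMEOUT]
        for sid in expired:
            self._invalidate(sid)
        return expired

    def _invalidate(self, sample_id):
        rec = self.samples[sample_id]
        rec["state"] = "invalid"
        self._revoke(rec)

    @staticmethod
    def _revoke(rec):
        rec["access"] = False
        rec["key"] = None
```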
Further, as shown in Fig. 3, the investigation flow based on the centralized investigation and forensics system for smart mobile devices is as follows:
1. The data analysis terminal connects to the central server over the investigation network; after authentication, it can view the case list and create cases over HTTP.
2. The data analysis terminal downloads the case database and, according to the information in it, the sample databases and sample files whose collection has finished. The investigator can adjust the range of downloaded content to the performance and capacity of the data analysis terminal.
3. The investigator analyses the forensic files with the sample automatic investigation analysis program and uploads the results to the central server at sample granularity.
4. After receiving a sample's investigation result, the central server saves it in the folder corresponding to that sample.
5. When all samples of a case have been investigated, the administrator consolidates the results of all the case's samples and outputs the final complete case investigation report.
6. Multiple devices may investigate samples at the same time, and there may be multiple case results.
Specifically, the forensic network hardware is configured as follows:
a) A MikroTik CRS328-24P-4S+RM managed routing switch (24 gigabit PoE ports, 4 SFP+ 10G ports) is connected to the central server through two SFP+ 10G multimode optical modules (850 nm, dual fibre, 300 m).
b) Five H3C MINI A50-E units serve as AP access points, the wireless access points of the forensic network, and ten TP-LINK TL-U8 switches serve as the wired forensic network access points.
Specifically, the investigation network hardware is configured as follows:
a) A MikroTik CRS328-4C-20S-4S+RM 24-port gigabit managed routing switch is connected to the central server through two SFP+ 10G multimode optical modules (850 nm, dual fibre, 300 m).
b) One SFP+/10GE port connects to the external network and one SFP+/10GE port connects to the distributed cluster switch.
Further, the data analysis terminal is a blade server: each blade chassis carries several distributed sample investigation nodes, the nodes are connected to the investigation network, and each node runs the automatic sample investigation and analysis program.
As shown in Fig. 4, the central server distributes samples that have not yet been automatically analysed to idle investigation nodes. When a node is idle it contacts the central server to obtain case data for analysis. The central server selects an unassigned sample that has not yet been automatically analysed, assigns it to the requesting node, and sends the sample information, data and database to that node.
The investigation node extracts data for the questions that commonly arise in forensic work, stores the related data in the case information base over HTTP, and builds a relationship network, communication permissions, a communication heat map and other data to support the analyst's decisions. It then produces an automatic investigation report from the sample information.
When the node's investigation and analysis is complete, it uploads the report over HTTP and takes the next investigation and analysis task.
Distributed automatic investigation and analysis greatly reduces the workload of the investigation and forensic staff and guides them towards targeted manual forensic work.
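As an added example for this page (not the patent's own software; class, function and state names are hypothetical), the pull-based assignment just described: an idle node requests work and receives one unassigned, not-yet-analysed sample, only the node holding the assignment may upload its report, and a node loops through request, analyse, report and next task.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

PENDING, ASSIGNED, ANALYZED = "pending", "assigned", "analyzed"  # sample states


@dataclass
class Sample:
    sample_id: str
    case_id: str
    state: str = PENDING
    node: str | None = None     # node currently holding the assignment
    report: str | None = None   # automatic investigation report, once uploaded


class AutoAnalysisScheduler:
    """Central-server side of handing unanalysed samples to idle nodes."""

    def __init__(self) -> None:
        self.samples: dict[str, Sample] = {}  # insertion order = registration order

    def register(self, sample_id: str, case_id: str) -> None:
        self.samples[sample_id] = Sample(sample_id, case_id)

    def request_task(self, node_id: str) -> Sample | None:
        """Called by an idle node: hand it one unassigned, unanalysed sample.
        Refused while the node still holds an open assignment."""
        if any(s.state == ASSIGNED and s.node == node_id for s in self.samples.values()):
            return None
        for s in self.samples.values():
            if s.state == PENDING:
                s.state, s.node = ASSIGNED, node_id
                return s
        return None

    def submit_report(self, node_id: str, sample_id: str, report: str) -> bool:
        """Accept a report only from the node that was assigned the sample."""
        s = self.samples.get(sample_id)
        if s is None or s.state != ASSIGNED or s.node != node_id:
            return False
        s.state, s.report = ANALYZED, report
        return True

    def status(self) -> dict[str, str]:
        return {sid: s.state for sid, s in self.samples.items()}


def run_node(sched: AutoAnalysisScheduler, node_id: str,
             analyze: Callable[[Sample], str]) -> list[str]:
    """Investigation-node loop: request, analyse, upload report, take the next task."""
    done = []
    while (task := sched.request_task(node_id)) is not None:
        if sched.submit_report(node_id, task.sample_id, analyze(task)):
            done.append(task.sample_id)
    return done


def demo() -> dict:
    sched = AutoAnalysisScheduler()
    for sid in ("S1", "S2", "S3"):  # constructed sample ids of one case
        sched.register(sid, "CASE-001")
    first = sched.request_task("node-A")            # node A takes S1 ...
    refused = sched.request_task("node-A")          # ... and may not take a second
    wrong_node = sched.submit_report("node-B", "S1", "bogus")   # B cannot report on S1
    b_done = run_node(sched, "node-B", lambda s: f"auto report for {s.sample_id}")
    a_ok = sched.submit_report("node-A", "S1", "auto report for S1")
    return {"first": first.sample_id, "refused": refused, "wrong_node": wrong_node,
            "b_done": b_done, "a_ok": a_ok, "status": sched.status()}
```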
Specifically, the distributed sample investigation nodes are configured as follows:
a) A Huawei Fusion X6800 chassis with eight XH620 V3 nodes and four power supplies, plus an H3C Mini S1226FX switch connected to the investigation network.
b) Each node has an E5-2603 v3 CPU, 16 GB of memory and a 300 GB SAS HDD, and each node's network port is connected to the switch.
c) Each node runs the distributed automatic sample investigation and analysis program.
Further, as shown in Fig. 5, the investigation and forensics server app comprises a file storage module, a case information storage module, a file storage interface, a data interface, a forensic API interface, an investigation API interface, a forensic network service and a forensic network firewall;
the forensic network service provides network addressing, address allocation, communication and AP terminal control for the forensic network;
the forensic network firewall restricts the network connectivity of terminals in the forensic network and limits terminal access, safeguarding the security of the forensic network and the compliance of the forensic process;
the file storage module stores file data; it may be implemented with NAS, local storage, mounted external storage or object storage;
the case information storage module stores relational data, including sample information, inspection reports and forensic business data, in a database by category and provides category-based queries; in practice the module may be a database;
the file storage interface encapsulates the file storage functions, hides the differences between storage back-ends and provides file-type data storage to all APIs; it generally uses WebDAV, carries its own authentication and access control, and allows only authorised users to read or download files;
the forensic API interface communicates with the forensic client app to control the forensic flow; it stores the received case information in the case information storage module through the data interface and the case's file data in the file storage module through the file storage interface;
the investigation API interface provides data access for the data analysis terminal, supplies it with case and sample data, and receives its reports.
Further, as shown in Fig. 6 and Fig. 7, the forensic client app collects the files, case and sample information, call records, short messages and address book of the intelligent mobile device; it packages and signs the data and sends it to the API interface over the forensic network; after receiving the data the forensic API interface verifies the signature and integrity, stores the relational data in the case information storage module through the data interface, and stores the file-type data in the file storage module through the file storage interface.
Further, as shown in Fig. 8, the forensic API interface comprises a case information API and sub-forensic APIs. The case information API comprises a case query function and a sample control function: the case query function returns the case list, case forensic notes and requirement information for the forensic operator to review; the sample control function receives and validates the case information filled in by the operator, returns the authentication and signing keys, and assigns the file storage and forensic API access rights. The sub-forensic APIs comprise an address book forensic API, a short message forensic API, a call record forensic API and a file forensic API, which respectively receive the address book, short messages, call records and files sent by the forensic terminal.
Further, as shown in Fig. 9, the investigation API interface comprises an authentication API, a case API, a sample and data download API, and a result feedback API;
the authentication API verifies and identifies investigators and confirms the user's identity and authority;
the case API returns, according to the investigator's access rights, the case information the investigator is responsible for and the corresponding set of reports;
the sample and data download API controls the investigator's access rights and provides the investigator with downloads of sample information and copies of the forensic data; specifically, the interface is read-only and never modifies sample data; the sample copy it provides is encrypted with a key, the API hands out the decryption key of the corresponding copy according to the investigator's permissions, and once the validity period has expired the API reclaims the decryption permission so that the sample can no longer be used; outside the investigation and forensic environment the API cannot be reached, so the sample cannot be decrypted, which ensures its security;
the result feedback API collects the sample analysis reports produced by the investigator and the data analysis terminal.
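The encrypted-copy scheme of the sample and data download API, as an added example written for this page rather than the patent's code: each issued copy is encrypted under a fresh key held server-side, the key is released only to the investigator who holds the copy and only within the validity period, and after expiry the key is reclaimed, so a copy carried outside the environment is unusable. The `SampleDownloadAPI` name, the HMAC-based stand-in keystream and the injected clock are assumptions of the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: keystream block i = HMAC-SHA256(key, i).
    Used only so the example runs on the standard library; a real service
    would use an AEAD such as AES-GCM. Applying it twice recovers the data."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


@dataclass
class CopyRecord:
    copy_id: str
    case_id: str
    investigator: str
    key: bytes          # stays server-side; released only via request_key()
    expires_at: int     # end of the validity period (seconds; clock is injected)
    reclaimed: bool = False


class SampleDownloadAPI:
    """Read-only download API: encrypted copies, permission-bound key release."""

    def __init__(self, samples: dict[str, tuple[str, bytes]],
                 grants: dict[str, set[str]], validity: int) -> None:
        self._samples = samples     # sample_id -> (case_id, data); never modified
        self._grants = grants       # investigator -> case ids they may access
        self._validity = validity
        self._copies: dict[str, CopyRecord] = {}

    def download_copy(self, investigator: str, sample_id: str, now: int):
        """Return (copy_id, ciphertext), or None if the investigator lacks the case."""
        case_id, data = self._samples[sample_id]
        if case_id not in self._grants.get(investigator, set()):
            return None
        key, copy_id = os.urandom(32), os.urandom(8).hex()   # fresh key per copy
        self._copies[copy_id] = CopyRecord(copy_id, case_id, investigator,
                                           key, now + self._validity)
        return copy_id, keystream_xor(key, data)

    def request_key(self, investigator: str, copy_id: str, now: int) -> bytes | None:
        """Release the copy's key only to its holder within the validity period.
        Past expiry the key is reclaimed for good, so the copy is unusable."""
        rec = self._copies.get(copy_id)
        if rec is None or rec.investigator != investigator:
            return None
        if rec.reclaimed or now > rec.expires_at:
            rec.reclaimed = True
            return None
        return rec.key


def demo() -> dict:
    # Constructed data: sample S1 belongs to CASE-001; alice may access it, bob may not.
    original = b"constructed sms export for sample S1"
    api = SampleDownloadAPI({"S1": ("CASE-001", original)}, {"alice": {"CASE-001"}},
                            validity=3600)
    bob = api.download_copy("bob", "S1", now=1000)
    copy_id, ciphertext = api.download_copy("alice", "S1", now=1000)
    key = api.request_key("alice", copy_id, now=1500)              # inside validity
    plain = keystream_xor(key, ciphertext) if key else None
    key_other = api.request_key("bob", copy_id, now=1500)          # not the holder
    key_late = api.request_key("alice", copy_id, now=1000 + 3601)  # expired: reclaimed
    key_retry = api.request_key("alice", copy_id, now=1200)        # stays reclaimed
    return {"bob": bob, "plain": plain, "ciphertext_differs": ciphertext != original,
            "key_other": key_other, "key_late": key_late, "key_retry": key_retry}
```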
On the basis of the above embodiment, as shown in Fig. 10 and Fig. 11, another aspect of the invention proposes a method of investigation and forensics, comprising:
the forensic client app is started to begin collection; it accesses the case information API in the forensic API interface to query cases, the forensic operator selects the case the sample belongs to and fills in the information the case requires, and the client app reads the intelligent mobile device's information and fills in the related items automatically;
once the information is complete it is submitted to the sample control function of the forensic API interface, which configures the service and returns the keys and the forensic-parameter configuration;
on receiving the configuration the forensic client app configures its forensic parameters and, once configured, starts the collection process;
each time an item of data is acquired the forensic client app packages, verifies and signs it and sends it, according to its type, to the corresponding API in the API interface; when all collection items are finished the client notifies the sample control function that collection is complete, and collection ends;
on receiving the case and sample information the forensic API interface generates the key and authentication information, stores the case and sample information on the central server, configures the file storage interface and the API access rights, generates the configuration and returns it to the forensic client app;
after returning the configuration the forensic API interface waits for forensic data from the client app; when data arrives it is checked and verified, and the valid data is stored in the file storage module or case information storage module of the central server;
if collection times out, the sample data is invalidated and the sample state is set to invalid, requiring re-collection; if the completion notification from the forensic client app is received, the sample state is set to completed;
after the state change the forensic API interface closes the API access rights and the file storage access rights and withdraws the authentication information, and collection is finished;
after collection has finished the central server configures the investigators and their authority, controls which investigation samples they may access, and configures the user access rights of the file storage interface, the data interface and the investigation API interface, separating personnel tasks and isolating authority; personnel with the relevant authority can then access the investigation API interface and the forensic data from the data analysis terminal to analyse samples;
when an investigator begins an investigation from the data analysis terminal, the investigator first logs in by presenting authentication information to the authentication API, accesses the case API to obtain the case list and sample list, accesses the sample and data download API according to the case's analysis requirements, downloads the sample data and investigates it; the investigator opens the sample data and uses the data analysis terminal to analyse the sample files and database in it to find useful information, writes a report from the findings when the investigation is finished, digitally signs the report and uploads it to the result feedback API of the central server, which ends the investigation;
after the result feedback API receives the report it is saved; when all forensic analysis work is complete the case authorities can read all reports, consolidate them into the final report and submit it to the requesting party.
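The server side of the collection flow (steps 3 to 6 of the flow above and the forensic-API steps of the method) as an added example written for this page, not the patent's software: a sample is registered and receives a per-sample credential and signing key; each upload is accepted only with a valid signature and recorded with its checksum; a timed-out sample becomes invalid; completion revokes the credential. The `ForensicsAPI` name, the HMAC signature, the injected clock and the in-memory dicts standing in for the WebDAV folder and the databases are assumptions of the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

CATEGORIES = ("address_book", "sms", "call_records", "files")  # raw-data sub-folders
COLLECTING, COMPLETED, INVALID = "collecting", "completed", "invalid"


def sign(key: bytes, category: str, name: str, payload: bytes) -> str:
    """Client-side HMAC-SHA256 over category, name and payload (NUL-separated)."""
    msg = b"\x00".join((category.encode(), name.encode(), payload))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class SampleRecord:
    sample_id: str
    case_id: str
    token: str                 # upload credential, stands in for WebDAV auth
    key: bytes                 # per-sample signing key issued at registration
    deadline: int              # collection timeout, epoch seconds (injected)
    state: str = COLLECTING
    files: dict[str, str] = field(default_factory=dict)  # "category/name" -> sha256


class ForensicsAPI:
    def __init__(self, timeout: int) -> None:
        self._timeout = timeout
        self.samples: dict[str, SampleRecord] = {}  # stands in for the sample database
        self._by_token: dict[str, str] = {}
        self._store: dict[str, bytes] = {}          # stands in for the file storage module

    def register_sample(self, case_id: str, device_id: str, now: int) -> dict:
        """Create the sample folder, mint credential and key, return client config."""
        sample_id = hashlib.sha256(f"{case_id}:{device_id}".encode()).hexdigest()[:16]
        rec = SampleRecord(sample_id, case_id, os.urandom(16).hex(),
                           os.urandom(32), now + self._timeout)
        self.samples[sample_id] = rec
        self._by_token[rec.token] = sample_id
        return {"sample_id": sample_id, "upload_path": f"/{case_id}/{sample_id}/raw",
                "token": rec.token, "key": rec.key}

    def _revoke(self, rec: SampleRecord) -> None:
        self._by_token.pop(rec.token, None)  # credential and key withdrawn for good
        rec.key = b""

    def _active(self, token: str, now: int) -> SampleRecord | None:
        """Resolve a credential; a sample past its deadline is invalidated here."""
        sid = self._by_token.get(token)
        if sid is None:
            return None
        rec = self.samples[sid]
        if now > rec.deadline:
            rec.state = INVALID  # timed out: must be re-collected
            self._revoke(rec)
            return None
        return rec

    def upload(self, token: str, category: str, name: str, payload: bytes,
               signature: str, now: int) -> str | None:
        """Accept one signed item; return its checksum, or None if rejected."""
        rec = self._active(token, now)
        if rec is None or category not in CATEGORIES:
            return None
        if not hmac.compare_digest(signature, sign(rec.key, category, name, payload)):
            return None  # altered in transit or signed with the wrong key
        path = f"{category}/{name}"
        self._store[f"{rec.sample_id}/{path}"] = payload
        rec.files[path] = hashlib.sha256(payload).hexdigest()
        return rec.files[path]

    def complete(self, token: str, now: int) -> bool:
        """Completion notice from the client: mark completed and revoke access."""
        rec = self._active(token, now)
        if rec is None:
            return False
        rec.state = COMPLETED
        self._revoke(rec)
        return True

    def verify_stored(self, sample_id: str) -> bool:
        """Recompute each stored file's checksum against the sample database."""
        return all(hashlib.sha256(self._store[f"{sample_id}/{p}"]).hexdigest() == h
                   for p, h in self.samples[sample_id].files.items())


def demo() -> dict:
    api = ForensicsAPI(timeout=600)
    cfg = api.register_sample("CASE-001", "device-A", now=1000)  # constructed ids
    tok, key, sms = cfg["token"], cfg["key"], b"constructed sms export"
    ok = api.upload(tok, "sms", "inbox.json", sms, sign(key, "sms", "inbox.json", sms), now=1010)
    tampered = api.upload(tok, "sms", "inbox.json", sms + b"x", sign(key, "sms", "inbox.json", sms), now=1011)
    done = api.complete(tok, now=1020)
    after = api.upload(tok, "files", "late.bin", b"z", sign(key, "files", "late.bin", b"z"), now=1021)
    cfg2 = api.register_sample("CASE-001", "device-B", now=1000)  # never finishes
    late = api.complete(cfg2["token"], now=1000 + 601)
    return {"ok": ok is not None, "tampered": tampered, "done": done, "after": after,
            "late": late, "state_a": api.samples[cfg["sample_id"]].state,
            "intact": api.verify_stored(cfg["sample_id"]),
            "state_b": api.samples[cfg2["sample_id"]].state}
```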
In summary:
1. Using the central server, the invention achieves high-concurrency collection: the devices being collected run the forensic software, join the forensic network and write their data into their own storage areas, which greatly shortens the collection time for large numbers of devices.
2. With the central server, network link load balancing can be used, and AP multi-point access increases network throughput to cope with the large-scale data transfer of investigation and forensics.
3. The central server makes the data easy to store and use and increases reliability and throughput; compared with distributed collection, it can guarantee redundant backup of the data and raise throughput with RAID disk array technology, and a high-speed disk cache raises throughput further, meeting the read and write demands of large-scale forensic investigation data.
4. The central server makes distributed manual and automatic sample investigation convenient: several nodes can process samples asynchronously, and the work of the nodes is independent and free of interference, which facilitates investigation and forensics.
5. The central server makes automatic distributed forensic equipment convenient to use: samples are pre-analysed and pre-processed, guiding the manual investigation and forensic work.
The foregoing is merely illustrative of the preferred embodiments of this invention; those skilled in the art will appreciate that changes and modifications may be made without departing from the principles of the invention, and such modifications and changes are intended to fall within the true scope of the invention.

Claims (6)

1. A centralized investigation and forensics system for intelligent mobile devices, comprising: intelligent mobile devices provided with a forensic client app, a central server running an investigation and forensics server app, and a data analysis terminal; the central server is connected to a forensic network and an investigation network at the same time; the forensic network connects the central server with each intelligent mobile device, each intelligent mobile device joining the forensic network either wirelessly through a wireless access point or by wire through an isolating USB wired Ethernet adapter, and the two networks are isolated from each other so that mutual access is prohibited; the investigation network connects the data analysis terminal with the central server, and the central server can reach the Internet through the investigation network; the central server accepts connections from the client on each intelligent mobile device, receives forensic data, provides forensic data catalogues and forensic data to the data analysis terminal, and stores investigation results; the central server uses NAS, RAID technology and the WebDAV protocol to achieve centralized, high-concurrency investigation and forensics, specifically: the central server uses RAID disk array technology to guarantee redundant backup of the data and raise throughput, and the investigation and forensics server app exchanges control data over HTTP, controls WebDAV access rights according to the business process, and thereby collects and analyses the data;
the investigation and forensics server app comprises a file storage module, a case information storage module, a file storage interface, a data interface, a forensic API interface, an investigation API interface, a forensic network service and a forensic network firewall;
the forensic network service provides network addressing, address allocation, communication and AP terminal control for the forensic network;
the forensic network firewall restricts the network connectivity of terminals in the forensic network and limits terminal access, safeguarding the security of the forensic network and the compliance of the forensic process;
the file storage module stores file data;
the case information storage module stores relational data, including sample information, inspection reports and the locations of forensic business file-type data, in a database by category and provides category-based queries;
the file storage interface encapsulates the file storage functions, hides the differences between storage back-ends and provides file-type data storage to all APIs;
the forensic API interface communicates with the forensic client app to control the forensic flow; it stores the received case information in the case information storage module by calling the data interface functions and the case's file data in the file storage module through the file storage interface;
the investigation API interface provides data access for the data analysis terminal, supplies it with case and sample data, and receives its reports.
2. The centralized investigation and forensics system for intelligent mobile devices according to claim 1, wherein the data analysis terminal is a blade server on which several distributed sample investigation nodes are deployed and connected to the investigation network, each node running the automatic sample investigation and analysis program.
3. The centralized investigation and forensics system for intelligent mobile devices according to claim 1, wherein the forensic client app collects the files, case and sample information, call records, short messages and address book of the intelligent mobile device; it packages and signs the data and sends it to the API interface over the forensic network; after receiving the data the forensic API interface verifies the signature and integrity, stores the relational data in the case information storage module through the data interface, and stores the file-type data in the file storage module through the file storage interface.
4. The centralized investigation and forensics system for intelligent mobile devices according to claim 3, wherein the forensic API interface comprises a case information API and sub-forensic APIs; the case information API comprises a case query function and a sample control function, the case query function returning the case list, case forensic notes and requirement information for the forensic operator to review, and the sample control function receiving and validating the case information filled in by the operator, returning the authentication and signing keys, and assigning the file storage and forensic API access rights, which prevents unauthorised access and improves security; the sub-forensic APIs comprise an address book forensic API, a short message forensic API, a call record forensic API and a file forensic API, which respectively receive the address book, short messages, call records and files sent by the forensic terminal.
5. The centralized investigation and forensics system for intelligent mobile devices according to claim 1, wherein the investigation API interface comprises an authentication API, a case API, a sample and data download API, and a result feedback API;
the authentication API verifies and identifies investigators and confirms the user's identity and authority;
the case API returns, according to the investigator's access rights, the case information the investigator is responsible for and the corresponding set of reports;
the sample and data download API controls the investigator's access rights and provides the investigator with downloads of sample information and key-encrypted copies of the forensic data; it also hands out the decryption key of the corresponding copy according to the investigator's permissions and reclaims the decryption permission after the validity period has expired, so that the sample can no longer be used;
the result feedback API collects the sample analysis reports produced by the investigator and the data analysis terminal.
6. A method of investigation and forensics based on the centralized investigation and forensics system for intelligent mobile devices according to any one of claims 1 to 5, comprising:
the forensic client app is started to begin collection; it accesses the case information API in the forensic API interface to query cases, the forensic operator selects the case the sample belongs to and fills in the information the case requires, and the client app reads the intelligent mobile device's information and fills in the related items automatically;
once the information is complete it is submitted to the sample control function of the forensic API interface, which configures the service and returns the keys and the forensic-parameter configuration;
on receiving the configuration the forensic client app configures its forensic parameters and, once configured, connects to the service indicated by the connection parameters and starts the collection process;
each time an item of data is acquired the forensic client app packages, verifies and signs it and sends it, according to its type, to the corresponding API in the API interface; when all collection items are finished the client notifies the sample control function that collection is complete, and collection ends;
on receiving the case and sample information the forensic API interface generates the key and authentication information, stores the case and sample information on the central server, configures the file storage interface and the API access rights, generates the configuration and returns it to the forensic client app;
after returning the configuration the forensic API interface waits for forensic data from the client app; when data arrives it is checked and verified, and the valid data is stored in the file storage module or case information storage module of the central server;
if collection times out, the sample data is invalidated and the sample state is set to invalid, requiring re-collection; if the completion notification from the forensic client app is received, the sample state is set to completed;
after the state change the forensic API interface closes the API access rights and the file storage access rights and withdraws the authentication information, and collection is finished;
after collection has finished the central server configures the investigators and their authority, controls which investigation samples they may access, and configures the user access rights of the file storage interface, the data interface and the investigation API interface, separating personnel tasks and isolating authority; personnel with the relevant authority can then access the investigation API interface and the forensic data from the data analysis terminal to analyse samples;
when an investigator begins an investigation from the data analysis terminal, the investigator first logs in by presenting authentication information to the authentication API, accesses the case API to obtain the case list and sample list, accesses the sample and data download API according to the case's analysis requirements, downloads the sample data and investigates it, writes a report from the findings when the investigation is finished, digitally signs the report and uploads it to the result feedback API of the central server, which ends the investigation;
after the result feedback API receives the report it is saved; when all forensic analysis work is complete the case authorities can read all reports, consolidate them into the final report and submit it to the requesting party.
CN202210792226.4A 2022-07-07 2022-07-07 Intelligent mobile device centralized investigation evidence collection system and investigation evidence collection method based on same Active CN115189935B (en)

Publications (2)

Publication Number Publication Date
CN115189935A CN115189935A (en) 2022-10-14
CN115189935B true CN115189935B (en) 2023-10-13

Family

ID=83517987

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant