CN116226885B - Copying machine security check evidence obtaining system and method - Google Patents

Info

Publication number: CN116226885B
Authority: CN (China)
Prior art keywords: data, copying machine, file, module, hard disk
Legal status: Active
Application number: CN202310236755.0A
Other languages: Chinese (zh)
Other versions: CN116226885A (en)
Inventors: 覃廷良, 吴长生
Current Assignee: Darth Carey Technology Beijing Co ltd
Original Assignee: Darth Carey Technology Beijing Co ltd
Events: application filed by Darth Carey Technology Beijing Co ltd; priority to CN202310236755.0A; publication of CN116226885A; application granted; publication of CN116226885B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F21/608 Secure printing
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention provides a copier security inspection and evidence collection system and method. The system comprises a data acquisition module, a data identification module and a data output module. The data acquisition module acquires the log records and copy contents of a copier and transmits them to the data identification module. The data identification module recognizes the acquired copy contents and log records using an image text recognition process and then searches them by keyword to obtain identification results. The data output module receives the identification results from the data identification module, collates them into a report, and outputs the report. By performing forensic investigation, data recovery and data extraction on the hard disk data of different copiers, the invention can extract and analyze existing or deleted files on the hard disks of different copiers, so that data leakage can be prevented in advance and risk can be managed and controlled.

Description

Copying machine security check evidence obtaining system and method
Technical Field
The invention relates to the technical field of copiers, and in particular to a system and method for security inspection and evidence collection on copiers.
Background
A copier with a file storage function is, in practice, much like a computer, and carries the same risk of data leakage and disclosure. Data stored on a copier can leak in the following ways: replacement of the hard disk during maintenance; scrapping of the copier (disposal of the complete machine); access to (download of) files on the copier over the local area network; sending files to a PC (personal computer) from the copier's operation panel; copying files from the copier to an external USB flash drive; theft of the copier (or its hard disk); scanning and sending faxes from the copier; and so on. Confidentiality checks are therefore required for this type of device.
However, there are many types of copiers, and each type uses a different hard disk storage technology, which makes it difficult to read the complete hard disk data. The prior art offers no effective tool for extracting and analyzing the hard disk data of different copiers, so a system and method for security inspection of different copiers are needed.
Disclosure of Invention
The invention aims to provide a copier security inspection and evidence collection system and method, so as to solve the problems in the prior art.
To achieve this purpose, the invention adopts the following technical scheme:
The system comprises a data acquisition module, a data identification module and a data output module. The data acquisition module acquires the log records and copy contents of the copier and transmits them to the data identification module. The data identification module recognizes the acquired copy contents and log records using an image text recognition process and then searches them by keyword to obtain identification results. The data output module receives the identification results from the data identification module, collates them into a report, and outputs the report.
Preferably, the data acquisition module comprises an offline inspection sub-module and an online inspection sub-module. The offline inspection sub-module connects to the copier's storage hard disk through an external interface and acquires the log records and copy contents on that disk. The online inspection sub-module connects to the copier via its IP address and acquires, in real time, the log records and copy contents currently stored on the copier.
Preferably, the offline inspection sub-module uses a hard disk data acquisition algorithm to read and analyze the partitions of the storage hard disk and the file system of each partition, acquires the stored data on the disk, parses it into picture files that can be previewed normally, and acquires the operation log files of the copier. The online inspection sub-module acquires and downloads the picture data and operation log information currently stored on the copier, and further checks and analyzes the acquired data to judge in real time whether the copier is being used in a safe mode, is at risk of data leakage, or shows actual evidence of data leakage.
Preferably, the data acquisition module further comprises a data decoding sub-module, which specifically performs the following:
tracking and recording the image input and output of the copier, analyzing the image file format, establishing a coding model, and designing a decoding algorithm. Specific images, graphics, documents, drawings and photos are designed as test source data; the test source data are processed with image processing software and compared with the output data obtained on the storage component after the source data are input into the copier; and, with reference to common image compression coding modes, including arithmetic coding, run-length coding, transform coding and wavelet coding, the graphic image information coding model and the decoding and error-correction software algorithm used by the copier are established by reverse analysis, so that recognizable pictures or text are obtained.
Preferably, the data identification module comprises a copy content identification sub-module and a log information identification sub-module. The copy content identification sub-module uses picture recognition technology to convert the text in the acquired pictures into text characters and automatically stores them in a database; it searches the recognized text using preset keywords to obtain search results, and at the same time retrieves the original picture in which each matched keyword appears. The log information identification sub-module obtains the parsable copy log information, marks violations in the log information, and transmits the marked log information together with the search results to the data output module.
Another object of the invention is to provide a copier security inspection and evidence collection method, which is implemented on the copier security inspection and evidence collection system and comprises the following steps:
S1, connecting the data acquisition module to the copier to be inspected, reading the copy log and copy file contents of that copier, converting them into recognizable picture text, and transmitting the result to the data identification module;
S2, the data identification module recognizes the acquired copy log and copy file contents using text recognition and picture recognition methods and performs keyword retrieval; at the same time, violation information is marked in the copy log;
S3, obtaining the keyword retrieval results, combining them with the violation markings of the copy log, outputting them to the data output module, and generating the final inspection report.
Preferably, step S1 specifically comprises:
S11, determining whether the copier to be inspected is to undergo offline or online inspection; for offline inspection, directly accessing the copier's storage hard disk through an external interface and proceeding to step S12; for online inspection, connecting to the copier over the IP network and proceeding to step S13;
S12, reading and analyzing the acquired copier hard disk data with a sector-level binary editing tool, using low-level data analysis techniques, and transmitting the copy file contents and log information read to the data identification module;
S13, directly acquiring, downloading and checking the picture data and operation log information currently stored on the copier to be inspected, and transmitting the copy file contents and log information read directly to the data identification module.
More preferably, step S12 further comprises, before the hard disk data is read and analyzed with the sector-level binary editing tool, determining the type of the copier's file system, which is one of EXT3, UFS and FAT, and then selecting the corresponding file reading method for reading and analysis.
More preferably, parsing the copy file contents read in step S12 into recognizable picture text specifically comprises: determining the compression mode of the copy file contents, which is any one of JBIG, MH, MR, MMR and JPEG compression, and selecting the corresponding parsing method for decompression and analysis.
The beneficial effects of the invention are as follows:
The invention provides a copier security inspection and evidence collection system and method that extract and analyze existing or deleted files on the hard disks of different types of copiers through forensic investigation, data recovery and data extraction on the hard disk data, thereby confirming whether confidential data is present, so that data leakage can be prevented in advance and risk can be managed and controlled.
Drawings
FIG. 1 is a schematic diagram of the copier security inspection and evidence collection method provided in Example 2;
FIG. 2 is a schematic diagram of the hard disk partition in the Fuji Xerox copier DocuCentral-IV C2263 of Example 2;
FIG. 3 shows the file names displayed after the byte pairs of the hard disk in FIG. 2 are reversed;
FIG. 4 shows the raw data of sector 0 of the hard disk in the Fuji Xerox copier DocuCentral-IV C2275;
FIG. 5 is a schematic diagram of the offline inspection flow provided in example 3;
FIG. 6 is a schematic of the on-line inspection flow provided in example 3;
FIG. 7 is a schematic diagram of a copier security check forensic system login interface;
FIG. 8 is a schematic diagram of the new task interface in the copier security check evidence collection system;
FIG. 9 is a schematic diagram of a file list obtained after recognizing a file using OCR;
FIG. 10 is a schematic diagram of a job log interface for a Canon copier acquired by a copier security check evidence obtaining system;
FIG. 11 is a schematic diagram of a keyword search setup interface;
FIG. 12 is a schematic diagram of a generated inspection report.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the detailed description is presented by way of example only and is not intended to limit the invention.
Example 1
This embodiment provides a copier security inspection and evidence collection system comprising a data acquisition module, a data identification module and a data output module. The data acquisition module acquires the log records and copy contents of the copier and transmits them to the data identification module. The data identification module recognizes the acquired copy contents and log records using an image text recognition process and then searches them by keyword to obtain identification results. The data output module receives the identification results from the data identification module, collates them into a report, and outputs the report.
The data acquisition module in this embodiment comprises an offline inspection sub-module and an online inspection sub-module. The offline inspection sub-module connects to the copier's storage hard disk through an external interface and acquires the log records and copy contents on that disk. The online inspection sub-module connects to the copier via its IP address and acquires, in real time, the log records and copy contents currently stored on the copier.
The offline inspection sub-module uses a hard disk data acquisition algorithm to read and analyze the partitions of the storage hard disk and the file system of each partition, acquires the stored data on the disk, parses it into picture files that can be previewed normally, and acquires the operation log files of the copier. The online inspection sub-module acquires and downloads the picture data and operation log information currently stored on the copier, and further checks and analyzes the acquired data to judge in real time whether the copier is being used in a safe mode, is at risk of data leakage, or shows actual evidence of data leakage.
The data acquisition module in this embodiment further comprises a data decoding sub-module, which specifically performs the following:
tracking and recording the image input and output of the copier, analyzing the image file format, establishing a coding model, and designing a decoding algorithm. Specific images, graphics, documents, drawings and photos are designed as test source data; the source data are processed with image processing software and compared with the output data obtained on the storage component after the source data are input into the copier; and, with reference to common image compression coding modes, including arithmetic coding, run-length coding, transform coding and wavelet coding, the graphic image information coding model and the decoding and error-correction software algorithm used by the copier are established by reverse analysis, so that recognizable pictures or text are obtained.
The data identification module in this embodiment comprises a copy content identification sub-module and a log information identification sub-module. The copy content identification sub-module uses picture recognition technology to convert the text in the acquired pictures into text characters and automatically stores them in a database; it searches the recognized text using preset keywords to obtain search results, and at the same time retrieves the original picture in which each matched keyword appears. The log information identification sub-module obtains the parsable copy log information, marks violations in the log information, and transmits the marked log information together with the search results to the data output module.
Example 2
This embodiment provides a copier security inspection and evidence collection method, implemented on the system described in Example 1 and comprising the following steps:
S1, connecting the data acquisition module to the copier to be inspected, reading the copy log and copy file contents of that copier, converting them into recognizable picture text, and transmitting the result to the data identification module, which specifically comprises the following steps:
S11, first determining whether the copier to be inspected is to undergo offline or online inspection; for offline inspection, directly accessing the copier's storage hard disk through an external interface and proceeding to step S12; for online inspection, connecting to the copier over the IP network and proceeding to step S13;
S12, determining the brand of the copier to be inspected and the corresponding file system type, reading and analyzing the acquired copier hard disk data with a sector-level binary editing tool, using low-level data analysis techniques, and transmitting the copy file contents and log information read to the data identification module;
For example, the hard disk in the Fuji Xerox copier DocuCentral-IV C2263 uses its own partition design. Sector 0 of the hard disk, shown in FIG. 2, is stored with each pair of bytes reversed, so when reading, a program must swap each byte pair back; after conversion the file names display normally, as shown in FIG. 3, and the data can then be read.
By contrast, the raw data of sector 0 of the hard disk in another Fuji Xerox copier, the DocuCentral-IV C2275, is not byte-pair reversed and can be read directly, as shown in FIG. 4.
The reading method is as follows: locate the start of the partition through the partition table in sector 0, determine the FAT type used by the partition, and then read the files on the hard disk with the corresponding reading method.
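The sequence described above (undo the byte-pair reversal if present, find the partition through the sector 0 partition table, determine the FAT type) can be sketched as follows. This is an added example, not code from the patent; it assumes a classic MBR partition table, that the whole image is reversed consistently when sector 0 is, and it uses a constructed two-sector sample image.

```python
import struct

SECTOR = 512

def swap_byte_pairs(buf):
    """Undo double-byte reversal: b0 b1 b2 b3 -> b1 b0 b3 b2 (even length only)."""
    out = bytearray(buf)
    out[0::2], out[1::2] = buf[1::2], buf[0::2]
    return bytes(out)

def is_pair_swapped(sector0):
    """A normal sector 0 ends in 55 AA; a byte-pair-reversed one ends in AA 55."""
    sig = sector0[510:512]
    if sig == b"\x55\xaa":
        return False
    if sig == b"\xaa\x55":
        return True
    raise ValueError("sector 0 carries no boot signature in either byte order")

def parse_partitions(mbr):
    """Return the non-empty entries of the four-slot MBR partition table."""
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count:
            parts.append({"index": i, "type": entry[4], "lba": lba, "sectors": count})
    return parts

def fat_type(boot):
    """Classify a FAT boot sector by its cluster count (the standard FAT rule)."""
    bps, spc, rsvd, nfats, root_ent, tot16 = struct.unpack_from("<HBHBHH", boot, 11)
    if boot[510:512] != b"\x55\xaa" or bps not in (512, 1024, 2048, 4096) or spc == 0:
        return None  # not a FAT boot sector
    fatsz = struct.unpack_from("<H", boot, 22)[0] or struct.unpack_from("<I", boot, 36)[0]
    total = tot16 or struct.unpack_from("<I", boot, 32)[0]
    root_sectors = (root_ent * 32 + bps - 1) // bps
    clusters = (total - (rsvd + nfats * fatsz + root_sectors)) // spc
    if clusters < 4085:
        return "FAT12"
    return "FAT16" if clusters < 65525 else "FAT32"

def identify_fat_partitions(image):
    """Return (was_swapped, [(slot, start_lba, fat_type), ...]) for a disk image."""
    swapped = is_pair_swapped(image[:SECTOR])
    if swapped:
        image = swap_byte_pairs(image)  # assumption: whole disk is reversed alike
    found = []
    for p in parse_partitions(image[:SECTOR]):
        boot = image[p["lba"] * SECTOR:(p["lba"] + 1) * SECTOR]
        found.append((p["index"], p["lba"], fat_type(boot)))
    return swapped, found

def build_sample_image(swapped):
    """Constructed sample: MBR with one partition at LBA 1 holding a FAT boot sector."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", mbr, 446, 0, b"\0\0\0", 0x06, b"\0\0\0", 1, 20000)
    mbr[510:512] = b"\x55\xaa"
    boot = bytearray(SECTOR)
    struct.pack_into("<HBHBHH", boot, 11, 512, 4, 1, 2, 512, 20000)
    struct.pack_into("<H", boot, 22, 20)  # sectors per FAT
    boot[510:512] = b"\x55\xaa"
    image = bytes(mbr + boot)
    return swap_byte_pairs(image) if swapped else image

if __name__ == "__main__":
    for flag in (True, False):
        print(identify_fat_partitions(build_sample_image(flag)))
```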
Another example is the Toshiba copier, which uses the EXT3 file system. The important metadata of the EXT3 file system, including the superblock, block group descriptor table, inodes and directory entries, each have a relatively fixed structure; by locating these structures, the whole file system can be parsed. The specific recovery flow is: read, in order, the superblock, the block group descriptor table, the root directory inode and the root directory; obtain the inode of the file or directory; read the file or directory inode; read the file or directory data blocks; and finally save the file contents, completing the file reading process.
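The read order listed above (superblock, block group descriptor table, root directory inode, root directory, file inode, data blocks) can be followed on a raw image as in this added example, which is not code from the patent. It handles direct block pointers only, and the image, the file name `joblog.txt` and its content are constructed for illustration.

```python
import struct

ROOT_INO = 2  # the root directory is always inode 2
SAMPLE_LOG = b"copy job, 3 pages (constructed sample line)\n"

def parse_superblock(img):
    """The superblock starts at byte 1024; its magic 0xEF53 sits at offset 56."""
    sb = img[1024:2048]
    if struct.unpack_from("<H", sb, 56)[0] != 0xEF53:
        raise ValueError("no EXT2/EXT3 superblock found")
    first_data_block, log_bs = struct.unpack_from("<II", sb, 20)
    rev = struct.unpack_from("<I", sb, 76)[0]
    return {
        "bs": 1024 << log_bs,
        "gdt_block": first_data_block + 1,  # descriptor table follows the superblock
        "inodes_per_group": struct.unpack_from("<I", sb, 40)[0],
        "inode_size": struct.unpack_from("<H", sb, 88)[0] if rev >= 1 else 128,
    }

def read_inode(img, sb, ino):
    """Locate an inode through its group's descriptor; return (mode, size, blocks)."""
    group, index = divmod(ino - 1, sb["inodes_per_group"])
    desc = sb["gdt_block"] * sb["bs"] + 32 * group
    inode_table = struct.unpack_from("<I", img, desc + 8)[0]
    off = inode_table * sb["bs"] + index * sb["inode_size"]
    mode = struct.unpack_from("<H", img, off)[0]
    size = struct.unpack_from("<I", img, off + 4)[0]
    return mode, size, struct.unpack_from("<12I", img, off + 40)  # direct blocks only

def read_data(img, sb, size, blocks):
    bs = sb["bs"]
    return b"".join(img[b * bs:(b + 1) * bs] for b in blocks if b)[:size]

def list_dir(data):
    """Walk the variable-length directory entries of a directory's data."""
    entries, pos = {}, 0
    while pos + 8 <= len(data):
        ino, rec_len, name_len = struct.unpack_from("<IHB", data, pos)
        if rec_len < 8:
            break  # corrupt entry: stop instead of looping forever
        if ino:
            entries[data[pos + 8:pos + 8 + name_len].decode("utf-8", "replace")] = ino
        pos += rec_len
    return entries

def read_file(img, path):
    """Resolve path from the root directory and return the file's content."""
    sb, ino = parse_superblock(img), ROOT_INO
    for part in path.strip("/").split("/"):
        mode, size, blocks = read_inode(img, sb, ino)
        if mode & 0xF000 != 0x4000:
            raise ValueError("path component is not a directory")
        ino = list_dir(read_data(img, sb, size, blocks))[part]
    _, size, blocks = read_inode(img, sb, ino)
    return read_data(img, sb, size, blocks)

def build_sample_image():
    """Constructed 12-block image (1 KiB blocks) holding one file in the root."""
    bs, img = 1024, bytearray(12 * 1024)
    struct.pack_into("<II", img, 1024 + 20, 1, 0)   # first data block 1, 1 KiB blocks
    struct.pack_into("<I", img, 1024 + 40, 16)      # inodes per group
    struct.pack_into("<H", img, 1024 + 56, 0xEF53)  # magic
    struct.pack_into("<I", img, 2 * bs + 8, 5)      # inode table starts at block 5
    for ino, mode, size, block in ((2, 0x41ED, bs, 10), (12, 0x81A4, len(SAMPLE_LOG), 11)):
        off = 5 * bs + (ino - 1) * 128
        struct.pack_into("<H", img, off, mode)
        struct.pack_into("<I", img, off + 4, size)
        struct.pack_into("<I", img, off + 40, block)
    def dirent(ino, rec_len, name, ftype):
        return (struct.pack("<IHBB", ino, rec_len, len(name), ftype) + name).ljust(rec_len, b"\0")
    img[10 * bs:11 * bs] = (dirent(2, 12, b".", 2) + dirent(2, 12, b"..", 2)
                            + dirent(12, bs - 24, b"joblog.txt", 1))
    img[11 * bs:11 * bs + len(SAMPLE_LOG)] = SAMPLE_LOG
    return bytes(img)

if __name__ == "__main__":
    print(read_file(build_sample_image(), "/joblog.txt"))
```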
Other copiers use the UFS file system, for example the RICOH Aficio MP 5000B/4000B series of Ricoh copiers, whose hard disk partitions use the UFS file type. The UFS metadata comprise the Superblock, cylinder group descriptor, inode and Directory Entry. Parsing a UFS file system requires a clear understanding of the structure of these four kinds of metadata; the operations are then carried out in a loop in the order Superblock, cylinder group descriptor, inode and Directory Entry, so that the files on the hard disk are extracted.
Parsing the copy file contents read in step S12 into recognizable picture text specifically comprises: determining the compression mode of the copy file contents, which is any one of JBIG, MH, MR, MMR and JPEG compression, and selecting the corresponding parsing method for decompression and analysis.
For copiers that use JBIG coding, such as Canon copiers, the 'Canon JBIG opening plug-in.exe' program is required to decompress the pictures and convert their format, turning the JBIG data into PDF, JPG or TIF files that can be viewed directly.
For the JPEG compression mode, used for example by Ricoh copiers, the file content can be read directly and saved as a file with the jpg suffix, which can then be browsed normally.
For the MMR compression format, used for example by Fuji Xerox and Sharp copiers, the file's attribute information and content must be restructured: a conforming TIFF file header is constructed from the attribute information of the file, and the header is then combined with the MMR body content to generate a file with the tif suffix, which can be browsed normally.
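The header-plus-body construction described for MMR data looks like this in practice. This is an added example, not code from the patent: it wraps a raw MMR (ITU-T T.6, TIFF Compression = 4) stream in a minimal single-strip little-endian TIFF. The page does not give the layout of the copier's attribute record, so width, height and resolution are passed in as parameters, and the fill order and photometric values are assumptions; the 4-byte payload is constructed.

```python
import struct

SHORT, LONG, RATIONAL = 3, 4, 5  # TIFF field types

def wrap_mmr_as_tiff(mmr, width, height, dpi=200):
    """Prefix a raw T.6 stream with a TIFF header and one image file directory."""
    if width <= 0 or height <= 0 or not mmr:
        raise ValueError("width, height and payload are required")
    tags = [                       # must be written in ascending tag order
        (256, LONG, width),        # ImageWidth
        (257, LONG, height),       # ImageLength
        (258, SHORT, 1),           # BitsPerSample: bilevel
        (259, SHORT, 4),           # Compression: CCITT T.6 (Group 4, MMR)
        (262, SHORT, 0),           # Photometric: WhiteIsZero (assumed)
        (266, SHORT, 1),           # FillOrder: MSB first (assumed)
        (273, LONG, None),         # StripOffsets, filled in below
        (277, SHORT, 1),           # SamplesPerPixel
        (278, LONG, height),       # RowsPerStrip: whole page in one strip
        (279, LONG, len(mmr)),     # StripByteCounts
        (282, RATIONAL, None),     # XResolution, stored after the directory
        (283, RATIONAL, None),     # YResolution
        (296, SHORT, 2),           # ResolutionUnit: inch
    ]
    ifd_off = 8
    xres_off = ifd_off + 2 + 12 * len(tags) + 4
    yres_off = xres_off + 8
    data_off = yres_off + 8
    offsets = {273: data_off, 282: xres_off, 283: yres_off}

    out = bytearray(struct.pack("<2sHI", b"II", 42, ifd_off))
    out += struct.pack("<H", len(tags))
    for tag, ftype, value in tags:
        # In little-endian files a SHORT value occupies the low bytes of the slot.
        out += struct.pack("<HHII", tag, ftype, 1, offsets.get(tag, value))
    out += struct.pack("<I", 0)                # no further directories
    out += struct.pack("<II", dpi, 1) * 2      # X and Y resolution as dpi/1
    out += mmr
    return bytes(out)

def read_tiff_tags(tiff):
    """Read back the first directory as {tag: value_or_offset} to verify the wrap."""
    order, magic, ifd_off = struct.unpack_from("<2sHI", tiff, 0)
    if order != b"II" or magic != 42:
        raise ValueError("not a little-endian TIFF")
    count = struct.unpack_from("<H", tiff, ifd_off)[0]
    tags = {}
    for i in range(count):
        tag, _, _, value = struct.unpack_from("<HHII", tiff, ifd_off + 2 + 12 * i)
        tags[tag] = value
    return tags

# Constructed payload: T.6 coding of an all-white 8-row page
# (one V0 bit per row, then the end-of-block code).
SAMPLE_MMR = b"\xff\x00\x10\x01"

if __name__ == "__main__":
    tiff = wrap_mmr_as_tiff(SAMPLE_MMR, width=1728, height=8)
    with open("recovered_page.tif", "wb") as fh:
        fh.write(tiff)
    print(read_tiff_tags(tiff))
```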
In addition, the picture storage formats of the TOSHIBA copier include RK1 files. An RK1 file is an encrypted file that is copied and stored in the electronic archive, and the recovered data of such a file cannot be decoded directly. A virtual Web Server environment of the TOSHIBA copier is therefore constructed with the help of the TOSHIBA copier client tool TOSHIBA e-STUDIO File Downloader, and the same tool is used to decrypt the RK1 file and convert it into a browsable PDF or TIFF file.
S13, directly acquiring, downloading and checking the picture data and operation log information currently stored on the copier to be inspected, and transmitting the copy file contents and log information read directly to the data identification module.
Online inspection avoids disassembling and reassembling the machine: the copier's data can be downloaded from a computer over the copier's network interface simply by entering the copier's IP address, login account and password.
Some data files on the copier have been deleted through the copier's operation panel or its web management client. Some deleted files can be restored; others cannot, because the original data on the hard disk was filled with zeros after deletion. The system provided by the invention recovers data to the maximum extent possible, based on the following principle: when data is deleted, the file system only marks the file's metadata as deleted and marks the space holding the data as available; the originally stored content is not destroyed, which leaves room for recovery.
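The recovery principle above, shown on a FAT directory as an added example (not code from the patent): a deleted entry keeps its start cluster and size and only has its first name byte replaced by 0xE5, so the content can be read back unless the clusters were zero-filled. The example assumes the file was stored contiguously, since the FAT chain is cleared on deletion; the directory, data region and file names are constructed.

```python
import struct

DELETED, END_OF_DIR = 0xE5, 0x00
ATTR_LFN, ATTR_DIR_OR_LABEL = 0x0F, 0x18

def scan_deleted_entries(directory):
    """Return deleted short-name file entries found in raw FAT directory bytes."""
    found = []
    for off in range(0, len(directory) - 31, 32):
        entry = directory[off:off + 32]
        if entry[0] == END_OF_DIR:
            break  # nothing was ever allocated past this point
        if entry[0] != DELETED or entry[11] == ATTR_LFN or entry[11] & ATTR_DIR_OR_LABEL:
            continue
        hi = struct.unpack_from("<H", entry, 20)[0]
        lo, size = struct.unpack_from("<HI", entry, 26)
        # The first character is lost on deletion; "_" stands in for it.
        stem = "_" + entry[1:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        found.append({"name": f"{stem}.{ext}" if ext else stem,
                      "cluster": (hi << 16) | lo, "size": size})
    return found

def recover(image, entry, data_start, cluster_size):
    """Read a deleted file's bytes; report when the space was zero-filled."""
    if entry["cluster"] < 2 or entry["size"] == 0:
        return "no-data", b""
    start = data_start + (entry["cluster"] - 2) * cluster_size
    data = image[start:start + entry["size"]]
    if len(data) < entry["size"]:
        return "truncated", data
    if not any(data):
        return "zero-filled", b""  # the unrecoverable case described on the page
    return "recovered", data

def build_sample():
    """Constructed sample: one directory sector followed by three data clusters."""
    def dirent(name, ext, cluster, size, deleted=False):
        raw = bytearray(32)
        raw[0:11] = name.ljust(8).encode() + ext.ljust(3).encode()
        raw[11] = 0x20  # archive attribute
        struct.pack_into("<H", raw, 20, cluster >> 16)
        struct.pack_into("<HI", raw, 26, cluster & 0xFFFF, size)
        if deleted:
            raw[0] = DELETED
        return bytes(raw)
    directory = (dirent("SCAN0001", "TIF", 2, 14)
                 + dirent("SCAN0002", "TIF", 3, 14, deleted=True)
                 + dirent("SCAN0003", "TIF", 4, 14, deleted=True)).ljust(512, b"\0")
    data = (b"LIVE-PAGE-0001".ljust(512, b"\0")     # cluster 2: live file
            + b"GONE-PAGE-0002".ljust(512, b"\0")   # cluster 3: deleted, intact
            + bytes(512))                           # cluster 4: deleted, zero-filled
    return directory + data

def inspect_sample():
    image = build_sample()
    results = []
    for entry in scan_deleted_entries(image[:512]):
        status, data = recover(image, entry, data_start=512, cluster_size=512)
        results.append((entry["name"], status, data))
    return results

if __name__ == "__main__":
    for row in inspect_sample():
        print(row)
```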
Job log content includes print/copy logs, fax logs, error logs, startup and shutdown logs and the like. The log storage format differs between copiers. For Canon copiers, the log information is essentially stored as log text and can be parsed directly into readable log information. For Fuji Xerox copiers, the logs are stored under the system\log\cj\hist\00 directory of the third partition, and the copier's operation log information is obtained by processing the files there.
Some copiers, however, such as Ricoh and Toshiba copiers, do not store log information on the hard disk, so log operation information cannot be obtained directly from the hard disk. Their log information is stored in the copier's operating system, which runs in an embedded storage environment such as a memory chip fixed to the copier's main board, so the memory chip must be read to acquire the log information.
S2, the data identification module recognizes the acquired copy logs and copy file contents using OCR text recognition and picture recognition methods and performs keyword retrieval; at the same time, violation information is marked in the copy log, that is, after the corresponding keywords are found, the matching log entries are highlighted in red;
S3, obtaining the keyword retrieval results, combining them with the violation markings of the copy log, outputting them to the data output module, and generating the final inspection report.
Example 3
This embodiment provides a specific implementation of the copier inspection, which proceeds as follows:
First, determine whether offline or online inspection is to be used. For offline inspection, the process follows the flow shown in FIG. 5: the hard disk is removed from the copier and connected to the copier security inspection and evidence collection system, the system is started, and a new evidence collection task is created to begin the inspection.
For online inspection, the process follows the flow shown in FIG. 6: the copier is connected over the network, the system is started, and a new evidence collection task is created to begin the inspection.
When the copier security inspection and evidence collection system is run, the user must first log in. The login interface is shown in FIG. 7; the user enters a login user name and password, and subsequent operations can proceed only after operation permission is obtained.
Login users have one of two permission levels. An ordinary user can, after logging in, only carry out confidentiality inspection tasks, which include adding operation tasks, setting device information, setting keywords, viewing logs, changing the login password and the like. A system administrator has the rights of an ordinary user plus rights over ordinary users' information.
The new task interface is shown in FIG. 8 and provides refresh, scan, query, delete and reset functions. Refresh rescans the hard disk information of disks attached through the USB interface and applies to offline inspection; scan scans for copiers on the same local area network and applies to online inspection; delete and reset are used to delete specified task information or to clear the fields in the view after task information has been filled in incorrectly.
When filling in task information, the task name, task executor, data source and device information must be provided, with the data source chosen according to the inspection type. Taking offline inspection as an example: select the hard disk source, refresh the attached hard disk information, and select the corresponding hard disk data; the system then automatically matches the device information. If the device information cannot be matched automatically, the hard disk information is not stored in the database, and the device information can be entered manually.
After the device information is successfully acquired, proceed to the next step: the system selects the data file parsing method corresponding to the device type and automatically parses the file information on the hard disk, whether the file system is FAT, EXT or UFS.
Because parsing the file system involves OCR (optical character recognition), the OCR driver files must be installed in advance. After the files are read, the resulting file list is shown in FIG. 9; it includes normal files, scattered files, deleted files and job logs. For normal files, clicking any file allows the following operations:
parsing the file system, refreshing, previewing the original image, viewing file attributes, saving a single file, saving all files, OCR recognition of a single file, OCR recognition of all files, and viewing the job log.
Refresh: re-parse the hard disk file system and re-acquire the hard disk files;
Preview original image: display the specified file on the hard disk using a PDF reader;
View file attributes: display the attribute information of the file;
Save: store the specified file to a default or custom location;
OCR recognition: use OCR technology to recognize a single picture file or all picture files into editable documents.
For scattered and deleted files, the hard disk's file system is parsed and the deleted files are recovered; the available operations are essentially the same as for normal files.
For job logs: the hard disk is parsed to obtain the copier's operation log, which is displayed in the system; FIG. 10 shows, for example, the job log of a Canon copier.
After file parsing is complete, keyword search is used. The keyword search settings interface is shown in FIG. 11: keywords are set and entered, the system automatically searches the recognized documents in the database for documents containing the keywords, and the search results are displayed once the search completes.
An inspection report is generated from the search results, as shown in FIG. 12. The report shows whether the copier's files contain the keywords and whether a leak of confidential information exists.
The technical scheme disclosed by the invention provides the following beneficial effects:
The invention provides a security check evidence obtaining system and method for copying machines. Through investigative evidence collection, data recovery and data extraction performed on the hard disk data of different copying machines, existing files and deleted files on those hard disks are extracted and analyzed, so that data leakage is prevented in advance and risk is managed and controlled.
The foregoing is merely a preferred embodiment of the present invention. It should be noted that those skilled in the art may make modifications and adaptations without departing from the principles of the present invention, and these are also intended to be covered by the present invention.

Claims (5)

1. A security check evidence obtaining system for a copying machine, characterized by comprising a data acquisition module, a data identification module and a data output module, wherein the data acquisition module acquires the log records and/or copy contents of the copying machine and transmits them to the data identification module; the data identification module recognizes the acquired copy contents and log records using a picture character recognition process and then performs a keyword search to obtain a recognition result; and the data output module receives the recognition result from the data identification module, collates it into information, and generates and outputs a report;
the data acquisition module further comprises a data decoding submodule, which specifically performs the following:
tracking and recording the image input and output of the copying machine, analyzing the image file format, establishing a coding model, and designing a decoding algorithm; designing specific images, graphics, documents, drawings and photos as test source data, processing the test source data with image processing software, comparing it with the output data obtained on the storage component after the source data has been input into the copier, and, with the aid of common image compression coding modes including arithmetic coding, run-length coding, transform coding and wavelet coding, establishing by reverse analysis the graphic image information coding model and the decoding and error-correction software algorithm used by the copier, so as to obtain identifiable pictures or characters;
the system implements a security check evidence obtaining method for a copying machine, the method comprising the following steps:
S1, connecting to the copying machine to be checked using the data acquisition module, reading the copy log and/or copy file content of the copying machine to be checked, converting the acquired copy log and copy file content into identifiable picture text, and transmitting the identifiable picture text to the data identification module; step S1 specifically includes:
S11, determining whether the copying machine to be checked is to undergo offline checking or online checking; for offline checking, directly accessing the storage hard disk of the copying machine to be checked through an external interface and proceeding to step S12; for online checking, connecting to the copying machine to be checked over an IP network and proceeding to step S13;
S12, reading and analyzing the obtained hard disk data of the copier with a sector-level binary editing tool, using low-level data analysis technology, parsing the copy file content that was read into identifiable picture text, and transmitting the identifiable picture text to the data identification module;
S13, directly acquiring, downloading and checking the picture data currently stored on the copying machine to be checked and its existing operation log information, and transmitting the copy file content and log information that were read directly to the data identification module;
S2, the data identification module recognizes the obtained copy log and copy file content using character recognition and picture recognition methods and performs keyword retrieval; at the same time, it marks violation information in the copy log;
S3, obtaining the keyword retrieval result, combining it with the violation information marked in the copy log, outputting the combined result to the data output module, and generating the final inspection report;
in step S12, before the obtained hard disk data of the copying machine is read and analyzed with the sector-level binary editing tool using low-level data analysis technology, the type of the copying machine's file system is determined, being one of EXT3, UFS and FAT; the corresponding file reading mode is then selected for reading and analysis;
for a copying machine file system in which the byte pairs in the raw data of sector 0 of the hard disk are reversed, the byte pairs on the hard disk must be reversed back by a program when the file system is read, and once the converted file names display normally, the files on the hard disk are read to obtain the files;
for a copying machine file system in which the raw data of sector 0 of the hard disk is not byte-pair reversed, the head of the partition is located through the partition table in sector 0, the FAT file system type used by the partition is confirmed, and the files on the hard disk are then read with the corresponding reading method to obtain the files;
for the EXT3 file system, the superblock, the block group descriptor table, the root directory inode and the root directory are read in sequence, the inode of the file or directory is obtained, the file or directory inode is read, the file or directory data blocks are read, and finally the file content is saved to complete the file reading process;
for the UFS file system, the Superblock, Cylinder Group Descriptor, inode and Directory Entry included in the UFS file system are cleared, and then the files in the hard disk are extracted by looping over the Superblock, Cylinder Group Descriptor, inode and Directory Entry.
2. The security check evidence obtaining system for a copying machine according to claim 1, wherein the data acquisition module comprises an offline checking sub-module and an online checking sub-module; the offline checking sub-module is connected to the storage hard disk of the copying machine through an external interface and obtains the log records and/or copy contents in the storage hard disk; the online checking sub-module is connected to the copying machine over IP and obtains the existing stored log records and/or copy contents of the copying machine in real time.
3. The security check evidence obtaining system for a copying machine according to claim 2, wherein the offline checking sub-module reads and analyzes the storage hard disk partition through the hard disk data obtaining algorithm, reads and analyzes the file system of the hard disk partition, obtains the data related to the stored data in the storage hard disk, parses that data into picture files that can be previewed normally, and obtains the operation log file of the copying machine; the online checking sub-module acquires and downloads the existing stored picture data and the existing operation log information of the copying machine, and further checks and analyzes the acquired data to judge in real time whether the copying machine is in a safe use mode, is at risk of data leakage, or shows actual evidence of data leakage.
4. The security check evidence obtaining system for a copying machine according to claim 1, wherein the data identification module comprises a copy content identification sub-module and a log information identification sub-module; the copy content identification sub-module converts the text in the obtained pictures into text characters by picture recognition technology and automatically stores them in a database, searches the recognized text according to preset keywords to obtain a search result, and at the same time obtains the original picture in which each keyword in the search result is located; the log information identification sub-module obtains the parsable copy log information, marks violations in the log information, and transmits the violation markings together with the search result to the data output module.
5. The security check evidence obtaining system for a copying machine according to claim 1, wherein parsing the copy file content read in step S12 into identifiable picture text specifically comprises: determining the compression mode of the copy file content, being any one of JBIG, MH, MR, MMR and JPEG compression, and selecting the decompression method corresponding to that compression mode for decompression and analysis.
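As an added illustration of the sector-0 handling recited in claim 1 (this is not code from the patent), the Python example below detects a byte-pair-reversed disk, reverses it back, walks the sector-0 partition table to the head of each partition, and confirms the FAT type there. It assumes a standard MBR layout, uses the 0x55 0xAA boot signature at offset 510 as the reversal indicator, and applies the usual cluster-count rule for FAT12/16/32; all function names are hypothetical and the sample image is constructed.

```python
import struct

SECTOR = 512

def swap_byte_pairs(data: bytes) -> bytes:
    """Exchange the two bytes of every 16-bit word (AB CD -> BA DC); even length only."""
    out = bytearray(data)
    out[0::2], out[1::2] = data[1::2], data[0::2]
    return bytes(out)

def fat_type(boot: bytes) -> str:
    """Classify a FAT volume by cluster count, computed from its boot-sector fields."""
    if len(boot) < SECTOR or boot[510:512] != b"\x55\xaa":
        return "not FAT"
    bps, spc, rsvd, nfats, root_ents, tot16 = struct.unpack_from("<HBHBHH", boot, 11)
    if not bps or not spc:
        return "not FAT"
    fatsz = struct.unpack_from("<H", boot, 22)[0] or struct.unpack_from("<I", boot, 36)[0]
    total = tot16 or struct.unpack_from("<I", boot, 32)[0]
    root_secs = (root_ents * 32 + bps - 1) // bps
    clusters = (total - rsvd - nfats * fatsz - root_secs) // spc
    return "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"

def inspect_disk(image: bytes) -> tuple[bool, list]:
    """Return (was_byte_swapped, [(partition_type, start_lba, fat_type), ...])."""
    sig = image[510:512]
    if sig not in (b"\x55\xaa", b"\xaa\x55"):
        raise ValueError("sector 0 carries no MBR boot signature")
    swapped = sig == b"\xaa\x55"  # assumption: a reversed signature means a swapped disk
    def sector(lba: int) -> bytes:
        raw = image[lba * SECTOR:(lba + 1) * SECTOR]
        return swap_byte_pairs(raw) if swapped else raw
    mbr, found = sector(0), []
    for off in range(446, 510, 16):  # four 16-byte partition table entries
        ptype = mbr[off + 4]
        lba, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype and count:
            found.append((ptype, lba, fat_type(sector(lba))))
    return swapped, found

def sample_image() -> bytes:
    """Constructed two-sector image: an MBR plus one FAT16 boot sector at LBA 1."""
    mbr, boot = bytearray(SECTOR), bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0, b"\0" * 3, 0x04, b"\0" * 3, 1, 40000)
    struct.pack_into("<HBHBHH", boot, 11, 512, 4, 1, 2, 512, 40000)
    struct.pack_into("<H", boot, 22, 40)  # sectors per FAT
    mbr[510:512] = boot[510:512] = b"\x55\xaa"
    return bytes(mbr + boot)
```

Calling inspect_disk on sample_image() and on swap_byte_pairs(sample_image()) yields the same partition list, with the first element of the result reporting whether the reversal had to be undone.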

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310236755.0A CN116226885B (en) 2023-03-07 2023-03-07 Copying machine security check evidence obtaining system and method


Publications (2)

Publication Number Publication Date
CN116226885A CN116226885A (en) 2023-06-06
CN116226885B true CN116226885B (en) 2024-01-23

Family

ID=86582253

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310236755.0A Active CN116226885B (en) 2023-03-07 2023-03-07 Copying machine security check evidence obtaining system and method

Country Status (1)

Country Link
CN (1) CN116226885B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5798844A (en) * 1993-07-23 1998-08-25 Ricoh Company, Ltd. Duplicator having function concerning specific mark put on recording sheet and image forming apparatus having function of processing confidential documents
CN1445711A (en) * 2002-03-20 2003-10-01 富士施乐株式会社 Image read apparatus and copier
CN107392060A (en) * 2017-07-03 2017-11-24 北京立思辰计算机技术有限公司 A kind of hard disk, duplicator safety detection method, system
CN207115412U (en) * 2017-04-26 2018-03-16 北京立思辰计算机技术有限公司 A kind of duplicator safety check system
CN110348240A (en) * 2019-06-24 2019-10-18 中国人民解放军战略支援部队信息工程大学 Duplicator off-line data extracts analysis method and device




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant