KR20230045208A - Device and method for collecting digital evidence - Google Patents

Abstract

Various embodiments of the present disclosure relate to a device and method for collecting digital evidence using blockchain to secure the evidentiary ability of digital evidence. By removing the dynamic content of illegal web pages, reliability is ensured so that the same content can be obtained from any web collection node, and the integrity and identity of the digital evidence can be guaranteed by storing the obtained digital evidence in the blockchain. Various other embodiments are possible.

Description

Digital evidence collection device and method {DEVICE AND METHOD FOR COLLECTING DIGITAL EVIDENCE}

Various embodiments of the present disclosure relate to an apparatus and method for collecting digital evidence based on blockchain technology.

Most web pages use a combination of static and dynamic content. The static content refers to data that shows the same content regardless of who requests the server at any time. The dynamic content refers to data in which a web page displayed on a screen changes depending on who requests the server when and how. The dynamic content may be, for example, customized information for each user, such as an advertisement recommended according to a usage pattern, a customized channel, and an internet map that changes depending on a location from which the user accesses the dynamic content.

Blockchain technology is a distributed computing technology that makes data into blocks and connects each block with a chain so that information cannot be modified. It is one of the technologies that can safely store and manage data. The basic structure for the blockchain technology is in the form of a block collection in which blocks are sequentially connected, and is based on a peer to peer (P2P) network. Network participants go through a process of exchanging, verifying, and/or validating transaction information for a certain period of time, and only transaction information that has been mutually agreed upon can be made into one block. The network participant can connect the newly created block to the previous block chain, make a copy of it, and distribute and store it in the digital equipment of each network participant. The network participants may use technologies such as hash functions, digital signatures, or consensus algorithms for secure transaction information exchange. Data of various lengths that are not specified may be converted into strings of a certain length by passing through a hash function. Since the hash value of the original data, which is the input of the hash function, is completely changed even with a slight modification, forgery or falsification can be easily determined. Since the hash function is a one-way conversion, original data, which is an input value, cannot be restored using a hash value that is a result of the hash function. Blockchain technology can maintain a linked list in the form of a chain by signing a block using a hash value and recording the hash value of the previous block in the next block. Since a specific block made based on the blockchain technology is connected to other blocks, it is not easy to forge or falsify. For this reason, blockchain technology can be used in various public and private areas that require proof of integrity for data sources.

Digital evidence is information that has value as evidence stored or transmitted in digital form. Unlike physical evidence, there are files, images, videos, sounds, and network packets exchanged through networks that are invisible but stored in electronic devices.

Unlike other evidence, digital evidence is easy to delete and change. Just opening a file can unintentionally change the properties of a file, compromising its identity and integrity as digital evidence. In particular, due to the dynamic content inserted into the web page, even if the digital evidence is obtained from the same web page, the contents shown on the screen may be different each time access is made, so the authenticity of the obtained digital evidence may be questioned. In other words, even though the essential content of illegal content has not changed, it can be regarded as forged or altered due to minor changes.

In addition, digital evidence must be reliable in all stages of evidence acquisition, analysis, and destruction, and trust in hardware and software used in all processes must be prioritized.

Various embodiments of the present disclosure may provide a digital evidence collection apparatus and method for collecting digital information so that evidence capability can be recognized.

Various embodiments of the present disclosure provide a digital evidence collection apparatus and method for collecting digital evidence using blockchain technology after removing dynamic content included in an illegal webpage.

Various embodiments provide a digital evidence collection device and method that enables the same digital information to be collected from more than half of web collection nodes in recording digital information in a blockchain.

According to an embodiment of the present disclosure, a digital evidence collection device collects first webpage data for displaying at least one webpage on a screen from a web server, and collects dynamic content data included in the first webpage data. A deep web format (DWT: Deep Web Tar) collects second web page data from the web server using at least one DWT generation node configured to generate a file and access information that is one of the reference information included in the DWT file, and one of the reference information Based on the parsing rule file, parsing is performed to remove dynamic content data included in the second web page data to obtain a HyperText Markup Language (HTML) file from which dynamic content is removed, and the HTML A plurality of collecting nodes configured to inspect whether the first digital evidence file included in the DWT file is forged or falsified based on a file, and verify whether the DWT file is falsified or tampered with based on the inspection result; and configured to store at least one of a DWT file verified that it has not been forged or tampered with by the plurality of collection nodes among the DWT files or a hash value of the verified DWT file in a block created by blockization using blockchain technology and a block generating node, wherein the reference information included in the DWT file includes a second digital evidence file including a static file existing in the at least one webpage, and a dynamic file included in the at least one webpage. metadata for the at least one webpage and the parsing rule file configured to remove content, the metadata including: a hash value of the first digital evidence file; and the hash value of the file, the hash value of the parsing rule file, creation time information of the first digital evidence file, and the access information that is the access address of the at least one web page.

In addition, according to an embodiment of the present disclosure, a method for collecting digital evidence by a device removes dynamic content data included in first webpage data for displaying at least one webpage collected from a web server on a screen. An operation of obtaining a first digital evidence file by performing parsing to include the first digital evidence file and reference information considered for obtaining the first digital evidence file in a deep web format (DWT: Deep Web Tar) file, collecting second web page data from the web server using access information, which is one of the reference information included in the generated DWT file, and collecting the second web page data An operation of obtaining a HyperText Markup Language (HTML) file from which dynamic content is removed by performing parsing to remove dynamic content data included in the reference information based on a parsing rule file, which is one of the reference information; An operation of checking whether the first digital evidence file included in the DWT file is forged or falsified based on an HTML file, an operation of verifying whether or not the DWT file is forged or falsified based on the inspection result, and the DWT file and storing at least one of a DWT file verified to have not been forged or tampered with or a hash value of the verified DWT file in a block created by blockization using blockchain technology, wherein the DWT file The reference information included in the second digital evidence file including a static file existing in the at least one webpage, the parsing rule file configured to remove dynamic content included in the at least one webpage, and the at least one It includes metadata about one web page, wherein the metadata includes a hash value of the first digital evidence file, a hash value of the static file included in the second digital evidence file, and a hash value of the parsing rule file. , the creation time information of the first digital evidence file and the access information that is the access address of the at least one web page.

According to various embodiments proposed in the present disclosure, by collecting digital information from which dynamic content is removed by applying block chain technology as digital evidence, it is possible to secure reliability as evidence, as well as ensure integrity or identity of evidence. can do.

1 illustrates the overall configuration of a digital evidence collection device according to various embodiments of the present disclosure.
2 is a structure of a Deep Web Tar (DWT) file according to various embodiments of the present disclosure.
3 illustrates an example DWT file according to various embodiments of the present disclosure.
4 illustrates a result of removing dynamic content from a webpage according to various embodiments of the present disclosure.
5 is a flowchart schematically illustrating a process of collecting, verifying, and storing digital evidence in a blockchain according to various embodiments of the present disclosure.
6A and 6B are flowcharts illustrating operations of verifying integrity of a DWT file by an ingestion node according to various embodiments of the present disclosure.
7 is a flowchart illustrating a block generation process according to various embodiments of the present disclosure.
8 is a block structure according to various embodiments of the present disclosure.
9 is an example of a block structure according to various embodiments of the present disclosure.

Hereinafter, various embodiments will be described in detail with reference to the accompanying drawings. In the following description, specific details such as detailed configurations and elements are provided merely to facilitate a general understanding of embodiments of the present disclosure. Accordingly, it should be apparent to those skilled in the art that various changes and modifications of the embodiments described herein may be made without departing from the scope and spirit of the present disclosure. Also, descriptions of well-known functions and structures may be omitted for clarity and conciseness.

1 illustrates the overall configuration of a digital evidence collection device according to various embodiments of the present disclosure.

Referring to FIG. 1, according to an embodiment, a digital evidence collection apparatus 100 includes at least one deep web tar (DWT) generation node 110, a plurality of collection nodes 120, and at least one block generation node ( 130) may be included.

According to an embodiment, the DWT generation node 110 , the collection node 120 , and the block generation node 130 may be peers of the P2P network 140 . The P2P network 140 is a self-organizing system composed of autonomous entities having equal qualifications for the purpose of sharing distributed resources without a centralized service concept.

According to one embodiment, the DWT generation node 110 and the collection node 120 may operate in a different network from the block generation node 130. The block generating node 130 may be included in a blockchain. The DWT creation node 110 and the collection node 120 operate in such a way that a DWT file is created in a separate layer outside the blockchain, verified, and the result is recorded in the blockchain. Speed and scalability can be improved.

According to an embodiment, the DWT generation node 110 may operate in a network different from a network to which the collection node 120 and the block generation node 130 belong.

According to an embodiment, the P2P network 140 may be one of networks such as WiFi (Wireless Fidelity), LAN (Local Area Network), WAN (Wide Area Network), and the Internet, but the scope of the present disclosure is limited thereto. It is not. The P2P network 140 includes Ethernet, Global System for Mobile Communications (GSM), Enhanced Data GSM Environment (EDGE), Code Division Multiple Access (CDMA), Time Division Multiplexing Access (TDMA), 5G, LTE Advanced (LTE), It may be implemented using any of various wired or wireless communication protocols such as LTE Advance (LTE-A), Bluetooth, VoIP, WiMAX, and Wireless Broadband (WiBro). The P2P network 140 may include a connection of network elements such as hubs, bridges, routers, switches, or gateways. The P2P network 140 may include one or more connected networks, eg, a multi-network environment, including a public network such as the Internet and a private network such as a secure corporate private network. Access in the P2P network 140 may be provided through one or more wired or wireless access networks. Furthermore, the P2P network 140 may support an Internet of Things (IoT) network that exchanges and processes information between distributed components such as things.

According to an embodiment, the DWT generation node 110, the collection node 120, and the block generation node 130 may physically operate in the same electronic device. For example, the DWT generation node 110a and the collection node 120a can physically operate in the same electronic device, and the collection node 120b and the block generation node 130b can physically operate in the same electronic device. there is. For example, the DWT generation node 110c, the collection node 120c, and the block generation node 130c may physically operate in the same electronic device. The electronic devices may include devices capable of performing various types of computing and communication functions. The electronic device may be, for example, a desktop computer, a smart phone, a tablet PC (personal computer), a laptop, a PDA (personal digital assistants), or a wearable device.

According to one embodiment, the DWT creation node 110 may initiate an operation when a predetermined event occurs. The predetermined event may be, for example, a report on illegal content by an investigator/investigation agency or a natural person or an illegal content identifier. The DWT creation node 110 may start collecting illegal contents upon receiving such an event.

According to one embodiment, the DWT generation node 110 may obtain user input. Based on user input, the DWT creation node 110 obtains information about a web page on which illegal content is posted, accesses the Internet address of the web page on which illegal content is posted, and performs operations required to create a DWT file. can be done The structure of the DWT file will be described below with reference to FIG. 2 .

According to one embodiment, the DWT file may be propagated through the P2P network 140 for block generation and verification.

According to one embodiment, DWT files may be propagated using the Gossip Protocol. The gossip protocol is based on a rumor spreading method, in which one node of a network transmits information (gossip) to a neighboring node. Some distributed systems use gossip protocols so that data is distributed to all members of the peer-to-peer network 140.

According to one embodiment, the aggregation node 120 may obtain the DWT file using a gossip protocol.

According to an embodiment, the DWT creation node 110 may distribute link information for downloading the DWT file instead of the DWT file in consideration of the capacity of the DWT file.

According to an embodiment, the collection node 120 may extract a first digital evidence file, a second digital evidence file, a parsing rule file, and DWT metadata bundled in the DWT file by decompressing the DWT file.

According to one embodiment, the collection node 120 may obtain the Internet address of a web page on which illegal content is posted from DWT metadata. The collecting node 120 may collect illegal contents by accessing the obtained Internet address.

According to one embodiment, the collection node 120 may use a special browser to collect illegal content. Many illegal websites are highly anonymous and are served through the Dark Web or the Deep Web, which are not accessible by general search engines. The dark web or the deep web can be accessed through a dedicated browser, for example, a TOR (The Onion Router) browser. Compared to the response speed of the normal web (Surface Web), the response speed of the dark web is relatively slow. The slow response speed of the dark web is due to onion routing, which must be used in order to access the dark web. In the onion routing, a client does not directly communicate with a server, but communicates with another client through tunneling.

According to one embodiment, the collection node 120 may set a session timeout time of a web browser used to collect illegal content relatively shorter than a default value. In order to avoid tracking, illegal web pages have the characteristics of providing services only for a certain period of time, providing services irregularly, and changing Internet addresses from time to time. Due to this characteristic, there may be a case in which a server matching the Internet address of the already acquired illegal content may not be found. Even in this case, the web browser of the collection node 120 does not return from the server until the time set as the default value of the session timeout elapses. will wait for a response from If the response waiting time of the web browser of the collection node 120 is shortened and set, the collection speed can be shortened by quickly determining accessible addresses and non-accessible addresses.

According to an embodiment, the collection node 120 accesses the Internet address of an illegal webpage obtained from DWT metadata, downloads the illegal webpage, and parses the downloaded illegal webpage included in the DWT file. A rule file can be applied to create an HTML file from which dynamic content is removed.

According to an embodiment, the collecting node 120 may calculate the hash value of the HTML file from which the dynamic content is removed and the hash value of the first digital evidence file included in the DWT file, respectively. The collection node 120 compares the hash value of the HTML file from which the dynamic content is removed, the hash value of the first digital evidence file included in the DWT file, and the "HTMLHash" attribute value obtained from DWT metadata, and obtains three values. If the hash values of do not match, it can be determined that the DWT file is not available. The collection node 120 compares the hash value of the static file collected from the illegal web page with the “StaticHash” attribute value obtained from the DWT metadata, and if they do not match, it may be determined that the DWT file is not available. The collection node 120 calculates the hash value of the parsing rule file included in the DWT file, compares it with the “ParseHash” attribute value obtained from the DWT metadata, and if it does not match, the DWT file is not available can judge

The collecting node 120 acquires the creation time of the first digital evidence file included in the DWT file, compares it with the "Datetime" attribute value obtained from the DWT metadata, and if it does not match, the DWT file is not available. It can be judged that it is not.

According to an embodiment, the aggregation node 120 may promote the aggregation node 120 that has contributed to the P2P network 140 for a certain period of time to a verification node, or designate a manager as a verification node to verify the DWT file.

A detailed verification procedure will be conceptually described below with reference to FIGS. 6A and 6B.

According to one embodiment, the block generating node 130 may participate as a node in a blockchain system.

According to one embodiment, the DWT generation node 110 and the collection node 120 may also participate as nodes in the blockchain system.

According to one embodiment, the blockchain system may be a permissioned blockchain for investigation. The blockchain system can be divided into a permissionless blockchain and a permissioned blockchain depending on whether or not the participation of nodes participating in the blockchain is restricted. The permissionless blockchain may be called a public blockchain. The permissioned blockchain may be classified as a private blockchain or a consortium blockchain according to an operating method. In the permissionless blockchain, a plurality of nodes may compete with each other to generate a block in order to receive an incentive, and a proof-of-work based consensus algorithm may be used for the generated block. In the permissioned blockchain, a consensus algorithm different in nature from that used in the non-permissioned blockchain system may be applied. In the permissioned blockchain, a node with the qualification to create a block is pre-determined, a committee composed of the nodes is formed, and a consensus block is created through an agreement between the members of the committee. It is also possible to use a method of propagating to other nodes.

According to one embodiment, the block generation node 130 monitors the network between blockchain nodes, and if it is agreed that the DWT file is available, the DWT file is added to an existing block or a new block is created, and the creation A block can be combined and stored in a block chain, and the block data can be shared with at least one other block chain node. According to another embodiment, the network block generation node 130 may store the hash value of the DWT file and/or the link information of the DWT file as block data instead of the DWT file in consideration of network overload.

2 is a structure of a DWT file according to various embodiments of the present disclosure.

Referring to FIG. 2 , according to an embodiment, a DWT file 200 includes a first digital evidence file 210, a second digital evidence file 220, a parsing rule file 230, and/or DWT metadata 240. ) may be included.

According to one embodiment, the DWT creation node 110 converts the first digital evidence file 210, the second digital evidence file 220, the parsing rule file 230 and/or the DWT metadata 240 to the tar command. can be combined into a single file.

According to an embodiment, the first digital evidence file 210 may be a result of removing dynamic content from an HTML file of a web page on which illegal content is displayed. The dynamic content refers to data in which the contents of a webpage displayed on a screen are changed at random, by a user's location, device, or time accessing the webpage. If the dynamic content of illegal web pages is not removed, even if the plurality of collection nodes 120, 120a, 120b, 120c access the same Internet address to collect illegal content, the results collected by each collection node will be different. can

According to one embodiment, the second digital evidence file 220 may be a static file included in a web page on which illegal content is displayed. The static file refers to data that shows the same contents on the screens of all users regardless of who accesses the web page at any time. The static file may be, for example, an image file, a video file, JavaScript, or Cascading Style Sheets (CSS).

According to an embodiment, the DWT creation node 110 may configure a plurality of static files into one second digital evidence file 220 using the tar command.

According to one embodiment, the parsing rule file 230 may be a file defining rules for removing dynamic content from a web page.

According to one embodiment, the parsing rule file 230 may be defined by receiving a user input in describing rules for classifying content to be included in the first digital evidence file 210 and content not to be included in the first digital evidence file 210 . According to another embodiment, the parsing rule file 230 may be automatically generated without user input by analyzing a syntax pattern in describing rules.

According to an embodiment, the parsing rule file 230 may use a data format in the form of attribute-value pairs in describing rules. The parsing rule file 230 may use, for example, JSON ((JavaScript Object Notation). The JSON is a format that expresses data objects in the form of attribute-value pairs on the web and in computer programs. The JSON is developed based on JavaScript, and can be used in multiple programming languages because it is language-independent.The JSON is text-based, so it is easy to write and has good readability.The JSON is data exchange between a web browser and a web server is mainly used in

According to one embodiment, the DWT metadata 240 may include the Internet address of the original web page of the first digital evidence file 210 .

According to one embodiment, the DWT metadata 240 may include hash values for files included in the DWT file 200 . For example, the DWT metadata 240 includes hash values for the first digital evidence file 210, hash values for static files included in the second digital evidence file 220, and parsing rule file 230. It may contain a hash value for

According to one embodiment, the DWT metadata 240 may include time information when the first digital evidence file 210 was created. The time information may be information proving that the created first digital evidence file 210 existed at the time described as the value of the time information attribute.

According to one embodiment, the one or more hash values included in the DWT metadata 240 and the time information when the first digital evidence file 210 was created are the first digital evidence file 210 of the DWT file 200, the second 2 It may be a tool for detecting forgery or falsification of the digital evidence file 220 and the parsing rule file 230, and may be used to verify the integrity of the DWT file 200 to be described later with reference to FIGS. 6A and 6B.

3 illustrates an example DWT file according to various embodiments of the present disclosure.

Referring to FIG. 3 , the name of the DWT file 300 shown as an example is “2021-04-20T05:11:42Z_SHA256.DWT”. The extension of the DWT file 300 may be DWT. However, as described with reference to FIG. 2 , since the DWT file 200 may be a result of using the command tar, the file magic number of the DWT file 300 may be the same as the file magic number of tar. .

The DWT file 300 may include at least one of a first digital evidence file 310, a second digital evidence file 320, a parsing rule file 330, and/or DWT metadata 340. The parsing rule file 330 and the DWT metadata 340 may be implemented as JSON. The JSON is established as the IETF "RFC 7159 (The "JavaScript Object Notation (JSON) Data Interchange Format) standard and the "ECMA-404 (The "JSON" Data Interchange Syntax) standard. As a data exchange format in most web-based applications, the above JSON can be used instead of XML, which has the problem of increasing message size. The JSON follows the syntax format of JavaScript, but is also used with programming languages such as C, C++, C#, Java, and Python, so that it can be used as an independent language in terms of platform and programming language. The data structure is composed of a pair of a property (name) and a value (value), and expresses a data object in the form of “property: value”. String is supported as the data type of the property (name), and number, string, object, array, and boolean are supported as the data type of the value. , or an empty value (null) is supported. An array is expressed using square brackets ([ ]), an object is expressed using braces ({ }) as a set of property/value pairs, and a comma (,) is used to separate objects. .

The DWT metadata 340 expresses the Internet address of the illegal web page in the form of an attribute called “Address” and a value called “example.onion”.

The first digital evidence file 310 is a result of applying the parsing rule file 330 to an HTML document downloaded by accessing “example.onion”, and is in HTML format.

The second digital evidence file 320 is a file that downloads static files existing in “example.onion” and bundles them into one using the tar command.

For the parsing rule file 330, BeautifuleSoup, a Python library, was used to select only desired parts from the result of scraping the entire HTML document. Looking at the parsing rule file 330, elements to be included in the first digital evidence file 310 in “example.onion” are defined as “IncludeRules”, and elements to be removed are defined as “ExcludeRules” put Elements to be removed are mainly advertisements and banners. When an upper HTML tree node is removed with an attribute value of “ExcludeRules”, and there is an HTML tree node that must be included in the first digital evidence file among lower nodes of the removed HTML tree node, the HTML tree node is “IncludeRules” It can be persisted using attribute values.

The “Datetime” attribute value of the DWT metadata 340 represents the time when the first digital evidence file 310 was created.

The “” attribute value of the DWT metadata 340 is a hash value calculated by taking the first digital evidence file 310 as an input.

The “StaticHash” attribute value of the DWT metadata 340 is a hash value for static files included in the second digital evidence file 320, and may be listed in an array size equal to the number of the static files.

The “ParseHash” attribute value of the DWT metadata 340 is a hash value of the parsing rule file 330.

4 illustrates a result of removing dynamic content from a webpage according to various embodiments of the present disclosure.

Referring to FIG. 4 , dynamic content included in an illegal web page may be removed using a parsing rule file 330 .

According to an embodiment, 400a may be a screen viewed by collection node 1 (120a), 400b may be a screen viewed by collection node 2 (120b), and 400c may be a screen viewed by collection node 3 (120c).

According to an embodiment, collection node 1 (120a), collection node 2 (120b), and collection node 3 (120c) may collect web pages by accessing the same Internet address.

According to an embodiment, the original HTML 410a collected by the collection node 1 120a may include an advertisement 411a. The original HTML 410b collected by the collecting node 2 120b may include an advertisement 411b. The original HTML 410c collected by the collecting node 3 120c may include an advertisement 411c. The advertisements 411a to 411c may be different, and accordingly, the screens output to collection nodes may also be different.

According to an embodiment, the collection node 1 120a may acquire HTML 420a from which dynamic content is removed by applying the parsing rule file 330 to original HTML 410a. The collection node 2 120b may obtain HTML 420b from which dynamic content is removed by applying the parsing rule file 330 to the original HTML 410b. The collection node 3 120c may obtain HTML 420c from which dynamic content is removed by applying the parsing rule file 330 to the original HTML 410c.

According to an embodiment, although the original HTMLs 410a to 410c are different, as a result of applying the same parsing rule file 330 , the HTMLs 420a to 420c from which dynamic content is removed may be the same.

5 is a flowchart schematically illustrating a process of collecting, verifying, and storing digital evidence in a blockchain according to various embodiments of the present disclosure.

Referring to FIG. 5 , in operation 501 according to an embodiment, the DWT creation node 110 may collect a webpage and obtain a first digital evidence file from which dynamic content included in the webpage is removed.

In operation 503 according to an embodiment, the DWT generation node 110 may generate the DWT file 200 to include a first digital evidence file and reference information considered for obtaining the first digital evidence file. The reference information includes a second digital evidence file including a static file included in a web page, a parsing rule file used to remove dynamic content included in the web page, and DWT metadata for the DWT file 200. can include The DWT metadata includes access information including the access address of the web page, time information when the first digital evidence file was created, a hash value of the first digital evidence file, and a static file included in the second digital evidence file. It may include a hash value of, and a hash value of the parsing rule file.

At operation 505 according to one embodiment, the aggregation node 120 may obtain the newly created DWT file 200 . The collecting node 120 may collect the webpage by accessing the access address of the webpage described in the DWT metadata of the DWT file 200 .

In operation 507 according to an embodiment, the collection node 120 applies the parsing rule file 230 included in the DWT file 200 to the collected webpage to generate an HTML file from which dynamic content is removed. .

In operation 509 according to an embodiment, the collection node 120 compares the HTML file generated in operation 507 with the first digital evidence file included in the DWT file 200, and the first digital evidence file included in the DWT file 200. Digital evidence files can be checked for forgery or alteration. At this time, the hash value of the first digital evidence file and generated time information may be used.

In operation 511 according to an embodiment, the collection node 120 may verify whether the DWT file 200 is forged or tampered with. A detailed description of the verification procedure will be described later with reference to FIGS. 6A and 6B.

In operation 513 according to an embodiment, the block generation node 130 aggregates the verification results from the plurality of collecting nodes 120 participating in the verification task for the DWT file 200, and the DWT file 200 is counterfeit. Alternatively, if it is verified that it has not been tampered with, at least one of the DWT file 200 or the hash value of the DWT file 200 may be stored in a block created by blockization using blockchain technology.

6A and 6B are flowcharts illustrating operations of verifying integrity of a DWT file by an ingestion node according to various embodiments of the present disclosure.

Referring to FIGS. 6A and 6B , in operation 601 according to an embodiment, the collecting node 120 may be notified that a new DWT file 200 has been created.

At operation 603 according to one embodiment, the aggregation node 120 may obtain the generated DWT file 200 .

In operation 605 according to an embodiment, the collection node 120 may decompress the obtained DWT file 200 .

In operation 607 according to an embodiment, the collection node 120 obtains the first digital evidence file 210, the second digital evidence file 220, the parsing rules file 230 and/or the DWT metadata 240. can do.

In operation 609 according to an embodiment, the collection node 120 may obtain the Internet address of the original webpage of the first digital evidence file 210 from the DWT metadata 240 .

In operation 611 according to an embodiment, the aggregation node 120 may access the obtained Internet address.

In operation 613 according to an embodiment, the collection node 120 may collect web pages from the accessed Internet address.

In operation 615 according to an embodiment, the collection node 120 may generate an HTML file from which dynamic content is removed by applying the parsing rule file 230 to the collected webpage.

In operation 617 according to an embodiment, the collection node 120 may calculate a hash value for the HTML file generated in operation 615 .

In operation 619 according to an embodiment, the collection node 120 may calculate a hash value for the first digital evidence file 210 of the DWT file 200 .

In operation 621 according to an embodiment, the collection node 120 may acquire the “HTMLHash” attribute value described in the DWT metadata 240 .

According to various embodiments, the order of a series of operations 617 to 621 for obtaining a hash value may not be limited. For example, operation 621 may be performed before operation 617 or operation 619, and operation 619 may be performed before operation 617.

In operation 623 according to an embodiment, the collection node 120 includes the HTML hash value calculated in operation 617, the hash value of the first digital evidence file 210 calculated in operation 619, and “HTMLHash” obtained in operation 621. By comparing the attribute values, if the three hash values match, operation 625 may be performed. If the three hash values do not match, the collection node 120 determines that at least one of the first digital evidence file 210 or the DWT metadata 240 is forged or tampered with and performs operation 645. .

In operation 625 according to an embodiment, the collection node 120 may calculate a hash value of the static file collected in operation 613 . For example, when there are a plurality of static files, the collection node 120 may calculate hash values corresponding to the static files as many as the number of static files.

In operation 627 according to an embodiment, the collection node 120 may obtain a “StaticHash” attribute value described in the DWT metadata 240 . The “StaticHash” means a hash value for a static file included in the second digital evidence file 220 of the DWT file 200.

In operation 629 according to an embodiment, the collection node 120 compares the hash value calculated in operation 625 with the “StaticHash” attribute value obtained in operation 627, and if they match, operation 631 may be performed. Operation 645 may be performed. For example, when there are a plurality of hash values to be compared by the collection node 120, and even one of the hash values does not match, the collection node 120 generates the DWT metadata 240 or at least one static value. Upon determining that the file has been forged or tampered with, operation 645 may be performed.

According to various embodiments, prior to operation 629, the collection node 120 directly calculates a hash value for a static file included in the second digital evidence file 220 acquired from the DWT file 200, and calculates it in operation 625. You can add a step to compare with one hash value.

In operation 631 according to an embodiment, the collection node 120 may calculate a hash value of the parsing rule file 230 .

In operation 633 according to an embodiment, the collection node 120 may obtain a “ParseHash” attribute value described in the DWT metadata 240 .

In operation 635 according to an embodiment, the collection node 120 compares the hash value of the parsing rule file 230 calculated in operation 631 with the “ParseHash” attribute value obtained in operation 633, and if they match, operation 637 is performed. can do. If the hash values do not match, the collection node 120 may determine that at least one of the parsing rule file 230 and the DWT metadata 240 is forged or tampered with, and may perform operation 645 .

In operation 637 according to an embodiment, the collection node 120 may obtain a file creation time of the first digital evidence file 210 . The inode is a structure that contains information about the file itself, including the size of the file, the number of links to the file, the size of the file, the creation time of the file, the time of the last use of the file, the time of the last modification of the file, and the ownership information of the file. . The collection node 120 may obtain a file creation time of the first digital evidence file 210 using the inode structure.

In operation 639 according to an embodiment, the collection node 120 may acquire a “Datetime” attribute value described in the DWT metadata 240 .

In operation 641 according to an embodiment, the collection node 120 compares the file creation time of the first digital evidence file 210 obtained in operation 637 with the “Datetime” attribute value obtained in operation 639, and if they match, the operation 643 can be performed. If the file creation time information does not match, the collection node 120 may determine that at least one of the first digital evidence file 210 or the DWT metadata 240 is forged or tampered with, and perform operation 645. there is.

In operation 643 according to an embodiment, the collection node 120 may determine that the DWT file 200 is valid as digital evidence. Since the DWT file 200 has passed the verifications of operations 623, 629, 635, and 641, the collection node 120 may determine that the DWT file 200 is not forged or tampered with.

In operation 645 according to an embodiment, the collection node 120 determines that the DWT file 200 is unavailable as digital evidence ( Invalid) can be determined.

According to an embodiment, the collection node 120 performs the step of verifying the hash value of the first digital evidence file 210, the step of verifying the hash value of the second digital evidence file 220, and the step of verifying the hash value of the parsing rule file 230. Although the verification of the DWT file 200 is performed in the order of the first digital evidence file 210 and the verification of the file generation time of the first digital evidence file 210, according to various embodiments, the collection node 120 performs a different order from the above order. verification can proceed. For example, the collection node 120 may prioritize the hash value verification step of the parsing rule file 230 to the hash value verification step of the first digital evidence file 210 .

According to one embodiment, the collection node 120 may be installed with a client program for performing a verification function on the DWT file 200 described in this disclosure.

7 is a flowchart illustrating a block generation process according to various embodiments of the present disclosure.

Referring to FIG. 7 , when an event of discovering illegal content 701 occurs according to an embodiment, a DWT creation node 710 may create a new DWT file 715 .

According to an embodiment, the collection nodes 720a to 720c may obtain the generated DWT file 715 and perform integrity verification on the DWT file 715 using it. The integrity verification procedures 721a to 721c are the same as those described above with reference to FIGS. 6A and 6B.

According to an embodiment, in operation 723a, as a result of performing verification 721a, the collection node 720a may determine that the DWT file 715 is available.

According to an embodiment, in operation 723b, the collection node 720b may determine that the DWT file 715 is unavailable as a result of the verification operation 721b.

According to an embodiment, in operation 723c, as a result of performing verification 721c, the collection node 720c may determine that the DWT file 715 is available.

According to an embodiment, the aggregation nodes 720a to 720c may disclose verification results to the P2P network 140 .

According to an embodiment, the block generation node 730 may determine whether to store the DWT file 715 in block data based on whether the DWT file 715 is agreed to be available while monitoring the P2P network 140. .

In operation 731 according to an embodiment, the block generation node 730 may use Byzantine Fault Tolerance in reflecting multiple consensus. The block generation node 730 may perform operation 733 when more than 2/3 of the collection nodes 720a to 720c participating in the verification are determined to be valid, and otherwise perform operation 735 to The DWT file 715 can be discarded. In another embodiment, the block generation node 730 may perform operation 733 when more than half of the collection nodes 720a to 720c participating in the verification are determined to be valid, and otherwise, operation 735 can be performed.

In operation 733 according to an embodiment, the block generation node 730 may store the DWT file 715 in a block created by blockization using blockchain technology.

8 is a block structure according to various embodiments of the present disclosure.

Referring to FIG. 8 , the structure of a block 800 generated by the block generation node 130 according to an embodiment may be the same as a block structure used in a general blockchain.

According to one embodiment, the magic number 801 may be a fixed value as a network identifier. The block size 803 may be the size of a block. A block header can consist of 6 items. Version 805 may be a version of software. The previous block hash 807 may be the SHA256 hash of the chained previous block header. The root hash 809 may be a hash value located at the root 809g of the tree when all DWT hash values stored in the block 800 are configured in the form of a binary tree (809a to 809g). The root hash 809 may be updated whenever block data is added.

The time 811 is a value of seconds that have elapsed since UTC 1970-01-01, and may be updated every few seconds.

Difficulty 813 may be a difficulty target used for proof-of-work of the blockchain.

The nonce 815 is a random number found in the block generation process, and block mining is to change this number so that a hash value that meets the difficulty target is calculated.

According to an embodiment, the DWT File Counter 817 may be the number of hash values of DWT files 200 or the number of DWT files 200 stored in block data.

According to one embodiment, in a general blockchain, the hash value of the DWT file 200 may be stored instead of the transaction information in block data 819 to 825 in which transaction information is stored.

According to one embodiment, a plurality of DWT files 200 may be stored in one block 800 . For example, due to the nature of illegal websites that frequently change Internet addresses to avoid tracking by investigative agencies, when the evidence of digital evidence must be secured as quickly as possible, the block 800 must be generated quickly, so the block ( 800), a relatively small number of DWT files 200 may be stored in one.

9 is an example of a block structure according to various embodiments of the present disclosure.

Referring to FIG. 9, block headers 801 to 815 and DWT File Counter 817 of blocks 900a to 900c generated by the block generation node 130 according to an embodiment are the same as the block header of FIG. 8 ( 801 to 815) and DWT File Counter (817).

According to an embodiment, objects stored in the block data 901 to 907, 911 to 917, and 921 to 927 may vary according to the file transfer sharing environment of the P2P network 140.

If the P2P network 140 uses, for example, a file sharing program such as Torrent, the block generating node 130 adds the hash information of the DWT file 200 to the block data 901 to 907 and the DWT file. The block 900a may be created by storing the magnet link address of 200.

According to an embodiment, when the load of the P2P network 140 due to the capacity of the DWT file is not considered, the block generating node 130 includes the hash information of the DWT file 200 and the block data 911 to 917. The block 900b may be created by storing the DWT file 200 as it is. According to another embodiment, the block generation node 130 may generate the block 900c by storing the DWT file 200 as it is in the block data 921 to 927 .

Although this disclosure has been particularly shown and described with reference to particular embodiments, various changes may be made in form and detail without departing from the spirit and scope of the disclosure as defined by the appended claims and equivalents thereto. It will be understood by those skilled in the art.

Electronic devices according to various embodiments disclosed in this document may be devices of various types. The electronic device may include, for example, a portable communication device (eg, a smart phone), a computer device, a portable multimedia device, a portable medical device, a camera, a wearable device, or a home appliance. An electronic device according to an embodiment of the present document is not limited to the aforementioned devices.

Various embodiments of this document and terms used therein are not intended to limit the technical features described in this document to specific embodiments, but should be understood to include various modifications, equivalents, or substitutes of the embodiments. In connection with the description of the drawings, like reference numbers may be used for like or related elements. The singular form of a noun corresponding to an item may include one item or a plurality of items, unless the relevant context clearly dictates otherwise. In this document, "A or B", "at least one of A and B", "at least one of A or B", "A, B or C", "at least one of A, B and C", and "A Each of the phrases such as "at least one of , B, or C" may include any one of the items listed together in that phrase, or all possible combinations thereof. Terms such as "first", "second", or "first" or "secondary" may simply be used to distinguish a given component from other corresponding components, and may be used to refer to a given component in another aspect (eg, importance or order) is not limited. A (e.g., first) component is said to be "coupled" or "connected" to another (e.g., second) component, with or without the terms "functionally" or "communicatively." When mentioned, it means that the certain component may be connected to the other component directly (eg by wire), wirelessly, or through a third component.

The term "module" used in various embodiments of this document may include a unit implemented in hardware, software, or firmware, and is interchangeable with terms such as, for example, logic, logical blocks, parts, or circuits. can be used as A module may be an integrally constructed component or a minimal unit of components or a portion thereof that performs one or more functions. For example, according to one embodiment, the module may be implemented in the form of an application-specific integrated circuit (ASIC).

Various embodiments of this document describe software (eg, software including one or more instructions stored in a storage medium (eg, internal memory (or external memory)) readable by a machine (eg, an electronic device)). program). For example, a processor of a device (eg, an electronic device) may call at least one command among one or more commands stored from a storage medium and execute it. This means that the device may call the call The one or more instructions may include code generated by a compiler or code executable by an interpreter. A storage medium with a storage medium may be provided in the form of a non-transitory storage medium, where 'non-transitory' is a device in which the storage medium is tangible and transmits a signal (e.g., electromagnetic wave). This term does not distinguish between the case where data is semi-permanently stored in the storage medium and the case where it is temporarily stored.

According to one embodiment, the method according to various embodiments disclosed in this document may be included and provided in a computer program product. Computer program products may be traded between sellers and buyers as commodities. A computer program product is distributed in the form of a device-readable storage medium (e.g. compact disc read only memory (CD-ROM)), or through an application store (e.g. Play Store™) or on two user devices (e.g. It can be distributed (eg downloaded or uploaded) online, directly between smart phones. In the case of online distribution, at least part of the computer program product may be temporarily stored or temporarily created in a device-readable storage medium such as a manufacturer's server, an application store server, or a relay server's memory.

According to various embodiments, each component (eg, module or program) of the above-described components may include a single object or a plurality of entities, and some of the plurality of entities may be separately disposed in other components. there is. According to various embodiments, one or more components or operations among the aforementioned corresponding components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (eg modules or programs) may be integrated into a single component. In this case, the integrated component may perform one or more functions of each of the plurality of components identically or similarly to those performed by a corresponding component of the plurality of components prior to the integration. . According to various embodiments, the actions performed by a module, program, or other component are executed sequentially, in parallel, iteratively, or heuristically, or one or more of the actions are executed in a different order, or omitted. or one or more other actions may be added.

Claims (20)

In the digital evidence collection device,
A first digital evidence file is obtained by collecting first webpage data for displaying at least one webpage on a screen from a web server and performing parsing to remove dynamic content data included in the first webpage data. At least one DWT generating node configured to obtain a deep web format (DWT) file to include the first digital evidence file and reference information considered for obtaining the first digital evidence file. ;
Second webpage data is collected from the web server using access information, which is one of the reference information included in the DWT file, and included in the second webpage data based on a parsing rule file, which is one of the reference information. A hypertext markup language (HTML) file from which dynamic content is removed is obtained by parsing to remove the dynamic content data, and the first digital evidence included in the DWT file based on the HTML file. a plurality of collecting nodes configured to inspect whether a file is forged or falsified, and to verify whether the DWT file is forged or tampered with based on the inspection result; and
configured to store at least one of a DWT file verified that it has not been forged or tampered with by the plurality of collection nodes among the DWT files or a hash value of the verified DWT file in a block created by blockization using blockchain technology Includes a block generation node,
Here, the reference information included in the DWT file is a second digital evidence file including a static file existing in the at least one webpage, and the parsing configured to remove dynamic content included in the at least one webpage. Includes a rule file and metadata about the at least one web page,
The metadata may include a hash value of the first digital evidence file, a hash value of the static file included in the second digital evidence file, a hash value of the parsing rule file, creation time information of the first digital evidence file, and The digital evidence collection device comprising the access information that is the access address of the at least one web page. According to claim 1,
When the plurality of collection nodes examine whether the first digital evidence file is forged or tampered with, a first hash value that is a hash value of the first digital evidence file is calculated, and a hash value that is a hash value of the HTML file from which the dynamic content is removed. A second hash value is calculated, the first hash value and the second hash value are compared with a third hash value included in the metadata, which is the hash value of the first digital evidence file, and the first hash value is calculated. and the second hash value and the third hash value all match, determining that the DWT file including the first digital evidence file is valid as digital evidence. According to claim 1,
When the plurality of collecting nodes examine whether the first digital evidence file is forged or tampered with, a creation time of the first digital evidence file is obtained, and the first digital evidence file, which is included in the metadata, is checked. and determining that the DWT file including the first digital evidence file is valid as a digital evidence when compared with the creation time information and matching the first digital evidence file. According to claim 1,
When the plurality of collection nodes verify whether the DWT file is forged or tampered with, a hash value of a static file included in the second web page data is calculated, and among hash values included in the metadata, the second and determining that the DWT file including the second digital evidence file is valid as digital evidence when the hash value of a static file included in the digital evidence file is matched. According to claim 1,
When the plurality of collection nodes verify whether the DWT file is forged or tampered with, a hash value of the parsing rule file is calculated and compared with the hash value of the parsing rule file among hash values included in the metadata. If matched, determine that the DWT file including the first digital evidence file is valid as digital evidence. According to claim 1,
The block generating node stores the link information of the file sharing address where the verified DWT file can be obtained instead of the verified DWT file in the block created by the block chain considering the load of the block chain network. evidence collection device. According to claim 1,
The block generating node stores a DWT file, which is determined to be valid as digital evidence by a collection node of at least a certain percentage of all collection nodes participating in the verification of the DWT file, in the block created by the blockization, a digital evidence collection device. . According to claim 1,
When the at least one DWT generation node creates the parsing rule file, rules for elements to be included and not to be included in the first digital evidence file are automatically generated without user input, digital evidence collection Device. According to claim 1,
The plurality of collection nodes set the session timeout time of the web browser relatively shorter than the default value in consideration of the high variability of Internet addresses due to the nature of illegal webpages. According to claim 1,
The at least one DWT generation node, the plurality of collection nodes, and/or the block generation node may physically operate in the same device. In the digital evidence collection method,
obtaining a first digital evidence file by performing parsing to remove dynamic content data included in first webpage data for displaying at least one webpage collected from a web server on a screen;
generating a Deep Web Tar (DWT) file to include the first digital evidence file and reference information considered for obtaining the first digital evidence file;
collecting second web page data from the web server using access information that is one of the reference information included in the generated DWT file;
Parsing to remove the dynamic content data included in the collected second web page data is performed based on a parsing rule file, which is one of the reference information, to remove the dynamic content. HyperText Markup Language (HTML) ) operation of acquiring a file;
checking whether the first digital evidence file included in the DWT file is forged or altered based on the HTML file;
verifying whether the DWT file is forged or tampered with based on the inspection result;
Storing at least one of a DWT file verified that it has not been forged or tampered with among the DWT files or a hash value of the verified DWT file in a block created by blockization using blockchain technology,
Here, the reference information included in the DWT file is a second digital evidence file including a static file existing in the at least one webpage, and the parsing configured to remove dynamic content included in the at least one webpage. Includes a rule file and metadata about the at least one web page,
The metadata may include a hash value of the first digital evidence file, a hash value of the static file included in the second digital evidence file, a hash value of the parsing rule file, creation time information of the first digital evidence file, and The digital evidence collection method comprising the access information that is the access address of the at least one web page. According to claim 11,
The operation of checking whether the first digital evidence file is forged or tampered with,
A first hash value, which is the hash value of the first digital evidence file, is calculated, and a second hash value, which is the hash value of the HTML file from which the dynamic content is removed, is calculated, and the first hash value and the second hash value are combined with the meta A third hash value included in the data, which is a hash value of the first digital evidence file, is compared, and if the first hash value, the second hash value, and the third hash value all match, the first digital evidence file. and determining that the DWT file including the file is valid as digital evidence. According to claim 11,
The operation of checking whether the first digital evidence file is forged or tampered with,
The creation time of the first digital evidence file is acquired, compared with the creation time information of the first digital evidence file included in the metadata, and if the same, the DWT file including the first digital evidence file. A method for collecting digital evidence, further comprising an operation of determining that the digital evidence is valid. According to claim 11,
The operation of verifying whether the DWT file is forged or tampered with,
The hash value of the static file included in the second web page data is calculated, compared with the hash value of the static file included in the second digital evidence file among the hash values included in the metadata, and if the hash value of the static file included in the second digital evidence file matches, the 2. A digital evidence collection method comprising determining that the DWT file including the digital evidence file is valid as digital evidence. According to claim 11,
The operation of verifying whether the DWT file is forged or tampered with,
The hash value of the parsing rule file is calculated, compared with the hash value of the parsing rule file among hash values included in the metadata, and if the same, the DWT file including the first digital evidence file is a digital evidence. A method for collecting digital evidence, further comprising an operation of determining that it is valid as According to claim 11,
Digital evidence further comprising an operation of storing link information of a file sharing address where the verified DWT file can be obtained instead of the verified DWT file in the block created by the block chain considering the load of the blockchain network. collection method. According to claim 11,
The saving operation is
and storing a DWT file, which is determined to be valid as a digital evidence, by collection nodes of at least a certain percentage of all collection nodes participating in the verification of the DWT file, in the block created by the blockization. According to claim 11,
The digital evidence collection method of claim 1, further comprising automatically generating rules for elements to be included and not to be included in the first digital evidence file when generating the parsing rule file, without user input. According to claim 11,
A digital evidence collection method that sets the browser's session timeout relatively shorter than the default value, considering the high variability of Internet addresses due to the nature of illegal webpages. According to claim 11,
At least one DWT generation node configured to generate the DWT file, a plurality of collection nodes configured to verify whether the DWT file is forged or tampered with, and/or a block generation node configured to store the block created by the blockization are physically A digital evidence collection method that can operate on the same device as

Images