WO2020249112A1 - Method and system for digital evidence fixing and network forensics on basis of memory forensics and blockchain - Google Patents

Method and system for digital evidence fixing and network forensics on basis of memory forensics and blockchain

Info

Publication number
WO2020249112A1
Authority
WO
WIPO (PCT)
Prior art keywords
blockchain
forensics
memory
evidence
electronic
Prior art date
Application number
PCT/CN2020/095945
Other languages
French (fr)
Chinese (zh)
Inventor
王连海
张淑慧
Original Assignee
山东省计算中心(国家超级计算济南中心)
Priority date
Filing date
Publication date
Application filed by 山东省计算中心(国家超级计算济南中心)
Priority to AU2020290622A
Publication of WO2020249112A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/10 Services
    • G06Q50/18 Legal services

Definitions

  • The present disclosure belongs to the technical field of electronic forensics and relates to a method and system for electronic evidence fixation and network forensics based on memory forensics and blockchain.
  • Computer forensics is the process of identifying, storing, analyzing, and submitting electronic evidence in a manner consistent with laws and regulations, using principles and methods from related disciplines such as computing, communications, and electronics. Since its inception in China, computer forensics has been in development for more than ten years and has been recognized by government law enforcement agencies, practitioners in the legal profession, and law enforcement personnel in their actual work. In the commercial field, more and more companies have begun to attach importance to applying computer forensics technology to internal enterprise investigations and IT audits. Computer forensics technology is therefore a rapidly developing research field with good application prospects. Especially after the new Criminal Procedure Law of 2012 independently stipulated the legal status of "electronic data", the importance of computer forensics technology became more prominent.
  • the object that computer forensics needs to obtain is electronic data.
  • An important feature of electronic evidence that distinguishes it from other physical evidence is its fragility, which manifests in two ways: on the one hand, because electronic data is stored on magnetic media or in electronic components, some characteristics of these media make the data easy to damage artificially, so the preservation of evidence materials is subject to very strict restrictions; on the other hand, electronic data can easily be modified or deleted, such an operation often cannot be completely recovered, and even where recovery is possible it has a great impact on the validity of the data.
  • Electronic evidence can only be recognized by a court if it was obtained through a legal process and its authenticity can be proved. This applies especially to online forensics (live forensics), in which the target computer's memory, disk, etc. are acquired without shutting down the target computer or electronic equipment.
  • The inventor found that the data and status on various networks change instantly, so proving the authenticity of the obtained electronic evidence becomes very difficult.
  • there are also problems such as DNS spoofing and untrustworthiness of forensics personnel. Therefore, we can only rely on professional electronic evidence judicial authentication institutions and notary institutions to obtain such evidence.
  • FIG. 1 shows the routine network electronic evidence collection process. Because electronic data is easily tampered with, the acquisition and fixing of evidence in the routine forensic process must be carried out by a third-party institution (forensic appraisal agency). For the user to go from collecting evidence (step 1) to having the evidence fixed by the judicial appraisal agency (step 3), it is necessary to sign an authentication agreement with the forensic authentication agency and entrust it to perform forensic authentication (step 2); the forensic authentication agency then conducts judicial authentication based on the fixed electronic evidence (step 4) and issues a judicial authentication report to the user (step 5). In the above process, steps 1 to 3 generally take at least a few days.
  • one or more embodiments of the present disclosure provide a method and system for fixing electronic evidence and network forensics based on memory forensics and blockchain, using computers to obtain webpages and various network APP electronic data online,
  • According to one aspect, a method for fixing electronic evidence based on memory forensics and blockchain is provided.
  • A method for fixing electronic evidence based on memory forensics and blockchain includes:
  • running the forensic tool to obtain electronic data and generate operation logs, while using memory forensics technology to obtain computer memory information and fix the evidence;
  • the verification of the legality of the execution code of the forensic tool is to verify that the execution code of the forensic tool has not been modified.
  • the method also includes: when the obtained electronic evidence needs to be authenticated, sending the electronic evidence, memory information and the corresponding blockchain address to the terminal of the judicial authentication agency.
  • a computer-readable storage medium is provided.
  • a computer-readable storage medium stores a plurality of instructions, and the instructions are adapted to be loaded by a processor of an electronic device to execute the method for fixing electronic evidence based on memory forensics and blockchain.
  • an electronic device is provided.
  • An electronic device comprises a processor and a computer-readable storage medium; the processor is used to execute each instruction, and the computer-readable storage medium is used to store a plurality of instructions, which are suitable for being loaded by the processor to execute the method for fixing electronic evidence based on memory forensics and blockchain.
  • an electronic evidence fixing terminal based on memory forensics and blockchain.
  • An electronic evidence fixing terminal based on memory forensics and blockchain, according to the said method for fixing electronic evidence based on memory forensics and blockchain, includes:
  • the forensic tool download module is configured to download credible forensic tools through the blockchain network
  • the legitimacy verification module is configured to interact with the blockchain network to verify the legitimacy of the code executed by the forensic tool;
  • the evidence fixation module is configured to run the forensic tool, obtain electronic data and generate operation logs, while using memory forensics technology to obtain computer memory information and fix the evidence;
  • the blockchain upload module is configured to generate hash values for electronic data, operation logs, and memory information, upload them to the blockchain network, and receive the corresponding blockchain addresses returned.
  • the electronic evidence fixing terminal further includes a communication module configured to send the electronic evidence, the memory information and the corresponding blockchain address to the terminal of the judicial authentication agency when the obtained electronic evidence needs to be authenticated.
  • a network forensics method based on memory forensics and blockchain is provided.
  • the verification of the legality of the electronic data, the operation log and the memory information is to verify that the electronic data, the operation log and the memory information have not been modified.
  • the method further includes: sending a judicial authentication report to the user terminal.
  • a computer-readable storage medium is provided.
  • a computer-readable storage medium stores a plurality of instructions, and the instructions are suitable for being loaded by a processor of an electronic device and executing the aforementioned method for network forensics based on memory forensics and blockchain.
  • an electronic device is provided.
  • An electronic device comprises a processor and a computer-readable storage medium; the processor is used to execute each instruction, and the computer-readable storage medium is used to store a plurality of instructions, which are suitable for being loaded by the processor to execute the network forensics method based on memory forensics and blockchain.
  • a network forensics terminal based on memory forensics and blockchain.
  • A network forensics terminal based on memory forensics and blockchain, according to the described network forensics method based on memory forensics and blockchain, includes:
  • the block chain address receiving module is configured to receive the block chain address sent by the electronic evidence fixed terminal;
  • the legitimacy verification module is configured to query the information on the blockchain based on the blockchain address and verify the legitimacy of electronic data, operation logs and memory information;
  • the first authentication module is configured to use memory forensics technology to analyze the memory information after the verification is passed, extract the system status when the electronic evidence is obtained, and verify the consistency of the system status with the electronic evidence and operation log;
  • the second authentication module is configured to use memory analysis to verify whether the forensic tool was hooked or injected during operation, and to verify the reliability of its operating environment;
  • the report generation module is configured to generate forensic identification reports.
  • the network forensics terminal further includes a communication module configured to send a judicial authentication report to the user terminal.
  • a network forensics method based on memory forensics and blockchain is provided.
  • a network forensics method based on memory forensics and blockchain is implemented in a network forensics system and includes:
  • the electronic evidence fixing terminal downloads a credible forensic tool through the blockchain network; interacts with the blockchain network to verify the legality of the forensic tool's execution code; runs the forensic tool to obtain electronic data and generate operation logs, while using memory forensics technology to obtain computer memory information for evidence fixation; generates hash values for the electronic data, operation logs and memory information respectively, uploads them to the blockchain network, and receives the corresponding blockchain address returned; and, when the obtained electronic evidence needs to be authenticated, sends the electronic evidence, memory information and the corresponding blockchain address to the terminal of the judicial authentication agency;
  • the terminal of the judicial authentication agency receives the blockchain address sent by the electronic evidence fixing terminal; queries the information on the blockchain according to the blockchain address to verify the legality of the electronic data, operation log and memory information; after the verification is passed, uses memory forensics technology to analyze the memory information, extract the system status at the time the electronic evidence was obtained, and verify the consistency of the system status with the electronic evidence and operation log; uses memory analysis to verify whether the forensic tool was hooked or injected during operation and to verify the reliability of its operating environment; and generates a judicial authentication report.
  • a network forensics system based on memory forensics and blockchain.
  • A network forensics system based on memory forensics and blockchain, according to the described network forensics method based on memory forensics and blockchain, includes an electronic evidence fixing terminal and a judicial authentication agency terminal;
  • the electronic evidence fixing terminal downloads a credible forensic tool through the blockchain network; interacts with the blockchain network to verify the legality of the forensic tool's execution code; runs the forensic tool to obtain electronic data and generate an operation log, while using memory forensics technology to obtain computer memory information and fix the evidence; generates hash values for the electronic data, operation logs and memory information respectively, uploads them to the blockchain network, and receives the corresponding blockchain address returned; and, when the obtained electronic evidence needs to be authenticated, sends the electronic evidence, memory information and the corresponding blockchain address to the terminal of the judicial authentication agency;
  • the judicial authentication agency terminal receives the blockchain address sent by the electronic evidence fixing terminal; queries the information on the blockchain according to the blockchain address to verify the legitimacy of the electronic data, operation log and memory information; after the verification is passed, uses memory forensics technology to analyze the memory information, extract the system status at the time the electronic evidence was obtained, and verify the consistency of the system status with the electronic evidence and operation log; uses memory analysis to verify whether the forensic tool was hooked or injected during operation and to verify the reliability of its operating environment; and generates a judicial authentication report.
  • The present disclosure provides a method and system for fixing electronic evidence and network forensics based on memory forensics and blockchain.
  • the electronic evidence is fixed and forwarded, avoiding the delay in obtaining evidence.
  • Figure 1 is a schematic diagram of the routine law enforcement evidence collection process
  • Fig. 2 is a flow chart of a method for fixing electronic evidence based on memory forensics and blockchain according to one or more embodiments
  • Figure 3 is a schematic diagram of a law enforcement evidence collection process according to one or more embodiments
  • Fig. 4 is a flowchart of a method for network forensics based on memory forensics and blockchain according to one or more embodiments
  • Fig. 5 is a flowchart of another network forensics method based on memory forensics and blockchain according to one or more embodiments.
  • each block in the flowchart or block diagram may represent a module, program segment, or part of code, and the module, program segment, or part of code may include one or more executable instructions for implementing the specified logic function in the various embodiments.
  • the functions noted in the block may also occur in a different order than that noted in the drawings. For example, two blocks shown in succession may actually be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functions involved.
  • each block in the flowchart and/or block diagram, and the combination of the blocks in the flowchart and/or block diagram can be implemented using a dedicated hardware-based system that performs the specified functions or operations. Or it can be implemented using a combination of dedicated hardware and computer instructions.
  • an electronic evidence fixing and network forensics method based on memory forensics and blockchain.
  • a method for fixing electronic evidence based on memory forensics and blockchain is provided.
  • a method for fixing electronic evidence based on memory forensics and blockchain includes:
  • S102: interact with the blockchain network to verify the legality of the execution code of the forensic tool;
  • S103: run the forensic tool to obtain electronic data and generate operation logs, while using memory forensics technology to obtain computer memory information to fix the evidence;
  • S104: generate hash values for the electronic data, operation logs and memory information, upload them to the blockchain network, and receive the corresponding blockchain addresses returned.
  • a special forensic tool is obtained and downloaded from the blockchain network; a trusted special forensic tool is downloaded from the blockchain network on a computer, and the forensic tool is run.
  • the forensics tools in this disclosure all use existing computer forensics tools.
  • In step S102 of this embodiment, the forensic tool interacts with the blockchain before running, and the verification of the legality of the execution code of the forensic tool is to verify that the execution code of the forensic tool has not been modified.
  • In steps S103 and S104 of this embodiment, the specific steps include:
  • using the forensic tool to obtain web page information and electronic data of various APPs, fix the evidence, generate audit logs for each operation step and its result, and use a hash function to generate hash values for the fixed evidence and logs;
  • the hash value/fixed evidence/audit log is uploaded to the blockchain network.
  • Memory forensics acquires and analyzes the temporary data stored in the physical memory of computers and related smart devices while they are running, and extracts valuable data from it.
  • The memory is the area where the operating system and various software exchange data. Data held there is volatile and usually disappears soon after shutdown.
  • The Windows/Linux system memory forensics method previously applied for by the applicant is used to obtain and analyze computer memory information.
  • In step S103 of this embodiment, the forensic tool is run.
  • In step S104 of this embodiment, the forensic tool uses the hash function to generate hash values for the acquired electronic evidence, operation log and memory image information respectively, and uploads the evidence, the operation log and the memory image information together with their hash values to the blockchain.
  • the blockchain returns the blockchain address to the forensics tool.
  • the method also includes: when the obtained electronic evidence needs to be authenticated, sending the electronic evidence, memory information and the corresponding blockchain address to the terminal of the judicial authentication agency.
  • The fixed evidence is provided to the judicial authentication agency, which conducts judicial authentication based on the electronic evidence and the information on the blockchain: memory forensics technology is used to confirm that the system was secure and had not been illegally intruded, and to exclude other behaviors that may affect the authenticity of the evidence, and blockchain technology is used to ensure that the data in the entire process has not been modified.
  • Judicial authentication institutions shall issue judicial authentication reports based on the authentication results.
  • One or more embodiments of the present disclosure change the "evidence fixing link" in the original network data forensics process from work that must be done by a third-party organization to work that can be done by any individual or unit. That is, the original process "find electronic evidence - entrust a third party to provide judicial fixing and authentication services - the third party fixes the evidence - the third party conducts judicial authentication and issues a judicial authentication report" becomes "find electronic evidence - fix the evidence - entrust a third party to conduct judicial authentication - the third party conducts judicial authentication and issues a judicial authentication report".
  • One or more embodiments of the present disclosure avoid the problem of delay in obtaining evidence. Because current network data collection methods are not credible, evidence can only be fixed by judicial authentication agencies or notary agencies. From the discovery of electronic evidence to its fixation by a third-party agency, the stages of business entrustment (including price negotiation and sealing by both parties), business arrangement and evidence fixation must be carried out, which takes a period of time. However, website data and social APP data change rapidly, so by the time the evidence is collected the data to be collected has often already been modified and the required evidence cannot be obtained.
  • the method of obtaining is more credible, making the obtained evidence easier to be accepted by the court.
  • the device executes the methods or processes described in the various embodiments of the present disclosure.
  • the computer program product may include a computer-readable storage medium, which carries computer-readable program instructions for executing various aspects of the present disclosure.
  • the computer-readable storage medium may be a tangible device that can hold and store instructions used by the instruction execution device.
  • the computer-readable storage medium may be, for example, but not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing.
  • Computer-readable storage media include: portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static random access memory (SRAM), portable compact disk read-only memory (CD-ROM), digital versatile disk (DVD), memory stick, floppy disk, and mechanical encoding devices such as punch cards with instructions stored thereon.
  • the computer-readable storage medium used here is not to be interpreted as a transient signal itself, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (for example, light pulses through fiber optic cables), or electrical signals transmitted through wires.
  • the computer-readable program instructions described herein can be downloaded from a computer-readable storage medium to various computing/processing devices, or downloaded to an external computer or external storage device via a network, such as the Internet, a local area network, a wide area network, and/or a wireless network.
  • the network may include copper transmission cables, optical fiber transmission, wireless transmission, routers, firewalls, switches, gateway computers, and/or edge servers.
  • the network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards them for storage in the computer-readable storage medium in each computing/processing device.
  • the computer program instructions used to perform the operations of the present disclosure may be assembly instructions, instruction set architecture (ISA) instructions, machine instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source code or object code written in any combination of one or more programming languages, including object-oriented programming languages such as C++ and conventional procedural programming languages such as the "C" language or similar programming languages.
  • Computer-readable program instructions can be executed entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server.
  • the remote computer can be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computer (for example, connecting to the Internet through an Internet service provider).
  • an electronic circuit such as a programmable logic circuit, a field programmable gate array (FPGA), or a programmable logic array (PLA), can be customized by using the status information of the computer-readable program instructions.
  • the computer-readable program instructions are executed to implement various aspects of the present disclosure.
  • a network forensics method based on memory forensics and blockchain is provided.
  • a network forensics method based on memory forensics and blockchain, implemented in the terminal of a judicial authentication agency, includes:
  • S202: query the information on the blockchain according to the blockchain address, and verify the legality of the electronic data, operation log and memory information;
  • S203: after the verification is passed, use memory forensics technology to analyze the memory information, extract the system state at the time the electronic evidence was obtained, and verify the consistency of the system state with the electronic evidence and operation log;
  • S204: use memory analysis to verify whether the forensic tool was hooked or injected during operation, and verify the reliability of its operating environment;
  • the verification of the legality of the electronic data, the operation log and the memory information is to verify that the electronic data, the operation log and the memory information have not been modified.
  • the judicial authentication agency terminal does the following tasks:
  • the method further includes: sending a judicial authentication report to the user terminal.
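The hash-anchoring steps described above (the tool legality check in S102, the per-artefact hashes uploaded in S104, and the legality check against the chain in S202), as an added example that is not the patent's own code. The in-memory Ledger standing in for the blockchain network, SHA-256 as the hash function, all function names and the sample artefacts are assumptions made for this illustration.

```python
"""Evidence fixing (S102, S104) and legality verification (S202) as a hash-anchoring flow.
Added example, not code from the patent: the in-memory Ledger, SHA-256 as the hash
function, all function names and the sample artefacts are constructed for illustration."""
import hashlib
import json
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Hash function for every artefact (the patent names none; SHA-256 is assumed)."""
    return hashlib.sha256(data).hexdigest()


class Ledger:
    """Append-only, hash-chained stand-in for the blockchain network: each block commits
    to the previous block's address, and the address returned to the forensic tool is the
    hash of the block just appended, so a rewritten record invalidates every later block."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.blocks: list = []

    @staticmethod
    def _address(prev: str, record: dict) -> str:
        return sha256_hex(prev.encode() + json.dumps(record, sort_keys=True).encode())

    def append(self, record: dict) -> str:
        prev = self.blocks[-1]["address"] if self.blocks else self.GENESIS
        address = self._address(prev, record)
        self.blocks.append({"prev": prev, "record": record, "address": address})
        return address

    def lookup(self, address: str) -> Optional[dict]:
        return next((b["record"] for b in self.blocks if b["address"] == address), None)

    def verify_chain(self) -> bool:
        """True iff no stored block was altered after it was appended."""
        prev = self.GENESIS
        for block in self.blocks:
            if block["prev"] != prev or self._address(prev, block["record"]) != block["address"]:
                return False
            prev = block["address"]
        return True


def register_tool(ledger: Ledger, tool_code: bytes) -> str:
    """Tool publisher anchors the trusted forensic tool's code hash (precondition for S102)."""
    return ledger.append({"type": "tool", "code_hash": sha256_hex(tool_code)})


def verify_tool(ledger: Ledger, tool_address: str, tool_code: bytes) -> bool:
    """S102: the downloaded tool's execution code is legal iff its hash matches the chain."""
    rec = ledger.lookup(tool_address)
    return rec is not None and rec.get("type") == "tool" and rec["code_hash"] == sha256_hex(tool_code)


def fix_evidence(ledger: Ledger, evidence: bytes, op_log: bytes, mem_image: bytes) -> str:
    """S104: hash electronic data, operation log and memory image separately; anchor all three."""
    return ledger.append({"type": "evidence",
                          "evidence_hash": sha256_hex(evidence),
                          "log_hash": sha256_hex(op_log),
                          "memory_hash": sha256_hex(mem_image)})


def verify_evidence(ledger: Ledger, address: str, evidence: bytes,
                    op_log: bytes, mem_image: bytes) -> dict:
    """S202: query the chain by address and report, per artefact, whether it is unmodified."""
    rec = ledger.lookup(address)
    if rec is None or rec.get("type") != "evidence":
        return {"found": False}
    return {"found": True,
            "evidence": rec["evidence_hash"] == sha256_hex(evidence),
            "operation_log": rec["log_hash"] == sha256_hex(op_log),
            "memory": rec["memory_hash"] == sha256_hex(mem_image)}


# Constructed sample artefacts: a captured page, a two-line audit log, a fake memory image.
EVIDENCE = b"<html><body>Listing #4711: price 1200</body></html>"
OP_LOG = (b"2020-06-01T10:00:00Z fetch https://example.invalid/listing/4711\n"
          b"2020-06-01T10:00:01Z save page.html\n")
MEM_IMAGE = bytes(range(256)) * 16
TOOL_CODE = b"forensic-tool v1.0 (constructed stand-in for the real executable)"


def demo() -> dict:
    """Run both terminals once; the tampered log shows what the S202 check must catch."""
    ledger = Ledger()
    tool_addr = register_tool(ledger, TOOL_CODE)
    if not verify_tool(ledger, tool_addr, TOOL_CODE):
        raise RuntimeError("tool code does not match the chain; refuse to run it")
    addr = fix_evidence(ledger, EVIDENCE, OP_LOG, MEM_IMAGE)
    tampered_log = OP_LOG.replace(b"4711", b"4712")  # one edited character in the log
    return {"intact": verify_evidence(ledger, addr, EVIDENCE, OP_LOG, MEM_IMAGE),
            "tampered": verify_evidence(ledger, addr, EVIDENCE, tampered_log, MEM_IMAGE),
            "chain_ok": ledger.verify_chain()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```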
  • a computer-readable storage medium is provided.
  • a computer-readable storage medium stores a plurality of instructions, and the instructions are suitable for being loaded by a processor of an electronic device and executing the aforementioned method for network forensics based on memory forensics and blockchain.
  • an electronic device is provided.
  • An electronic device comprising a processor and a computer-readable storage medium, the processor is used to implement each instruction; the computer-readable storage medium is used to store a plurality of instructions, the instructions are suitable for being loaded by the processor and executing the one A network forensics method based on internal memory forensics and blockchain.
  • the device executes the methods or processes described in the various embodiments of the present disclosure.
  • the computer program product may include a computer-readable storage medium, which carries computer-readable program instructions for executing various aspects of the present disclosure.
  • the computer-readable storage medium may be a tangible device that can hold and store instructions used by the instruction execution device.
  • the computer-readable storage medium may be, for example, but not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing.
  • More specific examples (a non-exhaustive list) of computer-readable storage media include: portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static random access memory (SRAM), portable compact disk read-only memory (CD-ROM), digital versatile disks (DVD), memory sticks, floppy disks, mechanical encoding devices (such as punched cards with instructions stored thereon), and any suitable combination of the foregoing.
  • the computer-readable storage medium used here is not to be interpreted as a transient signal itself, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (for example, light pulses through fibre-optic cables), or electrical signals transmitted through wires.
  • the computer-readable program instructions described herein can be downloaded from a computer-readable storage medium to various computing/processing devices, or downloaded to an external computer or external storage device via a network, such as the Internet, a local area network, a wide area network, and/or a wireless network.
  • the network may include copper transmission cables, optical fiber transmission, wireless transmission, routers, firewalls, switches, gateway computers, and/or edge servers.
  • the network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards them for storage in the computer-readable storage medium in each computing/processing device.
  • the computer program instructions used to perform the operations of the present disclosure may be assembly instructions, instruction set architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages, including object-oriented programming languages such as C++ and conventional procedural programming languages such as the "C" language or similar programming languages.
  • Computer-readable program instructions can be executed entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server.
  • the remote computer can be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or the connection can be made to an external computer (for example, through the Internet using an Internet service provider).
  • an electronic circuit, such as a programmable logic circuit, a field-programmable gate array (FPGA) or a programmable logic array (PLA), can be personalised by using the state information of the computer-readable program instructions.
  • the computer-readable program instructions are executed to implement various aspects of the present disclosure.
  • a network forensics terminal based on memory forensics and blockchain.
  • a network forensics terminal based on memory forensics and blockchain, based on the described network forensics method based on memory forensics and blockchain, includes:
  • the block chain address receiving module is configured to receive the block chain address sent by the electronic evidence fixed terminal;
  • the legitimacy verification module is configured to query the information on the blockchain based on the blockchain address and verify the legitimacy of electronic data, operation logs and memory information;
  • the first authentication module is configured to use memory forensics technology to analyze the memory information after the verification is passed, extract the system status when the electronic evidence is obtained, and verify the consistency of the system status with the electronic evidence and operation log;
  • the second identification module is configured to use memory analysis to verify whether the forensic tool is hooked or injected during operation, and to verify the reliability of its operating environment;
  • the report generation module is configured to generate forensic identification reports.
  • the network forensics terminal further includes a communication module configured to send a judicial authentication report to the user terminal.
  • a network forensics method based on memory forensics and blockchain is provided.
  • a network forensics method based on memory forensics and blockchain, implemented in a network forensics system, includes:
  • Step S101: the electronic evidence fixing terminal downloads a trusted forensic tool through the blockchain network; Step S102: it interacts with the blockchain network to verify the legitimacy of the forensic tool's executable code;
  • Step S103: it runs the forensic tool to acquire electronic data and generate an operation log; at the same time, memory forensics is used to acquire the computer's memory contents, and the evidence is fixed;
  • Step S104: it generates a hash value for each of the electronic data, the operation log and the memory information, uploads the hash values to the blockchain network, and receives the corresponding blockchain addresses returned;
  • when the electronic evidence obtained needs to be appraised, the electronic evidence fixing terminal sends the electronic evidence, the memory information and their corresponding blockchain addresses to the terminal of the judicial authentication agency;
  • Step S201: the terminal of the judicial authentication agency receives the blockchain address sent by the electronic evidence fixing terminal;
  • Step S202: the terminal of the judicial authentication agency queries the information on the blockchain according to the blockchain address and verifies the legitimacy of the electronic data, the operation log and the memory information;
  • Step S203: after the verification passes, the terminal of the judicial authentication agency uses memory forensics to analyse the memory information, extracts the system state at the time the electronic evidence was acquired, and verifies the consistency of that system state with the electronic evidence and the operation log;
  • Step S204: the terminal of the judicial authentication agency uses memory analysis to verify whether the forensic tool was hooked or injected while running, and verifies the reliability of its operating environment;
  • Step S205: the terminal of the judicial authentication agency generates a judicial authentication report.
  • the network forensics process based on memory forensics and blockchain technology proceeds as follows.
  • the user collects and fixes electronic data, including the computer's memory, on demand and with the support of blockchain technology (step 1), and then, as needed, entrusts a judicial authentication agency to appraise the electronic evidence (step 2).
  • the judicial authentication agency performs the appraisal on the basis of the data on the blockchain, the memory data and the electronic evidence, verifies that the electronic evidence has not been modified since it was acquired (step 3), and issues a judicial authentication report to the user (step 4).
  • a network forensics system based on memory forensics and blockchain.
  • a network forensics system based on memory forensics and blockchain, based on the described network forensics method based on memory forensics and blockchain, the system including an electronic evidence fixing terminal and a judicial authentication agency terminal;
  • the electronic evidence fixing terminal downloads a trusted forensic tool through the blockchain network; interacts with the blockchain network to verify the legitimacy of the forensic tool's executable code; runs the forensic tool to acquire electronic data and generate an operation log, while using memory forensics to acquire the computer's memory contents and fix the evidence; generates a hash value for each of the electronic data, the operation log and the memory information, uploads them to the blockchain network, and receives the corresponding blockchain addresses returned; and, when the electronic evidence obtained needs to be appraised, sends the electronic evidence, the memory information and their corresponding blockchain addresses to the terminal of the judicial authentication agency;
  • the judicial authentication agency terminal receives the blockchain address sent by the electronic evidence fixing terminal; queries the information on the blockchain according to the blockchain address to verify the legitimacy of the electronic data, the operation log and the memory information; after the verification passes, uses memory forensics to analyse the memory information, extracts the system state at the time the electronic evidence was acquired, and verifies the consistency of that state with the electronic evidence and the operation log; uses memory analysis to verify whether the forensic tool was hooked or injected while running and verifies the reliability of its operating environment; and generates a judicial authentication report.
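The steps S101 to S205 above amount to a small protocol: the fixing terminal checks the tool it downloaded against a hash published on the chain, hashes each artefact it produces, anchors the three hashes, and hands the appraiser the artefacts plus the address; the appraiser then recomputes the hashes and compares them with what is anchored. The following Python is an added illustration of that flow and is not code from the patent. The patent does not name a particular blockchain, so an in-memory hash-chained ledger stands in for the network and a block hash stands in for the "blockchain address"; the tool image, page snapshot, log lines and memory bytes are all constructed inputs. The on-disk artefacts themselves are still exchanged off-chain, exactly as the steps describe; only their hashes are anchored.

```python
"""Toy model of evidence fixing (S101-S104) and appraisal (S201-S202).

The Ledger class is a stand-in for the blockchain network: an append-only,
hash-chained record store whose block hash serves as the 'address'.
Everything here is constructed for illustration.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Ledger:
    """Append-only, hash-chained record store (stand-in for the blockchain)."""

    def __init__(self):
        self.blocks = []   # [{"prev": ..., "record": {...}, "hash": ...}]
        self.index = {}    # address -> block

    @staticmethod
    def _block_hash(prev: str, record: dict) -> str:
        body = json.dumps({"prev": prev, "record": record}, sort_keys=True)
        return sha256_hex(body.encode())

    def put(self, record: dict) -> str:
        """Append a record; the returned block hash is the 'address'."""
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        address = self._block_hash(prev, record)
        block = {"prev": prev, "record": dict(record), "hash": address}
        self.blocks.append(block)
        self.index[address] = block
        return address

    def get(self, address: str) -> dict:
        if address not in self.index:
            raise KeyError(f"no block at address {address}")
        return self.index[address]["record"]

    def verify_chain(self) -> bool:
        """Recompute every block hash; any in-place edit breaks the chain."""
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or self._block_hash(prev, b["record"]) != b["hash"]:
                return False
            prev = b["hash"]
        return True


# ---- evidence fixing terminal ----

def verify_tool(ledger: Ledger, registry_address: str, tool_bytes: bytes) -> bool:
    """S102: the executable is legitimate iff its hash equals the hash anchored
    on the ledger when the tool was published (i.e. it has not been modified)."""
    published = ledger.get(registry_address)
    return published.get("kind") == "tool" and published["sha256"] == sha256_hex(tool_bytes)


def fix_evidence(ledger: Ledger, electronic_data: bytes, operation_log: bytes,
                 memory_image: bytes) -> str:
    """S104: hash each artefact separately and anchor the three hashes."""
    record = {
        "kind": "evidence",
        "electronic_data": sha256_hex(electronic_data),
        "operation_log": sha256_hex(operation_log),
        "memory_image": sha256_hex(memory_image),
    }
    return ledger.put(record)


# ---- judicial authentication agency terminal ----

def appraise(ledger: Ledger, address: str, electronic_data: bytes,
             operation_log: bytes, memory_image: bytes) -> dict:
    """S202: recompute hashes over the artefacts received off-chain and compare
    them with the hashes anchored at the given address."""
    anchored = ledger.get(address)
    received = {
        "electronic_data": sha256_hex(electronic_data),
        "operation_log": sha256_hex(operation_log),
        "memory_image": sha256_hex(memory_image),
    }
    result = {k: anchored[k] == v for k, v in received.items()}
    result["chain_intact"] = ledger.verify_chain()
    return result


def demo() -> dict:
    """Run the whole flow on constructed inputs, once clean and once tampered."""
    ledger = Ledger()
    tool = b"\x7fELF constructed forensic tool image"                # constructed
    registry = ledger.put({"kind": "tool", "name": "forensic-tool",
                           "sha256": sha256_hex(tool)})
    assert verify_tool(ledger, registry, tool)                       # S102 passes
    assert not verify_tool(ledger, registry, tool + b"\x00")         # patched binary fails

    page = b"<html>constructed snapshot of the target page</html>"   # constructed
    log = (b"2020-06-15T10:00:00Z open https://example.invalid/\n"   # constructed
           b"2020-06-15T10:00:02Z save page\n")
    mem = bytes(range(256)) * 4                                      # constructed "memory"
    address = fix_evidence(ledger, page, log, mem)

    clean = appraise(ledger, address, page, log, mem)
    tampered = appraise(ledger, address, page, log.replace(b"save", b"edit"), mem)
    return {"address": address, "clean": clean, "tampered": tampered, "ledger": ledger}
```

The per-artefact hashes are what make the appraisal useful: a mismatch on the operation log alone tells the appraiser which artefact was altered after fixing, which a single hash over all three would not.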

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Tourism & Hospitality (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • Databases & Information Systems (AREA)
  • Marketing (AREA)
  • Human Resources & Organizations (AREA)
  • General Business, Economics & Management (AREA)
  • Economics (AREA)
  • Technology Law (AREA)
  • Primary Health Care (AREA)
  • Bioethics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Debugging And Monitoring (AREA)

Abstract

A method and system for digital evidence fixing and network forensics on the basis of memory forensics and a blockchain. The method comprises: a digital evidence fixing terminal downloading a credible forensic tool by means of a blockchain network (S101); verifying the legitimacy of executable codes of the forensic tool (S102); running the forensic tool to obtain digital data, generating an operation log, acquiring computer memory information by using the memory forensics technique and performing evidence fixing (S103); generating a hash value and uploading the same to the blockchain network, and receiving a returned corresponding blockchain address (S104); sending the address to a judicial expertise unit terminal; the judicial expertise unit terminal receiving the blockchain address sent by the digital evidence fixing terminal (S201); querying to obtain information on the blockchain and verifying the legitimacy thereof (S202); analyzing the memory information by using the memory forensics technique, extracting a system state when the digital evidence is obtained and verifying the consistency thereof (S203); determining, by using the memory analysis, whether the forensic tool has been hooked or injected when running, and verifying the reliability of the operating environment thereof (S204); and generating a judicial expertise report (S205).

Description

Electronic evidence fixing and network forensics method and system based on memory forensics and blockchain

Technical field

The present disclosure belongs to the technical field of electronic forensics and relates to a method and system for electronic evidence fixing and network forensics based on memory forensics and blockchain.

Background

The statements in this section merely provide background information related to the present disclosure and do not necessarily constitute prior art.

While modern information technology has brought convenience to people's work and lives, it has inevitably also given rise to various negative problems. In particular, crimes committed by means of networks and information are increasing year by year: incidents such as theft of state secrets, leakage of personal privacy, theft of online-banking passwords, online fraud and hacking attacks occur one after another, and the criminal, civil and administrative cases or disputes associated with them have also grown substantially. Computer forensics (digital forensics, electronic forensics) emerged to meet the litigation needs of such cases and disputes.

Computer forensics is the process of identifying, preserving, analysing and presenting electronic evidence in a manner that complies with legal norms, using the principles and methods of computing, communications, electronics and related disciplines. Since it first took root in China, computer forensics has developed for more than ten years and has been recognised in practice by government law-enforcement departments, legal practitioners and law-enforcement officers at large. In the commercial sector, more and more enterprises are applying computer forensics to internal investigations and IT audits. Computer forensics is a rapidly developing field of research with good application prospects, and its importance has become even more prominent since the 2012 Criminal Procedure Law gave "electronic data" an independent legal status.

The object that computer forensics must obtain is electronic data. One important characteristic that distinguishes electronic evidence from other physical evidence is its fragility, which shows in two ways. First, electronic data is stored on magnetic media or in electronic components, and the properties of these media make the data easy to damage, so the preservation of evidentiary material is subject to very strict constraints. Second, electronic data can easily be modified or deleted, and such operations often cannot be fully reversed; even where recovery is possible, it greatly affects the evidentiary validity of the data.

Electronic evidence is accepted by a court only if it was obtained through a lawful process and its authenticity can be proven. This applies in particular to live forensics, that is, acquiring electronic data from the target computer's memory, disks and other storage media, and analysing and presenting it, without shutting the target computer or device down. During development, however, the inventors found that because the data and state on networks of all kinds change from moment to moment, proving the authenticity of the electronic evidence obtained becomes very difficult. There are also problems such as DNS spoofing and untrustworthy forensic personnel, so at present one can only rely on professional electronic-evidence judicial authentication agencies and notary offices to obtain such evidence.

Figure 1 shows the conventional process for collecting network electronic evidence. Because electronic data is easily tampered with, in the conventional process the acquisition and fixing of evidence must be carried out by a third party (a judicial authentication agency). Between the user collecting the evidence (step 1) and the agency fixing it (step 3), the user must negotiate and sign an appraisal agreement with the agency and entrust it with the judicial appraisal (step 2); the agency then performs the judicial appraisal on the fixed electronic evidence (step 4) and issues a judicial authentication report to the user (step 5). Steps 1 to 3 generally take at least several days. Since data on the network and in network applications changes constantly, by the time the agency fixes the electronic evidence the data has often changed substantially and the opportunity to collect it has been missed. In addition, when the agency is entrusted with fixing the evidence, the user has usually not yet communicated with a lawyer or the court, so the evidence requirements are not yet clear; the appraisal is therefore commissioned somewhat blindly, wasting time and money.

In summary, because evidence is not collected in time, the conventional process for collecting network electronic evidence suffers from practical problems such as the desired data having already been deleted, and a more trustworthy method is needed to solve the current forensics problem.
Summary of the invention

To address the shortcomings of the prior art, one or more embodiments of the present disclosure provide a method and system for electronic evidence fixing and network forensics based on memory forensics and blockchain. A computer is used to acquire web pages and electronic data from network applications online, and memory forensics, blockchain technology and dedicated forensic tools are used to ensure that the source of the electronic data and the acquisition process are trustworthy, so that the electronic evidence obtained is difficult to tamper with.

According to one aspect of one or more embodiments of the present disclosure, a method for fixing electronic evidence based on memory forensics and blockchain is provided.

A method for fixing electronic evidence based on memory forensics and blockchain comprises:

downloading a trusted forensic tool through the blockchain network;

interacting with the blockchain network to verify the legitimacy of the forensic tool's executable code;

running the forensic tool to acquire electronic data and generate an operation log, while at the same time using memory forensics to acquire the computer's memory contents, and fixing the evidence;

generating a hash value for each of the electronic data, the operation log and the memory information, uploading the hash values to the blockchain network, and receiving the corresponding blockchain addresses returned.

Further, in this method, verifying the legitimacy of the forensic tool's executable code means verifying that the executable code of the forensic tool has not been modified.

Further, the method also comprises: when the electronic evidence obtained needs to be appraised, sending the electronic evidence, the memory information and their corresponding blockchain addresses to the terminal of the judicial authentication agency.
According to one aspect of one or more embodiments of the present disclosure, a computer-readable storage medium is provided.

A computer-readable storage medium stores a plurality of instructions, the instructions being suitable for being loaded by a processor of an electronic device and executing the aforementioned method for fixing electronic evidence based on memory forensics and blockchain.

According to one aspect of one or more embodiments of the present disclosure, an electronic device is provided.

An electronic device comprises a processor and a computer-readable storage medium, the processor being used to implement each instruction; the computer-readable storage medium is used to store a plurality of instructions, the instructions being suitable for being loaded by the processor and executing the aforementioned method for fixing electronic evidence based on memory forensics and blockchain.

According to one aspect of one or more embodiments of the present disclosure, an electronic evidence fixing terminal based on memory forensics and blockchain is provided.

An electronic evidence fixing terminal based on memory forensics and blockchain, based on the aforementioned method for fixing electronic evidence based on memory forensics and blockchain, comprises:

a forensic tool download module, configured to download a trusted forensic tool through the blockchain network;

a legitimacy verification module, configured to interact with the blockchain network and verify the legitimacy of the forensic tool's executable code;

an evidence fixing module, configured to run the forensic tool, acquire electronic data and generate an operation log, while at the same time using memory forensics to acquire the computer's memory contents, and to fix the evidence;

a blockchain upload module, configured to generate a hash value for each of the electronic data, the operation log and the memory information, upload the hash values to the blockchain network, and receive the corresponding blockchain addresses returned.

Further, the electronic evidence fixing terminal also comprises a communication module, configured to send the electronic evidence, the memory information and their corresponding blockchain addresses to the terminal of the judicial authentication agency when the electronic evidence obtained needs to be appraised.
According to one aspect of one or more embodiments of the present disclosure, a network forensics method based on memory forensics and blockchain is provided.

A network forensics method based on memory forensics and blockchain, implemented in the terminal of a judicial authentication agency, comprises:

receiving the blockchain address sent by the electronic evidence fixing terminal;

querying the information on the blockchain according to the blockchain address, and verifying the legitimacy of the electronic data, the operation log and the memory information;

after the verification passes, using memory forensics to analyse the memory information, extracting the system state at the time the electronic evidence was acquired, and verifying the consistency of that system state with the electronic evidence and the operation log;

using memory analysis to verify whether the forensic tool was hooked or injected while running, and verifying the reliability of its operating environment;

generating a judicial authentication report.

Further, verifying the legitimacy of the electronic data, the operation log and the memory information means verifying that the electronic data, the operation log and the memory information have not been modified.

Further, the method also comprises: sending the judicial authentication report to the user terminal.
According to one aspect of one or more embodiments of the present disclosure, a computer-readable storage medium is provided.

A computer-readable storage medium stores a plurality of instructions, the instructions being suitable for being loaded by a processor of an electronic device and executing the aforementioned network forensics method based on memory forensics and blockchain.

According to one aspect of one or more embodiments of the present disclosure, an electronic device is provided.

An electronic device comprises a processor and a computer-readable storage medium, the processor being used to implement each instruction; the computer-readable storage medium is used to store a plurality of instructions, the instructions being suitable for being loaded by the processor and executing the aforementioned network forensics method based on memory forensics and blockchain.

According to one aspect of one or more embodiments of the present disclosure, a network forensics terminal based on memory forensics and blockchain is provided.

A network forensics terminal based on memory forensics and blockchain, based on the aforementioned network forensics method based on memory forensics and blockchain, comprises:

a blockchain address receiving module, configured to receive the blockchain address sent by the electronic evidence fixing terminal;

a legitimacy verification module, configured to query the information on the blockchain according to the blockchain address and verify the legitimacy of the electronic data, the operation log and the memory information;

a first appraisal module, configured to use memory forensics, after the verification passes, to analyse the memory information, extract the system state at the time the electronic evidence was acquired, and verify the consistency of that system state with the electronic evidence and the operation log;

a second appraisal module, configured to use memory analysis to verify whether the forensic tool was hooked or injected while running, and to verify the reliability of its operating environment;

a report generation module, configured to generate a judicial authentication report.

Further, the network forensics terminal also comprises a communication module, configured to send the judicial authentication report to the user terminal.
According to one aspect of one or more embodiments of the present disclosure, a network forensics method based on memory forensics and blockchain is provided.

A network forensics method based on memory forensics and blockchain, implemented in a network forensics system, comprises:

the electronic evidence fixing terminal downloads a trusted forensic tool through the blockchain network; interacts with the blockchain network to verify the legitimacy of the forensic tool's executable code; runs the forensic tool to acquire electronic data and generate an operation log, while using memory forensics to acquire the computer's memory contents and fix the evidence; generates a hash value for each of the electronic data, the operation log and the memory information, uploads the hash values to the blockchain network, and receives the corresponding blockchain addresses returned; and, when the electronic evidence obtained needs to be appraised, sends the electronic evidence, the memory information and their corresponding blockchain addresses to the terminal of the judicial authentication agency;

the terminal of the judicial authentication agency receives the blockchain address sent by the electronic evidence fixing terminal; queries the information on the blockchain according to the blockchain address to verify the legitimacy of the electronic data, the operation log and the memory information; after the verification passes, uses memory forensics to analyse the memory information, extracts the system state at the time the electronic evidence was acquired, and verifies the consistency of that state with the electronic evidence and the operation log; uses memory analysis to verify whether the forensic tool was hooked or injected while running and verifies the reliability of its operating environment; and generates a judicial authentication report.

According to one aspect of one or more embodiments of the present disclosure, a network forensics system based on memory forensics and blockchain is provided.

A network forensics system based on memory forensics and blockchain, based on the aforementioned network forensics method based on memory forensics and blockchain, comprises an electronic evidence fixing terminal and a judicial authentication agency terminal.

The electronic evidence fixing terminal downloads a trusted forensic tool through the blockchain network; interacts with the blockchain network to verify the legitimacy of the forensic tool's executable code; runs the forensic tool to acquire electronic data and generate an operation log, while using memory forensics to acquire the computer's memory contents and fix the evidence; generates a hash value for each of the electronic data, the operation log and the memory information, uploads the hash values to the blockchain network, and receives the corresponding blockchain addresses returned; and, when the electronic evidence obtained needs to be appraised, sends the electronic evidence, the memory information and their corresponding blockchain addresses to the terminal of the judicial authentication agency.

The judicial authentication agency terminal receives the blockchain address sent by the electronic evidence fixing terminal; queries the information on the blockchain according to the blockchain address to verify the legitimacy of the electronic data, the operation log and the memory information; after the verification passes, uses memory forensics to analyse the memory information, extracts the system state at the time the electronic evidence was acquired, and verifies the consistency of that state with the electronic evidence and the operation log; uses memory analysis to verify whether the forensic tool was hooked or injected while running and verifies the reliability of its operating environment; and generates a judicial authentication report.

Beneficial effects of the present disclosure:

The method and system for electronic evidence fixing and network forensics based on memory forensics and blockchain provided by the present disclosure move the fixing of electronic evidence to the front of the process, through the method for fixing electronic evidence based on memory forensics and blockchain, and so avoid the problem of a missed collection window. Memory forensics, blockchain technology and dedicated forensic tools ensure that the source of the electronic data and the acquisition process are trustworthy, so that the electronic evidence obtained is difficult to tamper with and is more readily accepted by the court.
Description of the drawings
The drawings of the specification, which form a part of the present application, are used to provide a further understanding of the application; the exemplary embodiments of the application and their descriptions are used to explain the application and do not constitute an improper limitation of it.
Figure 1 is a schematic diagram of a conventional law enforcement evidence collection process;
Figure 2 is a flowchart of an electronic evidence fixing method based on memory forensics and blockchain according to one or more embodiments;
Figure 3 is a schematic diagram of a law enforcement evidence collection process according to one or more embodiments;
Figure 4 is a flowchart of a network forensics method based on memory forensics and blockchain according to one or more embodiments;
Figure 5 is a flowchart of another network forensics method based on memory forensics and blockchain according to one or more embodiments.
Detailed description of the embodiments:
The technical solutions in one or more embodiments of the present disclosure will be described clearly and completely below with reference to the accompanying drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. Based on one or more embodiments of the present disclosure, all other embodiments obtained by a person of ordinary skill in the art without creative work fall within the protection scope of the present invention.
It should be pointed out that the following detailed description is illustrative and is intended to provide further explanation of the present application. Unless otherwise specified, all technical and scientific terms used in the embodiments have the same meaning as commonly understood by a person of ordinary skill in the technical field to which this application belongs.
It should be noted that the terms used here are only for describing specific embodiments and are not intended to limit the exemplary embodiments according to the present application. As used herein, unless the context clearly indicates otherwise, the singular form is also intended to include the plural form. In addition, it should be understood that when the terms "comprising" and/or "including" are used in this specification, they indicate the presence of features, steps, operations, devices, components and/or combinations thereof.
It should be noted that the flowcharts and block diagrams in the drawings illustrate the architecture, functions and operations of possible implementations of the methods and systems according to various embodiments of the present disclosure. Each block in a flowchart or block diagram may represent a module, program segment or portion of code, which may include one or more executable instructions for implementing the specified logical functions of the respective embodiments. It should also be noted that, in some alternative implementations, the functions noted in a block may occur in an order different from that noted in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each block in the flowcharts and/or block diagrams, and combinations of blocks therein, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
Where no conflict arises, the embodiments of the present disclosure and the features of those embodiments may be combined with one another. The present disclosure is further described below with reference to the drawings and embodiments.
Embodiment one
According to one aspect of one or more embodiments of the present disclosure, an electronic evidence fixing and network forensics method based on memory forensics and blockchain is provided.
As shown in Figure 2, according to one aspect of one or more embodiments of the present disclosure, an electronic evidence fixing method based on memory forensics and blockchain is provided.
An electronic evidence fixing method based on memory forensics and blockchain, the method comprising:
S101: downloading a trusted forensic tool through the blockchain network;
S102: interacting with the blockchain network to verify the legality of the forensic tool's executable code;
S103: running the forensic tool to obtain electronic data and generate an operation log, while using memory forensics to obtain computer memory information, so as to fix the evidence;
S104: generating hash values for the electronic data, the operation log and the memory information respectively, uploading them to the blockchain network, and receiving the corresponding blockchain addresses returned.
In step S101 of this embodiment, a dedicated forensic tool is downloaded from the blockchain network: a trusted, dedicated forensic tool is downloaded onto the computer from the blockchain network and run. The forensic tools in the present disclosure are all existing computer forensic tools; in the computer forensics process, common tools such as, but not limited to, Tcpdump, Argus, NFR, Tcpwrapper, Sniffers, Honeypot, Tripwires, Network monitor, disk imaging, web page fixing and memory acquisition/analysis tools may be used.
In step S102 of this embodiment, the forensic tool interacts with the blockchain before running; verifying the legality of the forensic tool's executable code means verifying that the executable code of the forensic tool has not been modified.
In steps S103 and S104 of this embodiment, the specific steps include:
using the forensic tool to obtain web page information and the electronic data of various apps, fixing the evidence, generating an audit log for each operation step and its result, generating hash values for the fixed evidence and its log with a hash function, and, according to the forensic requirements, uploading the hash values/fixed evidence/audit log to the blockchain network;
while these steps are carried out, using memory forensics to obtain computer memory information, fixing the evidence, and uploading the hash value of the memory information to the blockchain network.
Memory forensics: acquiring and analysing the transient data stored in the physical memory of a computer or related smart device while it is running, and extracting valuable data from it. Memory is the area in which the operating system and various software exchange data; the data is volatile and usually disappears soon after shutdown. In this embodiment, the Windows/Linux memory forensics methods previously filed by the applicant are used to acquire and analyse the computer memory information.
Specifically, in step S103 of this embodiment, the forensic tool is run as follows:
1) running the web page fixing forensic tool to obtain electronic evidence such as web page or app information and information on the operating environment;
2) running any forensic tool while generating an operation log of the acquisition process;
3) running the memory acquisition forensic tool to obtain a computer memory image.
In step S104 of this embodiment, the forensic tool uses a hash function to generate hash values for the obtained electronic evidence, the operation log and the memory image respectively, and uploads the hash value of the evidence, the operation log together with its hash value, and the hash value of the memory image to the blockchain. The blockchain returns the blockchain address to the forensic tool.
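The following is an added example, not the patent's own code, that simulates the evidence-fixing side of steps S102 to S104 offline in Python. The blockchain network is replaced by a toy hash-chained append-only ledger (the `ToyLedger` class is an assumption of this example, as is the convention that the hash of the block holding a record serves as its blockchain address); the tool executable, captured page and memory image are constructed byte strings. The point it shows is the one the steps rely on: the tool's code is checked against the digest recorded when it was published, and the evidence, log and memory image are each committed by digest before anyone downstream sees them.

```python
"""Added example (not the patent's code): evidence-fixing terminal, S102-S104.
The blockchain is simulated by ToyLedger, a hash-chained append-only list."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ToyLedger:
    """Minimal append-only ledger standing in for the blockchain network.
    Each block commits to the previous block's hash, so a record can be
    located by its address later and the whole chain re-verified."""

    def __init__(self):
        self.blocks = []

    def append(self, record: dict) -> str:
        prev = self.blocks[-1]["block_hash"] if self.blocks else "0" * 64
        body = {"index": len(self.blocks), "prev_hash": prev, "record": record}
        block_hash = sha256_hex(json.dumps(body, sort_keys=True).encode())
        body["block_hash"] = block_hash
        self.blocks.append(body)
        return block_hash  # plays the role of the returned "blockchain address"

    def lookup(self, address: str) -> dict:
        for block in self.blocks:
            if block["block_hash"] == address:
                return block["record"]
        raise KeyError(address)

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for block in self.blocks:
            body = {k: v for k, v in block.items() if k != "block_hash"}
            if body["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != block["block_hash"]:
                return False
            prev = block["block_hash"]
        return True


def verify_tool_code(tool_bytes: bytes, ledger: ToyLedger, publish_addr: str) -> bool:
    """S102: the downloaded executable must hash to the digest recorded on-chain
    when the tool was published; any modification of the code changes it."""
    published = ledger.lookup(publish_addr)
    return published["kind"] == "tool" and published["code_hash"] == sha256_hex(tool_bytes)


def fix_evidence(evidence: bytes, memory_image: bytes, steps, ledger: ToyLedger) -> dict:
    """S103-S104: build the operation log from (step, result) pairs, hash the
    evidence, the log and the memory image, and record them on the ledger.
    As in S104, the log itself goes on-chain together with its hash; the
    evidence and memory image are committed by digest only."""
    op_log = "\n".join(f"{i}:{step}:{result}" for i, (step, result) in enumerate(steps, 1)).encode()
    record = {
        "kind": "evidence",
        "evidence_hash": sha256_hex(evidence),
        "log": op_log.decode(),
        "log_hash": sha256_hex(op_log),
        "memory_hash": sha256_hex(memory_image),
    }
    address = ledger.append(record)
    return {"address": address, "op_log": op_log, "record": record}


def demo() -> dict:
    """Constructed end-to-end run: publish a tool, verify it, fix evidence."""
    ledger = ToyLedger()
    tool = b"FORENSIC-TOOL webfix v1 (constructed stand-in for an executable)"
    publish_addr = ledger.append({"kind": "tool", "name": "webfix", "code_hash": sha256_hex(tool)})
    tool_ok = verify_tool_code(tool, ledger, publish_addr)
    tampered_ok = verify_tool_code(tool + b"\x90", ledger, publish_addr)  # one patched byte
    evidence = b"<html>constructed captured page</html>"
    memory_image = b"constructed memory image bytes" * 4
    steps = [("fetch https://example.invalid/page", f"200 OK, {len(evidence)} bytes"),
             ("dump memory", f"{len(memory_image)} bytes")]
    result = fix_evidence(evidence, memory_image, steps, ledger)
    return {"tool_ok": tool_ok, "tampered_ok": tampered_ok, "address": result["address"],
            "on_chain": ledger.lookup(result["address"]), "chain_ok": ledger.verify_chain(),
            "evidence": evidence}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=lambda b: b.decode()))
```

The tampered-tool check in `demo()` flips a single byte of the constructed executable; the published digest no longer matches, which is exactly the condition S102 is meant to catch before the tool is allowed to run.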
Further, the method also comprises: when the obtained electronic evidence needs to be appraised, sending the electronic evidence, the memory information and their corresponding blockchain addresses to the judicial appraisal institution terminal.
In one or more embodiments of the present disclosure, if the user needs the evidence, the fixed evidence is provided to a judicial appraisal institution, which performs the judicial appraisal on the basis of the electronic evidence and the information on the blockchain: memory forensics is used to ensure that the system was not illegally intruded during the evidence acquisition process and to rule out other actions that could affect the authenticity of the evidence, and blockchain technology is used to ensure that the data of the entire process has not been modified. The judicial appraisal institution issues a judicial appraisal report according to the appraisal result.
As shown in Figure 3, one or more embodiments of the present disclosure change the "evidence fixing" stage of the conventional network data forensics process from work that had to be done by a third-party institution into work that can be done by any individual or organisation; that is, the original process "locate electronic evidence - engage a third party for judicial fixing and appraisal services - third party fixes the evidence - third party performs the judicial appraisal and issues a judicial appraisal report" becomes "locate electronic evidence - evidence fixing service - engage a third party for judicial appraisal - third party performs the judicial appraisal and issues a judicial appraisal report".
One or more embodiments of the present disclosure avoid the problem of delayed evidence collection. Because current network data forensics methods are not trusted, evidence can only be fixed by a judicial appraisal institution or a notary office. Between discovering a lead on electronic evidence and engaging a third-party institution to fix it, the stages of business engagement (including price negotiation and sealing of the agreement by both parties), scheduling and evidence fixing all take time, while website data and social app data change rapidly; as a result, by the time the evidence is collected the data has often already been modified and the required evidence cannot be obtained.
Costs are saved: since evidence fixing can be done by any individual or organisation and no third-party institution is needed, a large part of the evidence fixing cost is obviously saved.
The acquisition method is more trustworthy, so the obtained evidence is more readily accepted by a court.
Embodiment two
According to one aspect of one or more embodiments of the present disclosure, a computer-readable storage medium is provided.
A computer-readable storage medium storing a plurality of instructions, the instructions being adapted to be loaded by a processor of an electronic device and to execute the electronic evidence fixing method based on memory forensics and blockchain described above.
Embodiment three
According to one aspect of one or more embodiments of the present disclosure, an electronic device is provided.
An electronic device comprising a processor and a computer-readable storage medium, the processor being configured to implement the instructions, and the computer-readable storage medium being configured to store a plurality of instructions, the instructions being adapted to be loaded by the processor and to execute the electronic evidence fixing method based on memory forensics and blockchain described above.
When these computer-executable instructions run in the device, they cause the device to perform the methods or processes described in the various embodiments of the present disclosure.
In this embodiment, the computer program product may include a computer-readable storage medium carrying computer-readable program instructions for carrying out the various aspects of the present disclosure. The computer-readable storage medium may be a tangible device that can retain and store instructions for use by an instruction execution device. The computer-readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer-readable storage medium includes: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disc (DVD), a memory stick, a floppy disk, a mechanically encoded device such as a punch card or a raised structure in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer-readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (for example, light pulses passing through a fibre-optic cable), or electrical signals transmitted through a wire.
The computer-readable program instructions described herein can be downloaded to the respective computing/processing devices from a computer-readable storage medium, or to an external computer or external storage device via a network, for example the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical fibre transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives the computer-readable program instructions from the network and forwards them for storage in a computer-readable storage medium within the respective computing/processing device.
The computer program instructions for carrying out the operations of the present disclosure may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object-oriented programming language such as C++ and a conventional procedural programming language such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. Where a remote computer is involved, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, electronic circuitry, for example programmable logic circuitry, a field-programmable gate array (FPGA) or a programmable logic array (PLA), may execute the computer-readable program instructions by utilising state information of the computer-readable program instructions to personalise the electronic circuitry, in order to perform aspects of the present disclosure.
Embodiment four
According to one aspect of one or more embodiments of the present disclosure, an electronic evidence fixing terminal based on memory forensics and blockchain is provided.
An electronic evidence fixing terminal based on memory forensics and blockchain, based on the electronic evidence fixing method based on memory forensics and blockchain described above, comprising:
a forensic tool download module, configured to download a trusted forensic tool through the blockchain network;
a legality verification module, configured to interact with the blockchain network to verify the legality of the forensic tool's executable code;
an evidence fixing module, configured to run the forensic tool to obtain electronic data and generate an operation log, while using memory forensics to obtain computer memory information, so as to fix the evidence;
a blockchain upload module, configured to generate hash values for the electronic data, the operation log and the memory information respectively, upload them to the blockchain network, and receive the corresponding blockchain addresses returned.
Further, the electronic evidence fixing terminal also comprises a communication module, configured to send the electronic evidence, the memory information and their corresponding blockchain addresses to the judicial appraisal institution terminal when the obtained electronic evidence needs to be appraised.
It should be noted that although several modules or sub-modules of the device are mentioned in the detailed description above, this division is merely exemplary and not mandatory. In fact, according to embodiments of the present disclosure, the features and functions of two or more modules described above may be embodied in a single module. Conversely, the features and functions of one module described above may be further divided so as to be embodied by multiple modules.
Embodiment five
According to one aspect of one or more embodiments of the present disclosure, a network forensics method based on memory forensics and blockchain is provided.
As shown in Figure 4, a network forensics method based on memory forensics and blockchain, implemented in the judicial appraisal institution terminal, comprises:
S201: receiving the blockchain address sent by the electronic evidence fixing terminal;
S202: querying the information on the blockchain according to the blockchain address, and verifying the legality of the electronic data, the operation log and the memory information;
S203: after the verification passes, analysing the memory information by means of memory forensics, extracting the system state at the time the electronic evidence was obtained, and verifying the consistency of the system state with the electronic evidence and the operation log;
S204: using memory analysis to verify whether the forensic tool was hooked or injected while running, and verifying the reliability of its operating environment;
S205: generating a judicial appraisal report.
Further, verifying the legality of the electronic data, the operation log and the memory information means verifying that the electronic data, the operation log and the memory information have not been modified.
On the basis of the content at the blockchain address and the electronic evidence provided by the user, the judicial appraisal institution terminal carries out the following work:
1) querying the information on the blockchain to verify whether the electronic evidence, the operation log and the memory image have been modified;
2) after the verification passes, analysing the memory image by means of memory forensics, extracting the system state at the time the evidence was obtained, and verifying that the system state is consistent with the electronic data, the operation log and other information;
3) using memory analysis to verify that the forensic tool was not hooked or injected while running, and verifying the reliability of its operating environment.
Further, the method also comprises: sending the judicial appraisal report to the user terminal.
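The following is an added example, not the patent's own code, of the appraisal side (steps S202 to S205, items 1) to 3) above) run offline in Python on constructed inputs. The on-chain record is a plain dictionary fetched by address (it is assumed to also carry the tool's published code hash from S102), and the memory image is a constructed text snapshot of already-parsed artefacts (process, module and connection lines), a stand-in for what a memory analysis framework would extract from a raw dump; the line format, the process and module names and the `allowed_modules` list are all assumptions of this example. It shows the three checks in order: recompute the digests against the chain, cross-check what the log claims against what memory shows, and compare the tool's in-memory code and loaded modules with the published baseline to detect hooking or injection.

```python
"""Added example (not the patent's code): appraisal terminal, S202-S205.
Inputs are constructed; the memory image is a parsed-artefact text snapshot."""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_integrity(record: dict, evidence: bytes, op_log: bytes, mem_image: bytes) -> dict:
    """S202 / item 1): recompute every digest and compare with the on-chain record."""
    return {
        "evidence": sha256_hex(evidence) == record["evidence_hash"],
        "op_log": sha256_hex(op_log) == record["log_hash"],
        "memory": sha256_hex(mem_image) == record["memory_hash"],
    }


def parse_memory_snapshot(mem_image: bytes) -> dict:
    """Constructed format, one artefact per line: 'PROC|MOD|CONN key=value ...'."""
    snap = {"procs": {}, "mods": [], "conns": []}
    for line in mem_image.decode().splitlines():
        kind, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kind == "PROC":
            snap["procs"][kv["pid"]] = kv["name"]
        elif kind == "MOD":
            snap["mods"].append(kv)
        elif kind == "CONN":
            snap["conns"].append(kv)
    return snap


def check_state_consistency(snap: dict, op_log: bytes, tool_name: str) -> list:
    """S203 / item 2): every host the log claims was fetched must appear as a
    connection owned by the forensic tool's process in the memory image."""
    tool_pids = {pid for pid, name in snap["procs"].items() if name == tool_name}
    if not tool_pids:
        return [f"tool process {tool_name} not present in memory"]
    seen_hosts = {c["remote"].split(":")[0] for c in snap["conns"] if c["pid"] in tool_pids}
    return [f"log claims fetch of {host} but no connection in memory"
            for host in re.findall(r"fetch https?://([^/\s]+)", op_log.decode())
            if host not in seen_hosts]


def check_hooks_and_injection(snap: dict, tool_name: str, published_code_hash: str,
                              allowed_modules: set) -> list:
    """S204 / item 3): the tool's code as found in memory must match the published
    digest (an inline hook patches code and changes it), and only the expected
    modules may be mapped into its process (anything else indicates injection)."""
    findings = []
    tool_pids = {pid for pid, name in snap["procs"].items() if name == tool_name}
    for mod in snap["mods"]:
        if mod["pid"] not in tool_pids:
            continue
        if mod["name"] == tool_name and mod.get("text_hash") != published_code_hash:
            findings.append("tool code in memory differs from published hash (possible hook)")
        if mod["name"] not in allowed_modules:
            findings.append(f"unexpected module {mod['name']} in tool process (possible injection)")
    return findings


def appraise(record, evidence, op_log, mem_image, tool_name, allowed_modules) -> dict:
    """S205: assemble the report; accept only if every check holds. Integrity
    failures stop the analysis, since unverified inputs prove nothing."""
    integrity = verify_integrity(record, evidence, op_log, mem_image)
    report = {"integrity": integrity, "state_findings": [], "env_findings": [], "accepted": False}
    if not all(integrity.values()):
        return report
    snap = parse_memory_snapshot(mem_image)
    report["state_findings"] = check_state_consistency(snap, op_log, tool_name)
    report["env_findings"] = check_hooks_and_injection(snap, tool_name,
                                                       record["tool_code_hash"], allowed_modules)
    report["accepted"] = not report["state_findings"] and not report["env_findings"]
    return report


def build_constructed_case(injected: bool) -> tuple:
    """Constructed inputs: a clean acquisition, or one whose memory image shows
    patched tool code and an unexpected module in the tool's process."""
    tool_code = b"FORENSIC-TOOL webfix v1 (constructed)"
    code_hash = sha256_hex(tool_code)
    evidence = b"<html>constructed captured page</html>"
    op_log = b"1:fetch https://example.invalid/page:200 OK\n2:dump memory:done"
    lines = ["PROC pid=1234 name=webfix",
             f"MOD pid=1234 name=webfix text_hash={'deadbeef' if injected else code_hash}",
             "MOD pid=1234 name=libc.so.6",
             "CONN pid=1234 remote=example.invalid:443"]
    if injected:
        lines.append("MOD pid=1234 name=unknown.so")
    mem_image = "\n".join(lines).encode()
    record = {"evidence_hash": sha256_hex(evidence), "log_hash": sha256_hex(op_log),
              "memory_hash": sha256_hex(mem_image), "tool_code_hash": code_hash}
    return record, evidence, op_log, mem_image
```

Usage: `appraise(*build_constructed_case(injected=False), "webfix", {"webfix", "libc.so.6"})` yields an accepted report, while the `injected=True` case is rejected with two environment findings; altering a single byte of the evidence after fixing fails the integrity stage before any memory analysis runs.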
Embodiment six
According to one aspect of one or more embodiments of the present disclosure, a computer-readable storage medium is provided.
A computer-readable storage medium storing a plurality of instructions, the instructions being adapted to be loaded by a processor of an electronic device and to execute the network forensics method based on memory forensics and blockchain described above.
Embodiment seven
According to one aspect of one or more embodiments of the present disclosure, an electronic device is provided.
An electronic device comprising a processor and a computer-readable storage medium, the processor being configured to implement the instructions, and the computer-readable storage medium being configured to store a plurality of instructions, the instructions being adapted to be loaded by the processor and to execute the network forensics method based on memory forensics and blockchain described above.
When these computer-executable instructions run in the device, they cause the device to perform the methods or processes described in the various embodiments of the present disclosure.
In this embodiment, the computer program product may include a computer-readable storage medium carrying computer-readable program instructions for carrying out the various aspects of the present disclosure. The computer-readable storage medium may be a tangible device that can retain and store instructions for use by an instruction execution device. The computer-readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer-readable storage medium includes: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disc (DVD), a memory stick, a floppy disk, a mechanically encoded device such as a punch card or a raised structure in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer-readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (for example, light pulses passing through a fibre-optic cable), or electrical signals transmitted through a wire.
The computer-readable program instructions described herein can be downloaded to the respective computing/processing devices from a computer-readable storage medium, or to an external computer or external storage device via a network, for example the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical fibre transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives the computer-readable program instructions from the network and forwards them for storage in a computer-readable storage medium within the respective computing/processing device.
The computer program instructions for carrying out the operations of the present disclosure may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object-oriented programming language such as C++ and a conventional procedural programming language such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. Where a remote computer is involved, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, electronic circuitry, for example programmable logic circuitry, a field-programmable gate array (FPGA) or a programmable logic array (PLA), may execute the computer-readable program instructions by utilising state information of the computer-readable program instructions to personalise the electronic circuitry, in order to perform aspects of the present disclosure.
Example 8
According to one aspect of one or more embodiments of the present disclosure, a network forensics terminal based on memory forensics and blockchain is provided.
A network forensics terminal based on memory forensics and blockchain, built on the network forensics method based on memory forensics and blockchain described above, comprises:
a blockchain address receiving module, configured to receive the blockchain address sent by the electronic-evidence fixing terminal;
a legitimacy verification module, configured to query the information recorded on the blockchain using the blockchain address and to verify the legitimacy of the electronic data, the operation log and the memory information (that is, that none of them has been modified);
a first appraisal module, configured, once that verification passes, to analyze the memory information using memory forensics techniques, extract the system state at the time the electronic evidence was acquired, and verify that this system state is consistent with the electronic evidence and the operation log;
a second appraisal module, configured to use memory analysis to verify whether the forensic tool was hooked or injected into while it ran, and to verify the reliability of its runtime environment;
a report generation module, configured to generate the judicial appraisal report.
Further, the network forensics terminal also comprises a communication module configured to send the judicial appraisal report to the user terminal.
It should be noted that although several modules or sub-modules of the device are mentioned in the detailed description above, this division is merely exemplary and not mandatory. In practice, according to embodiments of the present disclosure, the features and functions of two or more of the modules described above may be embodied in a single module. Conversely, the features and functions of one module described above may be further divided and embodied in multiple modules.
Example 9
According to one aspect of one or more embodiments of the present disclosure, a network forensics method based on memory forensics and blockchain is provided.
As shown in Figure 5, a network forensics method based on memory forensics and blockchain, implemented in a network forensics system, comprises:
Step S101: the electronic-evidence fixing terminal downloads a trusted forensic tool through the blockchain network; Step S102: it interacts with the blockchain network to verify the legitimacy of the forensic tool's executable code;
Step S103: it runs the forensic tool to acquire the electronic data and generate an operation log, while at the same time using memory forensics techniques to acquire the computer's memory information, thereby fixing the evidence;
Step S104: it computes a hash value for each of the electronic data, the operation log and the memory information, uploads the hash values to the blockchain network, and receives the corresponding blockchain addresses returned;
when the acquired electronic evidence needs to be appraised, the electronic-evidence fixing terminal sends the electronic evidence, the memory information and their corresponding blockchain addresses to the judicial appraisal agency terminal;
Step S201: the judicial appraisal agency terminal receives the blockchain address sent by the electronic-evidence fixing terminal;
Step S202: the judicial appraisal agency terminal queries the information on the blockchain using the blockchain address and verifies the legitimacy of the electronic data, the operation log and the memory information;
Step S203: once verification passes, the judicial appraisal agency terminal analyzes the memory information using memory forensics techniques, extracts the system state at the time the electronic evidence was acquired, and verifies that this system state is consistent with the electronic evidence and the operation log;
Step S204: the judicial appraisal agency terminal uses memory analysis to verify whether the forensic tool was hooked or injected into while it ran, and verifies the reliability of its runtime environment;
Step S205: the judicial appraisal agency terminal generates the judicial appraisal report.
As shown in Figure 3, the network forensics workflow is based on memory forensics and blockchain technology. In the forensic process for network data or data from various network apps according to the embodiments of this patent, the user, supported by blockchain technology, collects and fixes the electronic data (including the computer's memory) on demand (step 1); once the evidence is fixed, the user may commission a judicial appraisal agency to appraise the electronic evidence as needed (step 2); the judicial appraisal agency performs the appraisal on the basis of the data recorded on the blockchain, the memory data and the electronic evidence, verifying that the electronic evidence was not modified during or after acquisition (step 3); and it issues a judicial report to the user (step 4).
A comparison of Figure 1 and Figure 3 shows that with the method of this patent, the organization or individual requiring evidence can collect and fix the evidence themselves according to their own needs. This effectively reduces the number of stages and the processing time involved in forming the evidence, and also removes the risk that the original evidence is altered or destroyed during the interval before a second round of collection.
Example 10
According to one aspect of one or more embodiments of the present disclosure, a network forensics system based on memory forensics and blockchain is provided.
A network forensics system based on memory forensics and blockchain, built on the network forensics method based on memory forensics and blockchain described above, comprises an electronic-evidence fixing terminal and a judicial appraisal agency terminal;
the electronic-evidence fixing terminal downloads a trusted forensic tool through the blockchain network; interacts with the blockchain network to verify the legitimacy of the forensic tool's executable code; runs the forensic tool to acquire the electronic data and generate an operation log, while at the same time using memory forensics techniques to acquire the computer's memory information, thereby fixing the evidence; computes a hash value for each of the electronic data, the operation log and the memory information, uploads the hash values to the blockchain network, and receives the corresponding blockchain addresses returned; and, when the acquired electronic evidence needs to be appraised, sends the electronic evidence, the memory information and their corresponding blockchain addresses to the judicial appraisal agency terminal;
the judicial appraisal agency terminal receives the blockchain address sent by the electronic-evidence fixing terminal; queries the information on the blockchain using the blockchain address and verifies the legitimacy of the electronic data, the operation log and the memory information; once verification passes, analyzes the memory information using memory forensics techniques, extracts the system state at the time the electronic evidence was acquired, and verifies that this system state is consistent with the electronic evidence and the operation log; uses memory analysis to verify whether the forensic tool was hooked or injected into while it ran, and verifies the reliability of its runtime environment; and generates the judicial appraisal report.
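The exchange between the two terminals in Examples 9 and 10 (tool verification in S102, hashing and anchoring in S104, lookup and comparison in S201 and S202) can be walked through in code. The following is an added example written for this page; it is not code from the patent or from its applicant. It assumes a small in-process, append-only, hash-chained ledger as a stand-in for the blockchain network, models the "blockchain address" as the hash of the block that holds a record, and constructs the tool binary, electronic data, operation log and memory image as inline byte strings. The memory-analysis steps S203 and S204 (system-state consistency, hook or injection detection) are not modelled; the example covers only what the hash anchoring can and cannot prove.

```python
# Added example, not from the patent: a minimal model of evidence fixing
# (claim 1 / steps S101-S104) and appraisal (claim 5 / steps S201-S202).
# The Ledger class is an assumed stand-in for the blockchain network;
# all artifact bytes below are constructed sample data.
import hashlib
import json
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Digest used for every artifact and for chaining ledger blocks."""
    return hashlib.sha256(data).hexdigest()


class Ledger:
    """Append-only, hash-chained record store (assumed stand-in for the
    blockchain network). The 'blockchain address' handed back to the
    fixing terminal is modelled as the hash of the block holding the record."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.blocks: List[dict] = []

    @staticmethod
    def _block_hash(prev: str, record: dict) -> str:
        # Canonical JSON so the same record always hashes identically.
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return sha256_hex((prev + body).encode("utf-8"))

    def append(self, record: dict) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else self.GENESIS
        block = {"prev": prev, "record": record, "hash": self._block_hash(prev, record)}
        self.blocks.append(block)
        return block["hash"]

    def get(self, address: str) -> Optional[dict]:
        for block in self.blocks:
            if block["hash"] == address:
                return block["record"]
        return None

    def verify_chain(self) -> bool:
        """Re-derive every block hash; any edited record breaks the chain."""
        prev = self.GENESIS
        for block in self.blocks:
            if block["prev"] != prev or block["hash"] != self._block_hash(prev, block["record"]):
                return False
            prev = block["hash"]
        return True


# ---- electronic-evidence fixing terminal (S101-S104) ----

def verify_tool(ledger: Ledger, tool_address: str, tool_bytes: bytes) -> bool:
    """S102: the tool downloaded in S101 is accepted only if its digest equals
    the one registered on the ledger (claim 2: executable code not modified)."""
    rec = ledger.get(tool_address)
    return rec is not None and rec.get("kind") == "tool" and rec.get("sha256") == sha256_hex(tool_bytes)


def fix_evidence(ledger: Ledger, artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """S104: hash the electronic data, operation log and memory image
    separately, anchor each digest, and return one address per artifact."""
    addresses: Dict[str, str] = {}
    for name, data in artifacts.items():
        addresses[name] = ledger.append({"kind": "evidence", "name": name, "sha256": sha256_hex(data)})
    return addresses


# ---- judicial appraisal agency terminal (S201-S202) ----

def appraise(ledger: Ledger, addresses: Dict[str, str], artifacts: Dict[str, bytes]) -> Dict[str, bool]:
    """S202: for each address, fetch the anchored digest and compare it with the
    digest of the artifact actually handed over. True means 'not modified'."""
    results: Dict[str, bool] = {}
    for name, address in addresses.items():
        rec = ledger.get(address)
        results[name] = (
            rec is not None
            and rec.get("kind") == "evidence"
            and rec.get("name") == name
            and name in artifacts
            and rec.get("sha256") == sha256_hex(artifacts[name])
        )
    return results


def run_demo() -> Tuple[Dict[str, bool], Dict[str, bool], bool]:
    """Walk the exchange once with intact artifacts and once with a memory
    image altered after fixing; returns both appraisal results plus the
    ledger's own chain check."""
    ledger = Ledger()
    tool = b"\x7fELF constructed-forensic-tool-v1"  # constructed stand-in for the tool binary
    tool_address = ledger.append({"kind": "tool", "name": "netcap", "sha256": sha256_hex(tool)})
    if not verify_tool(ledger, tool_address, tool):  # S102
        raise RuntimeError("S102 failed: tool digest does not match the ledger")

    artifacts = {  # constructed sample artifacts
        "electronic_data": b"GET /api/orders/42 HTTP/1.1\r\nHost: shop.example\r\n",
        "operation_log": b"2020-06-12T09:00:01Z start netcap\n2020-06-12T09:00:07Z capture done\n",
        "memory_image": b"\x00" * 4096 + b"netcap.exe\x00" + b"\x00" * 4096,
    }
    addresses = fix_evidence(ledger, artifacts)  # S104

    intact = appraise(ledger, addresses, artifacts)  # S201-S202 on untouched evidence

    tampered = dict(artifacts)  # the memory image is edited after fixing
    tampered["memory_image"] = artifacts["memory_image"].replace(b"netcap.exe", b"notepad.exe")
    altered = appraise(ledger, addresses, tampered)

    return intact, altered, ledger.verify_chain()


if __name__ == "__main__":
    print(run_demo())
```

Two practical points follow from the model. First, the anchored digest proves only that a given byte string existed when the record was written; it says nothing about whether the acquisition itself was sound, which is exactly why the method adds the memory-analysis steps S203 and S204 on top of the hash check. Second, a real memory image is many gigabytes, so the digest should be fed to the hash in chunks rather than read into memory at once, and a real chain returns a transaction identifier rather than a block hash as the address; both are straightforward substitutions in the functions above.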
The above are merely preferred embodiments of the present application and are not intended to limit it; those skilled in the art may make various modifications and variations to the present application. Any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present application shall fall within its scope of protection. Accordingly, the present invention is not limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

  1. A method for fixing electronic evidence based on memory forensics and blockchain, characterized in that the method comprises:
    downloading a trusted forensic tool through the blockchain network;
    interacting with the blockchain network to verify the legitimacy of the forensic tool's executable code;
    running the forensic tool to acquire electronic data and generate an operation log, while at the same time using memory forensics techniques to acquire the computer's memory information, thereby fixing the evidence;
    computing a hash value for each of the electronic data, the operation log and the memory information, uploading the hash values to the blockchain network, and receiving the corresponding blockchain addresses returned.
  2. The method for fixing electronic evidence based on memory forensics and blockchain according to claim 1, characterized in that, in the method, verifying the legitimacy of the forensic tool's executable code means verifying that the executable code of the forensic tool has not been modified;
    or, the method further comprises: when the acquired electronic evidence needs to be appraised, sending the electronic evidence, the memory information and their corresponding blockchain addresses to the judicial appraisal agency terminal.
  3. A computer-readable storage medium storing a plurality of instructions, characterized in that the instructions are adapted to be loaded by a processor of an electronic device and to execute the method for fixing electronic evidence based on memory forensics and blockchain according to any one of claims 1 to 2.
  4. An electronic device comprising a processor and a computer-readable storage medium, the processor being configured to implement the instructions and the computer-readable storage medium being configured to store a plurality of instructions, characterized in that the instructions are adapted to be loaded by the processor and to execute the method for fixing electronic evidence based on memory forensics and blockchain according to any one of claims 1 to 2.
  5. A network forensics method based on memory forensics and blockchain, characterized in that the method is implemented in a judicial appraisal agency terminal and comprises:
    receiving the blockchain address sent by the electronic-evidence fixing terminal;
    querying the information on the blockchain using the blockchain address and verifying the legitimacy of the electronic data, the operation log and the memory information;
    once verification passes, analyzing the memory information using memory forensics techniques, extracting the system state at the time the electronic evidence was acquired, and verifying that this system state is consistent with the electronic evidence and the operation log;
    using memory analysis to verify whether the forensic tool was hooked or injected into while it ran, and verifying the reliability of its runtime environment;
    generating a judicial appraisal report.
  6. The network forensics method based on memory forensics and blockchain according to claim 5, characterized in that verifying the legitimacy of the electronic data, the operation log and the memory information means verifying that the electronic data, the operation log and the memory information have not been modified;
    or, the method further comprises: sending the judicial appraisal report to the user terminal.
  7. A computer-readable storage medium storing a plurality of instructions, characterized in that the instructions are adapted to be loaded by a processor of an electronic device and to execute the network forensics method based on memory forensics and blockchain according to any one of claims 5 to 6.
  8. An electronic device comprising a processor and a computer-readable storage medium, the processor being configured to implement the instructions and the computer-readable storage medium being configured to store a plurality of instructions, characterized in that the instructions are adapted to be loaded by the processor and to execute the network forensics method based on memory forensics and blockchain according to any one of claims 5 to 6.
  9. A network forensics method based on memory forensics and blockchain, characterized in that the method is implemented in a network forensics system and comprises:
    the electronic-evidence fixing terminal downloads a trusted forensic tool through the blockchain network; interacts with the blockchain network to verify the legitimacy of the forensic tool's executable code; runs the forensic tool to acquire the electronic data and generate an operation log, while at the same time using memory forensics techniques to acquire the computer's memory information, thereby fixing the evidence; computes a hash value for each of the electronic data, the operation log and the memory information, uploads the hash values to the blockchain network, and receives the corresponding blockchain addresses returned; and, when the acquired electronic evidence needs to be appraised, sends the electronic evidence, the memory information and their corresponding blockchain addresses to the judicial appraisal agency terminal;
    the judicial appraisal agency terminal receives the blockchain address sent by the electronic-evidence fixing terminal; queries the information on the blockchain using the blockchain address and verifies the legitimacy of the electronic data, the operation log and the memory information; once verification passes, analyzes the memory information using memory forensics techniques, extracts the system state at the time the electronic evidence was acquired, and verifies that this system state is consistent with the electronic evidence and the operation log; uses memory analysis to verify whether the forensic tool was hooked or injected into while it ran, and verifies the reliability of its runtime environment; and generates the judicial appraisal report.
  10. A network forensics system based on memory forensics and blockchain, characterized in that, built on the network forensics method based on memory forensics and blockchain according to claim 9, the system comprises an electronic-evidence fixing terminal and a judicial appraisal agency terminal;
    the electronic-evidence fixing terminal downloads a trusted forensic tool through the blockchain network; interacts with the blockchain network to verify the legitimacy of the forensic tool's executable code; runs the forensic tool to acquire the electronic data and generate an operation log, while at the same time using memory forensics techniques to acquire the computer's memory information, thereby fixing the evidence; computes a hash value for each of the electronic data, the operation log and the memory information, uploads the hash values to the blockchain network, and receives the corresponding blockchain addresses returned; and, when the acquired electronic evidence needs to be appraised, sends the electronic evidence, the memory information and their corresponding blockchain addresses to the judicial appraisal agency terminal;
    the judicial appraisal agency terminal receives the blockchain address sent by the electronic-evidence fixing terminal; queries the information on the blockchain using the blockchain address and verifies the legitimacy of the electronic data, the operation log and the memory information; once verification passes, analyzes the memory information using memory forensics techniques, extracts the system state at the time the electronic evidence was acquired, and verifies that this system state is consistent with the electronic evidence and the operation log; uses memory analysis to verify whether the forensic tool was hooked or injected into while it ran, and verifies the reliability of its runtime environment; and generates the judicial appraisal report.
PCT/CN2020/095945 2019-06-14 2020-06-12 Method and system for digital evidence fixing and network forensics on basis of memory forensics and blockchain WO2020249112A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2020290622A AU2020290622A1 (en) 2019-06-14 2020-06-12 Method and system for digital evidence fixing and network forensics on basis of memory forensics and blockchain

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910516137.5 2019-06-14
CN201910516137.5A CN110232645B (en) 2019-06-14 2019-06-14 Electronic evidence fixing and network evidence obtaining method and system based on memory evidence obtaining and block chain

Publications (1)

Publication Number Publication Date
WO2020249112A1 true WO2020249112A1 (en) 2020-12-17

Family

ID=67859299

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/095945 WO2020249112A1 (en) 2019-06-14 2020-06-12 Method and system for digital evidence fixing and network forensics on basis of memory forensics and blockchain

Country Status (3)

Country Link
CN (1) CN110232645B (en)
AU (1) AU2020290622A1 (en)
WO (1) WO2020249112A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114355853A (en) * 2021-12-30 2022-04-15 绿盟科技集团股份有限公司 Industrial control data evidence obtaining method and device, electronic equipment and storage medium
CN114666353A (en) * 2022-03-16 2022-06-24 南京邮电大学 Electronic access evidence obtaining system and method based on block chain

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110232645B (en) * 2019-06-14 2021-09-21 山东省计算中心(国家超级计算济南中心) Electronic evidence fixing and network evidence obtaining method and system based on memory evidence obtaining and block chain
CN110782374A (en) * 2019-10-28 2020-02-11 支付宝(杭州)信息技术有限公司 Electronic evidence obtaining method and system based on block chain
CN112966042A (en) * 2019-12-12 2021-06-15 成都鼎桥通信技术有限公司 Law enforcement recorder information processing method and system based on block chain
CN113132109B (en) * 2019-12-31 2023-01-24 航天信息股份有限公司 Electronic deposit certificate management method and device based on block chain and electronic equipment
CN111475465B (en) * 2020-03-19 2023-05-05 重庆邮电大学 Intelligent home evidence obtaining method based on body
CN112214801A (en) * 2020-09-23 2021-01-12 湖南信达通信息技术有限公司 Electronic evidence obtaining management method, electronic evidence obtaining equipment and computer readable storage medium
CN112214464A (en) * 2020-10-12 2021-01-12 厦门市美亚柏科信息股份有限公司 Evidence preservation method and system based on block chain
CN112380269B (en) * 2020-10-28 2022-03-22 杭州链城数字科技有限公司 Identity card information inquiry and evidence fixing and obtaining method based on block chain
CN112632372B (en) * 2020-12-11 2022-05-13 杭州趣链科技有限公司 Electronic evidence information uplink method and device and block link point equipment
CN112751920B (en) * 2020-12-28 2023-03-24 杭州趣链科技有限公司 Block chain-based network interaction behavior evidence obtaining method and device and terminal
CN113986806B (en) * 2021-11-03 2022-08-02 厦门市美亚柏科信息股份有限公司 GOIP high-speed evidence obtaining method and system based on serial port and network port and storage medium
CN118133356A (en) * 2024-05-10 2024-06-04 山东省计算中心(国家超级计算济南中心) Evidence obtaining method and system for network transaction behavior data

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107948736A (en) * 2017-11-03 2018-04-20 法信公证云(厦门)科技有限公司 A kind of audio and video preservation of evidence method and system
CN108924151A (en) * 2018-07-23 2018-11-30 杭州安恒信息技术股份有限公司 A kind of method and system of internet of things equipment evidence obtaining
CN109102437A (en) * 2018-08-10 2018-12-28 山东省计算中心(国家超级计算济南中心) A kind of webpage automatic evidence-collecting method and system based on block chain
CN109344635A (en) * 2018-09-29 2019-02-15 华东师范大学 A kind of electronic evidence acquisition, preservation and verification method based on block chain
CN110232645A (en) * 2019-06-14 2019-09-13 山东省计算中心(国家超级计算济南中心) The electronic evidence of evidence obtaining and block chain is fixed and network forensics method and system based on memory

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102325139B (en) * 2011-09-14 2014-07-09 福建伊时代信息科技股份有限公司 Electronic document processing method, processing system and verification system

Also Published As

Publication number Publication date
CN110232645A (en) 2019-09-13
CN110232645B (en) 2021-09-21
AU2020290622A1 (en) 2022-01-27

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20822090

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2020290622

Country of ref document: AU

Date of ref document: 20200612

Kind code of ref document: A

122 Ep: pct application non-entry in european phase

Ref document number: 20822090

Country of ref document: EP

Kind code of ref document: A1