WO2022028255A1 - Data extraction method and system for mobile phone Enterprise WeChat, and storage medium - Google Patents

Data extraction method and system for mobile phone Enterprise WeChat, and storage medium

Info

Publication number
WO2022028255A1
Authority
WO (WIPO, PCT)
Application number
PCT/CN2021/108000
Other languages
French (fr), Chinese (zh)
Inventors
吴松洋, 刘善军, 石奥迪, 陈祥奎, 罗倩
Original assignee
公安部第三研究所 (Third Research Institute of the Ministry of Public Security)

Classifications

    • H04L 51/046 User-to-user messaging in packet-switching networks (H04L 51/00); real-time or near real-time messaging, e.g. instant messaging (H04L 51/04); interoperability with other network applications or services
    • H04L 63/0435 Network security (H04L 63/00); confidential data exchange among entities communicating through data packet networks (H04L 63/04) with the payload protected by encryption or encapsulation (H04L 63/0428), where sender and receiver apply symmetric encryption, i.e. the same key for encryption and decryption
    • H04L 9/0631 Cryptographic mechanisms (H04L 9/00); block-wise or stream coding apparatus, hash functions, pseudorandom sequence generators (H04L 9/06); block ciphers (H04L 9/0618); substitution-permutation networks, e.g. AES
    • H04L 9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L 9/0861 Key distribution or management (H04L 9/08); generation of secret information including derivation or calculation of cryptographic keys or passwords

Abstract

Disclosed are a data extraction method and system for mobile phone Enterprise WeChat, and a storage medium. The method comprises: parsing the storage files of Enterprise WeChat data on a mobile phone and analysing where each type of Enterprise WeChat data is stored; and decoding the files under the Enterprise WeChat data storage path by means of a key generation algorithm, thereby extracting all Enterprise WeChat data. By investigating the Enterprise WeChat storage files, parsing the information they contain, decoding them with the key generation algorithm and extracting the data, the solution ensures that the data is extracted comprehensively. By decoding each Enterprise WeChat storage file, the solution establishes an Enterprise WeChat data extraction process and improves the efficiency of Enterprise WeChat data parsing, and hence of data extraction.

Description

A data extraction method, system and storage medium for mobile phone Enterprise WeChat

Technical field
The invention relates to data extraction technology, and specifically to data extraction from mobile terminals.
Background
At present there are 800 million mobile phone users in China, and office work is increasingly shifting from computers to mobile phones. There are many kinds of office social software on the market, and the amount of data held in mobile office software keeps growing. Mobile office software records the user's personal information, work information and location information. Mobile phone data extraction is therefore no longer simply the extraction of personal information from the phone's physical memory; most of the time the data of interest lives inside mobile apps. In recent years, data extraction from personal social apps such as WeChat, Weibo and QQ has matured, but forensic extraction from office social software remains limited.
Most existing mobile app forensics methods parse the app's storage files, decrypt the account information and data they contain, and finally extract the important information. However, different apps use different storage paths and different file encryption methods, so developing a data extraction method specific to Enterprise WeChat is important.
In practice, existing data extraction solutions for Enterprise WeChat have the following problems:
1. Little data extracted: most existing Enterprise WeChat extraction methods log in with an Enterprise WeChat account provided by the person involved and then extract data from the logged-in client. When the login account and password cannot be obtained, it is difficult to extract Enterprise WeChat data at all.
2. Incomplete data: Enterprise WeChat stores many types of data, including user account information, to-do and done items, friend information, group information and location information. Existing extraction methods often fail to extract all of it.
3. Low extraction efficiency: there is currently no complete process for Enterprise WeChat, so forensic work on it relies on ad hoc investigation, which makes data extraction inefficient.
Summary of the invention
In view of the problems of existing Enterprise WeChat data extraction solutions, a new data extraction solution is needed.
The purpose of the present invention is therefore to provide a data extraction method for mobile phone Enterprise WeChat that effectively solves the problems of the prior art. Accordingly, the present invention further provides a data extraction system and a storage medium.
To this end, the data extraction method for mobile phone Enterprise WeChat provided by the present invention includes:
parsing the storage files of Enterprise WeChat data on the mobile phone and analysing where each type of Enterprise WeChat data is stored;
decoding each file under the Enterprise WeChat data storage path by means of a key generation algorithm and extracting all Enterprise WeChat data.
Further, when parsing the storage files of Enterprise WeChat data on the mobile phone, the method extracts the folder that stores account information and parses out the account information contained in Enterprise WeChat;
the encrypted Enterprise WeChat files are extracted from the mobile phone, and the files to be decoded are written to a temporary folder. Among the extracted files, the file "io_data.json" is located first, and the value of "login_keys" is obtained from it by deserialisation; this value is used to decrypt the database files that store Enterprise WeChat data;
after the value of login_keys has been obtained, the relevant key Key_1 is recovered from it by decoding and deserialising.
Further, from the obtained key Key_1 the method generates a decryption key with the key generation algorithm and uses a symmetric encryption algorithm to decode each file under the Enterprise WeChat data storage path.
Further, the decoded content is converted into the corresponding Chinese character string as UTF-8 in the function GetProtoGB.
To this end, the data extraction system for mobile phone Enterprise WeChat provided by the present invention includes:
a path analysis module, which parses the storage files of Enterprise WeChat data on the mobile phone and analyses where each type of Enterprise WeChat data is stored;
a file decryption module, which decodes each file under the Enterprise WeChat data storage path by means of the key generation algorithm and extracts all Enterprise WeChat data.
To this end, the present invention also provides a storage medium containing a stored program that executes the above data extraction method.
The solution provided by the present invention investigates the Enterprise WeChat storage files and parses out the information they contain; at the same time, it uses the key generation algorithm to decrypt the storage files and extract their data, thereby ensuring comprehensive data extraction.
The solution provided by the present invention decodes each Enterprise WeChat storage file, establishes an Enterprise WeChat data extraction process and improves the efficiency of Enterprise WeChat data parsing, thereby improving data extraction efficiency.
Description of drawings
The present invention is further described below with reference to the drawings and specific embodiments.
Fig. 1 is an example flow diagram of the key generation algorithm in an example of the present invention;
Fig. 2 is an example flow diagram of the custom permutation algorithm in an example of the present invention.
Detailed description
In order to make the technical means, creative features, objectives and effects of the present invention easy to understand, the present invention is further explained below with reference to the figures.
This solution targets the data produced by running Enterprise WeChat on a mobile phone. First, the Enterprise WeChat data storage files are parsed and the storage location of each type of Enterprise WeChat data is analysed;
then each file under the Enterprise WeChat data storage path is decoded with the key generation algorithm and all Enterprise WeChat data is extracted.
In this way the data produced by the mobile phone Enterprise WeChat client is extracted comprehensively and efficiently.
In a specific implementation, the extraction method for mobile phone Enterprise WeChat data provided by this solution is carried out in the following steps:
(1) Locate the installation and storage path of Enterprise WeChat on the mobile phone and find the Profiles directory.
(2) Extract the folder that stores the account information. Enterprise WeChat creates one folder per user, named with the MD5 value of the user ID, in which that user's data is stored; by parsing the account information contained in Enterprise WeChat, the user's data folder can be obtained.
The user data stored by Enterprise WeChat can be found from this property of the folder name, which makes it convenient to export the user data to a specified folder in the subsequent steps.
(3) To ensure that the original mobile phone data is not modified, export the Enterprise WeChat data to be decoded to a temporary folder. From the extracted Enterprise WeChat files obtain the value of login_keys and recover the relevant key Key_1 from it by decoding and deserialising.
As an example, the key Key_1 that decrypts files such as Info.db and Message1 can be obtained through Base64 decoding followed by Google protobuf deserialisation.
(4) The decoded content is converted into the corresponding Chinese character string as UTF-8 in the function GetProtoGB.
(5) With the above parsing framework, content such as friend group information, personal information, friends, groups, chat messages, announcements, the colleagues forum (同事吧) and to-do items can be parsed.
This method investigates the Enterprise WeChat storage files and parses out the information they contain; at the same time, it uses the key generation algorithm to decrypt the storage files and extract their data. This effectively overcomes the problem that existing solutions extract little data.
This solution uses the key generation algorithm to decode and reverse each file in the Enterprise WeChat storage, locates the storage region holding each kind of information and parses the data out. This effectively overcomes the problem that existing solutions extract incomplete data.
By decoding each Enterprise WeChat storage file, this solution establishes an Enterprise WeChat data extraction process and improves the efficiency of Enterprise WeChat data parsing. This effectively overcomes the low extraction efficiency of existing solutions.
In a specific implementation, this solution can be presented as a corresponding software program and stored on a corresponding storage medium; the form of the storage medium is not limited here.
For the above data extraction method, this solution provides an extraction system for mobile phone Enterprise WeChat data, composed mainly of a path analysis module and a file decryption module working together.
The path analysis module of this system parses the storage files of Enterprise WeChat data on the mobile phone and analyses where each type of Enterprise WeChat data is stored.
As an example, for Enterprise WeChat the path analysis module of this system mainly analyses three files: the user's account information and the key Key_1 can be parsed from the "io_data.json" file; after decrypting the "Session.db" file with Key_1, the user's friend information can be parsed; and after decrypting the "Info.db" file with Key_1, the user's chat messages and group chat messages can be parsed.
The file decryption module of this system decodes each file under the Enterprise WeChat data storage path with the key generation algorithm and extracts all Enterprise WeChat data.
At run time, the data extraction system formed in this way extracts the data of mobile phone Enterprise WeChat comprehensively and efficiently, following the flow of the data extraction method above.
The implementation of the above solution is further explained below with a specific application example.
This application example extracts mobile phone Enterprise WeChat data by building the corresponding data extraction system. The whole extraction process has two main parts: Enterprise WeChat file path analysis and Enterprise WeChat file decryption.
Enterprise WeChat file path analysis is performed first, as follows.
Because Enterprise WeChat is installed under different paths on Android and iOS, this solution analyses the Enterprise WeChat storage path of each operating system separately. The storage paths are:
Android phone storage location:
data/data/com.tencent.wework/app_data/Profiles;
for example, on Xiaomi phones the storage path is
"/data/data/com.tencent.wework/r/app_data/Profiles/^[0-9a-fA-F]{32}$";
on other Android phones the storage path is
"/data/data/com.tencent.wework/app_data/Profiles/^[0-9a-fA-F]{32}$"
iOS phone storage location: /com.tencent.ww/Documents/Profiles.
Specifically:
"/AppDomain/com.tencent.ww/Documents/Profiles/^[0-9a-fA-F]{32}$"
In each pattern the trailing ^[0-9a-fA-F]{32}$ is the regular expression for the 32-character hexadecimal folder name, i.e. the MD5 value of the user ID.
Parsing the account information in the files under the Enterprise WeChat storage path shows that Enterprise WeChat creates one folder per account to store that account's data; the main information is kept under Profiles/<MD5>/Message1, where <MD5> is the account folder. The account information storage files are encrypted with aes-128-cbc, and the key needed to decrypt them is kept in Profiles/<MD5>/io_data.json.
Enterprise WeChat file decryption is then performed, as follows.
In the io_data.json file, obtain the value of the key "login_keys". It is a Base64 string; decoding it yields a protobuf-serialised binary data block.
The protobuf-serialised binary block can then be deserialised into a readable structure with protoc.exe, from which the decryption-related key key_1 is obtained.
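The path analysis and login_keys steps above, as an added Go example that is not part of the patent or of the Enterprise WeChat client. It matches the three profile-directory patterns quoted in the description, reads a constructed io_data.json, Base64-decodes login_keys and walks the resulting protobuf block field by field without a schema, which is the same view `protoc --decode_raw` gives. The sample message layout (field 1 a varint, field 2 a 16-byte placeholder) is constructed for the example; the real field numbers of login_keys, and which field holds key_1, are not given on the page.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// The profile directory patterns quoted in the description: Android, the Xiaomi "r/" variant and
// iOS. The last capture group is the 32-hex folder name, which the page says is the MD5 of the user ID.
var profileDirPatterns = []*regexp.Regexp{
	regexp.MustCompile(`^/data/data/com\.tencent\.wework/(r/)?app_data/Profiles/([0-9a-fA-F]{32})$`),
	regexp.MustCompile(`^/AppDomain/com\.tencent\.ww/Documents/Profiles/([0-9a-fA-F]{32})$`),
}

// ProfileID reports whether path is an Enterprise WeChat account folder and returns its name.
func ProfileID(path string) (string, bool) {
	for _, re := range profileDirPatterns {
		if m := re.FindStringSubmatch(path); m != nil {
			return m[len(m)-1], true
		}
	}
	return "", false
}

// RawField is one protobuf wire-format field decoded without a schema (what `protoc --decode_raw` shows).
type RawField struct {
	Number   int
	WireType int
	Varint   uint64 // wire type 0
	Bytes    []byte // wire type 2: bytes, string or nested message
}

// DecodeRaw walks a serialised protobuf message field by field; the login_keys schema is not on
// the page, so an analyst finds key_1 by inspecting these fields rather than by field name.
func DecodeRaw(b []byte) ([]RawField, error) {
	var fields []RawField
	for len(b) > 0 {
		tag, n := binary.Uvarint(b)
		if n <= 0 {
			return nil, errors.New("protobuf: bad tag")
		}
		b = b[n:]
		f := RawField{Number: int(tag >> 3), WireType: int(tag & 7)}
		switch f.WireType {
		case 0:
			v, n := binary.Uvarint(b)
			if n <= 0 {
				return nil, errors.New("protobuf: bad varint")
			}
			f.Varint, b = v, b[n:]
		case 2:
			l, n := binary.Uvarint(b)
			if n <= 0 || uint64(len(b)-n) < l {
				return nil, errors.New("protobuf: length exceeds buffer")
			}
			f.Bytes, b = b[n:n+int(l)], b[n+int(l):]
		case 1, 5: // fixed64 / fixed32: skipped, nothing here needs their value
			size := map[int]int{1: 8, 5: 4}[f.WireType]
			if len(b) < size {
				return nil, errors.New("protobuf: short fixed-width field")
			}
			b = b[size:]
		default:
			return nil, fmt.Errorf("protobuf: unsupported wire type %d", f.WireType)
		}
		fields = append(fields, f)
	}
	return fields, nil
}

// LoginKeys reads "login_keys" from io_data.json, Base64-decodes it and returns the raw protobuf fields.
func LoginKeys(ioData []byte) ([]RawField, error) {
	var doc struct {
		LoginKeys *string `json:"login_keys"`
	}
	if err := json.Unmarshal(ioData, &doc); err != nil {
		return nil, fmt.Errorf("io_data.json: %w", err)
	}
	if doc.LoginKeys == nil {
		return nil, errors.New("io_data.json: no login_keys string")
	}
	blob, err := base64.StdEncoding.DecodeString(*doc.LoginKeys)
	if err != nil {
		return nil, fmt.Errorf("login_keys is not Base64: %w", err)
	}
	return DecodeRaw(blob)
}

// SampleIoData builds a constructed io_data.json whose login_keys message has field 1 = varint 1
// and field 2 = a 16-byte placeholder key. The field numbers are an assumption, not the real layout.
func SampleIoData() []byte {
	msg := append([]byte{0x08, 0x01, 0x12, 0x10}, "0123456789abcdef"...)
	return []byte(fmt.Sprintf(`{"login_keys":%q}`, base64.StdEncoding.EncodeToString(msg)))
}
```

Against a real extraction, a walk of the Profiles directory that feeds each matching path to ProfileID and each folder's io_data.json to LoginKeys gives one field listing per account; the length-delimited fields are the candidates for key_1, and a malformed or truncated login_keys fails at the decoder instead of producing a silently wrong key.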
此时可通过秘钥生成算法对文件进行解密和解析,并提取出有效的数据,其中,秘钥生成算法的具体实施如图1所示。At this time, the file can be decrypted and parsed through a secret key generation algorithm, and valid data can be extracted, wherein the specific implementation of the secret key generation algorithm is shown in FIG. 1 .
这里针对获取到的解密相关密钥key_1,通过相应的秘钥生成算法(如图1所示)生成相应的密钥aeskey,以用于对账户信息存储文件进行解密。其基本流程如下:Here, for the obtained decryption-related key key_1, a corresponding key aeskey is generated through a corresponding key generation algorithm (as shown in FIG. 1 ), so as to decrypt the account information storage file. The basic process is as follows:
(1)从Profiles/MD5/io_data.json中解析出key_1(过程如上);(1) Parse key_1 from Profiles/MD5/io_data.json (the process is as above);
(2)将密钥key_1通过图1所示的秘钥生成算法,生成密钥Aes key;(2) generate the key Aes key by passing the key key_1 through the secret key generation algorithm shown in Figure 1;
(3)接着通过aes-123-cbc算法,解密上述Message1和Info.db等相关文件。(3) Then decrypt the above-mentioned related files such as Message1 and Info.db through the aes-123-cbc algorithm.
作为举例,以下结合附图1说明一下,本实例中密钥生成的过程:As an example, the following describes the process of key generation in this example in conjunction with accompanying drawing 1:
1)取key_1前8字节与一个默认的24字节数据组成中间密钥key_a;1) Take the first 8 bytes of key_1 and a default 24-byte data to form an intermediate key key_a;
2)将默认32字节数据进行50次循环md5计算得到中间密钥key_a_1;2) Perform 50 cycles of md5 calculation on the default 32-byte data to obtain the intermediate key key_a_1;
3)将key_a和key_a_1进行自定义置换算法生成32字节md5值temp_b;3) Perform a custom replacement algorithm on key_a and key_a_1 to generate a 32-byte md5 value temp_b;
4)将key_a和temp_b组合成64字节数据块进行50次md5得到的前16字节数据与当前页数+4字节缺省值组成24字节的中间密钥key_b;4) Combining key_a and temp_b into a 64-byte data block and performing 50 times of md5 to obtain the first 16-byte data and the current page number+4-byte default value to form a 24-byte intermediate key key_b;
5)对key_b做一次md5计算得到最终解密用的Aes key。5) Do an md5 calculation on key_b to get the Aes key for final decryption.
与之配合的,本密钥生成过程中采用到的自定义置换过程如下(如图2所示):In conjunction with it, the custom replacement process used in this key generation process is as follows (as shown in Figure 2):
1) Initialise a 256-byte permutation table init_table;
2) AND the loop counter count with each byte of key_a_1 to produce the initial permutation item init_md5 (16 entries, one per byte of key_a_1);
3) For each i in turn, AND init_table[i] with init_md5[i % 16] to obtain an intermediate index temp, then swap the values of init_table[i] and init_table[temp];
4) For each i in turn, AND key_a[i-1] with init_table[temp] to obtain temp_2, and store temp_2 back into key_a[i-1];
5) Repeat steps 1 to 4 a predetermined number of times (e.g. 20) to obtain the final key_a.
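The Figure 1 derivation (steps 1 to 5 above) and the Figure 2 permutation it calls, reconstructed in Python as an added example; this is not the patent's own code nor Enterprise WeChat's. Everything the page leaves unstated is an assumption here and is marked as such in the code: the three default constants (only their sizes are given), the endianness of the page number, the meaning of "32-byte MD5 value" for temp_b (taken as the hex digest of the permuted key_a), and the placement of permutation step 4 inside the same sweep as step 3. The combining operator is the page's stated AND; since AND can only clear bits, repeated rounds drive key_a monotonically towards zero, which is why the function also accepts the addition-modulo-256 operator used by RC4-style table shuffles in case the page's "AND" is a transcription issue. With placeholder constants the output will not match real Enterprise WeChat files.

```python
import hashlib
import operator

# Constructed placeholder constants: the patent states the sizes (24, 32 and
# 4 bytes) but never discloses the real default values. Assumptions only.
DEFAULT_24 = bytes(range(0x10, 0x10 + 24))
DEFAULT_32 = bytes(range(0xA0, 0xA0 + 32))
DEFAULT_4 = b"\x00\x00\x00\x01"
MD5_ROUNDS = 50           # "50 cycles of MD5" in derivation steps 2 and 4
PERMUTATION_ROUNDS = 20   # "a predetermined number of times (e.g. 20)"


def md5_iter(data: bytes, rounds: int) -> bytes:
    """Chain MD5 `rounds` times, feeding each 16-byte digest into the next."""
    for _ in range(rounds):
        data = hashlib.md5(data).digest()
    return data


def custom_permutation(key_a: bytes, key_a_1: bytes,
                       rounds: int = PERMUTATION_ROUNDS,
                       op=operator.and_) -> bytes:
    """Figure 2 permutation as the page describes it.

    `op` is the page's AND by default; pass `lambda a, b: (a + b) & 0xFF`
    for the RC4-KSA-style variant. Assumed reading: step 4 runs inside the
    same sweep as step 3 and uses the `temp` index of the current i.
    """
    if len(key_a_1) != 16:
        raise ValueError("key_a_1 must be a 16-byte MD5 digest")
    key_a = bytearray(key_a)
    for count in range(rounds):                           # step 5: repeat 1-4
        init_table = bytearray(range(256))                # step 1
        init_md5 = bytes(op(count, b) & 0xFF for b in key_a_1)   # step 2
        for i in range(256):                              # step 3
            temp = op(init_table[i], init_md5[i % 16]) & 0xFF
            init_table[i], init_table[temp] = init_table[temp], init_table[i]
            if 1 <= i <= len(key_a):                      # step 4
                key_a[i - 1] = op(key_a[i - 1], init_table[temp]) & 0xFF
    return bytes(key_a)


def derive_aes_key(key_1: bytes, page_no: int, op=operator.and_) -> bytes:
    """Figure 1 derivation: key_1 and a page number -> 16-byte AES-128 key."""
    if len(key_1) < 8:
        raise ValueError("key_1 must be at least 8 bytes")
    key_a = key_1[:8] + DEFAULT_24                        # step 1: 8 + 24 = 32 bytes
    key_a_1 = md5_iter(DEFAULT_32, MD5_ROUNDS)            # step 2: 16 bytes
    key_a = custom_permutation(key_a, key_a_1, op=op)     # step 3: permuted key_a
    # Assumed: the "32-byte MD5 value" temp_b is the hex digest of key_a.
    temp_b = hashlib.md5(key_a).hexdigest().encode()
    block = key_a + temp_b                                # step 4: 64-byte block
    first16 = md5_iter(block, MD5_ROUNDS)[:16]
    # Endianness of the 4-byte page number is assumed (little-endian).
    key_b = first16 + page_no.to_bytes(4, "little") + DEFAULT_4
    assert len(key_b) == 24                               # 16 + 4 + 4
    return hashlib.md5(key_b).digest()                    # step 5: AES-128 key


if __name__ == "__main__":
    # Constructed sample key_1; a real one comes from login_keys in io_data.json.
    sample_key_1 = bytes(range(16))
    for page in (1, 2):
        print(page, derive_aes_key(sample_key_1, page).hex())
```

The returned 16 bytes are the key for AES-128-CBC decryption of one database page, so the caller derives a fresh key per page number; the page does not describe where the CBC IV comes from, so that remains to be recovered from the application. With a library such as pycryptodome the call is `AES.new(key, AES.MODE_CBC, iv)`.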
According to the patent, this method generates the key quickly and safely and so further improves the security and reliability of the whole scheme. Note that the derivation is entirely deterministic from key_1 and fixed constants: whoever recovers key_1 from io_data.json and knows the algorithm can regenerate every per-page AES key, which is exactly what the extraction method relies on.
Finally, it should be noted that the method of the present invention described above, or a specific system unit or some of its units, is a pure software architecture that can be deployed as program code on a physical medium such as a hard disk, an optical disc, or any electronic device (such as a smartphone or a computer-readable storage medium); when a machine (such as a smartphone) loads and executes the program code, the machine becomes an apparatus for carrying out the present invention. The method and apparatus of the present invention can also be transmitted in the form of program code over transmission media such as cable, optical fibre or any other form of transmission; when the program code is received, loaded and executed by a machine (such as a smartphone), the machine becomes an apparatus for carrying out the present invention.
The foregoing has shown and described the basic principles, main features and advantages of the present invention. Those skilled in the art should understand that the present invention is not limited by the above embodiments; the embodiments and the description only illustrate the principle of the invention, and various changes and improvements can be made without departing from its spirit and scope, all of which fall within the scope of the claimed invention. The scope of protection is defined by the appended claims and their equivalents.

Claims (6)

  1. A data extraction method for mobile phone Enterprise WeChat, characterized in that it comprises:
    parsing the files in which Enterprise WeChat data is stored on the mobile phone, and analysing the storage locations of the various types of Enterprise WeChat data;
    decoding the information of each file in the Enterprise WeChat data storage path using a key generation algorithm, and extracting all Enterprise WeChat data.
  2. The data extraction method for mobile phone Enterprise WeChat according to claim 1, characterized in that, when parsing the files in which Enterprise WeChat data is stored on the mobile phone, the method extracts the folder that stores account information and parses out the account information contained in Enterprise WeChat;
    extracts the encrypted Enterprise WeChat files from the mobile phone and writes the Enterprise WeChat files that need decoding into a temporary folder; among the extracted files, first locates the file "io_data.json" and obtains the value of "login_keys" by deserialization, which is used to decrypt the database files storing Enterprise WeChat data;
    after obtaining the value of login_keys, decrypts the relevant key Key_1 by decoding and deserialization.
  3. The data extraction method for mobile phone Enterprise WeChat according to claim 1, characterized in that, from the obtained key Key_1, the method generates a decryption key with the key generation algorithm and uses a symmetric encryption algorithm to decode the information of each file in the Enterprise WeChat data storage path.
  4. The data extraction method for mobile phone Enterprise WeChat according to claim 1, characterized in that the decoded content is converted into the corresponding Chinese string in the function GetProtoGB using UTF-8.
  5. A data extraction system for mobile phone Enterprise WeChat, characterized in that it comprises:
    a path parsing module, which parses the files in which Enterprise WeChat data is stored on the mobile phone and analyses the storage locations of the various types of Enterprise WeChat data;
    a file decryption module, which uses a key generation algorithm to decode the information of each file in the Enterprise WeChat data storage path and extracts all Enterprise WeChat data.
  6. A storage medium comprising a stored program, characterized in that the program executes the data extraction method according to any one of claims 1 to 4.
PCT/CN2021/108000 2020-08-04 2021-07-22 Data extraction method and system for mobile phone enterprise wechat, and storage medium WO2022028255A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010773365.3A CN111934987A (en) 2020-08-04 2020-08-04 Data extraction method, system and storage medium for mobile phone enterprise WeChat
CN202010773365.3 2020-08-04

Publications (1)

Publication Number Publication Date
WO2022028255A1 true WO2022028255A1 (en) 2022-02-10

Family

ID=73307639

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/108000 WO2022028255A1 (en) 2020-08-04 2021-07-22 Data extraction method and system for mobile phone enterprise wechat, and storage medium

Country Status (2)

Country Link
CN (1) CN111934987A (en)
WO (1) WO2022028255A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111934987A (en) * 2020-08-04 2020-11-13 公安部第三研究所 Data extraction method, system and storage medium for mobile phone enterprise WeChat
CN113094418A (en) * 2021-03-23 2021-07-09 佛山青藤信息科技有限公司 Business processing method and system based on enterprise WeChat and computer equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8122340B2 (en) * 2008-09-29 2012-02-21 Tow Bruce System and method for management of common decentralized applications data and logic
CN105678174A (en) * 2015-12-31 2016-06-15 四川秘无痕信息安全技术有限责任公司 Method for decrypting WeChat encrypted data based on binary system
CN106528688A (en) * 2016-10-25 2017-03-22 公安部第三研究所 Analysis evidence-taking method for Twitter
CN106788999A (en) * 2016-12-09 2017-05-31 武汉中软通证信息技术有限公司 A kind of wechat evidence collecting method and system based on data collision
CN111934987A (en) * 2020-08-04 2020-11-13 公安部第三研究所 Data extraction method, system and storage medium for mobile phone enterprise WeChat

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101072205A (en) * 2007-06-21 2007-11-14 腾讯科技(深圳)有限公司 Chat information searching method and system
CN107563215A (en) * 2016-07-01 2018-01-09 四川秘无痕信息安全技术有限责任公司 A kind of Android system wechat chat record decryption method
CN109450777B (en) * 2018-12-28 2021-09-17 苏州开心盒子软件有限公司 Session information extraction method, device, equipment and medium


Also Published As

Publication number Publication date
CN111934987A (en) 2020-11-13


Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21854014

Country of ref document: EP

Kind code of ref document: A1