CN101546364A - Method and system for performing automatic intelligent forensics on storage medium - Google Patents


Info

Publication number
CN101546364A
Authority
CN (China)
Prior art keywords
analysis module; analysis; storage medium; evidence obtaining; evidence
Legal status
Pending (status as listed by Google Patents, not a legal conclusion)
Application number
CN200810072533A
Other languages
Chinese (zh)
Inventors
滕达
王海滨
Current assignee
Xiamen Meiya Pico Information Co Ltd
Original assignee
Xiamen Meiya Pico Information Co Ltd
Events
Application filed by Xiamen Meiya Pico Information Co Ltd
Priority to CN200810072533A
Publication of CN101546364A

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method and a system for performing automatic intelligent forensics on a storage medium. The method comprises the steps of automatically loading analysis function modules, intelligently selecting the modules to be used for analysis, starting the analysis, reading a portion of data from the storage medium, performing functional analysis, intelligently identifying useful results, saving the useful results, determining whether every selected module has been run on that portion, and determining whether all data of the medium has been read. The method and the system use automatic loading, intelligent decision-making and efficient analysis for forensic analysis, so that the whole forensic process is simple and easy to operate and the analysis result does not depend on the technical level of the forensic personnel; they have the advantages of comprehensive forensics, automatic operation, efficient analysis, intelligent identification of useful information, and high forensic efficiency.

Description

Method and system for automatic intelligent forensics on a storage medium
Technical field
The present invention relates to a forensic method, and in particular to a method and system for performing automatic intelligent forensics on a storage medium.
Background technology
With the widespread adoption of computers, computer crime has appeared alongside it: theft of computer data, destruction or tampering of important computer data, the use of computers to produce and spread harmful information, the creation and transmission of viruses by computer, "hacker" attacks that sabotage network order, and so on. The consequences of such crime seriously affect the development of the national economy and the security and stability of society, and computer forensics has become an important means of investigating, combating and preventing computer crime.
At present the overwhelming majority of the specialist analysis software used in China to investigate storage devices such as case hard disks consists of foreign products, for example EnCase and FTK. Software systems of this type are often powerful but very complicated to use: they place high demands on the operator, require a high level of computer expertise and special training to be used effectively, and cannot provide investigation functions for data commonly found on Chinese computers, for example Foxmail or QQ data extraction, so they cannot perform comprehensive forensic analysis.
Existing forensic technology mainly uses a multi-pass, multi-step analysis approach: for each specific case, different analysis functions are called repeatedly as required. Fig. 1 is a flow chart of the existing forensic method, which mainly comprises the following steps. Manual selection of analysis content (box 11' in Fig. 1): the analyst decides what to analyze according to the requirements of the case and their own understanding of the technology and forensic experience, and configures the related information. Reading partial data and analyzing it (box 12' in Fig. 1): according to the content selected in the previous step, a portion of data is read from the storage medium under analysis and analyzed; because the volume of data on the medium is generally large (tens or even hundreds of GB) and cannot be read in one go, only a portion can be read and analyzed at a time. Data read determination (box 13' in Fig. 1): determine whether the data has been read to the end; if not, return to the reading and analyzing step and continue reading; if so, proceed to the next step. Bookmarking analysis results (box 14' in Fig. 1): the forensic personnel further screen the large number of analysis results produced during analysis and bookmark the results of interest, so that they can be collated and reported after all functional analysis has finished; because the screening criteria depend on the analyst's understanding of the case, familiarity with the technology and forensic experience, this step is subjective and different people produce different results. Analysis determination (box 15' in Fig. 1): determine whether all required functions have been analyzed; if not, return to the manual selection step and select another function for analysis; if so, proceed to the next step. Arranging bookmarks (box 16' in Fig. 1): sort the bookmarks made during analysis and filter out the useful data for the report. Generating the report (box 17' in Fig. 1): generate a report for submission to the judicial authorities.
The forensic method of the prior art has the following main deficiencies. First, the functions are dispersed: each analysis function must be run and completed on its own. Second, operation is complicated: the operator needs a high level of computer expertise to complete the forensic analysis. Third, the forensics is not comprehensive: the forensic work has to attend to many kinds of content, and what is actually examined depends on the personnel's computer skill, understanding of the case and forensic experience, so in practice some content is analyzed and other content is missed, and comprehensive forensic analysis cannot be carried out. Fourth, every forensic analysis requires each kind of content to be analyzed in a separate pass, reading the physical storage medium of the target repeatedly; this increases the possibility of damage to that physical medium, and the repeated I/O slows the analysis down. Fifth, because the experience and skill of different forensic personnel differ, the same electronic medium analyzed with the same analysis tool yields different final forensic reports. Sixth, different cases of the same category require the same analysis work to be repeated, so the workload is heavy and efficiency is low.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art by providing a method and system for automatic intelligent forensics on a storage medium. Forensic analysis is carried out using the technical means of automatic loading, intelligent decision-making and efficient analysis, so that the whole forensic process is simple and easy to operate, the analysis result does not depend on the technical level of the forensic personnel, and the forensics is comprehensive, automatic, efficient, intelligently identifies useful information and has high forensic efficiency.
The technical solution adopted by the invention to solve the technical problem is a method for automatic intelligent forensics on a storage medium comprising the steps:
Automatically loading analysis function modules: after analysis is started, the forensic computer runs the forensic system, which automatically searches for the analysis function module plug-ins available on the system and automatically loads all analysis function modules of all plug-ins into the forensic computer, so that the forensic computer has comprehensive analysis capability;
Intelligently selecting the required analysis modules: the forensic personnel enter set conditions into the forensic computer according to the type and characteristics of the case, and the forensic system intelligently selects the analysis modules to be used according to those set conditions;
Starting analysis: functional analysis is started;
Reading partial data from the storage medium: the forensic computer reads a portion of the data from the storage medium under analysis;
Functional analysis: the forensic system of the forensic computer calls one of the analysis modules determined in the intelligent selection step;
Intelligently identifying useful results: the analysis module called in the functional analysis step processes the portion of data read in the reading step and intelligently identifies useful information;
Saving useful results: the useful information identified in the previous step is stored in the corresponding storage area of the forensic computer;
Analysis determination: determine whether all of the analysis modules determined in the intelligent selection step have been called; if not, return to the functional analysis step and call another analysis module; if so, proceed to the next step;
Data read determination: determine whether all data of the storage medium under examination has been read; if not, return to the reading step and continue reading the unread data of the storage medium; if so, the forensic analysis is complete.
The automatic loading step further comprises the steps:
Enumerating function modules: read the forensic plug-ins installed on the forensic computer;
Automatically adding to the analysis list: automatically add the plug-in information read to the analysis list, so that the automatic analysis function is comprehensive;
Enumeration determination: determine whether all forensic plug-ins installed on the forensic computer have been enumerated; if not, return to the enumerating step and continue reading the installed forensic plug-ins; if so, loading is complete and the automatic loading step ends.
The intelligent selection step further comprises the steps:
Selecting the case type: the forensic personnel fill in the case attribute form displayed by the forensic system on the forensic computer according to the actual circumstances of the case, and the forensic system automatically generates, from the case attributes, the analysis strategy to be used when analyzing this case;
Loading the knowledge-base analysis modules: load all analysis modules contained in the knowledge base;
Determining the analysis modules to use: the forensic system of the forensic computer, from the analysis strategy generated after the case type is selected and from all the analysis modules the system can run, intelligently picks out the one or more functional analysis modules needed to analyze this case, for calling in subsequent steps.
A system for automatic intelligent forensics on a storage medium comprises:
an automatic analysis function module loading device, which after analysis is started automatically searches for the analysis function module plug-ins available on the system and automatically loads all analysis function modules of all plug-ins;
an intelligent analysis module selection device, which receives the set conditions entered by the forensic personnel according to the type and characteristics of the case, intelligently selects the analysis modules to be used according to the entered conditions, and stores each selected analysis module in the storage device;
a storage device, provided with a first storage area for storing each selected analysis module and a second storage area for storing useful information;
a partial-data reading device, which reads the data of the storage medium under examination portion by portion;
an analysis module calling device, which fetches the selected analysis modules one by one from the storage device;
a useful-information identification device, which processes the portion of data read from the storage medium with an analysis module, intelligently identifies useful information, and stores that useful information in the second storage area of the storage device;
a first comparison and determination device, which determines whether every selected analysis module stored in the storage device has been called and outputs a control signal according to the result;
a second comparison and determination device, which determines whether all data of the storage medium under analysis has been read and outputs a control signal according to the result.
The output of the automatic loading device is connected to the intelligent selection device; the former passes the loaded analysis modules to the latter, which selects among them according to the set conditions. The intelligent selection device is connected to the storage device; the former stores each selected analysis module in the corresponding storage area of the latter. The partial-data reading device is connected to the storage medium under analysis and reads a portion of its data. The partial-data reading device is connected to the analysis module calling device; the latter takes the portion of data that the former has read from the storage medium. The analysis module calling device is connected to the storage device; the former fetches the selected analysis modules one by one from the latter. The output of the analysis module calling device is connected to the input of the useful-information identification device; the former supplies the latter with the portion of data from the storage medium and the selected analysis module it has fetched, and the latter processes that portion of data with the analysis module. The output of the useful-information identification device is connected to the storage device; the former stores the useful information obtained by processing in the corresponding storage area of the latter. The output of the useful-information identification device is also connected to the input of the first comparison and determination device; the former outputs a processing-complete signal to the latter. The first comparison and determination device is connected to the storage device; the former fetches the information on each analysis module from the latter and determines by comparison whether every analysis module has been called. The control signal output of the first comparison and determination device is connected to the control terminal of the analysis module calling device; the latter decides, according to the former's instruction, whether to call another analysis module from the storage device. The output of the first comparison and determination device is connected to the input of the second comparison and determination device; the former outputs a processing-complete signal to the latter. The second comparison and determination device is connected to the storage medium under analysis; the former obtains a comparison signal from the latter and determines by comparison whether all data of the storage medium under analysis has been read. The control signal output of the second comparison and determination device is connected to the control terminal of the partial-data reading device; the latter decides, according to the former's instruction, whether to continue reading data from the storage medium under analysis.
The beneficial effects of the invention are as follows. Because the automatic loading step loads all analysis function modules into the forensic computer, the forensic computer has comprehensive analysis capability. Because the intelligent selection step selects the functional analysis modules needed for the case under investigation, they are ready for calling in the subsequent steps. Because a portion of data is first read from the storage medium and each analysis module needed for the case is then called automatically in turn on that portion, one traversal of the storage medium is enough to complete every required analysis function. This eliminates the drawback of the prior art that similar cases require identical analysis steps to be repeated; the drawbacks that analysis is not comprehensive and that the result depends on the technical level of the forensic personnel; the drawback that no fixed analysis order is followed, so that some analysis content is often missed; and the drawback that the analysis involves repeated I/O read operations and is slow. Because automatic loading, intelligent decision-making and efficient analysis are used for forensic analysis, the whole forensic process is simple and easy to operate, the analysis result does not depend on the technical level of the forensic personnel, and the invention has the advantages of comprehensive forensics, automatic operation, efficient analysis, intelligent identification of useful information, and high forensic efficiency.
The method and system of the invention for automatic intelligent forensics on a storage medium have broad application prospects. According to statistics, the number of websites in China has reached 1,500,000, an increase of 660,000 over the same period of the previous year, a growth rate of 78.4%. In the coming years the number of websites in the country will continue to grow substantially; at the same growth rate, the number of websites in the country is estimated to reach 8,500,000 in 2010. Places where computers and networks are concentrated and developed are precisely the areas where computer crime occurs most frequently.
At present the main forensic analysis products in China all depend on imports. Foreign forensic analysis software has been developed over a longer period and is relatively powerful, but it is also complicated to use and has a high barrier to entry. The method of the invention lowers the technical requirements on forensic analysis personnel, allows more forensic personnel to carry out forensic analysis work more efficiently and comprehensively, and makes genuinely domestic forensic analysis software possible.
With the method and system of the invention, the forensic time is greatly shortened, forensic efficiency is improved, and the forensics is more comprehensive and more reliable; the forensic time is expected to be reduced by a factor of more than three, and the gain in efficiency becomes more pronounced as the complexity of the case and the number of storage media increase.
The invention is described in further detail below in conjunction with the drawings and embodiments; however, the method and system of the invention for automatic intelligent forensics on a storage medium are not limited to the embodiments.
Description of drawings
Fig. 1 is a flow chart of the existing forensic method;
Fig. 2 is the main flow chart of the method of the invention;
Fig. 3 is a flow chart of the step of automatically loading analysis function modules in the method of the invention;
Fig. 4 is a flow chart of the step of intelligently selecting the required analysis modules in the method of the invention;
Fig. 5 is a structural block diagram of the system of the invention.
Embodiment
Referring to Figs. 2 to 4, the method of the invention for automatic intelligent forensics on a storage medium comprises the steps:
Automatically loading analysis function modules, step 11: after analysis is started, the forensic computer runs the forensic system, which automatically searches for the analysis function module plug-ins available on the system and automatically loads all analysis function modules of all plug-ins into the forensic computer, so that the forensic computer has comprehensive analysis capability;
This automatic loading step 11 is further broken down into the following three steps:
Step 1, enumerating function modules, step 21: read the forensic plug-ins installed on the forensic computer;
Step 2, automatically adding to the analysis list, step 22: automatically add the plug-in information read to the analysis list, so that the automatic analysis function is comprehensive;
Step 3, enumeration determination, step 23: determine whether all forensic plug-ins installed on the forensic computer have been enumerated; if not, return to step 21 and continue reading the forensic plug-ins installed on the forensic computer; if so, loading is complete and step 11 ends;
Intelligently selecting the required analysis modules, step 12: the forensic personnel enter set conditions into the forensic computer according to the type and characteristics of the case, and the forensic system intelligently selects the analysis modules to be used according to those set conditions;
This intelligent selection step 12 is further broken down into the following three steps:
Step 1, selecting the case type, step 31: the forensic personnel fill in the case attribute form displayed by the forensic system on the forensic computer according to the actual circumstances of the case, and the forensic system automatically generates, from the case attributes, the analysis strategy to be used when analyzing this case;
Step 2, loading the knowledge-base analysis modules, step 32: load all analysis modules contained in the knowledge base;
Step 3, determining the analysis modules to use, step 33: the forensic system of the forensic computer, from the analysis strategy generated after the case type is selected and from all the analysis modules the system can run, intelligently picks out the one or more functional analysis modules needed to analyze this case, for calling in subsequent steps; when selection is complete, step 12 ends;
Starting analysis, step 13: functional analysis is started;
Reading partial data from the storage medium, step 14: the forensic computer reads a portion of data from the storage medium under analysis; the volume of data on the medium is generally large (tens or even hundreds of GB) and cannot be read in one go, so only a portion can be read at a time, and reading and analysis are repeated;
Functional analysis, step 15: the forensic system of the forensic computer calls one of the analysis modules determined in step 12;
Intelligently identifying useful results, step 16: the analysis module called in step 15 processes the portion of data read in step 14 and intelligently identifies useful information;
Saving useful results, step 17: the useful information identified in step 16 is stored in the corresponding storage area of the forensic computer;
Analysis determination, step 18: determine whether all of the analysis modules determined in step 12 have been called; if not, return to step 15 and call another analysis module; if so, proceed to the next step;
Data read determination, step 19: determine whether all data of the storage medium under examination has been read; if not, return to step 14 and continue reading the unread data of the storage medium; if so, the forensic analysis is complete.
In the method of the invention, step 11 automatically loads all analysis function modules into the forensic computer so that it has comprehensive analysis capability: if there are n analysis modules, all n are loaded automatically. In step 12 the forensic personnel enter set conditions according to the type and characteristics of the case, and the forensic system intelligently selects the analysis modules to use according to those conditions, that is, it selects m of the n analysis modules for calling in the subsequent steps, where m is 1, 2, ..., n; one, two, three, ... or all n modules may be selected. After analysis begins, step 14 reads a portion of data from the storage medium under analysis; because the volume of data on the medium is generally large and cannot be read in one go, only a portion can be read at a time: first the first portion, then the second portion, and so on up to the last portion (written as the n-th portion in the original). After the first portion has been read, step 15 calls the first of the analysis modules determined in step 12; step 16 processes the first portion read in step 14 with the first analysis module and intelligently identifies useful information; step 17 stores the useful information identified by the first analysis module in the corresponding storage area of the forensic computer; step 18 determines whether all m analysis modules determined in step 12 have been called, and since step 15 has so far called only the first module the result is "not all called" and the method returns to step 15. Step 15 then calls the second analysis module; steps 16 and 17 process the first portion with the second module and save the useful information; step 18 again determines whether all m modules have been called, and since only two have been called the result is again "not all called" and the method returns to step 15, which calls the third module, and so on until all m modules have been called. Here step 15 → step 16 → step 17 → step 18 → step 15 forms a first loop; each time step 15 calls one analysis module the loop runs once, so after m iterations of this first loop the first portion of the storage medium has been processed by every selected module. Step 19 then determines whether all data of the storage medium under examination has been read; since step 14 has so far read only the first portion, the result is "not fully read" and the method returns to step 14. Step 14 reads the second portion, and with the second portion read the forensic system repeats the first loop m times, so that the first, second, ..., m-th analysis modules each process the second portion and save the useful information. After processing of the second portion is complete, step 19 again determines whether all data of the medium has been read; since only two portions have been read, the result is "not fully read" and the method returns to step 14 once more. Step 14 reads the third portion, and so on until the last portion has been read. Here step 14 → m iterations of the first loop → step 19 → step 14 forms a second loop; after the second loop has run once for every portion, all data of the storage medium has been processed by all selected analysis modules.
Referring to Figure 5, a system for performing automatic intelligent forensics on a storage medium according to the invention comprises:
an automatic analysis-function-module loading device 51, which, after analysis is started, automatically searches for the analysis function module plug-ins available in the system and automatically loads all analysis function modules of all plug-ins;
an intelligent analysis-module selection device 52, which receives the conditions entered by the forensic personnel according to the type and characteristics of the case, intelligently selects the analysis modules to be used according to the entered conditions, and stores each selected analysis module in the memory device;
a memory device 53, provided with a first storage area for storing each selected analysis module and a second storage area for storing useful information;
a device 54 for reading partial data of the storage medium to be analyzed, which reads the data of the storage medium under examination 50 portion by portion;
an analysis-module calling device 55, which retrieves the selected analysis modules one by one from the memory device 53;
an intelligent useful-information identification device 56, which uses an analysis module to analyze the partial data read from the storage medium, intelligently identifies useful information, and stores that useful information in the second storage area of the memory device;
a first comparison-and-judgment device 57, which judges whether each selected analysis module stored in the memory device 53 has been called and outputs a control signal according to the result;
a second comparison-and-judgment device 58, which judges whether the data of the storage medium to be analyzed 50 has been completely read and outputs a control signal according to the result.
The output of the automatic loading device 51 is connected to the intelligent selection device 52; the former passes the loaded analysis modules to the latter, which selects among them according to the entered conditions. The intelligent selection device 52 is connected to the memory device 53; the former stores each selected analysis module in the corresponding storage area of the latter. The partial-data reading device 54 is connected to the storage medium 50 to be analyzed; the former reads partial data from the latter. The partial-data reading device 54 is connected to the analysis-module calling device 55; the latter retrieves the partial data that the former has read from the storage medium. The analysis-module calling device 55 is connected to the memory device 53; the former retrieves the selected analysis modules one by one from the latter. The output of the calling device 55 is connected to the input of the intelligent identification device 56; the former delivers the partial data from the storage medium and the retrieved analysis module to the latter, which analyzes the partial data with that module. The output of the identification device 56 is connected to the memory device 53; the former stores the useful information obtained by the analysis in the corresponding storage area of the latter. The output of the identification device 56 is also connected to the input of the first comparison-and-judgment device 57; the former sends an analysis-complete signal to the latter. The first comparison-and-judgment device 57 is connected to the memory device 53; the former retrieves the information on each analysis module from the latter and judges whether that module has been called. The control-signal output of the first comparison-and-judgment device 57 is connected to the control terminal of the calling device 55; the latter decides, according to the former's instruction, whether to call another analysis module from the memory device 53. The output of the first comparison-and-judgment device 57 is connected to the input of the second comparison-and-judgment device 58; the former sends a processing-complete signal to the latter. The second comparison-and-judgment device 58 is connected to the storage medium 50 to be analyzed; the former obtains a comparison signal from the latter and judges whether the data of the storage medium has been completely read. The control-signal output of the second comparison-and-judgment device 58 is connected to the control terminal of the partial-data reading device 54; the latter decides, according to the former's instruction, whether to continue reading data from the storage medium to be analyzed.
The above embodiment serves only to further illustrate the method and system for performing automatic intelligent forensics on a storage medium according to the invention; the invention is not limited to this embodiment, and any simple modification, equivalent variation or alteration of the above embodiment made in accordance with the technical essence of the invention falls within the protection scope of the technical solution of the invention.

Claims (4)

1. A method for performing automatic intelligent forensics on a storage medium, characterized in that it comprises the steps of:
an automatic analysis-function-module loading step, in which, after analysis is started, the forensic computer runs the forensic system, automatically searches for the analysis function module plug-ins available in the system, and automatically loads all analysis function modules of all plug-ins into the forensic computer, so that the forensic computer has comprehensive analysis capability;
an intelligent analysis-module selection step, in which the forensic personnel enter conditions into the forensic computer according to the type and characteristics of the case, and the forensic system intelligently selects the analysis modules to be used according to those conditions;
an analysis starting step, in which functional analysis is started;
a partial-data reading step, in which the forensic computer reads a portion of data from the storage medium to be analyzed;
a functional analysis step, in which the forensic system of the forensic computer calls one of the analysis modules determined in the intelligent analysis-module selection step;
an intelligent useful-result identification step, in which the analysis module called in the functional analysis step analyzes the partial data read in the partial-data reading step and intelligently identifies useful information;
a useful-result saving step, in which the useful information identified in the intelligent useful-result identification step is stored in the corresponding storage area of the forensic computer;
an analysis judgment step, in which it is judged whether all analysis modules determined in the intelligent analysis-module selection step have been called; when the result is that not all have been called, the flow returns to the functional analysis step and another analysis module is selected and called for forensic analysis; when the result is that all have been called, the flow proceeds to the next step;
a data-read judgment step, in which it is judged whether the data of the storage medium under examination has been completely read; when the result is that the data of the storage medium has not been read through, the flow returns to the partial-data reading step and continues reading the unread data of the storage medium; when the result is that the data of the storage medium has been read through, the forensic analysis is complete.
2. The method for performing automatic intelligent forensics on a storage medium according to claim 1, characterized in that the automatic analysis-function-module loading step further comprises the steps of:
a function-module enumeration step, in which the forensic plug-ins installed on the forensic computer are read;
an automatic analysis-list addition step, in which the plug-in information read out is automatically added to the analysis list, so that the automatic analysis function has comprehensive analysis capability;
an enumeration judgment step, in which it is judged whether enumeration of all forensic plug-ins installed on the forensic computer is complete; when the result is that enumeration is not complete, the flow returns to the function-module enumeration step and continues reading the forensic plug-ins installed on the forensic computer; when the result is that enumeration is complete, the automatic analysis-function-module loading step is finished.
3. The method for performing automatic intelligent forensics on a storage medium according to claim 1, characterized in that the intelligent analysis-module selection step further comprises the steps of:
a case-type selection step, in which the forensic personnel fill in the case attribute form displayed by the forensic system on the forensic computer according to the actual circumstances of the case, and the forensic system automatically generates, from the case attributes, the analysis strategy to be used when analyzing the case;
an intelligence-base analysis-module loading step, in which all analysis modules in the intelligence base are loaded;
an analysis-module determination step, in which the forensic system of the forensic computer, according to the analysis strategy generated after the case-type selection and all analysis modules the forensic system is able to run, intelligently picks out the one or more functional analysis modules needed to analyze the case, for calling in the subsequent steps.
4. A system for performing automatic intelligent forensics on a storage medium, characterized in that it comprises:
an automatic analysis-function-module loading device, which, after analysis is started, automatically searches for the analysis function module plug-ins available in the system and automatically loads all analysis function modules of all plug-ins;
an intelligent analysis-module selection device, which receives the conditions entered by the forensic personnel according to the type and characteristics of the case, intelligently selects the analysis modules to be used according to the entered conditions, and stores each selected analysis module in the memory device;
a memory device, provided with a first storage area for storing each selected analysis module and a second storage area for storing useful information;
a device for reading partial data of the storage medium to be analyzed, which reads the data of the storage medium under examination portion by portion;
an analysis-module calling device, which retrieves the selected analysis modules one by one from the memory device;
an intelligent useful-information identification device, which uses an analysis module to analyze the partial data read from the storage medium, intelligently identifies useful information, and stores that useful information in the second storage area of the memory device;
a first comparison-and-judgment device, which judges whether each selected analysis module stored in the memory device has been called and outputs a control signal according to the result;
a second comparison-and-judgment device, which judges whether the data of the storage medium to be analyzed has been completely read and outputs a control signal according to the result;
wherein the output of the automatic loading device is connected to the intelligent selection device; the former passes the loaded analysis modules to the latter, which selects among them according to the entered conditions. The intelligent selection device is connected to the memory device; the former stores each selected analysis module in the corresponding storage area of the latter. The partial-data reading device is connected to the storage medium to be analyzed; the former reads partial data from the latter. The partial-data reading device is connected to the analysis-module calling device; the latter retrieves the partial data that the former has read from the storage medium. The analysis-module calling device is connected to the memory device; the former retrieves the selected analysis modules one by one from the latter. The output of the calling device is connected to the input of the intelligent identification device; the former delivers the partial data from the storage medium and the retrieved analysis module to the latter, which analyzes the partial data with that module. The output of the identification device is connected to the memory device; the former stores the useful information obtained by the analysis in the corresponding storage area of the latter. The output of the identification device is also connected to the input of the first comparison-and-judgment device; the former sends an analysis-complete signal to the latter. The first comparison-and-judgment device is connected to the memory device; the former retrieves the information on each analysis module from the latter and judges whether that module has been called. The control-signal output of the first comparison-and-judgment device is connected to the control terminal of the calling device; the latter decides, according to the former's instruction, whether to call another analysis module from the memory device. The output of the first comparison-and-judgment device is connected to the input of the second comparison-and-judgment device; the former sends a processing-complete signal to the latter. The second comparison-and-judgment device is connected to the storage medium to be analyzed; the former obtains a comparison signal from the latter and judges whether the data of the storage medium has been completely read. The control-signal output of the second comparison-and-judgment device is connected to the control terminal of the partial-data reading device; the latter decides, according to the former's instruction, whether to continue reading data from the storage medium to be analyzed.
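As an added illustration, not code from the patent or its assignee, the Python sketch below models the two-level loop of claim 1 and the detailed description: a plug-in registry stands in for the enumerated module list, module selection is keyed on a case type, and the image is read in portions with the inner loop running every selected module over each portion. The module names, the case-type tags, the sample image bytes and the overlap handling are all assumptions; the overlap is added because a plain fixed-size split silently loses an artifact that straddles a portion boundary, a failure mode the patent text does not address.

```python
import re
from typing import Callable, Dict, Iterator, List, Set, Tuple

# A finding is (module name, absolute start offset, absolute end offset, value).
Finding = Tuple[str, int, int, str]
Analyzer = Callable[[bytes, int], List[Finding]]


def find_emails(chunk: bytes, base: int) -> List[Finding]:
    """Hypothetical analysis module: e-mail addresses in a raw byte portion."""
    return [("email", base + m.start(), base + m.end(), m.group().decode("ascii", "replace"))
            for m in re.finditer(rb"[\w.+-]+@[\w-]+\.[\w.]+", chunk)]


def find_urls(chunk: bytes, base: int) -> List[Finding]:
    """Hypothetical analysis module: http(s) URLs in a raw byte portion."""
    return [("url", base + m.start(), base + m.end(), m.group().decode("ascii", "replace"))
            for m in re.finditer(rb"https?://[^\s\x00]+", chunk)]


def find_jpeg_headers(chunk: bytes, base: int) -> List[Finding]:
    """Hypothetical analysis module: JPEG start-of-image markers (a carving hint)."""
    return [("jpeg", base + m.start(), base + m.end(), m.group().hex())
            for m in re.finditer(rb"\xff\xd8\xff", chunk)]


# Stands in for the plug-in list built by the enumeration step (step 11):
# module name -> (case types its analysis strategy applies to, analyzer).
REGISTRY: Dict[str, Tuple[Set[str], Analyzer]] = {
    "email": ({"fraud", "harassment"}, find_emails),
    "url": ({"fraud", "intrusion"}, find_urls),
    "jpeg": ({"harassment"}, find_jpeg_headers),
}


def select_modules(case_type: str) -> List[str]:
    """Step 12: choose the m modules whose strategy matches the case attributes."""
    return [name for name, (tags, _) in REGISTRY.items() if case_type in tags]


def iter_chunks(image: bytes, chunk_size: int, overlap: int) -> Iterator[Tuple[int, bytes, bool]]:
    """Step 14: yield (start offset, portion, is_last). Each portion re-reads the last
    `overlap` bytes of the previous one so an artifact straddling a boundary is seen
    whole; choose overlap >= the longest artifact sought (added caveat, not in the patent)."""
    pos = 0
    while pos < len(image):
        start = max(0, pos - overlap)
        end = min(len(image), pos + chunk_size)
        yield start, image[start:end], end >= len(image)
        pos += chunk_size


def run_forensics(image: bytes, case_type: str, chunk_size: int = 64,
                  overlap: int = 16) -> List[Finding]:
    """Outer loop over portions (step 19) around an inner loop over the selected
    modules (step 18); useful results go to the result store (step 17)."""
    selected = select_modules(case_type)
    saved: Dict[Finding, None] = {}   # ordered set: dedups a hit re-seen via the overlap
    for base, chunk, last in iter_chunks(image, chunk_size, overlap):
        for name in selected:         # inner loop: every selected module, this portion
            _, analyze = REGISTRY[name]
            for finding in analyze(chunk, base):
                # A match running up to the end of a non-final portion may be cut
                # off; skip it here, the next portion's overlap re-reads it whole.
                if finding[2] == base + len(chunk) and not last:
                    continue
                saved.setdefault(finding)
    return list(saved)


# Constructed disk-image stand-in (not real evidence); NUL padding mimics slack space.
SAMPLE_IMAGE = (
    b"\x00" * 40
    + b"contact: alice@example.com see http://evil.example/login\n"
    + b"\x00" * 30
    + b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 20
    + b"bob@corp.example\n" + b"\x00" * 10
)

if __name__ == "__main__":
    for f in run_forensics(SAMPLE_IMAGE, "fraud"):
        print(f)
```

Running the same image with `overlap=0` drops the address that straddles the first 64-byte boundary, which is the case the overlap exists for.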

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810072533A CN101546364A (en) 2008-12-29 2008-12-29 Method and system for performing automatic intelligent forensics on storage medium

Publications (1)

Publication Number Publication Date
CN101546364A true CN101546364A (en) 2009-09-30

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20090930