CN111062008A - Remote electronic evidence obtaining system and method - Google Patents

Info

Publication number
CN111062008A
Authority
CN
China
Prior art keywords
evidence
hard disk
evidence obtaining
backup
module
Prior art date
Legal status
Granted
Application number
CN201811211936.3A
Other languages
Chinese (zh)
Other versions
CN111062008B (en)
Inventor
陈贤斌
Current Assignee
Shanghai Yueyu Information Technology Co Ltd
Original Assignee
Shanghai Yueyu Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Yueyu Information Technology Co Ltd
Priority to CN201811211936.3A
Publication of CN111062008A
Application granted
Publication of CN111062008B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/305 Authentication, i.e. establishing the identity or authorisation of security principals by remotely controlling device operation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1446 Point-in-time backing up or restoration of persistent data
    • G06F11/1448 Management of the data involved in backup or backup restore
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Debugging And Monitoring (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to a remote electronic evidence obtaining system which comprises a remote end and a field end, wherein the field end is in communication connection with the remote end through a network. The remote end comprises a forensics analysis module, a forensics plug-in database, a device driver database and a digital signature module. The field end comprises a hard disk backup device and an evidence obtaining device, and the evidence obtaining device is connected with the hard disk backup device through a data line. The hard disk backup device comprises a hard disk backup port and a backup hard disk. The evidence obtaining device comprises an evidence obtaining operating system and an evidence obtaining module, wherein the evidence obtaining module comprises a backup hard disk analysis module, an evidence extraction module and an evidence obtaining report database. The invention also discloses a remote electronic evidence obtaining method, which comprises on-site cloning of the evidence obtaining system, remote analysis of the evidence obtaining system, data acquisition, data analysis and the like. The invention uses a hard disk backup and a safe evidence obtaining environment to collect and analyze data, and is therefore safe and reliable.

Description

Remote electronic evidence obtaining system and method
Technical Field
The invention relates to an electronic evidence obtaining system and method, in particular to an improved remote electronic evidence obtaining system and method, and belongs to the field of electronic evidence obtaining.
Background
Electronic evidence collection refers to the process of obtaining, storing, analyzing and presenting evidence of criminal behaviors such as computer intrusion, destruction, fraud and attack, in a manner that meets legal requirements, using computer software and hardware technologies; specifically, it is the process of dissecting the computer-related criminal behavior and searching for and extracting criminal evidence with advanced identification and analysis techniques. At present, criminal methods are increasingly digital, and the collection of effective electronic evidence has become the key to solving a case. The existing electronic evidence obtaining methods have problems with the evidence obtaining environment and the reliability of the evidence obtained.
Disclosure of Invention
The invention discloses a remote electronic evidence obtaining system and a method, which adopt a hard disk backup and a safe evidence obtaining environment to carry out data acquisition and analysis, and solve the problems of the evidence obtaining environment and the evidence obtaining reliability existing in the prior scheme.
The remote electronic evidence obtaining system comprises a remote end and a site end, wherein the site end is in communication connection with the remote end through a network. The remote end comprises a forensics analysis module, a forensics plug-in database, a device driver database and a digital signature module, wherein the forensics analysis module is used for analyzing the field forensics target system, the forensics plug-in database is used for storing and managing forensics plug-in information, the device driver database is used for storing and managing device driver information, and the digital signature module is used for digitally signing. The field end comprises a hard disk backup device and an evidence obtaining device, and the evidence obtaining device is connected with the hard disk backup device through a data line. The hard disk backup device comprises a hard disk backup port and a backup hard disk, wherein the hard disk backup port is used for transmitting and copying the data of the evidence obtaining hard disk, and the backup hard disk is used for storing the data of the evidence obtaining hard disk. The evidence obtaining device comprises an evidence obtaining operating system and an evidence obtaining module, wherein the evidence obtaining module comprises a backup hard disk analysis module, an evidence extracting module and an evidence obtaining report database; the evidence obtaining operating system is used for starting the backup hard disk, the backup hard disk analysis module is used for analyzing the system information on the backup hard disk, the evidence extracting module is used for extracting evidence information, and the evidence obtaining report database is used for storing and managing evidence obtaining reports.
The invention also discloses a remote electronic evidence obtaining method based on the remote electronic evidence obtaining system, wherein the remote electronic evidence obtaining system comprises a remote end and a site end, and the site end is in communication connection with the remote end through a network. The remote end comprises a forensics analysis module, a forensics plug-in database, a device driver database and a digital signature module. The field end comprises a hard disk backup device and an evidence obtaining device, and the evidence obtaining device is connected with the hard disk backup device through a data line. The hard disk backup device comprises a hard disk backup port and a backup hard disk. The evidence obtaining device comprises an evidence obtaining operating system and an evidence obtaining module, wherein the evidence obtaining module comprises a backup hard disk analysis module, an evidence extraction module and an evidence obtaining report database. The method comprises the following steps: the field terminal copies the data of the evidence obtaining hard disk to the backup hard disk through the hard disk backup port; the evidence obtaining operating system starts the backup hard disk; the backup hard disk analysis module analyzes the backup hard disk system to obtain backup hard disk system information and sends it to the forensics analysis module of the remote terminal; the forensics analysis module selects the corresponding device driver from the device driver database according to the backup hard disk system information and sends it to the field terminal for loading; the forensics analysis module selects the corresponding forensics plug-in from the forensics plug-in database according to the backup hard disk system information and sends it to the field terminal for execution to obtain an analysis result; the evidence extracting module marks related files and data in the backup hard disk system according to the analysis result and extracts evidence information to form an evidence obtaining report; and the digital signature module digitally signs the evidence obtaining report and then stores it in the evidence obtaining report database.
Furthermore, the evidence obtaining module of the scheme also comprises a data recovery module and a recovery information database, wherein the data recovery module recovers the data damaged and deleted on the backup hard disk and stores the data into the recovery information database, and the evidence extracting module extracts evidence information from the recovery information database and writes the evidence information into an evidence obtaining report.
Furthermore, the evidence obtaining module of the scheme also comprises a password cracking module and a decryption information database: the password cracking module removes the encryption from encrypted files, compressed archives and data on the backup hard disk and stores the decrypted data in the decryption information database, and the evidence extracting module extracts evidence information from the decryption information database and writes it into the evidence obtaining report.
The remote electronic evidence obtaining system and the method adopt hard disk backup and a safe evidence obtaining environment to carry out data acquisition and analysis, and have the characteristics of safety and reliability.
Drawings
Fig. 1 is a schematic diagram of a remote electronic forensics system.
Detailed Description
As shown in fig. 1, the remote electronic evidence obtaining system of the present invention includes a remote end and a site end, wherein the site end and the remote end are connected through network communication. The remote end comprises a forensics analysis module, a forensics plug-in database, a device driver database and a digital signature module, wherein the forensics analysis module is used for analyzing the field forensics target system, the forensics plug-in database is used for storing and managing forensics plug-in information, the device driver database is used for storing and managing device driver information, and the digital signature module is used for digitally signing. The field end comprises a hard disk backup device and an evidence obtaining device, and the evidence obtaining device is connected with the hard disk backup device through a data line. The hard disk backup device comprises a hard disk backup port and a backup hard disk, wherein the hard disk backup port is used for transmitting and copying the data of the evidence obtaining hard disk, and the backup hard disk is used for storing the data of the evidence obtaining hard disk. The evidence obtaining device comprises an evidence obtaining operating system and an evidence obtaining module, wherein the evidence obtaining module comprises a backup hard disk analysis module, an evidence extracting module and an evidence obtaining report database; the evidence obtaining operating system is used for starting the backup hard disk, the backup hard disk analysis module is used for analyzing the system information on the backup hard disk, the evidence extracting module is used for extracting evidence information, and the evidence obtaining report database is used for storing and managing evidence obtaining reports.
In this scheme, the hard disk backup and the safe evidence obtaining environment are used for data acquisition and analysis, and the safe evidence obtaining operating system is used to start the evidence obtaining hard disk system, so that the safety and reliability of the evidence obtained from the data are improved.
The invention also discloses a remote electronic evidence obtaining method based on the remote electronic evidence obtaining system, wherein the remote electronic evidence obtaining system comprises a remote end and a site end, and the site end is in communication connection with the remote end through a network. The remote end comprises a forensics analysis module, a forensics plug-in database, a device driver database and a digital signature module. The field end comprises a hard disk backup device and an evidence obtaining device, and the evidence obtaining device is connected with the hard disk backup device through a data line. The hard disk backup device comprises a hard disk backup port and a backup hard disk. The evidence obtaining device comprises an evidence obtaining operating system and an evidence obtaining module, wherein the evidence obtaining module comprises a backup hard disk analysis module, an evidence extraction module and an evidence obtaining report database. The method comprises the following steps: the field terminal copies the data of the evidence obtaining hard disk to the backup hard disk through the hard disk backup port; the evidence obtaining operating system starts the backup hard disk; the backup hard disk analysis module analyzes the backup hard disk system to obtain backup hard disk system information and sends it to the forensics analysis module of the remote terminal; the forensics analysis module selects the corresponding device driver from the device driver database according to the backup hard disk system information and sends it to the field terminal for loading; the forensics analysis module selects the corresponding forensics plug-in from the forensics plug-in database according to the backup hard disk system information and sends it to the field terminal for execution to obtain an analysis result; the evidence extracting module marks related files and data in the backup hard disk system according to the analysis result and extracts evidence information to form an evidence obtaining report; and the digital signature module digitally signs the evidence obtaining report and then stores it in the evidence obtaining report database. In this scheme, data acquisition and analysis are carried out using a hard disk backup and a safe evidence obtaining environment: the evidence obtaining hard disk system is started by the safe evidence obtaining operating system, the required drivers are loaded in that operating system, the remote end selects a forensics plug-in to carry out the forensic analysis according to the system analysis result, and the evidence obtaining report is stored in the database after being digitally signed. The remote end can then retrieve data from the database, so that network transmission of large amounts of data is avoided, and the efficiency of remote evidence obtaining and the safety and reliability of the data are improved.
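The chain just described (copy the evidence hard disk to the backup hard disk, analyze the backup, extract marked items into a report, digitally sign the report, store it in the report database) is illustrated by the following added example; it is not code from the patent or from its assignee. It assumes Go's standard crypto/ed25519 package as the digital signature module, uses constructed in-memory byte slices as stand-ins for the evidence hard disk, the backup hard disk and an extracted file, and uses placeholder case identifiers and paths. Beyond the text, it also checks that the backup is a bit-for-bit copy of the source before the report is produced, and binds the signed report to the image digest so that a verifier can tie the report to the exact backup it came from.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// EvidenceItem is one file or data item the evidence extraction module
// marked on the backup hard disk, identified by path and content hash.
type EvidenceItem struct {
	Path   string `json:"path"`
	SHA256 string `json:"sha256"`
}

// Report is the evidence obtaining report. ImageSHA256 binds the report
// to the exact backup image it was produced from.
type Report struct {
	CaseID      string         `json:"case_id"`
	ImageSHA256 string         `json:"image_sha256"`
	SystemInfo  string         `json:"system_info"`
	Items       []EvidenceItem `json:"items"`
}

// SignedReport is what the digital signature module stores in the report
// database: the serialized report plus a hex Ed25519 signature over it.
type SignedReport struct {
	Report    json.RawMessage `json:"report"`
	Signature string          `json:"signature"`
}

// Digest returns the hex SHA-256 of a byte slice (disk image or file).
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyBackup checks that the backup hard disk is a bit-for-bit copy of
// the evidence hard disk and returns the shared image digest on success.
func VerifyBackup(source, backup []byte) (string, error) {
	if !bytes.Equal(source, backup) {
		return "", errors.New("backup does not match the evidence hard disk")
	}
	return Digest(backup), nil
}

// NewSigningKey generates the remote end's Ed25519 key pair (hypothetical
// helper; a deployment would keep the private key in protected storage).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignReport serializes the report and signs exactly those bytes.
func SignReport(priv ed25519.PrivateKey, r Report) (SignedReport, error) {
	body, err := json.Marshal(r)
	if err != nil {
		return SignedReport{}, err
	}
	sig := ed25519.Sign(priv, body)
	return SignedReport{Report: body, Signature: hex.EncodeToString(sig)}, nil
}

// VerifyReport checks the signature before trusting anything in a stored
// report; any change to the stored bytes or a wrong key fails verification.
func VerifyReport(pub ed25519.PublicKey, sr SignedReport) (Report, error) {
	sig, err := hex.DecodeString(sr.Signature)
	if err != nil {
		return Report{}, err
	}
	if !ed25519.Verify(pub, sr.Report, sig) {
		return Report{}, errors.New("signature invalid: report altered or wrong key")
	}
	var r Report
	if err := json.Unmarshal(sr.Report, &r); err != nil {
		return Report{}, err
	}
	return r, nil
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-ins for the evidence hard disk and its backup copy.
	source := bytes.Repeat([]byte("SECTOR-DATA "), 64)
	backup := append([]byte(nil), source...)
	imageHash, err := VerifyBackup(source, backup)
	if err != nil {
		panic(err)
	}
	rep := Report{
		CaseID:      "CASE-EXAMPLE-001", // placeholder identifier
		ImageSHA256: imageHash,
		SystemInfo:  "constructed: example OS and file system",
		Items:       []EvidenceItem{{Path: "/home/user/notes.txt", SHA256: Digest([]byte("constructed file"))}},
	}
	signed, err := SignReport(priv, rep)
	if err != nil {
		panic(err)
	}
	_, err = VerifyReport(pub, signed)
	fmt.Println("stored report verifies:", err == nil)
	// Alter the stored bytes: verification must now fail.
	signed.Report = bytes.Replace(signed.Report, []byte("001"), []byte("002"), 1)
	_, err = VerifyReport(pub, signed)
	fmt.Println("altered report rejected:", err != nil)
}
```

The signature is computed over the serialized report, which carries the image digest, so a reviewer who later pulls the report from the database can check in one step that it is unaltered, was signed by the remote end's key, and refers to a specific backup image; the backup comparison before extraction is the part of the chain that makes the image digest meaningful.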
In order to preserve useful data lost through deletion, updating and similar operations and to restore the original evidence data, the evidence obtaining module of the method further comprises a data recovery module and a recovery information database: the data recovery module recovers the damaged and deleted data on the backup hard disk and stores it in the recovery information database, and the evidence extracting module extracts evidence information from the recovery information database and writes it into the evidence obtaining report. The recovered data may contain important evidence information that is decisive for the evidence obtaining work.
In order to break the encryption protection of files and data in the evidence obtaining system and collect more useful evidence data, the evidence obtaining module of the scheme also comprises a password cracking module and a decryption information database: the password cracking module removes the encryption from encrypted files, compressed archives and data on the backup hard disk and stores the decrypted data in the decryption information database, and the evidence extracting module extracts evidence information from the decryption information database and writes it into the evidence obtaining report. The decrypted content may contain important evidence information and may bring a decisive breakthrough to the evidence obtaining work.
The systems, devices, modules, and the like disclosed in the present disclosure may be implemented by using general and customary schemes known in the art, and the algorithms may be implemented by using known general and customary algorithms, or may be modified as appropriate according to specific situations.
The remote electronic evidence obtaining system and method of the present invention are not limited to the disclosure of the specific embodiments, the technical solutions presented in the embodiments can be extended based on the understanding of those skilled in the art, and the simple alternatives made by those skilled in the art according to the present invention in combination with the common general knowledge also belong to the scope of the present invention.

Claims (4)

1. A remote electronic evidence obtaining system, characterized by comprising a remote end and a site end, wherein the site end is in communication connection with the remote end through a network; the remote end comprises a forensics analysis module, a forensics plug-in database, a device driver database and a digital signature module, the forensics analysis module is used for analyzing the site evidence obtaining target system, the forensics plug-in database is used for storing and managing forensics plug-in information, the device driver database is used for storing and managing device driver information, and the digital signature module is used for digital signing; the site end comprises a hard disk backup device and an evidence obtaining device, the evidence obtaining device is connected with the hard disk backup device through a data line, the hard disk backup device comprises a hard disk backup port and a backup hard disk, the hard disk backup port is used for transmitting and copying the evidence obtaining hard disk data, and the backup hard disk is used for storing the evidence obtaining hard disk data; the evidence obtaining device comprises an evidence obtaining operating system and an evidence obtaining module, the evidence obtaining module comprises a backup hard disk analysis module, an evidence extraction module and an evidence obtaining report database, the evidence obtaining operating system is used for starting the backup hard disk, the backup hard disk analysis module is used for analyzing the system information on the backup hard disk, the evidence extraction module is used for extracting evidence information, and the evidence obtaining report database is used for storing and managing evidence obtaining reports.
2. A remote electronic evidence obtaining method based on a remote electronic evidence obtaining system, wherein the remote electronic evidence obtaining system comprises a remote end and a site end, the site end is in communication connection with the remote end through a network, the remote end comprises a forensics analysis module, a forensics plug-in database, a device driver database and a digital signature module, the site end comprises a hard disk backup device and an evidence obtaining device, the evidence obtaining device is connected with the hard disk backup device through a data line, the hard disk backup device comprises a hard disk backup port and a backup hard disk, the evidence obtaining device comprises an evidence obtaining operating system and an evidence obtaining module, and the evidence obtaining module comprises a backup hard disk analysis module, an evidence extraction module and an evidence obtaining report database, characterized by comprising the following steps:
the field terminal copies the data of the evidence obtaining hard disk to the backup hard disk through the hard disk backup port; the evidence obtaining operating system starts the backup hard disk; the backup hard disk analysis module analyzes the backup hard disk system to obtain backup hard disk system information and sends it to the forensics analysis module of the remote terminal; the forensics analysis module selects the corresponding device driver from the device driver database according to the backup hard disk system information and sends it to the field terminal for loading; the forensics analysis module selects the corresponding forensics plug-in from the forensics plug-in database according to the backup hard disk system information and sends it to the field terminal for execution to obtain an analysis result; the evidence extraction module marks related files and data in the backup hard disk system according to the analysis result and extracts evidence information to form an evidence obtaining report; and the digital signature module digitally signs the evidence obtaining report and then stores it in the evidence obtaining report database.
3. The remote electronic evidence obtaining method of claim 2, wherein the evidence obtaining module further comprises a data recovery module and a recovery information database, the data recovery module recovers the damaged and deleted data on the backup hard disk and stores it in the recovery information database, and the evidence extraction module extracts evidence information from the recovery information database and writes it into the evidence obtaining report.
4. The remote electronic evidence obtaining method of claim 2, wherein the evidence obtaining module further comprises a password cracking module and a decryption information database, the password cracking module removes the encryption from the encrypted files, compressed archives and data on the backup hard disk and stores the decrypted data in the decryption information database, and the evidence extraction module extracts evidence information from the decryption information database and writes it into the evidence obtaining report.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811211936.3A CN111062008B (en) 2018-10-17 2018-10-17 Remote electronic evidence obtaining system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811211936.3A CN111062008B (en) 2018-10-17 2018-10-17 Remote electronic evidence obtaining system and method

Publications (2)

Publication Number Publication Date
CN111062008A true CN111062008A (en) 2020-04-24
CN111062008B CN111062008B (en) 2023-05-30

Family

ID=70297095

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811211936.3A Active CN111062008B (en) 2018-10-17 2018-10-17 Remote electronic evidence obtaining system and method

Country Status (1)

Country Link
CN (1) CN111062008B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1645381A (en) * 2004-06-22 2005-07-27 上海金诺网络安全技术发展股份有限公司 Method for arranging verification inserter structure of remote computer
US20110191533A1 (en) * 2010-02-02 2011-08-04 Legal Digital Services Digital forensic acquisition kit and methods of use thereof
CN203095330U (en) * 2013-03-21 2013-07-31 重庆云证科技有限公司 Electronic elevator information evidence obtaining system
CN104156669A (en) * 2014-08-11 2014-11-19 南京龙联信息技术有限公司 Computer information evidence obtaining system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
郝桂英;刘凤;李世忠;: "网络实时取证模型的研究与设计" *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114666133A (en) * 2022-03-23 2022-06-24 重庆傲雄在线信息技术有限公司 Remote inquiry evidence-obtaining system and method based on original handwriting signature
CN114666133B (en) * 2022-03-23 2023-09-15 重庆傲雄在线信息技术有限公司 Remote inquiry evidence obtaining system and method based on original handwriting signature

Also Published As

Publication number Publication date
CN111062008B (en) 2023-05-30

Similar Documents

Publication Publication Date Title
CN110008757B (en) Data protection method and system in updating of terminal firmware of Internet of things
CN103226675B (en) A kind of traceability system and method analyzing intrusion behavior
CN104850407A (en) Desktop screen capture system and method
CN113158248B (en) Method for credible data acquisition and evidence coexistence of electronic equipment based on block chain technology
CN101697520A (en) Method and device for processing system logs
CN111061593B (en) Electronic evidence obtaining system and method
CN106681865B (en) Service recovery method and device
CN113064760B (en) Database synthesis backup method and device, computer equipment and storage medium
CN112084154B (en) Cross-platform multi-host combined log compression method
CN104021217A (en) System and method for extracting fragment file and deleted file of mobile phone
CN102045268A (en) Method and device for recovering email data
CN111062008A (en) Remote electronic evidence obtaining system and method
CN108900505B (en) Cluster audit management and control method based on block chain technology
CN113098980B (en) Portable safety operation and maintenance system for power monitoring system
Ali Digital forensics best practices and managerial implications
CN101697561A (en) Method and mobile terminal for recycling short messages
CN102982288B (en) The encryption of data and the equipment of deciphering and method is performed in portable terminal
CN105159947A (en) Tamper-proof monitoring system
CN112329029A (en) Block chain-based electronic archive file safe storage method and system
CN113572860B (en) Method and device for tracking leaked data, storage system, equipment and storage medium
CN108777621A (en) A method of obtaining means of payment Alipay transaction record
KR102220635B1 (en) Memory DB based Deduplication Block Data Transmission method
Ojo et al. Secondhand smart IoT devices data recovery and digital investigation
Syambas et al. Two-Step Injection Method for Collecting Digital Evidence in Digital Forensics.
CN102314579B (en) File filter protecting method, drive device and client end

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant