CN111090779A

CN111090779A - Cloud storage and retrieval analysis method for case-handling exploration evidence-taking data

Info

Publication number: CN111090779A
Application number: CN201910170845.8A
Authority: CN
Inventors: 王文梅
Original assignee: Individual
Current assignee: Individual
Priority date: 2019-03-01
Filing date: 2019-03-01
Publication date: 2020-05-01

Abstract

The invention discloses a cloud storage and retrieval analysis method for case handling, investigation and evidence obtaining data, which is based on the idea of assisting in guiding investigation work by using investigation and evidence obtaining big data obtained in investigation and case handling, and develops the construction of an investigation and evidence obtaining data cloud system, namely a big data cloud storage and fast search correlation analysis information system; on the basis of realizing cloud storage of case handling, investigation and evidence obtaining data, a third-party data interface is reserved, electronic data are rapidly searched and serially analyzed, investigation data information construction is strengthened, investigation and evidence obtaining data of various criminal cases are collected, analyzed, researched and utilized, clue evidences are obtained, criminal trends, characteristics and laws are known and mastered in time, investigation is guided through data information, investigation directions and key points of investigation are accurately researched and judged, investigation capacity is effectively improved, investigation work is purposefully developed, and scientific development of intelligent criminal investigation work in the big data era is realized.

Description

Cloud storage and retrieval analysis method for case-handling exploration evidence-taking data

Technical Field

The invention belongs to the technical field of gathering and analyzing of case-handling exploration evidence-obtaining data, and particularly relates to a technology and a method for cloud storage and retrieval of analysis cloud systems of case-handling exploration evidence-obtaining data.

Background

In recent years, a great number of criminal major cases and critical cases such as public security, traffic accident, killing people, releasing fire, robbery, money laundering and the like can not be dealt with, investigated and tested for evidence. The construction of the capacity of handling case, investigation and evidence collection and rapid analysis follows the development of the era and the development of the law and the method, and is suitable for the requirement of the development of intelligent investigation. At present, crime situations such as public security, traffic, economy and the like are severe, the characteristics of ganging, networking and intellectualization are presented, and the method poses serious threats to national politics, economy, finance, culture, environmental safety and social stability.

Based on the idea of applying case-handling exploration evidence-obtaining big data and assisting in guiding investigation work, the construction of a cloud storage and retrieval analysis cloud system for case-handling exploration evidence-obtaining data is developed. On the basis of realizing cloud storage of case handling, investigation and evidence obtaining data of the whole jurisdiction, a data interface across jurisdictions is reserved, quick search and series analysis of case handling and investigation data are realized, criminal direction, characteristics and laws are known and mastered in time by strengthening investigation informatization construction, collecting, analyzing, researching and utilizing the case handling and investigation data, investigation is guided through data information, investigation direction and investigation key point are accurately researched and judged, investigation capability is effectively improved, investigation work is purposefully developed, and scientific development of intelligent investigation work in a big data era is realized; in order to solve the problem that evidence obtaining data is isolated and can not be gathered, a evidence obtaining cloud system of investigation case handling and investigation data is built according to the overall arrangement of intelligent investigation, the investigation case handling, the big data storage and the quick search correlation analysis of case handling and investigation data are realized, the important benefits of science and technology are achieved, and the development direction and the future of the intelligent investigation work in the new period are realized.

The invention content is as follows:

a cloud storage and retrieval analysis method for case-handling exploration evidence-obtaining data is disclosed, and the invention aims at: the cloud storage and retrieval analysis system for the case-handling exploration evidence-obtaining data is based on information-based intelligent investigation and combines the mainstream technologies of a distributed operation frame, a distributed file system, Web service and the like of a big data analysis technology, so that the cloud system for big data storage, search, series connection, analysis and interaction is realized, and a simple, standard and efficient data analysis system is established; the cloud system provides a whole set of scheme which can serve a single case and can process cross-system and cross-region cases by combining the function of case handling and investigation data evidence obtaining and the analysis thinking of big data, and the following aims are achieved:

(1) the informatization of investigation and evidence obtaining work is improved;

in order to improve the informatization degree of investigation and evidence collection work and fully improve case handling efficiency, the system summarizes system data such as supporting and integrating information data, telecommunication operators, banks and the like; the method has the advantages that the data multi-point query function is realized, a data comprehensive analysis system is set up, the convenient information query and integration analysis functions are realized, and necessary clues and evidences are provided for the investigation work;

(2) the evidence obtaining tool is integrated, so that the investigation efficiency is improved, and the investigation cost is saved; the integration degree of big data is improved, besides the integration of third-party data information, for digital products such as investigation evidence collection, computers, storage media and the like held by suspects, especially for a large amount of personal data stored in the investigation evidence collection, a professional evidence collection tool is needed to be used for data extraction and recovery; meanwhile, on the basis of a big data analysis system, a detection worker can independently check various data in investigation and evidence collection when needed, and filter and inquire according to special attributes such as time, characters, events, keywords and the like as needed; the investigation personnel can also inquire and analyze the suspect data in the investigation and evidence collection and the data in the third-party data system in real time after acquiring the related authorization according to the investigation requirement, thereby fully improving the utilization rate of the data;

(3) information query and authority management are enhanced, and investigation work is standardized;

the integrated management and analysis of the data are targets, and the authority management of the investigation personnel is the guarantee of the data security; in order to realize standardized management and supervision, a detection worker needs to submit a viewing range to an administrator before inquiring and analyzing related data, and can view data in a corresponding range after obtaining authorization; meanwhile, all inquired, browsed and analyzed data keep related log records, and necessary information is provided for supervision and tracing of the responsibility of later-stage investigation personnel;

(4) customized development;

because the investigation process and the investigation method have more or less difference under different cases and different conditions, the big data analysis system can adjust the details according to different user requirements, such as: customizing a system name and a logo, customizing a data viewing range and a scout person viewing right, and the like;

the system ensures simple operation and convenient viewing of the interface on the premise of ensuring safe and efficient application of data, and fully improves the efficiency of the investigation personnel while ensuring easy use of the investigation personnel.

A technical route of a system and a method for forensics of investigation and case-handling survey data is as follows:

by the construction of a case-handling exploration data evidence obtaining, big data storage and fast search correlation analysis cloud system, and the acquisition and aggregation of data obtained by the evidence-taking of exploration data, an integrated and intelligent cloud data fast search correlation analysis system is formed, and comprehensive correlation analysis is carried out on the case-handling exploration evidence-taking data through related technologies such as data mining, data cleaning, big data correlation, artificial intelligence and the like, so that assistance is provided for the investigation and the deep excavation line expansion of case cases efficiently; the flow direction of security, traffic, logistics and traces is locked, and security, traffic and case-involved objects are checked and cleared by acquiring and analyzing the geographic positions of security, traffic and criminal occurrence, such as time, place, wharf, river boundary, space and the like, the composition of case-involved aircrafts, vehicles, ships and other transportation tools, case-involved personnel, group work division and other related investigation data; the criminal criminals and the gangues are locked through investigation data such as personnel communication, data and track analysis is carried out, a structural thinking guide diagram of the criminals and the gangues is formed, information of the related personnel is cleared, and criminal processes, the involved criminals, gangues core personnel and assistant personnel are found out; through the track data investigation and query, positioning data such as a navigation system installed in a vehicle used by criminals or gangs and information such as personnel communication zone bits are called, cross comparison and analysis are carried out, and criminals or gangs are researched and found out related case information; locking the capital involved in the case through capital flow direction data, analyzing the collection and payment records and data of personnel involved in the case, obtaining certificates such as receipts and receipts, effectively consolidating an evidence system, and carrying out deep digging and line expansion; the criminal crime process is verified through the sound image data, the call information of case-involved personnel, road surface bayonet images and the like are called, integrated and analyzed, the first-hand audiovisual image data of the criminal crime scene is obtained through technical means, and the case and the related cases are assisted to break through and dig deeply.

The technology and the method for realizing the cloud system for storing, retrieving and analyzing the case-handling exploration evidence-taking data are as follows:

a technology and method for handling case investigation and evidence obtaining data storage and retrieval analysis cloud system can enrich the data acquisition means of the investigation department of the existing market, is based on the collection of security, traffic, investigation and case investigation and investigation data, etc., utilizes the mature big data solution, is based on the technical frameworks of distributed file storage, parallel computation, etc., has the characteristics of unity, expandability, high reliability, easy management, simplicity, practicality, etc., is compatible with various investigation and evidence obtaining data, computer data, audio and video image data collected by case investigation and evidence obtaining, can be accessed to the comprehensive information system data of public security network personnel, vehicles, case-involved sites, articles, appliances, etc., and carries out mass data collision and correlation analysis, provides actual combat service for the criminal case investigation personnel, and provides the basis of efficient intelligent analysis and auxiliary decision-making for the case-handling commander;

the cloud system realizes big data storage, search, series connection, analysis and interaction, establishes a simple, standard and efficient data analysis system, is based on collection of public security, traffic, economy, gun poison, anti-terrorism case handling field investigation data and the like, utilizes a mature big data solution scheme, is based on technical architectures such as distributed file storage, parallel computation and the like, has the characteristics of unification, expandability, high reliability, easy management, simplicity, practicability and the like, is compatible with various data, computer data and audio and video image data collected by public security evidence obtaining, can be accessed into third-party information system data such as people, vehicles, objects and the like, performs mass data collision and correlation analysis, provides a practical service for criminal case reconnaissance officers, and provides high-efficiency intelligent analysis and decision-assisting basis for commanders in case handling departments;

the problems to be solved by fast searching and analyzing investigation, case handling, investigation and evidence obtaining data are as follows:

(1) the data storage of each stage of case handling unit is dispersed, and multi-channel data access means and interfaces need to be expanded; the long-term centralized storage and safe backup of case handling unit data at all levels are realized, the data resources of all business systems are effectively expanded, the data fusion and butt joint between an internal case handling system and other systems of banks and communication companies are realized, and a unified data pool capable of effectively promoting case handling command decisions is formed;

(2) the data mining, analyzing and series technical and tactical methods have limited functions and are purposefully developed according to case characteristics; designing various types of case handling tactical models around the handling work content, combining the technologies of unstructured text processing, big data association mining and the like, quickly depicting the attribute characteristics, social relations, behavior tracks, behavior habits, economic behaviors, images and association analysis of multi-person relations of a holder, acquiring evidences, and combining effective auxiliary handling; establishing analysis models such as communication relation person analysis, keyword analysis, class case analysis, batch comparison, track activity analysis and the like, outputting data analysis products according to actual combat requirements, and continuously improving the working capacity of case situation analysis and research and judgment;

the relation between the technology and the method for handling case, investigation and evidence obtaining data storage, retrieval and analysis cloud system and other information systems in use is as follows:

based on efficient analysis and deep application, construction is developed, and long-term storage, data grading sharing, efficient application of data and the like of the data for case-handling exploration and evidence-taking are achieved; the system is different from other data analysis systems in data source, independent in data storage and backup and different in functional role positioning, and is closely customized and developed in combination with the requirements of case handling and evidence obtaining;

service application mode and application scope:

a cloud storage and retrieval analysis method for case-handling exploration evidence-obtaining data is divided into a front-end acquisition storage system and a back-end data analysis system; the front-end acquisition and storage system is characterized in that main user objects are case-handling and survey data acquisition personnel, inspection and appraisal personnel, first-line investigation case-handling personnel, information analysis personnel and the like; the main user objects of the back-end analysis system are criminal case handling commanders, comprehensive analysis and study personnel, front-line investigation case handling personnel and the like.

Overall business process and business volume:

a cloud storage and retrieval analysis method for case handling, investigation and evidence obtaining data is characterized in that various public security evidence obtaining collected data are collected and backed up to a data storage resource pool, and are pushed to comprehensive analysis and judgment personnel through key word query, series analysis, intelligent early warning and other modes for case piece investigation command decision reference; and (3) overall service flow: public security forensics front-end acquisition- > acquisition of equipment data synchronous storage- > quick query- > series analysis- > comprehensive study- > functional chart and report form feedback; the public security evidence obtaining data quantity is preliminarily on line by taking 10000 pieces as a system, is increased year by year based on the first year basis, is increased year by year based on the 100000G data quantity, and is continuously used for 5 years by the first-period on-line capacity; simultaneously logging in the user scale on line by using 20000 as the minimum standard;

internal control measures:

a cloud storage and retrieval analysis method for case-handling, investigation and evidence-obtaining data is in need of coordinating with services such as public security, traffic, detection and the like, and realizes the whole process links of extraction, transmission, filing, retrieval, use and the like of public security evidence-obtaining data, external files, data use quality recording, quality supervision, quality control, internal audit, management and review informatization and systematization;

performance requirements and other requirements:

(1) the system operation index is as follows:

data manipulation: the response time is less than or equal to 2 seconds in a general time period, and less than or equal to 4 seconds in a peak time period;

simple query: the response time is less than or equal to 3 seconds in the general time period, and less than or equal to 5 seconds in the peak time period;

complex query, tandem analysis: the response time is less than or equal to 5 seconds in the general time period, and less than or equal to 20 seconds in the peak time period.

Specific complex applications: the response time is not more than 30 seconds;

(2) data extraction indexes are as follows:

stability, or reliability data, of the system operating above 120% of the current (or planned) load; the test is required to continuously run for more than 24 hours, and the success rate is not lower than 95 percent;

(3) data service index:

the use condition of system resources: under normal pressure, the occupancy rates of the CPU and the Memory of the application server and the database server are respectively lower than 70 percent and 80 percent, and the occupancy rates of the database storage space and the file system space are lower than 70 percent;

(4) safety service index:

the data is classified, stored and managed, and the safety of the data is ensured by combining a safety backup principle; safe storage needs special server backup, and the disaster tolerance capability of the system is improved.

(5) Configuring a system server:

the model is as follows: PowerEdge R730 (and higher performance) rack-mounted cloud server cluster, two-way E52650V 4 (twenty-four cores 48 thread 2.4GHZ)128GB memory 8TB × 5 RAID storage H730P dual power (and higher performance);

(6) client configuration:

THINKPADT480, CPIU: i7-8550U (1.8GHz-4.0GHz)/14 inch LED/memory: 16G (DDR 4)/hard disk: 1tb (sata) +128GB SSD/2G independent graphics card/USB 3.0 × 3/headphone, microphone two-in-one interface/HDMI/4 in1 card reader/bluetooth/battery: built-in 24Whr + post 24 Whr/operating system: windows 7, Windows 10 (and higher);

(7) data integration access tool:

1) the access of structured data is supported, and the material evidence results which are analyzed and fixed can be uploaded to distributed mass storage through a data extraction analysis client and can be uploaded to a cloud analysis system for unified management;

2) unstructured data import: the data files acquired in the data analysis client can be uploaded to distributed mass storage through the data analysis client, and file retrieval indexing and metadata analysis can be performed;

(8) the data graphical analysis module:

the method supports data multi-dimensional graphical analysis, including data collision, time axis graph, geographical graph, trajectory graph and the like, and the detailed data in the analysis result can be associated with historical data query, and at least comprises the following functions:

1) the time line visualization analysis function can perform frequency, rule statistics and other functions according to time and range, and at least comprises more than four icon displays;

2) the time-space trajectory collision dynamic analysis function can dynamically display time, space trajectories and collision effects on a map according to the acquired data such as activity time, geographic coordinates, communication coordinates and the like;

3) the method comprises the following steps of performing relation network collision visual analysis, supporting more than two kinds of relation chart display, supporting single-target and multi-target import association analysis, supporting icon color customization, supporting relation data type customization analysis, and supporting automatic display of dense relation;

4) the method supports the visualized analysis of the fund record, supports the integrated analysis of fund change data, and is internally provided with more than three chart display methods;

(9) a data search module:

the method supports data search of single cases and historical cases, has a one-key search function, and can search the following data:

1) the file content searching function is that a user can input any keyword after data processing is finished, index searching is carried out, and searched results are displayed in real time;

2) the evidence obtaining result searching function is that a user can input keywords to be searched in a search box of a data browsing interface, and a system can search matched records in event content, event objects and event behaviors;

3) the contact data searching function can support searching of specific field data within a specified type of data range, such as: the user name in the history extraction data is searched for;

4) the address book association query function is used for automatically performing association retrieval on various numbers and account numbers under the data and other data by the system;

(10) the data display module:

the system is internally provided with a data graphical display module, can display evidence data results through WEB according to different preset authorities, and at least comprises the following functions:

1) evidence obtaining result display can be realized by aiming at event data extracted from a structured database during viewing, classifying according to conditions such as application types, application names, occurrence time and the like, and displaying through an original data interface;

2) the evidence obtaining accessory and the file system display interface adopt an interface style which accords with the operation habits of investigation evidence obtaining personnel to check the data content, and an analyst can mark or download the data content according to the requirement;

(11) a data depth analysis module:

by mining unknown incidence relations in a plurality of data sets, supporting distributed parallel operation and call record deep analysis, including interpersonal relation graph, single communication analysis and call attribution analysis; the method supports deep analysis of various browsing records and analysis of various transaction records;

(12) the data sensitive word analysis module:

the system supports the user to set the sensitive words, automatically analyzes the sensitive words of newly uploaded data, predicts the newly uploaded data through multiple conditions according to a built-in algorithm model in the uploaded data, and prompts inspectors to analyze and check related data in a key way; the data property can be predicted according to the sensitive word database;

(13) a communication analysis module:

the method supports analysis of the communication of three operators in different formats, and the analysis function comprises the following steps:

1) the import function supports various conventional communication data and supports direct import of different communication data of mobile, communication and telecommunication; when the communication is introduced, the common fields can be identified automatically;

2) the communication interpersonal relationship graph can be automatically maintained according to the grasped information;

3) communication details of a single suspect can be deeply analyzed;

4) the user can analyze the communication conditions among a plurality of suspects;

5) the user can analyze commonly-connected numbers among a plurality of suspects;

6) the user can analyze all the call places which appear in the communication of the suspect;

(14) bill analysis module

1) The import function supports direct import of various bills with conventional formats;

2) may pass through single or multiple account details and paths of the suspect;

3) the fund K line of the suspect can be analyzed;

4) the time and fund distribution of bills of the suspect can be analyzed;

(15) the public security evidence obtaining data storage management module comprises:

1) the data pool can be created in a user-defined mode according to the inspection and analysis requirements of a user, data can be uploaded, and the range of different data pools can be selected for data correlation analysis;

2) supporting multidimensional management, including case management, personnel management, uploading management and other different authority dimension management;

3) the system is provided with an operation log monitoring module, so that the processing process of a user and the recorded log information can be managed and traced conveniently; business function

Business logic framework

A cloud storage and retrieval analysis method for case-handling exploration evidence-taking data is based on a big data analysis idea, adopts an integral idea of combining Internet plus and informatization construction, utilizes advanced data storage, analysis and management technologies, realizes the respective functions of multiple departments, and cooperates and efficiently handles case-related data services to achieve the construction target of a novel informatization system; the design of the overall framework of the system is beneficial to the promotion of the existing case handling system and the expansion of the system later, and can keep sustainable development in the construction of software and hardware.

Description of the drawings:

FIG. 1: is four major basic principles of the advancement of system technology;

the system is based on Advanced Technology (Technology), and combines four basic principles of case investigation and evidence collection data security (Secure), data manageability (manageability), Rapid clue evidence inspection (Rapid) and Advanced Technology and concept (Advanced), so as to provide a domestic and foreign Advanced big data analysis system for users;

meanwhile, the system can fully realize the localization customization according to the actual use requirements of different users, effectively utilize the existing inspection resources and exert the maximum value of the inspection work of the investigation material evidence;

FIG. 2: the system has four core functions:

the system has four core functions; from the extraction and storage management, authority distribution management, data distributed operation management and big data application management of the case-handling survey data, the four main systems carry out unified planning management, simplify the survey evidence-obtaining analysis process, reduce the working strength, fully exert the advantage function of the survey evidence-obtaining data and play a role in actual combat;

FIG. 3: is the overall framework design of the system solution:

1) and an infrastructure layer: hardware support and network support, including network, hardware device, private line/VPN;

2) and the data center: the system comprises a case handling public security evidence obtaining data information base, a case handling self-owned information base, a data exchange component, a webpage data analysis service and a file import function;

case handling information base: including data, communication data, capital data, and basic information storage and maintenance.

3) And data exchange: the data exchange middleware realizes the functions of public information system data import, data format definition, data extraction and the like with a third party; the web page query analysis service provides a standard access and call interface;

4) and service application: social public information query, data analysis, communication/bank bill analysis, suspect portrait

5) And an information security system: the method comprises the steps of security policy, security organization, security assessment and security technology;

6) information standard/management/security system: the system comprises information, technical standards, organization mechanisms, management systems and an operation and maintenance support system;

through the implementation of the architecture, the user provides all-round information service which is adaptive to the identity and the authority of the user to different roles of a criminal case handling leader decision-making layer, case handling policemen of different departments and administrators;

FIG. 4 is an underlying data warehouse technology scenario;

(1) survey evidence data storage management system:

the data acquisition and evidence collection system comprises a data special system and a database which are extracted; the method is mainly used for extracting and storing data files, and on the other hand, standardized data can be stored; the two file systems are clustered to realize big data storage, and the query efficiency is improved through concurrent, sending, reading and fetching; compared with the traditional storage area network, the system has the advantages of low hardware requirement, capability of fully utilizing the hardware performance, capability of adapting to the use requirements of different users and capability of ensuring the full utilization and expansibility of the existing hardware system;

the system adopts a mainstream large database, and has the characteristics of high reliability, strong expansibility, high safety and convenience in customization; under the condition of fully utilizing the advantages of the solid-state storage medium, the query efficiency is far higher than that of a common database;

meanwhile, the two file systems both support a distributed operation frame, when a calculation centralized task is executed, the quick response support of the distributed frame can be obtained, and the requirements of cross-region, multi-department composite combat and quick visual analysis of mass data are fully improved;

fixed data are extracted, scheduling is carried out uniformly through Web page form service, and clear records are reserved for file access, uploading and other operations, so that standard management is facilitated; meanwhile, the Web safety bastion service isolates the direct operation of the user on the file, and further ensures the data safety; meanwhile, light-weight clients are provided for different systems, and data interfaces are provided for subsequent development; note: will provide the super administrator with direct access rights to the files;

(2) distributed system:

distributed operation is the core of the analysis system, and the system is based on a mainstream high-performance distributed computation framework, combines the characteristics of investigation and evidence obtaining unstructured data, and carries out secondary development; a distributed computing framework of a unique technology depends on a special file system, a distributed cluster consists of two parts of task management distribution and task tracking feedback, and comprises a distributed computing management engine and a distributed computing engine, so that flexible customization can be performed according to different case inspection requirements of users and case handling unit scale, and related encrypted files can be decrypted by means of a high-performance GPU acceleration technology; during the analysis, centralized traffic is computed, such as: word extraction index, regular analysis and the like are executed in a special distributed mode, and hardware resources are automatically distributed according to the multitask requirement so as to improve the efficiency to the maximum extent;

meanwhile, after the file is uploaded, the system carries out index preprocessing on the data in the background so as to accelerate the working efficiency of the system during access; thereby achieving load balance and obtaining the highest time utilization rate;

FIG. 5 is a data pre-processing flow diagram;

when the system performs data analysis, the preprocessing analysis result is fully utilized, the analysis speed is effectively accelerated, and the working efficiency is improved; meanwhile, if necessary, case handling personnel can also acquire data of the original form so as to meet the requirement of later manual analysis;

(3) the authority management system comprises:

the case basic information comprises case information, but is not limited to case numbers, case names, case creation time, belonging user groups and the like; the case owner and the system administrator can control the case access authority, only authorized case handling command layers and case handling personnel can access the case information through the system; the access, addition and deletion authorities are managed respectively; ordinary case handling personnel can inquire and report files and data, but are not allowed to modify and increase or decrease the original data, so that the case is guaranteed to be just and effective, and all data access, modification and increase or decrease are recorded into system records;

FIG. 6 is a management system architecture;

the management system structure:

case management is divided into an explicit three-layer management structure; the top view is the system owner, who has the highest management authority to manage all data and resources in the system. The second layer is a case owner view, and the management content comprises the permissions of most operations such as case creation, case data addition, case authorization management and the like; the case owner is mainly responsible for distributing specific tasks to specific responsible persons, and counting and summarizing the data of each case; the third layer is a view of the personnel handling the case, which mainly comprises: the currently allocated analysis data can be one or more; the access authority of the basic-level case handling personnel is controlled by the superior case owner, and the inquiry access authority of the detected case is generally only granted;

FIG. 7 is an application system architecture;

(4) big data investigation application system

The application layer is built on a service bus constructed by Web service and has high expansibility and language compatibility; the main application at present being B/S frameworksWeb page layout analysisA system;

according to the characteristics of Web services, all background resources are accessed and scheduled through a bus, the upgrading and the changing of any part in the system cannot cause the stop of other systems, and the hot deployment is supported to the maximum extent; different applications of the application layer completely ensure independent operation without generating mutual dependence; serverEnd dataThe work of indexing, redundancy backup and the like can be automatically scheduled and finished without user maintenance; meanwhile, new applications are deployed or new background services are configured, so that the current normal work of the system cannot be stopped;

(5) survey forensic data analysis system:

and (3) accessing survey evidence-obtaining data:

data access:

1) structured data access:

the material evidence results which are well analyzed and fixed are uploaded to distributed mass storage through a data extraction and analysis client, and unified management can be carried out on the data in an intelligent case handling analysis system;

through the customized interface, the data of the third party can be arranged, summarized and integrated, the extracted clue evidence is integrated and perfected, and the integrated clue evidence is uploaded to an intelligent case handling analysis system for unified management;

2) unstructured data import:

uploading the acquired data file to a distributed mass storage through a data analysis client, verifying the integrity of the data in the uploading process, and automatically calling a data analysis module to perform file retrieval indexing and metadata analysis after the uploading is finished;

and (3) data display:

and (3) displaying survey evidence data:

FIG. 8 is a sketch of suspect image structure:

the suspect portrait is a set of all information tags of a single suspect based on big data analysis, namely all the tags of the user are integrated by collecting and analyzing the main information of population attributes, social interaction, behavior preference and the like of the user, and the overall characteristics and outline of the user are outlined; the suspect portrait can provide key information and reference data for the personnel handling the case more accurately, and gradually becomes a convenient means for solving the case;

the suspect portrait is a figure metaphor; with the help of big data technology, more information of a suspect can be known, but due to the limitation of implementation cost and privacy protection, the portrait is not a holographic 'photograph' or 'video', is designed as required, and cannot be infinitely thinned, namely, the portrait is unrealistic to have ultrahigh 'pixels' without considering cost and requirements; in big data analysis, suspects are classified as: feature word matching, cluster analysis, judgment logic analysis and the like, and suspects can be divided into different categories according to features;

the data sources of the suspect portrait comprise site investigation, evidence obtaining data, communication, bills, third party access data and the like;

FIG. 9 is a drawing showing a suspect portrait:

content of suspect portrait display:

displaying case types, serial numbers, basic information, asset information, concerns, APP use conditions, friend adding records, interpersonal relationships, opposite sex contact, fund analysis, communication records and the like of suspected persons;

fig. 10 is a suspect image, basic information display:

displaying images and basic information of the suspect: displaying case-related images, names, sexes, ages, addresses, marital conditions, personal funds, famous assets, social security information, industrial and commercial information and the like;

fig. 11 is a diagram showing matters concerning the attention of the case personnel, fig. 11-1 is a diagram showing the use case of APP, adding a friend record,

FIG. 12 shows the interpersonal relationship, opposite sex contact, male and female contact person number, FIG. 12-1 bank message analysis,

3) FIG. 12-2 case data automated analysis;

a user logs in a system home page, and the page shows the number of cases of the user and the automatic analysis result of data in the working cases of the user; surveying evidence data, collision analysis data, communication association data, sensitive word analysis data and the like; once the user uploads the data, the user can check the related analysis data on the home page;

FIG. 13 is a case data auto-analysis display, FIG. 13-1 attachment preview display, FIG. 13-2 file system display;

surveying and obtaining evidence data: such as communication numbers, email addresses, bank accounts, identity cards and the like, and can be added according to the case handling requirements;

collision analysis data: the system automatically performs relevant collision analysis on data under the case, rapidly displays an analysis result, and can also view derived data to hide clues and evidence deep display on the case;

communication related data: the system automatically matches the new data with all historical data and displays the matching result;

sensitive word analysis data: the system automatically retrieves event data according to the set sensitive words and quickly displays retrieval results; the sensitive words can be uniformly set by an administrator;

searching for investigation and evidence obtaining data:

FIG. 14 is a file content search diagram;

1) searching file contents:

a user can input keywords to be searched in a search box of a data browsing interface, and a system can search matched records in event content, event objects and event behaviors;

FIG. 15 is a forensics results search graph;

2) and (3) evidence obtaining result searching:

FIG. 16 is a user search interface;

3) FIG. 16-1 is a contact list association query:

user' sUpload inspection materialThen, the system automatically willUnder the material to be inspectedVarious numbers, account numbers and other detected materials are subjected to associated retrieval, and once the numbers are found to be in other placesAppearance of materialDisplaying the correlation result to the user; the user can also perform secondary data query on the correlation result;

carrying out relevant collision analysis on the survey evidence data;

in order to facilitate user analysis, the system provides a plurality of chart analysis methods, including a time axis chart, a geographical chart, a track chart and the like;

FIG. 17 is a comprehensive analysis of the time line;

1) comprehensive analysis of time lines:

the message quantity of the data in different time periods is graphically displayed; each bar represents the total amount of data sent and received in the current month by an application; through the graph, all messages of a specific application at a specific time can be quickly inquired;

FIG. 18 is a communication geographical analysis diagram;

2) communication regional analysis:

the geographical map is displayed on the data record related to the telephone number by mainly using a dynamic graphical method; judging the location of the target by the investigation evidence-obtaining number, and dividing the target investigation evidence-obtaining according to regions; by clicking the target location, the table will dynamically display all the related communication target numbers and also display all the communication numbers of the communication target location;

FIG. 19 is a spatiotemporal trajectory graph analysis;

3) analyzing a space-time trajectory diagram:

the investigation and evidence-obtaining system and software record a large amount of geographical position information interacted among users, dynamically display space-time trajectory collision effect on a map according to space data such as activity time, geographical coordinates, base station coordinates and the like of the obtained data, visually display the activity condition of a target object and the collision information of multiple targets, and facilitate analysis and check of the activity rule of the target object;

FIG. 20 is a common contact ring analysis diagram, and FIG. 20-1 is a common contact mesh collision analysis diagram;

the collision target object and the data type can be quickly selected according to actual inspection requirements and displayed in different colors, so that the collision target object and the data type can be conveniently and quickly checked;

4) analyzing relation excavation collision;

an important goal of cloud data systems is: mining unknown association relationships in a plurality of data sets; by means of the parallel operation capability, the common contact among data and friends applied by social contact are obtained, powerful information is provided for data analysis and judgment, and at present, the system passes collision test of a plurality of million-level data of data in an implemented test unit; meanwhile, for the collision display interface, various display interfaces can be provided according to the use habits and the inspection requirements of the user;

FIG. 21 is a selection of association numbers in the analysis results;

5) historical data association:

finding spider silk traces from other historical case test materials, and selecting number correlation query from analysis results;

FIG. 22 is a historical data association display;

FIG. 23 is a tactical experience management;

6) managing skills and tactics experience;

the analyst can combine various tactics depth analysis in the collision analysis to mine more valuable data; comprehensive tactics, in the later updating, the experience achievements shared by the optimized users are continuously sorted, and effective analysis experience and tactics are provided for all system users;

multi-dimensional query:

the user can carry out statistical query from a plurality of dimensions according to the bill of a suspect, and the existing dimensions comprise:

FIG. 24 is a fund K-line graph;

fund K line graph:

the user analyzes the fund K line of the bank card of the suspect: monthly, daily, early-of-day, sunset, maximum, minimum, maximum-minimum fall, etc.;

a third-party data set management system:

for convenience, the third-party file data is imported and the data is extracted from the inside, so that deep analysis of various data sources is performed, and the data of other sources are uniformly incorporated into a data set for management; the user can perform collision analysis on the data set and the data, and can also query the data of the data set in event query and address list query; the data types are mainly oriented to address book data and various exploration storage media to extract data, such as: text data, OFFICE file data, various picture data, audio-video data and various types of data;

list of data sets:

the import of the subset of data is performed,

FIG. 25 is a data subset import diagram;

FIG. 26 is a graph of data subset internal extraction and collision analysis;

extracting and analyzing collision in the data subset;

an information security system;

service security requirements:

network security precaution:

the service reduces the right, and sets the right of the service to start the normal user to operate;

changing the default port;

when the corresponding page cannot be found, listing files and catalogues;

deleting the tomcat background management user name and password;

capturing and processing an error interface;

terminal protection:

the system uses Linux as an operating system for running application software; according to the characteristics of Linux, the following method is suggested to be used for setting the system:

changing the ROOT user name and the user password;

establishing an IP access strategy and forbidding unnecessary ports;

updating system patches in time;

protecting the mobile terminal;

identity authentication;

by adopting a centralized authentication technology and combining a password authentication mode and a USB Key dual authentication mode, brute force attack is effectively prevented;

logging:

the method mainly records the operation behavior and operation data of a user in the system so as to verify the operation of the user in the system, so as to ensure that the user behavior cannot be forged, destroyed and repudiated;

code decompilation protection:

performing obfuscation and compilation on the JAVA code to prevent the JAVA code from being reversely analyzed, and incompletely using JSP as a system technology implementation mode; c, performing shell protection;

copyright protection:

a USB dongle is used as a system authorization mode, so that the system program is prevented from being diffused randomly;

adopting a safe programming technology;

carrying out SQL injection attack test on the system;

performing cross-site script test on the system;

carrying out frame attack test on the system;

carrying out cookie attack test on the system;

USBKEY information leakage prevention test;

authorizing a system user based on an RBAC authority authentication model system;

security enforcement techniques for other application systems;

the following system needs to decide whether to strengthen the safety measures according to the actual requirements of users;

weak password protection system: finding out weak passwords in time, reminding corresponding clients and enhancing the authentication process;

tamper-resistant system: detecting the web Trojan attack by monitoring an application program in real time;

a search engine prevention system; preventing discovery and search by a search engine;

service disaster tolerance requirements:

a perfect data backup mechanism is established by an administrator, the database and the data of the retrieval service are backed up in time, when a hardware error or fault occurs in the system, the system can be quickly recovered according to the backup data, and the loss caused by the hardware fault is reduced;

the grade protection requires:

identity authentication

log logging

code decompilation protection:

copyright protection:

adopting a safe programming technology;

carrying out SQL injection attack test on the system;

performing cross-site script test on the system;

carrying out frame attack test on the system;

carrying out cookie attack test on the system;

USBKEY information leakage prevention test;

security enforcement techniques for other application systems;

other safety protection:

sensitive data encryption:

sensitive service data are encrypted, such as user passwords, system configuration files and the like; after the system is broken at the operating system level, the system still has good stress resistance, and the system is not easy to analyze and crack;

data volume monitoring:

monitoring the disk space of the system, and alarming in time when the disk space exceeds a threshold range;

and monitoring the data access amount and the data increment, and timely reminding when the service data access amount and the data increment exceed expectations.

Service emergency measures:

when a fault problem occurs, the fault should be well registered and timely researched and solved, and if the fault cannot be solved in more than 1 working day (24 hours), fault bulletins should be issued on the system in time.

The specific implementation mode is as follows:

a technology and a method for handling case, investigation and evidence obtaining data storage, retrieval and analysis cloud system are provided:

(2) the data mining, analyzing and series technical and tactical methods have limited functions and are purposefully developed according to case characteristics; designing various types of case handling tactical models around the handling work content, combining the technologies of unstructured text processing, big data association mining and the like, quickly depicting the attribute characteristics, social relations, behavior tracks, behavior habits, economic behaviors, images and association analysis of multi-person relations of a holder, acquiring evidences, and combining effective auxiliary handling; establishing analysis models such as communication relation person analysis, keyword analysis, class case analysis, batch comparison, track activity analysis and the like, outputting data analysis products according to actual combat requirements, and continuously improving the working capacity of case situation study and judgment;

service application mode and application scope:

Overall business process and business volume:

internal control measures:

performance requirements and other requirements:

(1) the system operation index is as follows:

Specific complex applications: the response time is not more than 30 seconds;

(2) data extraction indexes are as follows:

(3) data service index:

(4) safety service index:

(5) Configuring a system server:

(6) client configuration:

(7) data integration access tool:

(8) the data graphical analysis module:

(9) a data search module:

(10) the data display module:

(11) a data depth analysis module:

(12) the data sensitive word analysis module:

(13) a communication analysis module:

3) communication details of a single suspect can be deeply analyzed;

(14) bill analysis module

3) the fund K line of the suspect can be analyzed;

4) the time and fund distribution of bills of the suspect can be analyzed;

Business logic framework

Claims

1. A cloud storage and retrieval analysis method for case-handling, investigation and evidence-obtaining data is characterized by comprising the following steps: based on information intelligent investigation, combining with the technologies such as a distributed operation frame, a distributed file system and Web service of the mainstream of a big data analysis technology, a cloud system for storing, searching, connecting in series, analyzing and interacting big data is realized, and a simple, standard and efficient data analysis system is established; the cloud storage system provides a whole set of scheme which can serve a single case and can process cross-system and cross-region cases by combining the evidence collection function of case investigation data and the analysis thinking method of big data, and realizes the following aims:

(4) customized development;

the system ensures simple operation and convenient viewing of an interface on the premise of ensuring safe and efficient application of data, and fully improves the efficiency of the investigation personnel while ensuring easy use of the investigation personnel;

by the construction of a case-handling exploration data evidence obtaining, big data storage and fast search correlation analysis cloud system, and the acquisition and aggregation of data obtained by the evidence-taking of exploration data, an integrated and intelligent cloud data fast search correlation analysis system is formed, and comprehensive correlation analysis is carried out on the case-handling exploration evidence-taking data through related technologies such as data mining, data cleaning, big data correlation, artificial intelligence and the like, so that assistance is provided for the investigation and the deep excavation line expansion of case cases efficiently; the flow direction of security, traffic, logistics and traces is locked, and security, traffic and case-involved objects are checked and cleared by acquiring and analyzing the geographic positions of security, traffic and criminal occurrence, such as time, place, wharf, river boundary, space and the like, the composition of case-involved aircrafts, vehicles, ships and other transportation tools, case-involved personnel, group work division and other related investigation data; the criminal criminals and the gangues are locked through investigation data such as personnel communication, data and track analysis is carried out, a structural thinking guide diagram of the criminals and the gangues is formed, information of the related personnel is cleared, and criminal processes, the involved criminals, gangues core personnel and assistant personnel are found out; through the track data investigation and query, positioning data such as a navigation system installed in a vehicle used by criminals or gangs and information such as personnel communication zone bits are called, cross comparison and analysis are carried out, and criminals or gangs are researched and found out related case information; locking the capital involved in the case through capital flow direction data, analyzing the collection and payment records and data of personnel involved in the case, obtaining certificates such as receipts and receipts, effectively consolidating an evidence system, and carrying out deep digging and line expansion; the criminal crime process is verified through the voice image data, case-involved person communication information, road surface bayonet image and the like are called, integrated and analyzed, first-hand audiovisual image data of a criminal crime scene is obtained by combining technical means, and breaking through and deep digging of cases and related cases are assisted;

service application mode and application scope:

Overall business process and business volume:

internal control measures:

performance requirements and other requirements:

(1) the system operation index is as follows:

Specific complex applications: the response time is not more than 30 seconds;

(2) data extraction indexes are as follows:

(3) data service index:

(4) safety service index:

(5) Configuring a system server:

(6) client configuration:

(7) data integration access tool:

(8) the data graphical analysis module:

(9) a data search module:

(10) the data display module:

(11) a data depth analysis module:

(12) the data sensitive word analysis module:

(13) a communication analysis module:

3) communication details of a single suspect can be deeply analyzed;

(14) bill analysis module

3) the fund K line of the suspect can be analyzed;

4) the time and fund distribution of bills of the suspect can be analyzed;

3) the system is provided with an operation log monitoring module, so that the management and the tracing of the processing process of the help user are facilitated, and log information is recorded; a service function;

business logic framework