
CN114138346A - Terminal evidence obtaining method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN114138346A
Authority
CN
China
Prior art keywords
terminal
evidence obtaining
disk
forensics
boot
Prior art date
2021-11-02
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111289503.1A
Other languages
Chinese (zh)
Inventor
王盈
徐翰隆
肖新光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2021-11-02
Filing date
2021-11-02
Publication date
2022-03-04
2021-11-02 Application filed by Beijing Antiy Network Technology Co Ltd
2021-11-02 Priority to CN202111289503.1A
2022-03-04 Publication of CN114138346A
Status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/4401 Bootstrapping
    • G06F9/4406 Loading of operating system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0668 Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/0671 In-line storage system
    • G06F3/0673 Single storage device
    • G06F3/0674 Disk device
    • G06F3/0676 Magnetic disk device
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/4401 Bootstrapping
    • G06F9/4411 Configuring for operating with peripheral devices; Loading of device drivers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/10 Services
    • G06Q50/18 Legal services


Abstract

The embodiments of the invention disclose a terminal forensics method, a terminal forensics device, an electronic device and a storage medium. They relate to the technical field of computer forensics and address a problem of existing forensics methods: different computer hardware architecture types require different virtual simulation analysis software, which is inconvenient for forensic examiners. The terminal forensics method comprises importing a disk image corresponding to the terminal to be examined, configuring boot parameters, matching the kernel file corresponding to the disk image from a plurality of built-in kernel files according to the boot parameters, and starting an operating system from that kernel file to perform system simulation and obtain a forensic result. The method is suited to terminal forensics across multiple computer hardware architecture types and can improve forensic efficiency.

Description

Terminal evidence obtaining method and device, electronic equipment and storage medium

Technical Field

The invention relates to the technical field of computer forensics, in particular to a terminal forensics method and device, electronic equipment and a storage medium.

Background

A computer system retains a large amount of a user's private information, which can be used as evidence. However, there are many types of computer hardware, and pairing each with its own virtual simulation analysis software is cumbersome, which is inconvenient for forensic examiners.

Disclosure of Invention

In view of this, embodiments of the present invention provide a terminal forensics method, apparatus, electronic device, and storage medium, so as to solve the problem that different computer hardware architecture types correspond to different virtual simulation analysis software in the existing forensics method, which is inconvenient for forensics staff.

In a first aspect, an embodiment of the present invention provides a terminal forensics method, including:

importing a disk image corresponding to a terminal to be examined;

configuring boot parameters;

matching, according to the boot parameters, a kernel file corresponding to the disk image from a plurality of built-in kernel files;

and starting an operating system according to the kernel file to perform system simulation so as to obtain a forensic result.

According to a specific implementation of the embodiment of the present invention, before importing the disk image corresponding to the terminal to be examined, the method further includes:

booting the terminal to be examined from a boot disk;

and obtaining the disk image corresponding to the terminal to be examined by means of a copy command.

According to a specific implementation of the embodiment of the present invention, the method further includes:

obtaining the hard disk of the terminal to be examined;

and reading the hard disk of the terminal to be examined with a disk duplicator to export the disk image corresponding to the terminal to be examined.

According to a specific implementation of the embodiment of the present invention, the boot parameters include:

the disk image evidence number, the ID of the disk on which the image resides, the image size, the image operating system type, the image operating system instruction set and the boot mode.

Further, the boot mode includes: MBR boot mode and UEFI boot mode.

According to a specific implementation of the embodiment of the present invention, matching, according to the boot parameters, the kernel file corresponding to the disk image from a plurality of built-in kernel files includes:

matching the kernel file corresponding to the disk image according to the image operating system type.

According to a specific implementation of the embodiment of the present invention, starting the operating system according to the kernel file includes:

reading a preset memory address in the first sector of the hard disk of the forensics device;

determining whether the memory address is the same as a preset boot flag;

if so, loading the disk image corresponding to the terminal to be examined into the boot area of the boot mode;

and the boot area of the boot mode reads and writes the kernel file to complete the boot process of the operating system corresponding to the matched disk image.

In a second aspect, an embodiment of the present invention provides a terminal forensics apparatus, including:

an import module, configured to import the disk image corresponding to the terminal to be examined;

a configuration module, configured to configure boot parameters;

a matching module, configured to match, according to the boot parameters, a kernel file corresponding to the disk image from a plurality of built-in kernel files;

and a start module, configured to start an operating system according to the kernel file to perform system simulation so as to obtain a forensic result.

In a third aspect, an embodiment of the present invention provides an electronic device, which includes a shell, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in the space enclosed by the shell, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor reads the executable program code stored in the memory and runs the corresponding program in order to execute the terminal forensics method of any one of the foregoing implementations.

In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium storing one or more programs, where the one or more programs are executable by one or more processors to implement the terminal forensics method according to any one of the foregoing implementations.

According to the terminal forensics method, device, electronic device and storage medium provided by the embodiments of the present invention, a disk image corresponding to the terminal to be examined is imported, boot parameters are configured, the kernel file corresponding to the disk image is matched from a plurality of built-in kernel files according to the boot parameters, and an operating system is started from that kernel file to perform system simulation and obtain a forensic result. This solves the problem in existing forensics methods that different computer hardware architecture types require different virtual simulation analysis software, which is inconvenient for forensic examiners, and it improves forensic efficiency.

Drawings

In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.

Fig. 1 is a flowchart of a terminal forensics method according to a first embodiment of the present invention;

Fig. 2 is a flowchart of a terminal forensics method according to a second embodiment of the present invention;

Fig. 3 is a functional block diagram of a terminal forensics device according to an embodiment of the present invention;

Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.

Detailed Description

Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

The embodiment provides a terminal forensics method, which is used for solving the problem that different computer hardware architecture types correspond to different virtual simulation analysis software in the existing forensics method, so that inconvenience is brought to forensics staff.

Fig. 1 is a schematic flowchart of a terminal forensics method according to a first embodiment of the present invention. As shown in Fig. 1, the terminal forensics method of this embodiment is applied to an electronic device.

The terminal forensics method of this embodiment may include:

Step 101, importing a disk image corresponding to the terminal to be examined;

Step 102, configuring boot parameters;

Step 103, matching, according to the boot parameters, a kernel file corresponding to the disk image from a plurality of built-in kernel files;

Step 104, starting the operating system according to the kernel file to perform system simulation so as to obtain a forensic result.

In the traditional terminal forensics process, there are many types of computer hardware architecture, for example CPUs (central processing units) such as Loongson, Hygon, Phytium and Sunway, and each type corresponds to different virtual simulation analysis software, which is inconvenient for forensic examiners.

In this embodiment, a disk image corresponding to the terminal to be examined is imported, boot parameters are configured, the kernel file corresponding to the disk image is matched from a plurality of built-in kernel files according to the boot parameters, and an operating system is started from that kernel file to perform system simulation and obtain a forensic result. This solves the problem in existing forensics methods that different computer hardware architecture types require different virtual simulation analysis software, which is inconvenient for forensic examiners, and it improves forensic efficiency.

Fig. 2 is a flowchart of a terminal forensics method according to a second embodiment of the present invention. As shown in Fig. 2, the terminal forensics method of this embodiment may include:

Step 201, importing a disk image corresponding to the terminal to be examined;

In this embodiment, before importing the disk image corresponding to the terminal to be examined, the method further includes:

booting the terminal to be examined from a boot disk;

and obtaining the disk image corresponding to the terminal to be examined by means of a copy command. The copy command is, for example, the dd command.

Or,

obtaining the hard disk of the terminal to be examined;

and reading the hard disk of the terminal to be examined with a disk duplicator to export the disk image corresponding to the terminal to be examined.

Step 202, configuring boot parameters, which include, but are not limited to, the disk image evidence number, the ID of the disk on which the image resides, the image size, the image operating system type, the image operating system instruction set, and the boot mode;

In this embodiment, the boot mode includes but is not limited to: MBR (Master Boot Record) boot mode and UEFI (Unified Extensible Firmware Interface) boot mode.

The image operating system instruction set is used for virtual control after the operating system has started, so as to obtain a forensic result.

Step 203, matching the kernel file corresponding to the disk image according to the image operating system type.

The kernel files are stored in the system and can be looked up using the image operating system type as the index.

Step 204, reading a preset memory address in the first sector of the hard disk of the forensics device;

for example, the first sector of the hard disk (head 0, track 0, sector 1, the boot sector) is read into memory address 0000:7C00;

Step 205, determining whether the memory address is the same as a preset boot flag;

Step 206, if so, loading the disk image corresponding to the terminal to be examined into the boot area of the boot mode;

Step 207, the boot area of the boot mode reads and writes the kernel file to complete the boot process of the operating system corresponding to the matched disk image.

In some embodiments, after the boot parameters have been configured, the method further includes a BIOS (Basic Input Output System) power-on self-test.

If the boot mode is MBR, the boot loader program in the MBR (generally occupying 416 bytes in the first physical sector of the boot disk) locates, according to the boot parameters, the kernel file of the disk image being run in simulation, and the kernel program completes the boot process of the operating system.

In this embodiment, kernel files corresponding to a plurality of different operating systems are stored, and the kernel file corresponding to the disk image is matched according to the image operating system type, so the method can be applied to terminal forensics across different operating systems and improves forensic efficiency.

The technical solutions of the method embodiments shown in Fig. 1 and Fig. 2 can be applied to terminal forensics across different operating systems and can also improve forensic efficiency.
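Added example (not part of the patent text and not the applicant's code): a Python sketch of steps 202 to 206 that holds the six boot parameters, looks up a built-in kernel file by image operating system type, and checks the first sector before a boot is planned. It goes slightly beyond the text by cross-checking the configured image size and boot mode against the image itself. Assumptions: the "preset boot flag" is taken to be the standard 0x55AA boot-sector signature, the check is applied to the first sector of the imported image, a UEFI image is recognised by a protective-MBR partition entry of type 0xEE, and all kernel paths, operating system labels and evidence numbers are hypothetical.

```python
"""Added illustration of steps 202-206; not the patent applicant's code."""
from dataclasses import dataclass

SECTOR_SIZE = 512
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"     # assumption: this is the "preset boot flag"
PARTITION_TABLE_OFFSET = 446     # four 16-byte partition entries start here
PARTITION_ENTRY_SIZE = 16
GPT_PROTECTIVE_TYPE = 0xEE       # protective-MBR entry found on GPT/UEFI disks

# Hypothetical built-in kernel index, looked up by image OS type (step 203).
KERNEL_INDEX = {
    "example-os-a": "kernels/example-os-a.img",
    "example-os-b": "kernels/example-os-b.img",
}


class BootPlanError(ValueError):
    """Raised when the configured parameters and the image disagree."""


@dataclass(frozen=True)
class BootParams:
    """The six boot parameters listed in step 202."""
    evidence_number: str
    disk_id: str
    image_size: int        # bytes
    os_type: str
    instruction_set: str
    boot_mode: str         # "MBR" or "UEFI"


def has_boot_flag(sector: bytes) -> bool:
    """Step 205: compare the end of the first sector with the boot flag."""
    end = SIGNATURE_OFFSET + len(BOOT_SIGNATURE)
    return len(sector) >= SECTOR_SIZE and sector[SIGNATURE_OFFSET:end] == BOOT_SIGNATURE


def detect_boot_mode(sector: bytes) -> str:
    """Return "UEFI" if any partition entry is a GPT protective entry."""
    if len(sector) < SECTOR_SIZE:
        raise BootPlanError("first sector is shorter than 512 bytes")
    for index in range(4):
        entry = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        if sector[entry + 4] == GPT_PROTECTIVE_TYPE:   # byte 4 = partition type
            return "UEFI"
    return "MBR"


def match_kernel(os_type: str) -> str:
    """Step 203: index the built-in kernel files by image OS type."""
    try:
        return KERNEL_INDEX[os_type]
    except KeyError:
        raise BootPlanError(f"no built-in kernel for OS type {os_type!r}") from None


def plan_boot(image: bytes, params: BootParams) -> dict:
    """Validate the parameters against the image and return a boot plan."""
    if len(image) != params.image_size:
        raise BootPlanError("configured image size does not match the image")
    sector = image[:SECTOR_SIZE]
    if not has_boot_flag(sector):
        raise BootPlanError("boot flag missing from first sector")
    detected = detect_boot_mode(sector)
    if detected != params.boot_mode:
        raise BootPlanError(f"configured {params.boot_mode}, image looks like {detected}")
    return {
        "evidence_number": params.evidence_number,
        "kernel": match_kernel(params.os_type),
        "boot_mode": detected,
        "instruction_set": params.instruction_set,
    }


def make_image(partition_type: int, with_flag: bool = True) -> bytes:
    """Build a constructed four-sector sample image for the demonstration."""
    sector = bytearray(SECTOR_SIZE)
    sector[PARTITION_TABLE_OFFSET + 4] = partition_type
    if with_flag:
        sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = BOOT_SIGNATURE
    return bytes(sector) + bytes(3 * SECTOR_SIZE)


if __name__ == "__main__":
    image = make_image(0x83)   # constructed MBR-style image
    params = BootParams("EV-0001", "disk0", len(image),
                        "example-os-a", "x86_64", "MBR")
    print(plan_boot(image, params))
```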

Fig. 3 is a schematic structural diagram of a terminal forensics device according to a first embodiment of the present invention. As shown in Fig. 3, the device of this embodiment may include:

an import module 31, configured to import the disk image corresponding to the terminal to be examined;

a configuration module 32, configured to configure boot parameters;

a matching module 33, configured to match, according to the boot parameters, a kernel file corresponding to the disk image from a plurality of built-in kernel files;

and a start module 34, configured to start the operating system according to the kernel file to perform system simulation so as to obtain a forensic result.

In some embodiments, on the basis of the previous embodiment, the device of this embodiment further includes:

a first obtaining module 35, configured to boot the terminal to be examined from a boot disk and obtain the disk image corresponding to the terminal to be examined by means of a copy command.

a second obtaining module 36, configured to obtain the hard disk of the terminal to be examined and read it with a disk duplicator to export the disk image corresponding to the terminal to be examined.

In this embodiment, the matching module 33 is configured to:

match the kernel file corresponding to the disk image according to the image operating system type.

In this embodiment, the start module 34 is configured to:

read a preset memory address in the first sector of the hard disk of the forensics device;

determine whether the memory address is the same as a preset boot flag;

if so, load the disk image corresponding to the terminal to be examined into the boot area of the boot mode;

and the boot area of the boot mode reads and writes the kernel file to complete the boot process of the operating system corresponding to the matched disk image.

The device of this embodiment may be used to implement the technical solutions of the method embodiments shown in Fig. 1 and Fig. 2; the implementation principles and technical effects are similar and are not repeated here.

Fig. 4 is a schematic structural diagram of an embodiment of an electronic device of the present invention, which can implement the processes of the embodiments shown in Fig. 1 and Fig. 2. As shown in Fig. 4, the electronic device may include a shell 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45, wherein the circuit board 44 is arranged inside the space enclosed by the shell 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 supplies power to each circuit or device of the electronic device; the memory 43 stores executable program code; and the processor 42 reads the executable program code stored in the memory 43 and runs the corresponding program in order to execute the terminal forensics method described in any of the foregoing embodiments.

For the specific execution of the above steps by the processor 42, and for the steps the processor 42 further executes by running the executable program code, reference may be made to the description of the embodiments shown in Fig. 1 and Fig. 2, which is not repeated here.

The electronic device exists in a variety of forms, including but not limited to:

(1) Mobile communication devices: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communication. Such terminals include smart phones (e.g., iPhones), multimedia phones, feature phones, and low-end phones, among others.

(2) Mobile personal computer devices: such devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile internet access. Such terminals include PDA, MID, and UMPC devices, such as iPads.

(3) Portable entertainment devices: such devices can display and play multimedia content. This type of device includes audio and video players (e.g., iPods), handheld game consoles, e-book readers, smart toys and portable car navigation devices.

(4) Servers: devices that provide computing services, comprising a processor, a hard disk, a memory, a system bus and the like. A server is similar in architecture to a general-purpose computer, but because it must provide highly reliable services it has higher requirements for processing capacity, stability, reliability, security, scalability, manageability and the like.

(5) Other electronic devices with data interaction functions.

In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium storing one or more programs, where the one or more programs are executable by one or more processors to implement the terminal forensics method described in any of the foregoing embodiments.

It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.

In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.

For convenience of description, the above devices are described separately in terms of functional division into various units/modules. Of course, the functionality of the units/modules may be implemented in one or more software and/or hardware implementations of the invention.

It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.

The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A terminal evidence obtaining method is characterized by being applied to electronic equipment; the method comprises the following steps:

importing a disk mirror image corresponding to a terminal to be forensics;

configuring boot startup parameters;

matching a kernel file corresponding to the disk mirror image from a plurality of kernel files arranged in the disk mirror image according to the boot startup parameters;

and starting an operating system according to the kernel file to perform system simulation so as to obtain a forensics result.

2. The terminal forensics method according to claim 1, wherein before importing the disk image corresponding to the terminal to be forensics, the method further comprises:

starting the terminal to be subjected to evidence obtaining through the starting disc;

and obtaining the disk mirror image corresponding to the terminal to be subjected to evidence obtaining through a copy instruction.

3. The terminal forensics method according to claim 1, further comprising:

acquiring a hard disk of a terminal to be subjected to evidence obtaining;

and reading the hard disk of the terminal to be subjected to evidence obtaining through a disk copying machine to derive a disk mirror image corresponding to the terminal to be subjected to evidence obtaining.

4. The terminal forensics method according to claim 1, wherein the boot startup parameters include:

the disk image evidence number, the disk ID of the image, the image size, the image operating system type, the image operating system instruction set and the starting mode.

5. The terminal forensics method according to claim 4, wherein the start mode includes: MBR start-up mode and UEFI start-up mode.

6. The terminal forensics method according to claim 4, wherein the matching of the kernel file corresponding to the disk image according to the boot startup parameters from a plurality of kernel files built in the terminal comprises:

and matching a kernel file corresponding to the disk image according to the type of the image operating system.

7. The terminal forensics method according to claim 1, wherein the starting an operating system according to the kernel file includes:

reading a preset memory address in a first sector of a hard disk of a evidence obtaining device;

judging whether the memory address is the same as a preset starting mark or not;

if so, loading the disk image corresponding to the terminal to be subjected to evidence obtaining to a boot area of a starting mode;

and the boot area of the boot mode reads and writes the kernel file to finish the boot process of the operating system corresponding to the matched disk mirror image.

8. A terminal forensics device, comprising:

an import module for importing the disk image corresponding to the terminal under forensic examination;

a configuration module for configuring boot startup parameters;

a matching module for matching, according to the boot startup parameters, a kernel file corresponding to the disk image from a plurality of kernel files built into the matching module;

and a starting module for starting an operating system according to the kernel file to perform system simulation so as to obtain a forensics result.

9. An electronic device, characterized in that the electronic device comprises: a shell, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor reads the executable program code stored in the memory and runs the program corresponding to that code, so as to execute the terminal forensics method of any one of claims 1-7.

10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs which are executable by one or more processors to implement the terminal forensics method of any of the preceding claims 1-7.
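As an added illustration of claims 4 to 7 (not code from the patent or its applicant), the Python example below derives the start mode and disk ID from the first sectors of a disk image, fills in the six boot startup parameters, and matches a kernel file by operating system type. It assumes 512-byte sectors and that the preset start flag is the standard 0x55AA signature at offset 510 of sector 0; the function names, kernel file names and sample images are hypothetical.

```python
import uuid

SECTOR = 512                 # assumption: 512-byte logical sectors
START_FLAG = b"\x55\xaa"     # assumption: the preset start flag is the 0x55AA boot signature
GPT_MAGIC = b"EFI PART"      # GPT header signature at the start of LBA 1
# Hypothetical built-in kernel table; the file names are placeholders.
KERNELS = {"windows": "kernel_windows.img", "linux": "kernel_linux.img"}

def detect_start_mode(image: bytes) -> str:
    """Return 'MBR' or 'UEFI'; raise if sector 0 lacks the start flag."""
    if len(image) < 2 * SECTOR or image[510:512] != START_FLAG:
        raise ValueError("first sector does not carry the start flag")
    # Partition-type byte of each of the four MBR entries (table starts at 446).
    types = [image[446 + 16 * i + 4] for i in range(4)]
    if 0xEE in types and image[SECTOR:SECTOR + 8] == GPT_MAGIC:
        return "UEFI"        # protective MBR followed by a GPT header
    return "MBR"

def read_disk_id(image: bytes, mode: str) -> str:
    if mode == "UEFI":       # disk GUID: 16 bytes at offset 56 of the GPT header
        return str(uuid.UUID(bytes_le=image[SECTOR + 56:SECTOR + 72]))
    # 32-bit little-endian MBR disk signature at offset 440
    return f"{int.from_bytes(image[440:444], 'little'):08x}"

def build_params(image, evidence_no, os_type, instruction_set) -> dict:
    mode = detect_start_mode(image)
    return {"evidence_no": evidence_no, "disk_id": read_disk_id(image, mode),
            "image_size": len(image), "os_type": os_type,
            "instruction_set": instruction_set, "start_mode": mode}

def match_kernel(params: dict) -> str:
    kernel = KERNELS.get(params["os_type"])
    if kernel is None:       # fail closed rather than boot an unmatched kernel
        raise LookupError(f"no built-in kernel for {params['os_type']!r}")
    return kernel

def make_sample(gpt: bool) -> bytes:
    """Constructed two-sector image, for demonstration only."""
    s0, s1 = bytearray(SECTOR), bytearray(SECTOR)
    s0[440:444] = (0x1234ABCD).to_bytes(4, "little")
    s0[446 + 4] = 0xEE if gpt else 0x07
    s0[510:512] = START_FLAG
    if gpt:
        s1[0:8] = GPT_MAGIC
        s1[56:72] = uuid.UUID("01234567-89ab-cdef-0123-456789abcdef").bytes_le
    return bytes(s0 + s1)
```

In practice the image would be opened read-only and only its first two sectors read, so the evidence copy is never modified by the check.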

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111289503.1A CN114138346A (en) 2021-11-02 2021-11-02 Terminal evidence obtaining method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114138346A true CN114138346A (en) 2022-03-04

Family

ID=80392054

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111289503.1A Pending CN114138346A (en) 2021-11-02 2021-11-02 Terminal evidence obtaining method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114138346A (en)

Citations (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6687819B1 (en) * 2000-03-23 2004-02-03 International Business Machines Corporation System, apparatus and method for supporting multiple file systems in boot code
US20080065811A1 (en) * 2007-11-12 2008-03-13 Ali Jahangiri Tool and method for forensic examination of a computer
US20090288164A1 (en) * 2003-06-23 2009-11-19 Architecture Technology Corporation Digital forensic analysis using empirical privilege profiling (epp) for filtering collected data
WO2010050012A1 (en) * 2008-10-29 2010-05-06 京セラ株式会社 Camera module mounted on a car
CN103425527A (en) * 2012-05-23 2013-12-04 腾讯科技(深圳)有限公司 Multi-system switching method and switching device
CN103686147A (en) * 2013-12-03 2014-03-26 浙江宇视科技有限公司 Method and device for testing cloning of video monitoring simulation terminals
CN103678747A (en) * 2012-09-19 2014-03-26 上海华虹集成电路有限责任公司 United simulation tool suitable for multi-type CPU
CN103744710A (en) * 2014-01-24 2014-04-23 中国联合网络通信集团有限公司 Installation method and system of operating systems
KR20150044072A (en) * 2013-10-15 2015-04-24 순천향대학교 산학협력단 Digital Forensic Evidence Collection Scheme for Social Network Service Environments
CN104714846A (en) * 2013-12-17 2015-06-17 华为技术有限公司 Resource processing method, operating system and equipment
CN105335178A (en) * 2014-07-28 2016-02-17 重庆重邮信科通信技术有限公司 Startup control method and apparatus
CN105653352A (en) * 2015-12-31 2016-06-08 公安部第三研究所 Virtual simulation evidence-obtaining method for operating system
CN105824678A (en) * 2016-05-17 2016-08-03 浪潮电子信息产业股份有限公司 Method and device for installing operating system
CN106575243A (en) * 2014-07-30 2017-04-19 微软技术许可有限责任公司 Hypervisor-hosted virtual machine forensics
CN107329769A (en) * 2017-07-07 2017-11-07 郑州云海信息技术有限公司 A kind of method and apparatus for configuring bare machine server
CN110928643A (en) * 2019-11-15 2020-03-27 国网甘肃省电力公司 A method and device for deploying a power simulation system based on containerization
CN111338889A (en) * 2020-02-14 2020-06-26 奇安信科技集团股份有限公司 Evidence obtaining method, device, equipment and storage medium supporting multiple operating systems

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
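Zhang Xu (张旭): "Research on Virtual Simulation Forensics Technology for Operating Systems" (操作系统虚拟仿真取证技术研究), Computer Software and Computer Applications (计算机软件及计算机应用), vol. 12, no. 33, 25 November 2016 (2016-11-25), pages 264 - 266 *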

Similar Documents

Publication Publication Date Title
US9558016B2 (en) 2017-01-31 Platform system, method for changing support hardware configuration of universal extensible firmware interface basic input output system and computer program product
CN105912362B (en) 2019-02-26 A kind of method, apparatus and electronic equipment loading plug-in unit
CN107635078B (en) 2020-12-22 Game control method and device
CN106599680B (en) 2020-01-03 Method and device for setting application program permission and electronic equipment
CN103123605A (en) 2013-05-29 Android platform automation integration testing method and device
KR101089260B1 (en) 2011-12-02 Method and system for automatic installation of a functional unit driver on a host
CN102135893A (en) 2011-07-27 Method for integrating operating system on BIOS (Basic Input Output System) chip and starting operating system on server
CN108091333A (en) 2018-05-29 Sound control method and Related product
US20190205375A1 (en) 2019-07-04 Method for Configuring Input Method and Terminal Device
CN101826020A (en) 2010-09-08 Method for reading starting sequence of computer starting equipment
CN105512041B (en) 2018-09-25 Method and device for testing application program performance and electronic equipment
CN102135923A (en) 2011-07-27 Method for integrating operating system into BIOS (Basic Input/Output System) chip and method for starting operating system
CN114138346A (en) 2022-03-04 Terminal evidence obtaining method and device, electronic equipment and storage medium
CN109189426A (en) 2019-01-11 A kind of upgrade method, device, storage medium and electronic equipment
CN109164987A (en) 2019-01-08 A kind of control method of magnetic disc array card, device and electronic equipment
CN106557525B (en) 2020-07-28 Method and device for cleaning application program residual file and electronic equipment
CN111399926A (en) 2020-07-10 Method and device for downloading starting program
CN109408124A (en) 2019-03-01 Store equipment and preparation method thereof, operating system double mode bootstrap technique and device
CN114281321A (en) 2022-04-05 Software development fast editing method and device, electronic equipment and medium
CN112036133A (en) 2020-12-04 File saving method and device, electronic equipment and storage medium
CN108875363B (en) 2021-04-30 Method and device for accelerating virtual execution, electronic equipment and storage medium
CN108874696B (en) 2022-09-30 Automatic testing method and device for multi-authority safety storage equipment and electronic equipment
CN112631842A (en) 2021-04-09 System memory identification test method and system and electronic equipment
CN111752588A (en) 2020-10-09 Application update method and electronic device
CN111178936A (en) 2020-05-19 Advertisement display testing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
2022-03-04 PB01 Publication
2022-03-22 SE01 Entry into force of request for substantive examination