| 基于内存中的网络传输数据结构获取电子数据 |
| |
| 引用本文: | 冯永旭,罗文华,司洪黎. 基于内存中的网络传输数据结构获取电子数据[J]. 中国司法鉴定, 2013, 0(2): 76-79 |
| |
| 作者姓名: | 冯永旭 罗文华 司洪黎 |
| |
| 作者单位: | 1. 西藏警官高等专科学校,西藏拉萨,850003
2. 中国刑事警察学院,辽宁沈阳,110854 |
| |
| 摘 要: | 电子数据取证实践中,获取嫌疑人进行网络信息传输涉及的IP地址、端口号、MAC地址以及对应进程信息,有助于全面深入揭示嫌疑人网络犯罪行为。基于IPv4首部、sockaddr_in、_TCPT_OBJECT、Ethernet V2标准MAC帧等四种数据结构于内存中的具体格式,归纳总结用于定位相关结构的特征关键字,同时通过实例说明提取网络传输电子证据的方法,并对过程中涉及的具体技术与注意事项予以阐述。电子数据取证实践证明,所述方法准确高效。
|
| 关 键 词: | 内存 数据结构 IPv4首部 sockaddr_in _TCPT_OBJECT MAC帧 |
Acquisition of Digital Evidence from the Data Structure of Network Transmission in RAM |
| |
| Feng Yong-xu,Luo Wen-hua,Si Hong-li. Acquisition of Digital Evidence from the Data Structure of Network Transmission in RAM[J]. Chinese Journal of Forensic Sciences, 2013, 0(2): 76-79 |
| |
| Authors: | Feng Yong-xu Luo Wen-hua Si Hong-li |
| |
| Affiliation: | 1.Tibet Police College,Lasa 850003,China;2.China Criminal Police University,Shenyang 110854,China) |
| |
| Abstract: | In the practice of computer forensics,it is very helpful to acquire the information of IP address,port number,MAC address and PID for revealing network crimes.Based on the structures of head of IPv4,sockaddr_in,_TCPT_OBJECT and MAC frame in RAM,this paper concluded the characteristic signatures for locating the related structure in RAM,and illustrated the method for acquiring the digital evidence from network transmission by examples.The specific techniques and precautions were elaborated as well.The method is proved to be accurate and efficient in the real digital investigation. |
| |
| Keywords: | RAM data structure head of IPv4 sockaddr_in _TCPT_OBJECT MAC frame |
| 本文献已被 维普 万方数据 等数据库收录! |
|
