Supervised by: Ministry of Justice of the People's Republic of China
Sponsored by: Academy of Forensic Science (司法鉴定科学研究院)
ISSN 1671-2072  CN 31-1863/N

2013, Issue (2): 76-79.

• Forensic Practice •

Acquiring Digital Evidence from Network Transmission Data Structures in Memory

冯永旭   

  1. Tibet Police College (西藏警官高等专科学校)
  • Received: 2013-04-02  Revised: 2013-02-01  Published: 2013-03-15  Online: 2013-04-02
  • Corresponding author: 冯永旭

Abstract (translated): In digital forensic practice, acquiring the IP addresses, port numbers, MAC addresses and corresponding process information involved in a suspect's network transmissions helps to reveal the suspect's network crimes comprehensively and in depth. Based on the concrete in-memory formats of four data structures, the IPv4 header, sockaddr_in, _TCPT_OBJECT and the Ethernet V2 MAC frame, this paper summarizes the characteristic keywords (signatures) used to locate the related structures, illustrates through examples the method for extracting digital evidence of network transmission, and explains the specific techniques and precautions involved. Digital forensic practice shows the method to be accurate and efficient.

Keywords: RAM, data structure, IPv4 header, sockaddr_in, _TCPT_OBJECT, MAC frame

Abstract: In computer forensics practice, acquiring the IP addresses, port numbers, MAC addresses and process IDs involved in a suspect's network transmissions is very helpful for revealing network crimes. Based on the in-memory structures of the IPv4 header, sockaddr_in, _TCPT_OBJECT and the Ethernet V2 MAC frame, this paper summarizes the characteristic signatures for locating the related structures in RAM and illustrates, by example, the method for acquiring digital evidence of network transmission. The specific techniques and precautions are elaborated as well. The method has proved accurate and efficient in real digital investigations.
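The abstract describes locating network structures in a memory image by their characteristic byte signatures. The following is an added example, not code from the paper, that carves three of the four structures named above (the IPv4 header, the x86 sockaddr_in record and the Ethernet V2 frame) from a raw buffer; _TCPT_OBJECT is omitted because its layout is specific to the Windows kernel version. The signatures used are the ones implied by the structures themselves (0x45 for an IPv4 header with a 5-word IHL, AF_INET followed by eight zero padding bytes for sockaddr_in, EtherType 0x0800 followed by an IPv4 header for a frame); the IPv4 header checksum is the check that separates real headers from coincidental bytes. The memory image is constructed inline and all addresses and MACs in it are made up.

```python
import socket
import struct
from typing import List, NamedTuple, Optional


class IPv4Hit(NamedTuple):
    offset: int
    src: str
    dst: str
    proto: int
    sport: int  # 0 when the protocol carries no ports (e.g. ICMP)
    dport: int


class SockaddrHit(NamedTuple):
    offset: int
    addr: str
    port: int


class FrameHit(NamedTuple):
    offset: int
    src_mac: str
    dst_mac: str
    ip: IPv4Hit


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when a header's own checksum field is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _parse_ipv4(buf: bytes, off: int) -> Optional[IPv4Hit]:
    """Accept a 20-byte IPv4 header at off only if version/IHL, protocol and checksum all agree."""
    if off + 24 > len(buf) or buf[off] != 0x45:
        return None
    hdr = buf[off:off + 20]
    total_len = struct.unpack("!H", hdr[2:4])[0]
    proto = hdr[9]
    if total_len < 20 or proto not in (1, 6, 17) or ipv4_checksum(hdr) != 0:
        return None
    sport = dport = 0
    if proto in (6, 17):  # TCP and UDP headers both begin with source/destination port
        sport, dport = struct.unpack("!HH", buf[off + 20:off + 24])
    return IPv4Hit(off, socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]), proto, sport, dport)


def _scan(buf: bytes, sig: bytes):
    """Yield every offset at which the signature bytes occur."""
    off = buf.find(sig)
    while off != -1:
        yield off
        off = buf.find(sig, off + 1)


def carve_ipv4(buf: bytes) -> List[IPv4Hit]:
    """Signature 0x45 (IPv4, 5-word header); the checksum rejects almost every false hit."""
    return [h for h in (_parse_ipv4(buf, o) for o in _scan(buf, b"\x45")) if h]


def carve_sockaddr_in(buf: bytes) -> List[SockaddrHit]:
    """x86 layout: sin_family AF_INET=2 little-endian, sin_port/sin_addr in network order, sin_zero[8]."""
    hits = []
    for off in _scan(buf, b"\x02\x00"):
        rec = buf[off:off + 16]
        if len(rec) == 16 and rec[8:] == bytes(8) and rec[4:8] != bytes(4):
            port = struct.unpack("!H", rec[2:4])[0]
            if port:
                hits.append(SockaddrHit(off, socket.inet_ntoa(rec[4:8]), port))
    return hits


def carve_frames(buf: bytes) -> List[FrameHit]:
    """Ethernet V2: dst MAC(6) src MAC(6) EtherType(2); 0x0800 followed by a valid IPv4 header."""
    hits = []
    for off in _scan(buf, b"\x08\x00\x45"):
        ip = _parse_ipv4(buf, off + 2) if off >= 12 else None
        if ip:
            hits.append(FrameHit(off - 12, buf[off - 6:off].hex(":"), buf[off - 12:off - 6].hex(":"), ip))
    return hits


def _ipv4_header(src, dst, proto, payload_len, ident=0x1234, ttl=64) -> bytes:
    """Build a valid 20-byte IPv4 header (DF flag set) for the constructed sample image."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_sample_image() -> bytes:
    """Constructed memory buffer: filler around one frame, one bare IPv4/UDP header and one sockaddr_in."""
    filler = bytes(range(256))  # contains a lone 0x45 byte that must be rejected by the checksum/proto check
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1, 1, 0x50, 0x18, 0xFFFF, 0, 0)
    frame = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
             + _ipv4_header("192.168.1.10", "93.184.216.34", 6, len(tcp)) + tcp)
    udp = struct.pack("!HHHH", 51234, 53, 8, 0)
    bare = _ipv4_header("10.0.0.5", "8.8.8.8", 17, len(udp), ident=1, ttl=128) + udp
    sa = struct.pack("<H", 2) + struct.pack("!H", 443) + socket.inet_aton("93.184.216.34") + bytes(8)
    return filler + frame + filler + bare + filler + sa + filler


if __name__ == "__main__":
    image = build_sample_image()
    for hit in carve_frames(image) + carve_ipv4(image) + carve_sockaddr_in(image):
        print(hit)
```

On a real image the carvers take the whole dump (or the pages of one process) as `buf`; the per-hit offset is what lets the examiner tie a hit back to the owning process through the page tables, which is how the process information the abstract mentions is recovered.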