摘要
电子数据取证实践中,获取嫌疑人进行网络信息传输涉及的IP地址、端口号、MAC地址以及对应进程信息,有助于全面深入揭示嫌疑人网络犯罪行为。基于IPv4首部、sockaddr_in、_TCPT_OBJECT、Ethernet V2标准MAC帧等四种数据结构于内存中的具体格式,归纳总结用于定位相关结构的特征关键字,同时通过实例说明提取网络传输电子证据的方法,并对过程中涉及的具体技术与注意事项予以阐述。电子数据取证实践证明,所述方法准确高效。
In the practice of computer forensics,it is very helpful to acquire the information of IP address,port number,MAC address and PID for revealing network crimes.Based on the structures of head of IPv4,sockaddr_in,_TCPT_OBJECT and MAC frame in RAM,this paper concluded the characteristic signatures for locating the related structure in RAM,and illustrated the method for acquiring the digital evidence from network transmission by examples.The specific techniques and precautions were elaborated as well.The method is proved to be accurate and efficient in the real digital investigation.
出处
《中国司法鉴定》
2013年第2期76-79,共4页
Chinese Journal of Forensic Sciences