Authors: 徐杰 (XU Jie); 梁广俊 (LIANG Guangjun); 徐家骐 (XU Jiaqi); 马壮 (MA Zhuang); 丁兆锟 (DING Zhaokun); 史向东 (SHI Xiangdong); 印杰 (YIN Jie) [2] (Zhangjiagang Public Security Bureau, Zhangjiagang 215600, Jiangsu, China; Department of Computer and Network Security, Jiangsu Police Institute, Nanjing 210031, China; Nanjing Tuojie Information Technology Co., Ltd, Nanjing 210001, China)
Affiliations: [1] Zhangjiagang Public Security Bureau, Zhangjiagang 215600, Jiangsu; [2] Department of Computer and Network Security, Jiangsu Police Institute, Nanjing 210031; [3] Nanjing Tuojie Information Technology Co., Ltd, Nanjing 210001
Source: Forensic Science and Technology (《刑事技术》), 2023, No. 5, pp. 459-465 (7 pages)
Funding: Science and Technology Project of the Jiangsu Provincial Public Security Department (2021LX009).
Abstract: In the on-scene investigation of telecom and online fraud dens, examining the electronic devices involved and extracting electronic data is a key step in combating this type of crime, and the on-site acquisition of memory (RAM) data is an essential part of it. The scene of a fraud den is usually complex and varied and commonly does not allow the use of large-scale forensic equipment; the devices involved are numerous and of many types, the portable acquisition tools available on site often have limited functionality, and the time available for acquisition is tight. Together these make on-site memory acquisition technically difficult. This paper surveys the memory extraction methods currently in common use and, following the relevant principles of the General Method for Collecting Electronic Evidence Data on the Spot (《电子证据数据现场获取通用方法》), studies memory acquisition at fraud-den scenes with respect to the operating systems and devices actually encountered there. First, the memory extraction methods for Windows, macOS and Linux systems in the normal running state are introduced. Then, for the harder cases, the mechanisms of operating-system hibernation and unexpected system crashes are examined, the influence of hibernation files and dump files on memory extraction is analysed, and a method for extracting memory without knowing the login password is proposed, based on DMA (direct memory access) live memory reading. Finally, drawing on the characteristics of memory extraction in den investigations, a complete on-site memory forensics scheme covering extraction methods, tools and workflow is proposed and applied to real cases, providing a reference for the investigation and evidence collection of such cases.
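The abstract notes that hibernation files and crash dump files affect what memory can still be recovered from a machine found powered off or crashed. As an added illustration, not code from the paper or its authors, the Python triage script below recognises the two Windows artefact types from their on-disk header signatures, distinguishes a hibernation file that still holds a saved session from one already consumed by a resume, and records a SHA-256 hash of each acquired file for the chain of custody. The signature values are the well-known Windows magic values rather than anything taken from the paper; the resumed-file signatures in particular vary by Windows build and are an assumption to verify against the target system, and the sample inputs are constructed byte strings, not real evidence.

```python
"""Scene triage of memory-related artefacts (added example, not the paper's code)."""
import hashlib
from typing import Dict

# Header signatures of the two Windows artefact types discussed in the abstract.
# hiberfil.sys: the first four bytes read "hibr" (Windows Vista/7) or "HIBR"
# (Windows 8 and later) while the file holds a saved session. After a successful
# resume Windows overwrites the first page and the signature reads "wake" (older
# versions) or "RSTR" (newer versions). The exact set varies by Windows build;
# this list is an assumption to check against the system actually seized.
HIBERFIL_ACTIVE = (b"hibr", b"HIBR")
HIBERFIL_RESUMED = (b"wake", b"RSTR")
# Kernel crash dumps (MEMORY.DMP): "PAGE" followed by "DUMP" (32-bit) or "DU64" (64-bit).
CRASHDUMP_32 = b"PAGEDUMP"
CRASHDUMP_64 = b"PAGEDU64"


def classify_memory_artifact(header: bytes) -> str:
    """Classify a candidate file from its leading bytes.

    "unknown" covers raw images (e.g. a LiME or WinPmem dump), which carry no
    magic value and must be identified from the acquisition context instead.
    """
    if len(header) < 4:
        return "too short"
    if header[:4] in HIBERFIL_ACTIVE:
        return "hibernation file (active session: contents usable)"
    if header[:4] in HIBERFIL_RESUMED:
        return "hibernation file (resumed: first page overwritten, contents may be stale)"
    if header[:8] == CRASHDUMP_64:
        return "crash dump (64-bit)"
    if header[:8] == CRASHDUMP_32:
        return "crash dump (32-bit)"
    return "unknown"


def acquisition_record(name: str, data: bytes) -> Dict[str, object]:
    """Build a chain-of-custody record: classification, size and SHA-256.

    Hashing the acquired image at the scene, before any analysis, is standard
    forensic practice so that later working copies can be shown to be unaltered.
    """
    return {
        "name": name,
        "kind": classify_memory_artifact(data[:8]),
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed sample inputs (not real evidence): a header padded with zeros.
SAMPLES = {
    "hiberfil.sys": b"HIBR" + b"\x00" * 4092,
    "hiberfil_old.sys": b"wake" + b"\x00" * 4092,
    "MEMORY.DMP": b"PAGEDU64" + b"\x00" * 4088,
    "physmem.raw": b"\x00" * 4096,
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        rec = acquisition_record(fname, blob)
        print(f"{rec['name']:<18} {rec['kind']:<72} {rec['size']:>6} B  sha256={rec['sha256'][:16]}...")
```

In practice the first 8 bytes of each candidate file are read from the acquired copy (never from the live disk once imaging has begun), and the full hash is computed over the image file as written, so the record ties the classification to exactly the bytes that left the scene.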