CN109710899B - File decryption and evidence collection method and device in storage medium - Google Patents

Info

Publication number: CN109710899B (application CN201811563432.8A)
Authority: CN (China)
Prior art keywords: storage medium, files, file, under, key
Legal status: Expired - Fee Related
Application number: CN201811563432.8A
Other languages: Chinese (zh)
Other versions: CN109710899A (en)
Inventors: 任风凯, 巩方志, 王季阳, 陈志浩, 崔正中, 刘利滨, 黄力娜
Current assignee: Shandong Binhai Public Security Bureau
Original assignee: Shandong Binhai Public Security Bureau
Priority date: 2018-12-20
Filing date: 2018-12-20
Publication date: 2019-05-03 (CN109710899A), 2023-07-14 (CN109710899B)

Landscapes

  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method and device for decrypting the files in a storage medium and collecting them as evidence, in the technical field of data processing. The method of decrypting and extracting the files comprises: connecting the submitted storage medium (such as a USB flash drive) to the examination workstation through a read-only interface; opening the medium under examination with tool software; exporting the folder Thumbs.dn to be decrypted, together with the mobile encryption program, to a local directory; reading the character array in the file named 117789687 under the Thumbs.dn folder; converting that array to a string using ASCII encoding; running the decryption operation on the string; saving all results of the operation in order in a new character array; and converting that array to a string using UTF-8 encoding, the result being the key. Running the mobile encryption program in the same directory as Thumbs.dn, entering the key and clicking OK makes all the original files appear in that directory. Compared with the conventional extraction method this is not only faster, but every file keeps its original file name, which preserves the integrity of the original files.

Description

File decryption and evidence collection method and device in storage medium

Technical field

The invention relates to the field of file decryption for evidence collection, and in particular to a method and device for decrypting, and collecting as evidence, the files in a storage medium whose folders have been encrypted.

Background

With the rapid development and widespread adoption of removable storage devices, the information held on storage media has become an important source of leads and evidence in criminal investigation. As offenders become more aware of counter-investigation measures, the TF cards and USB flash drives involved in cases often contain encrypted files; folder encryption is especially common in cases involving cult organizations. Decrypting, recovering and collecting such files as evidence is therefore particularly important for solving cases, maintaining social stability and combating crime.

While technically examining storage media such as TF cards, SD cards and USB flash drives, the inventors encountered a folder encryption tool that encrypts quickly (referred to below as the "mobile encryption software"). It is easy to download from the Internet and free to use. Data encrypted with it was present in several hundred exhibits across multiple cult-related cases. Examining such exhibits with the existing technique requires opening the USB flash drive or other exhibit in professional forensic software such as Forensics Master (取证大师) or X-Ways Forensics (referred to below as "X-ways") and forcibly recovering the data.

In the course of making the invention, the inventors found that the prior art has at least the following problems:

First, after an encrypted USB flash drive is recovered with X-ways or similar software, the file names cannot be obtained: forced data recovery yields files named with consecutive Arabic numerals, so the integrity of the data files cannot be guaranteed, and with a large volume of data the approximate content of a file cannot be judged from its name. Second, efficiency is low: when a large number of exhibits has to be examined, the files on the media cannot be recovered quickly.

Summary of the invention

To improve examination efficiency, ensure data integrity, and provide the commissioning unit with investigative leads and litigation evidence in good time, embodiments of the invention provide a method and device for decrypting the files in a storage medium for evidence collection.

In one aspect, a method is provided for decrypting, and collecting as evidence, the files in a storage medium; it is used to decrypt and extract the encrypted files in the medium.

The method comprises:

a connection step, in which the submitted storage medium (such as a USB flash drive) is connected to the examination workstation through a read-only interface; during examination all exhibits must be kept read-only, in accordance with the inspection regulation GB/T Electronic Evidence Data Recovery Inspection Regulations;

a copying step, in which X-ways or other tool software is used to open the medium under examination, and the folder Thumbs.dn to be decrypted and the mobile encryption program are copied to a local directory in read-only mode through the read-only interface;

a reading step, in which the key file named "117789687" (it may have another name) is located under the Thumbs.dn folder; its distinguishing feature is that it has no extension and, viewed in X-ways, its content is a run of letters and digits; the character array in the file named 117789687 under the Thumbs.dn folder is read;

a conversion step, in which the character array is converted to a string using ASCII encoding;

a decryption step, in which the string is decrypted as follows:

the string is first split into groups of two characters, since each ASCII-encoded value is two characters long;

the characters in odd positions are XORed with 5; since XOR is a bitwise operation, all characters must be converted to binary for the operation, and the missing high-order bits are padded with binary 0;

the characters in even positions are XORed with 4;

all results of the operation are stored in order in a new character array;

the array is converted to a string using UTF-8 encoding, and the result is the key;

an acquisition step, in which the mobile encryption program is run in the same directory as Thumbs.dn; a key-entry window pops up, and after the key is entered and OK is clicked, all the original files appear in that directory; this is not only fast, but every file has its original file name.

In another aspect, a device is provided for decrypting, and collecting as evidence, the files in a storage medium; it is used to decrypt and extract the encrypted files in the medium.

The device comprises:

a connection module, which connects the submitted storage medium (such as a USB flash drive) to the examination workstation through a read-only interface; during examination all exhibits must be kept read-only, in accordance with the inspection regulation GB/T Electronic Evidence Data Recovery Inspection Regulations;

a copying module, which uses X-ways or other tool software to open the medium under examination and copies the folder Thumbs.dn to be decrypted and the mobile encryption program to a local directory in read-only mode through the read-only interface;

a reading module, which locates the key file named "117789687" (it may have another name) under the Thumbs.dn folder; its distinguishing feature is that it has no extension and, viewed in X-ways, its content is a run of letters and digits; the module reads the character array in the file named 117789687 under the Thumbs.dn folder;

a conversion module, which converts the character array to a string using ASCII encoding;

a decryption module, which decrypts the string as follows:

the string is first split into groups of two characters, since each ASCII-encoded value is two characters long;

the characters in odd positions are XORed with 5; since XOR is a bitwise operation, all characters must be converted to binary for the operation, and the missing high-order bits are padded with binary 0;

the characters in even positions are XORed with 4;

all results of the operation are stored in order in a new character array;

the array is converted to a string using UTF-8 encoding, and the result is the key;

an acquisition module, which runs the mobile encryption program in the same directory as Thumbs.dn; a key-entry window pops up, and after the key is entered and OK is clicked, all the original files appear in that directory; this is not only fast, but every file has its original file name.

Brief description of the drawings

Figure 1 shows the mobile encryption program that the inventors found on an exhibit while examining it; it was later found that the software can be downloaded free of charge from the Internet.

Figure 2 is a flowchart of the file decryption method in one embodiment.

Figure 3 is a schematic structural diagram, in one embodiment, of a workstation that can run the file decryption method described in this application.

Figure 4 is a detailed flowchart of the conversion step and the decryption step in one embodiment.

Figure 5 is a structural diagram of the file decryption and extraction device in one embodiment.

Detailed description

To make the purpose, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and do not limit it.

The interface of the mobile encryption program studied in the invention is shown in Figure 1. It is a folder encryption tool that the inventors found while examining exhibits; it is present on a large number of submitted storage media, particularly in cases involving cult organizations. The embodiments are designed for this encryption tool, but the invention is not limited to it, because many similar folder encryption tools exist on the Internet and their encryption principle is the same.

During the invention process the inventors ran a large number of encryption experiments on the mobile encryption software and finally found that the Thumbs.dn folder is where the files from the folder are stored after encryption. By appending a system extension the tool changes what happens on double-click: on the inventors' computer the folder shows the printer icon from the Control Panel, and double-clicking it is like opening Printers in the Control Panel. The file structure and file sizes inside this folder are essentially the same as on the storage medium before encryption; only the file names are changed, and whether the files are exported as a whole or individually, they cannot be opened directly to view their content. By experiment, comparing the data before and after, analysing the encryption characteristics and summarizing the pattern, the inventors also found that the file "117789687" stores the ciphertext of the encrypted key, and concluded that the encryption process follows these rules:

(1) each character, once encrypted, appears as two characters in the ciphertext; (2) the same character in an odd position, or the same character in an even position, always has the same ciphertext; (3) the same character has different ciphertext depending on whether it is in an odd or an even position of the plaintext.

The mobile encryption software stores the ciphertext string in the "117789687" file, changes the extension of every data file to "mem", and hides them. The tool therefore does not encrypt the data itself; it encrypts the entered password and hides the data files. When the tool is run and the correct password is entered, all the files quickly reappear in the directory containing the encryption program. Without decryption, only the Add Printer interface is visible.

Discovering the encryption pattern by experiment is part of the invention process, and the invention is a decryption scheme designed around the encryption pattern of this mobile encryption software. It addresses the current problems of low decryption efficiency and incomplete decrypted data by technical means, and achieves the technical effect of improving examination efficiency and ensuring file integrity.

Figure 2 is a schematic structural diagram, in one embodiment, of a workstation that can run the file decryption method described in this application. In one embodiment the workstation comprises a processor, a storage medium, memory, a display screen and an input device connected by a system bus, and has a read-only interface to which removable storage media of all kinds, such as USB flash drives, SD cards and TF cards, can be connected. The input device triggers the relevant instructions according to the user's operations, and the display screen presents the relevant data to the user. The workstation's storage medium holds the software instructions that implement the data extraction method described in this application and the intermediate files produced during decryption and extraction. The processor executes these instructions, and the read-only interface reads, in read-only mode as the inspection regulation requires, the data to be decrypted from the Thumbs.dn folder on the exhibit.

In this invention the hardware described above, and especially the read-only device, is an indispensable part of the technical solution. Throughout the examination the storage medium must be kept read-only: if the data on the medium changes, its hash value changes, and the extracted data becomes illegally obtained evidence with no legal validity.

In one embodiment, the overall flowchart of a method for decrypting the files in a storage medium for evidence collection is shown in Figure 3, and the specific steps are as follows.

Step 301, the connection step: connect the submitted storage medium (such as a USB flash drive) to the examination workstation through a read-only interface. During examination all exhibits must be kept read-only in accordance with the inspection regulation GB/T Electronic Evidence Data Recovery Inspection Regulations. Keeping the medium read-only ensures that the original data on it is not altered, so its hash value does not change and it can be re-examined or examined further later.

Step 302, the copying step: use X-ways or other tool software to open the medium under examination and copy the folder Thumbs.dn to be decrypted and the mobile encryption program to a local directory in read-only mode through the read-only interface. Taking X-ways as an example, the software has an open-disk function; once the disk is open, hidden or deleted files on the medium can be viewed. By default the Thumbs.dn folder is usually hidden or deleted, so the software must be used to export the folder from the medium.

Step 303, the reading step: locate the key file named "117789687" under the Thumbs.dn folder (it may have another name; its distinguishing feature is that it has no extension and, viewed in X-ways, its content is a run of letters and digits) and read the character array in the file named 117789687 under Thumbs.dn. The "117789687" file sits in the root of the Thumbs.dn folder and holds the encrypted key, that is, the key in ciphertext form.

Step 304, the conversion step: convert the character array to a string using ASCII encoding; in C#, for example, the method is Encoding.ASCII.GetString(), which can be called directly.

Step 305, the decryption step: decrypt the string. The detailed flowchart is shown in Figure 4, and the sub-steps are as follows:

first split the string into groups of two characters; since each ASCII-encoded value is two characters long, every two characters encode one character of the key;

XOR the character groups in odd positions with 5; since XOR is a bitwise operation, all characters must be converted to binary for the operation, and the missing high-order bits are padded with binary 0;

as an example of the XOR: when the hexadecimal character 34 is XORed with 5, the binary form of 34 is 0011 0100 and the binary form of 5 is 0101, so 0101 must be padded with 0000 in front for the operation, giving 00110100 ⊕ 00000101 = 00110001, or in hexadecimal 34 ⊕ 5 = 31, where ⊕ denotes the XOR operator;

XOR the character groups in even positions with 4, likewise converting to binary form for the operation;

store all results of the operation in order in a new character array;

convert the array to a string using UTF-8 encoding; the result is the key.

Step 306, the acquisition step: in the same directory as the exported Thumbs.dn folder, run the mobile encryption program; a key-entry window pops up, and after the key is entered and OK is clicked, all the original files appear in that directory. This is not only fast, but every file has its original file name, which ensures file integrity.
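The following is an added example, not code from the patent or from any of the forensic tools it names. It implements steps 303 to 305 in Python: identifying the key file by the characteristics the description gives (no extension, content a run of hex digits), ASCII-decoding it, splitting it into two-character groups, XORing odd-position groups with 5 and even-position groups with 4, and UTF-8-decoding the result. Two things are assumptions of this example: positions are counted from 1, so the first group is "odd" (this matches the description's own 34 ⊕ 5 = 31 example for a leading "1"), and for non-ASCII passwords, which the patent does not discuss, positions are counted per UTF-8 byte. The inverse function and the SHA-256 helper are additions that make two points the description implies explicit: a fixed-mask XOR is reversible obfuscation of the password rather than encryption of the data files (rules (2) and (3) above fall out of it directly), and the exported Thumbs.dn contents can be checked against the read-only source by hash, which is the chain-of-custody point made in the hardware discussion. The sample folder contents are constructed.

```python
import hashlib
import re
from typing import Dict

# Fixed XOR masks the description reports for the tool (step 305): two-hex-digit
# groups in odd positions are XORed with 5, groups in even positions with 4.
ODD_MASK = 0x05
EVEN_MASK = 0x04

_HEX_RUN = re.compile(r"^[0-9A-Fa-f]+$")


def decode_key(key_file: bytes) -> str:
    """Steps 304-305: ASCII-decode the key file, split it into two-character
    groups, XOR each group with its positional mask, UTF-8-decode the result."""
    text = key_file.decode("ascii").strip()
    if not text or len(text) % 2 or not _HEX_RUN.match(text):
        raise ValueError("key file must be a non-empty, even-length run of hex digits")
    out = bytearray()
    for i in range(0, len(text), 2):
        # Assumption: positions are counted from 1, so the first group is "odd".
        # This matches the description's own example, 34 XOR 5 = 31, for a leading '1'.
        position = i // 2 + 1
        mask = ODD_MASK if position % 2 else EVEN_MASK
        out.append(int(text[i:i + 2], 16) ^ mask)
    return out.decode("utf-8")


def encode_key(password: str) -> str:
    """Inverse of decode_key (added here, not part of the patent). It makes rules
    (2) and (3) visible: a character always maps to the same pair at a given
    parity and to a different pair at the other parity. A fixed-mask XOR is
    reversible obfuscation of the password, not encryption of the data files.
    Assumption: for non-ASCII passwords positions are counted per UTF-8 byte."""
    return "".join(
        f"{byte ^ (ODD_MASK if position % 2 else EVEN_MASK):02X}"
        for position, byte in enumerate(password.encode("utf-8"), start=1)
    )


def looks_like_key_file(name: str, data: bytes) -> bool:
    """Step 303's identification rule: no extension, and the content is a run
    of letters and digits (here, specifically an even-length run of hex digits)."""
    if "." in name:
        return False
    try:
        text = data.decode("ascii").strip()
    except UnicodeDecodeError:
        return False
    return bool(text) and len(text) % 2 == 0 and _HEX_RUN.match(text) is not None


def recover_key(exported_thumbs_dn: Dict[str, bytes]) -> str:
    """Find the key file in an exported Thumbs.dn folder (modelled as a mapping of
    file name to content) and decode it. The patent names the file 117789687 but
    says it may be named differently, so the match is on its characteristics."""
    candidates = [n for n, d in exported_thumbs_dn.items() if looks_like_key_file(n, d)]
    if len(candidates) != 1:
        raise LookupError(f"expected exactly one key file, found {candidates}")
    return decode_key(exported_thumbs_dn[candidates[0]])


def sha256_hex(data: bytes) -> str:
    """Hash of an exhibit or of an exported copy. The description's point is that
    a changed hash means the evidence was altered; hashing the exported Thumbs.dn
    contents and the read-only source shows that the export changed nothing."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample (not from the patent): an exported Thumbs.dn folder with two
# renamed ".mem" data files and a key file holding encode_key("123456").
SAMPLE_THUMBS_DN: Dict[str, bytes] = {
    "117789687": b"343636303032",
    "report.mem": b"%PDF-1.4 (constructed placeholder content)",
    "notes.mem": b"constructed placeholder text",
}

if __name__ == "__main__":
    print(recover_key(SAMPLE_THUMBS_DN))          # 123456
    print(sha256_hex(SAMPLE_THUMBS_DN["117789687"]))
```

The `recover_key` entry point takes a plain mapping rather than a path so that it can run against an in-memory export of the folder as well as against files read from disk; in practice the examiner would build the mapping from the directory exported through the read-only interface and record `sha256_hex` of each file alongside the recovered key.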

This application also provides a file decryption and extraction device corresponding to the file decryption and extraction method above.

In one embodiment, a file decryption and extraction device decrypts and extracts files encrypted by the mobile encryption software, as shown in Figure 5; its modules are as follows.

Module 301, the connection module: connects the submitted storage medium (such as a USB flash drive) to the examination workstation through a read-only interface.

Module 302, the copying module: uses forensic software to open the medium under examination and copies the folder Thumbs.dn to be decrypted and the mobile encryption program to a local directory in read-only mode through the read-only interface. By default the Thumbs.dn folder is usually hidden or deleted, so forensic software such as X-ways must be used to export the folder from the medium.

Module 303, the reading module: locates the key file named "117789687" under the Thumbs.dn folder and reads the character array in the file named 117789687 under Thumbs.dn. The "117789687" file sits in the root of the Thumbs.dn folder and holds the encrypted key, that is, the key in ciphertext form.

Module 304, the conversion module: converts the character array to a string using ASCII encoding.

Module 305, the decryption module: decrypts the string. The detailed flowchart is shown in Figure 4, and the sub-steps are as follows:

first split the string into groups of two characters;

XOR the character groups in odd positions with 5; since XOR is a bitwise operation, all characters must be converted to binary for the operation, and the missing high-order bits are padded with binary 0;

XOR the character groups in even positions with 4, likewise converting to binary form for the operation;

store all results of the operation in order in a new character array;

convert the array to a string using UTF-8 encoding; the result is the key.

Module 306, the acquisition module: in the same directory as the exported Thumbs.dn folder, runs the mobile encryption program; a key-entry window pops up, and after the key is entered and OK is clicked, all the original files appear in that directory. This is not only fast, but every file has its original file name, which ensures file integrity.

Claims (2)

1. A method of decrypting files in a storage medium for evidence collection, the method comprising:
a connection step of connecting the storage medium under examination to the examination apparatus through a read-only interface;
a copying step of opening the storage medium under examination with electronic forensic software and copying the folder Thumbs.dn to be decrypted and the mobile encryption program to a local directory;
a reading step of locating the key file named 117789687 under the Thumbs.dn folder and reading the character array in the file named 117789687 under the Thumbs.dn folder;
a conversion step of converting the character array into a character string according to ASCII coding;
a decryption step of decrypting the character string, the specific operation being as follows:
first splitting the character string into groups of two characters;
performing an exclusive-OR operation on the odd-numbered characters with 5;
performing an exclusive-OR operation on the even-numbered characters with 4;
storing all results of the operation in order in a new character array, converting the array into a character string in UTF-8 coding, and obtaining the key as the result;
and an acquisition step of running the mobile encryption program in the same directory as Thumbs.dn, whereupon a key-entry window pops up; after the key is entered and confirmed, all the original files are present in the directory, the speed is high, the names of all the files are the original file names, and the integrity of the data files is ensured.
2. An apparatus for decrypting files in a storage medium for evidence collection, the apparatus comprising:
a connection module for connecting the storage medium under examination to the examination equipment through a read-only interface;
a copying module for opening the storage medium under examination with electronic forensic software and copying the folder Thumbs.dn to be decrypted and the mobile encryption program to a local directory;
a reading module for locating the key file named 117789687 under the Thumbs.dn folder and reading the character array in the file named 117789687 under the Thumbs.dn folder;
a conversion module for converting the character array into a character string according to ASCII coding;
a decryption module for decrypting the character string, the specific operation being as follows:
first splitting the character string into groups of two characters, an ASCII code being two characters long;
performing an exclusive-OR operation on the odd-numbered characters with 5;
performing an exclusive-OR operation on the even-numbered characters with 4;
storing all results of the operation in order in a new character array, converting the array into a character string in UTF-8 coding, and obtaining the key as the result;
and an acquisition module for running the mobile encryption program in the same directory as Thumbs.dn, whereupon a key-entry window pops up; after the key is entered and confirmed, all the original files are present in the directory, so that the speed is high, the names of all the files are the original file names, and the integrity of the data files is ensured.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811563432.8A CN109710899B (en) 2018-12-20 2018-12-20 File decryption and evidence collection method and device in storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811563432.8A CN109710899B (en) 2018-12-20 2018-12-20 File decryption and evidence collection method and device in storage medium

Publications (2)

Publication Number Publication Date
CN109710899A CN109710899A (en) 2019-05-03
CN109710899B true CN109710899B (en) 2023-07-14

Family

ID=66256872

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811563432.8A Expired - Fee Related CN109710899B (en) 2018-12-20 2018-12-20 File decryption and evidence collection method and device in storage medium

Country Status (1)

Country Link
CN (1) CN109710899B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111931205B (en) * 2020-07-24 2024-12-10 北京沃东天骏信息技术有限公司 A method and device for encrypting shader files
CN114168976A (en) * 2021-11-04 2022-03-11 广东能龙教育股份有限公司 Slice file encryption method, slice file decryption method, storage medium and electronic device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7428306B2 (en) * 2006-04-18 2008-09-23 International Business Machines Corporation Encryption apparatus and method for providing an encrypted file system
CN101651864A (en) * 2008-08-14 2010-02-17 比亚迪股份有限公司 Method for managing file in mobile terminal and mobile terminal
CN101996298A (en) * 2009-08-14 2011-03-30 鸿富锦精密工业(深圳)有限公司 Encrypting method and decrypting method corresponding to same

Also Published As

Publication number Publication date
CN109710899A (en) 2019-05-03


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20230714