Method and system for Trojan network communication detecting and evidence obtaining

Abstract

The invention discloses a method for Trojan network communication detecting and evidence obtaining. The method comprises the steps of receiving an evidence obtaining instruction submitted by a user and receiving input from the user, wherein the input is a Trojan process ID number needing to be monitored; capturing a network data package in computer network communication process from a network card layer in real time according to the evidence obtaining instruction to generate computer network data package files; capturing network linking information under the monitored Trojan process ID number of the user from a transmission-network layer to generate network communication linking information files of the monitored Trojan process; filtering out network data package files, only related to the monitored Trojan process, of the monitored Trojan process by enabling the computer network data package files to be controlled by the network communication linking information of the monitored Trojan process. The method can solve the technical problems that through the existing network communication evidence obtaining technology, a Trojan can not be exactly related to data packages sent out or received by the Trojan, or data packages sent in or sent out by the Trojan can not be presented in the mode of a complete file of an application layer.

Description

technical field [0001] The invention belongs to the field of computer network communication evidence collection for computer information security, and more specifically relates to a Trojan horse network communication detection and evidence collection method and system Background technique [0002] At present, network communication forensics technology mainly relies on the interception of data packets at the network card layer, and analyzes the communication link address (source IP, destination IP, source port, destination port) and data packet load to determine the source of the communication link. Whether the address or destination is reliable and whether the data packet payload involves user privacy, etc. Although this kind of analysis can determine to a certain extent whether the computer is threatened by intrusion, it is impossible to accurately locate the process that transfers malicious files from the outside to the computer or transfers sensitive files from the comput...

AI Technical Summary

Problems solved by technology

[0004] Aiming at the above defects or improvement needs of the prior art, the present invention provides a Trojan horse network communication detection and evidence collection method and system, the purpose of which is to solve the problem that the existing network communication forensics technology cannot separate the Trojan horse from the data sent or received by the Trojan horse. Packet association, or the technical problem of not being able to present Trojan horse incoming or outgoing data packets in the form of a complete file at the application layer, through the association of Trojan horses with data packets, and the reassembly of incoming or outgoing data packets into application layer files The complete document enables the evidence collection method of the present invention to have the subject-specific orientation of the evidence and the intuitive certainty of the evidence, and finally provide a logical chain of evidence with the subject-specific orientation that is accurate, reliable and intuitive, making the criminal behavior undeniable

Images