
Research on Data Recovery Methods for NTFS-Formatted Storage Devices (cited by: 3)

Methods for File Recovery on NTFS File System
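Abstract (translated from the Chinese) Objective: To study three data recovery methods for NTFS storage devices, and to test and compare their recovery results, in support of digital evidence examination. Methods: On the same NTFS storage device, self-designed NTFS log inspection software was used to test recovery based on the NTFS log file, the quick scan function of Final Data was used to test recovery based on MFT records, and the full scan function of Final Data was used to test recovery based on characteristic values stored in file headers. The recovery results of the three methods were compared and their recovery principles analyzed. Results: Recovery based on the NTFS log and on MFT records recovered more complete information and took less time, but is not suitable for files deleted a relatively long time ago. Recovery based on file-header characteristic values can recover files deleted a relatively long time ago, but it takes a long time, cannot recover information such as file name and creation time, and cannot effectively recover files stored non-contiguously. Conclusion: Combining the three methods according to the actual situation can recover data effectively.

Abstract (English, as published) Objective: In practice, files often go unrestored because of incorrect recovery tools and/or varied restoring methods. In this paper, three data recovery modes used with NTFS storage devices were analyzed and their effects were tested and compared. Methods: For the same NTFS storage device, we used NTFS log inspection software developed from previous research to test the recovery choice based on the NTFS log file, utilized the quick scan function of Final Data to test the recovery choice based on MFT, and used the full scan function of Final Data to test the recovery choice based on characteristic value. Finally, we compared the effect of the three choices and analyzed their recovery principles. Results: The recovery choices based on the NTFS log file and MFT could obtain comprehensive information but were not suitable for files deleted long before. Though the recovery choice based on characteristic value performed poorly at restoring non-contiguous files, file names and file creation times, it could restore files deleted long before, albeit at the cost of time. Conclusions: The three methods can be applied in casework through their integrated use.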
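Author: Xu Guotian (徐国天)
Source: Forensic Science and Technology (《刑事技术》), 2015, No. 1, pp. 55-58 (4 pages)
Funding: Ministry of Public Security research program projects (No. 2014JSYJB033, No. 2014YYCXXJXY055); Liaoning Province Education Science "Twelfth Five-Year" Plan project (No. JG14db440)
Keywords: digital forensics; NTFS; $LogFile; MFT; characteristic value; restoration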