Abstract
Because Windows is a closed operating system, documentation on its NTFS file system is scarce, and the core technology of its driver has received little attention, which has greatly hindered research. However, by reverse engineering the Windows kernel and tracing it under a debugger, its operating mechanisms and scheduling methods can be readily uncovered, pointing the way for future related work. Using two-machine debugging, this paper fully reveals the NTFS space reallocation strategy, which will have a positive impact on the electronic forensics and information security industries.
Source
《计算机科学》
CSCD
Peking University Core Journal
2015, Issue B10, pp. 92-94, 98 (4 pages)
Computer Science