摘要
为了解决计算机取证中Ext4文件系统的数据恢复问题,提出了一种基于文件头尾特征元数据Extent重构的恢复方法。在Extent树完整性遭到破坏的情况下提出了重构的方法,通过扫描磁盘扇区定位文件头尾特征所在的磁盘位置,确定文件大小,并根据ext4_extent_header中魔数信息实现对Extent的重建,进而实现对文件的恢复。实验结果表明,经该方法设计的软件在文件恢复的时间效率和成功率方面有了较大的提高。
In order to realize Ext4 file system data recovery in computer forensics, this paper propo- ses a recovery method based on extent reconstruction of head and foot feature metadata. In the con- text of Extent tree integrity damage, an Extent reconstruction method is proposed. By scanning the disk sector, the head and tail characteristics of the file could be located and the file size could be determined. Then, the ext4_exteut_header magical number is utilized to reconstruct Extent and re- cover file completely. Experimental results show that the software designed by the recovery method can improve evidently the time efficiency and success rate.
出处
《信息工程大学学报》
2017年第1期98-102,共5页
Journal of Information Engineering University
基金
国家自然科学基金资助项目(60903220)
