一种基于闪存物理镜像的FAT文件系统重组方法
|
摘要
文件系统重组是闪存设备取证研究进行数据恢复的主要手段.传统的文件系统重组方法需要同时获取闪存设备在同一时刻的逻辑镜像和物理镜像,该条件在取证实践中常常难以满足,故提出一种仅依赖闪存物理镜像重组文件分配表(FAT)文件系统的方法.在引入统计分析法从物理镜像中提取逻辑地址字段和页状态字段的基础上,给出利用最新页状态值准确重组闪存设备最新FAT文件系统镜像的算法.最后以MTK6229闪存设备物理镜像的FAT文件系统重组过程为例,验证上述重组算法及相关方法是正确的.
The file system reconstruction is an effective way of recovering the forensic data from Flash memory.However,the traditional reconstruction methods need a precondition that is there are both the logical image and the physical image of flash memory at the same time and that is usually not satisfied in practice.In this paper,we propose a method for reconstructing the File Allocation Table(FAT) file system of Flash device when only a physical image of Flash memory is acquired.After introducing the statistical methods to identify the logical address bytes and the page state byte from the physical image,we propose the new algorithm to reconstruct the newest FAT file system which is based on the newest value of the page state.At last,take the special flash devices with MTK6229 controllers as examples,we expound the methods related to reconstructing the FAT file system and verify the reconstruction algorithm.
The file system reconstruction is an effective way of recovering the forensic data from Flash memory.However,the traditional reconstruction methods need a precondition that is there are both the logical image and the physical image of flash memory at the same time and that is usually not satisfied in practice.In this paper,we propose a method for reconstructing the File Allocation Table(FAT) file system of Flash device when only a physical image of Flash memory is acquired.After introducing the statistical methods to identify the logical address bytes and the page state byte from the physical image,we propose the new algorithm to reconstruct the newest FAT file system which is based on the newest value of the page state.At last,take the special flash devices with MTK6229 controllers as examples,we expound the methods related to reconstructing the FAT file system and verify the reconstruction algorithm.
引文
[1]许榕生.我国数字取证技术研究的十年回顾[J].计算机安全,2011,3:17-19.Xu Rongsheng.Decade review of digital forensic research[J].Computer Security,2011,3:17-19.(in Chinese)
[2]丁丽萍,王永吉.计算机取证的相关法律技术问题研究[J].软件学报,2005,16(2):260-273.Ding Liping,WangYongji.Study on relevant law andtechnolo-gy issues about computer forensics[J].Journal of Software,2005,16(2):260-273.(in Chinese)
[3]陈龙,娄晓会,王国胤.基于有限射影几何的细粒度数据完整性检验方法[J].电子学报,2011,39(12):2850-2855.Chen Long,Lou Xiaohui,Wang Guoyin.An integrity checkmethod for fine-grained data based on finite projective geometry[J].Acta Electronica Sinica,2011,39(12):2850-2855.(inChinese)
[4]孙国梓,耿伟明,陈丹伟,申涛.基于可信概率的电子数据取证有效性模型[J].计算机学报,2011,34(7):1262-1274.Sun Guozi,Geng Weiming,Chen Danwei,Shen Tao.One va-lidity model of digital data forensics based on trusted probabil-ity.Chinese Journal of Computers,2011,34(7):1262-1274.(in Chinese)
[5]王文奇,苗凤君,潘磊,张书钦.网络取证完整性技术研究[J].电子学报,2010,38(11):2529-2534.Wang Wenqi,Miao Fengjun,Pan Lei,Zhang Shuqin.The re-search on integrity of network-based forensic[J].Acta Elec-tronica Sinica,2010,38(11):2529-2534.(in Chinese)
[6]钟巍,孔祥维,尤新刚,王波.基于态函数的离散分数余弦倒谱变换在取证话音信息隐藏中的应用[J].电子学报,2012,40(3):595-599.Zhong Wei,Kong Xiangwei,You Xingang,Wang Bo.Forensicspeech information hiding using fractional cosine-cepstrumtransform[J].Acta Electronica Sinica,2012,40(3):595-599.(in Chinese)
[7]Shafik G,Punja,Richard P.Mislan.Mobile device analysis[J].Small Scale Digital Device Forensics Journal,2010,2(1):1-15.
[8]Vrizlynn L L Thing,Kian-Yong Ng,Ee-Chien Chang.Livememory forensics of mobile phones[J].Digital Investigation,2010,7(1):74-82.
[9]易凌鹰.基于闪存数据恢复的计算机取证技术的研究与实现[D].北京:北京邮电大学硕士学位论文,2009,6.Yi Lingying.Research and implementation of computer foren-sicstechnology based on data recovery from flash memory[D].Beijing:Beijing University of Post and Telecommunications ofChina,2009,6.(in Chinese)
[10]Marcel B,Martien DJ.Forensic data recovery from flashmemory[J].Small Scale Digital Device Forensic,2007,1(1):1-17.
[11]C.Klaver.Windows mobile advanced forensics[J].Journal ofDigital Investigation,2010,6:147-167.
[12]肖腾,许榕生.基于差异度的JPEG碎片重组方法[J].计算机工程,2011,37(10):263-265.Xiao Teng,Xu Rongsheng.Reassembling method for JPEGfragment based on degree of difference[J].Computer Eng-ineering,2011,37(10):263-265.(in Chinese)
[13]Scott Hand,Zhiqiang Lin,Guofei Gu etc.Bin-carver:automat-ic recovery of binary executable files[J].Digital Investiga-tion,2012,9:s108-s117.
[14]时正,纪金松,陈香兰,等.一种基于差分进化的Flash文件系统垃圾回收算法[J].电子学报,2011,39(2):280-284.Shi Zheng,Ji Jin-song,Chen Xiang-lan,Gong Yu-chang.Agarbage collection algorithm for flash file system based on dif-ferential evolution[J].Acta Electronica Sinica,2011,39(2):280-284.(in Chinese).
[15]Shiffler R E.Maximum Z score and outliers[J].The Amer-ican Statistician,1988,42(1):79-80.
[16]Steven J P.Intermediate Statistics:A Modern Approach[M].Hillsdale,New Jersey:Lawrence Erlbaum Associates,1990.456-502.
[2]丁丽萍,王永吉.计算机取证的相关法律技术问题研究[J].软件学报,2005,16(2):260-273.Ding Liping,WangYongji.Study on relevant law andtechnolo-gy issues about computer forensics[J].Journal of Software,2005,16(2):260-273.(in Chinese)
[3]陈龙,娄晓会,王国胤.基于有限射影几何的细粒度数据完整性检验方法[J].电子学报,2011,39(12):2850-2855.Chen Long,Lou Xiaohui,Wang Guoyin.An integrity checkmethod for fine-grained data based on finite projective geometry[J].Acta Electronica Sinica,2011,39(12):2850-2855.(inChinese)
[4]孙国梓,耿伟明,陈丹伟,申涛.基于可信概率的电子数据取证有效性模型[J].计算机学报,2011,34(7):1262-1274.Sun Guozi,Geng Weiming,Chen Danwei,Shen Tao.One va-lidity model of digital data forensics based on trusted probabil-ity.Chinese Journal of Computers,2011,34(7):1262-1274.(in Chinese)
[5]王文奇,苗凤君,潘磊,张书钦.网络取证完整性技术研究[J].电子学报,2010,38(11):2529-2534.Wang Wenqi,Miao Fengjun,Pan Lei,Zhang Shuqin.The re-search on integrity of network-based forensic[J].Acta Elec-tronica Sinica,2010,38(11):2529-2534.(in Chinese)
[6]钟巍,孔祥维,尤新刚,王波.基于态函数的离散分数余弦倒谱变换在取证话音信息隐藏中的应用[J].电子学报,2012,40(3):595-599.Zhong Wei,Kong Xiangwei,You Xingang,Wang Bo.Forensicspeech information hiding using fractional cosine-cepstrumtransform[J].Acta Electronica Sinica,2012,40(3):595-599.(in Chinese)
[7]Shafik G,Punja,Richard P.Mislan.Mobile device analysis[J].Small Scale Digital Device Forensics Journal,2010,2(1):1-15.
[8]Vrizlynn L L Thing,Kian-Yong Ng,Ee-Chien Chang.Livememory forensics of mobile phones[J].Digital Investigation,2010,7(1):74-82.
[9]易凌鹰.基于闪存数据恢复的计算机取证技术的研究与实现[D].北京:北京邮电大学硕士学位论文,2009,6.Yi Lingying.Research and implementation of computer foren-sicstechnology based on data recovery from flash memory[D].Beijing:Beijing University of Post and Telecommunications ofChina,2009,6.(in Chinese)
[10]Marcel B,Martien DJ.Forensic data recovery from flashmemory[J].Small Scale Digital Device Forensic,2007,1(1):1-17.
[11]C.Klaver.Windows mobile advanced forensics[J].Journal ofDigital Investigation,2010,6:147-167.
[12]肖腾,许榕生.基于差异度的JPEG碎片重组方法[J].计算机工程,2011,37(10):263-265.Xiao Teng,Xu Rongsheng.Reassembling method for JPEGfragment based on degree of difference[J].Computer Eng-ineering,2011,37(10):263-265.(in Chinese)
[13]Scott Hand,Zhiqiang Lin,Guofei Gu etc.Bin-carver:automat-ic recovery of binary executable files[J].Digital Investiga-tion,2012,9:s108-s117.
[14]时正,纪金松,陈香兰,等.一种基于差分进化的Flash文件系统垃圾回收算法[J].电子学报,2011,39(2):280-284.Shi Zheng,Ji Jin-song,Chen Xiang-lan,Gong Yu-chang.Agarbage collection algorithm for flash file system based on dif-ferential evolution[J].Acta Electronica Sinica,2011,39(2):280-284.(in Chinese).
[15]Shiffler R E.Maximum Z score and outliers[J].The Amer-ican Statistician,1988,42(1):79-80.
[16]Steven J P.Intermediate Statistics:A Modern Approach[M].Hillsdale,New Jersey:Lawrence Erlbaum Associates,1990.456-502.