基于介质存储结构的数据恢复技术研究
|
摘要
信息和各种数据是当今信息社会最为宝贵的财富,重要数据的丢失或破坏往往会造成难以弥补的损失。如何最大程度的获得已丢失、已破坏的数据或电子犯罪证据,就成了本文所要探讨的问题。
本文围绕各类文件数据的完整恢复和分区恢复的相关理论及其技术进行了一些研究,得到了一些结果,主要概括如下:
1.概述了国内外数据恢复技术的研究进展情况,简要介绍了磁介质存储原理,分析了主流分区和文件系统结构。
2.研究了各类文件存储结构,分析了国内外各类数据恢复软件对文件和分区的恢复能力及其优点和缺点。
3.针对传统数据恢复软件无法完整恢复目录或主文件表损坏等情况下被损数据的不足,给出基于NTFS数据流属性、模式匹配的文件级数据恢复算法和残缺复合文档的恢复方案,实验表明这些算法和方案能够有效恢复部分极端数据灾难下的数据。
4.针对传统分区恢复软件无法有效恢复多次破坏或覆盖等情况下被损分区链的不足,提出一套较为完整的分区表规则,并给出基于该规则的分区定位算法和分区表项计算工具,测试与分析结果表明该方法能有效解决MBR、EBR和DBR等破坏后的分区恢复。
Information and various data are the most valuable riches in information society, the loss or damage of critical data will result in irreparable damage. The purpose of this paper is to investigate how to prevent these important data from being damaged and how to recover data or electronic evidence of the crime that has been lost or destroyed.
This thesis mainly focuses on the theory and methods of file recovery and partition recovery. Some results are obtained and summarized as follows:
1. The data recovery technology at home and abroad is summarized. The principle of magnetic media storage is discussed briefly. The structure of main partition and file system are illuminated.
2. The principle of file storage is investigated. The performance of the domestic and foreign data recovery software to recovery the file and partition are analyzed, and the merit and shortcoming are summarized.
3. For the shortcoming of traditional data recovery software which can't recovery data when the directory or master file table is damaged, the file-level data recovery algorithms based on DATARUNS and pattern matching, and the programs of incomplete compound document recovery are proposed. Experimental results show that these algorithms and programs have a good performance to recovery some of the data under extreme data disaster.
4. To compensate the shortcoming of traditional data recovery software can't recovery the partition chain when it is multiple damaged or overwritten, a set of relatively complete partition table rules is proposed. Based on these rules, the partition location algorithm and computing tool of the partition table are given, the test and analysis results show that this method can effectively recover the partition when the MBR, EBR and DBR and others are damaged.
本文围绕各类文件数据的完整恢复和分区恢复的相关理论及其技术进行了一些研究,得到了一些结果,主要概括如下:
1.概述了国内外数据恢复技术的研究进展情况,简要介绍了磁介质存储原理,分析了主流分区和文件系统结构。
2.研究了各类文件存储结构,分析了国内外各类数据恢复软件对文件和分区的恢复能力及其优点和缺点。
3.针对传统数据恢复软件无法完整恢复目录或主文件表损坏等情况下被损数据的不足,给出基于NTFS数据流属性、模式匹配的文件级数据恢复算法和残缺复合文档的恢复方案,实验表明这些算法和方案能够有效恢复部分极端数据灾难下的数据。
4.针对传统分区恢复软件无法有效恢复多次破坏或覆盖等情况下被损分区链的不足,提出一套较为完整的分区表规则,并给出基于该规则的分区定位算法和分区表项计算工具,测试与分析结果表明该方法能有效解决MBR、EBR和DBR等破坏后的分区恢复。
Information and various data are the most valuable riches in information society, the loss or damage of critical data will result in irreparable damage. The purpose of this paper is to investigate how to prevent these important data from being damaged and how to recover data or electronic evidence of the crime that has been lost or destroyed.
This thesis mainly focuses on the theory and methods of file recovery and partition recovery. Some results are obtained and summarized as follows:
1. The data recovery technology at home and abroad is summarized. The principle of magnetic media storage is discussed briefly. The structure of main partition and file system are illuminated.
2. The principle of file storage is investigated. The performance of the domestic and foreign data recovery software to recovery the file and partition are analyzed, and the merit and shortcoming are summarized.
3. For the shortcoming of traditional data recovery software which can't recovery data when the directory or master file table is damaged, the file-level data recovery algorithms based on DATARUNS and pattern matching, and the programs of incomplete compound document recovery are proposed. Experimental results show that these algorithms and programs have a good performance to recovery some of the data under extreme data disaster.
4. To compensate the shortcoming of traditional data recovery software can't recovery the partition chain when it is multiple damaged or overwritten, a set of relatively complete partition table rules is proposed. Based on these rules, the partition location algorithm and computing tool of the partition table are given, the test and analysis results show that this method can effectively recover the partition when the MBR, EBR and DBR and others are damaged.
引文
[1]戴士剑,张杰,郭久武.数据恢复技术综述.信息网络安全.2006,01.
[2]戴士剑,郭久武,王凤泰.数据恢复与信息存储安全.中国科协年会论文集(下册).2006.
[3]Mitchell Dawson, Chris Forgie, Jon Davis. Data Recovery. Computer Forensics. 2003,7.
[4]Dr. David Dampier. Data Recovery and Data Hiding. Center for Computer Security Research (CCSR).2003.
[5]Charles H.Sobey. Drive-Independent Data Recovery:The Current State of the Art. Canada:ActionFront Data Recovery Labs, Inc,2003.
[6]Action Front Data Recovery Labs. Professional data recovery definition is from Action Front Data Recovery Labs Data Emergency Guide. April 14,2004.
[7]戴士剑.数据恢复技术的基本概念与发展现状.2006.
[8]Charles Sobey. Recovering Unrecoverable Data-The Need for Drive-Independent Data Recovery. American:A channel science white paper,2004.
[9]STEERS.KIRK. Salvage the files you lost from your hard drive. PC World (San Francisco, CA).2005,23.164-167.
[10]Huang Wei, Yu Meisheng. The quickly solving method of file recovery in windows environment. CSSE.2008.12-14.
[11]Pamela Kane著,王潜译.计算机数据恢复大全北京:电子工业出版社,1995.
[12]H.Gareia-Molina, C.A.PolyZois. Issues in Disaster Recovery. In IEEE ComPcon. February 1990.573-577.
[13]Time创作室.电脑灾难恢复典型应用技巧.人民邮电出版社,2004.
[14]黄步根.数据恢复与计算机取证.计算机安全,2006.
[15]李俊莉.数据恢复技术在计算机取证中的应用.南阳师范学院学报.2008.
[16]Vicki Miller Luoma. Computer forensics and electronic discovery:The new management challenge. Computer & Security.2006, (25).91-96.
[17]许榕生,吴海燕,刘宝旭.计算机取证概述.计算机工程应用.2001(21).7-8.
[18]戴士剑,涂彦晖.数据恢复技术.第2版.电子工业出版社,2005.
[19]王英兰,居锦武NTFS文件系统结构分析.计算机工程与设计.2006年2月,第27卷第3期.
[20]梁金千,张跃NTFS文件系统的主要数据结构.计算机工程与应用.2003,8.
[21]王丽娜,杨墨等.基于NTFS文件系统的计算机取证.武汉大学学报(理学版).2006,5.
[22]黄步根.数据恢复与计算机取证.计算机安全.2006,6.
[23]游春晖,刘乃琦,代立松.数据恢复技术在计算机取证系统中的应用.成都大学学报(自然科学版).2008,2.
[24]李军胜.寻找回来的世界四大数据恢复软件大比拼.计算机与网络.2009,z1.
[25]文光斌.数据恢复技术的发展前景、技术层次及常用方法.网络安全技术与应用.2005.5:74-76.
[26]Daniel G. James. Forensically Unrecoverable Hard Drive Data Destruction. December 2006.
[27]Venugopal Veeravalli. Detection of Digital Information from Erased Magnetic Disks. Masters thesis, Carnegie-Mellon University,1987.
[28]M. Slusarczuk et al. Emergency Destruction of Information Storing Media. Institute for Defense Analyses, December 1987.
[29]Dong Sam Ha. Data Recovery Block Design for Impulse Modulated Power Line Communications in a Microprocessor.2003.
[30]Peter Gutmann. Secure Deletion of Data from Magnetic and Solid-State Memory. California:San Jose, July 22-25,1996.
[31]D.Rugar, H.Mamin, P.Guenther, et al. Magnetic force microscopy:General principles and application to longitudinal recording media. Journal of Applied Physics. August 1990, Vol.68, No.3. p.1169.
[32]Jian-Gang Zhu, Yansheng Luo, Juren Ding. Magnetic Force Microscopy Study of Edge Overwrite Characteristics in Thin Film Media. IEEE Trans.on Magnetics. November 1994, Vol.30, No.6. p.4242.
[33]D.Rugar, H.Mamin, P.Guenther, et al. Magnetic force microscopy:General principles and application to longitudinal recording media. Journal of Applied Physics. August 1990, Vol.68, No.3 p.1169.
[34]Romel Gomez, Amr Adly, Isaak Mayergoyz, Edward Burke. Magnetic Force Scanning Tunnelling Microscope Imaging of Overwritten Data. IEEE Trans.on Magnetics. September 1992, Vol.28, No.5. p.3141.
[35]Paul Rice, John Moreland. Tunneling-stabilized Magnetic Force Microscopy of Bit Tracks on a Hard Disk. IEEE Trans.on Magnetics. May 1991, Vol.27, No.3. p.3452.
[36]Wright.C, Kleiman.D. Can Intelligence Agencies Read Overwritten Data? http://www.nber.org/sys-admin/overwritten-data-gutmann.html.
[37]范小娟.数据恢复对策分析与研究.软件导刊.2008,8.
[38]周开民,赵强,张晓等.数据的安全性研究.科学技术与工程.2003.
[39]梅志荣.磁盘存储技术浅析.物探装备.2006,16,2.
[40]杨泽明,许榕生,刘宝旭.文件删除的恢复与反恢复.Netinfo Security. 2002(4).38-41.
[41]COLBORNE L. Securing storage. Complete data erasure on storage systems. Information Storage & Security Journal.2005,13(4).1-2.
[42]尤晋元,史美林.Windows操作系统原理.北京:机械工业出版社,2002.
[43]于富强,王国庆,齐兰.硬盘分区表的磁盘参数分析与主DOS分区的恢复.河北省科学院学报.1998,3.
[44]姚罡,李大军,梅顺良.硬盘分区链表结构分析与应用.微计算机信息.2006,22(3-3).
[45]黄国盛,梁平元,周小清. Windows环境中分区表结构剖析与安全修复.吉首大学学报(自然科学版).2003,24(1).
[46]吴埙晖,王明倩.Window文件系统的数据恢复,2005.
[47]赵春媛.FAT与NTFS之间的区别.油气田地面工程.2004,7.
[48]毛明.FAT32文件系统研究.微计算机应用.2001,6.
[49]唐宏亮NTFS文件系统结构与安全性研究.湖北第二师范学院学报.2009,8.
[50]邵志毅.文件恢复的可行性分析.陕西师范大学学报.自然科学版.2007.11.
[51]Daniel Rentz. Microsoft Compound Document File Format.2007.Aug.07.
[52]汪中夏,刘伟.数据恢复高级技术.电子工业出版社,2006.12.
[53]戴士剑,汪中夏等.数据恢复.北京:赛迪电子出版社,2004.3.
[54]马林.数据重现--文件系统原理精解与数据恢复最佳实践.北京:清华大学出版社,2009.
[55]涂彦晖,戴士剑.数据安全与编程技术.清华大学出版社,2005.
[56]郑平泰.磁盘数据安全技术与编程实例.北京:中国水利水电出版社,2007.
[57]刘健,吴蕾.大容量硬盘分区信息链表研究.宜春学院学报(自然科学).2001,12,23(2).
[58]姚罡,李大军,梅顺良.硬盘分区链表结构分析与应用.微计算机信息.2006,22(3-3).
[59]刘健.从逻辑零扇区恢复硬盘主引导扇区算法实现.宜春学院学报(自然科学).2002,8,24(4).
[60]刘健,张海帆.硬盘分区链表中结点信息的完全恢复算法.甘肃教育学院学报(自然科学版).2002,1,16(1).
[61]黄国盛,梁平元,周小清. Windows环境中分区表结构剖析与安全修复.吉林大学学报(自然科学版).2003,24(1).
[2]戴士剑,郭久武,王凤泰.数据恢复与信息存储安全.中国科协年会论文集(下册).2006.
[3]Mitchell Dawson, Chris Forgie, Jon Davis. Data Recovery. Computer Forensics. 2003,7.
[4]Dr. David Dampier. Data Recovery and Data Hiding. Center for Computer Security Research (CCSR).2003.
[5]Charles H.Sobey. Drive-Independent Data Recovery:The Current State of the Art. Canada:ActionFront Data Recovery Labs, Inc,2003.
[6]Action Front Data Recovery Labs. Professional data recovery definition is from Action Front Data Recovery Labs Data Emergency Guide. April 14,2004.
[7]戴士剑.数据恢复技术的基本概念与发展现状.2006.
[8]Charles Sobey. Recovering Unrecoverable Data-The Need for Drive-Independent Data Recovery. American:A channel science white paper,2004.
[9]STEERS.KIRK. Salvage the files you lost from your hard drive. PC World (San Francisco, CA).2005,23.164-167.
[10]Huang Wei, Yu Meisheng. The quickly solving method of file recovery in windows environment. CSSE.2008.12-14.
[11]Pamela Kane著,王潜译.计算机数据恢复大全北京:电子工业出版社,1995.
[12]H.Gareia-Molina, C.A.PolyZois. Issues in Disaster Recovery. In IEEE ComPcon. February 1990.573-577.
[13]Time创作室.电脑灾难恢复典型应用技巧.人民邮电出版社,2004.
[14]黄步根.数据恢复与计算机取证.计算机安全,2006.
[15]李俊莉.数据恢复技术在计算机取证中的应用.南阳师范学院学报.2008.
[16]Vicki Miller Luoma. Computer forensics and electronic discovery:The new management challenge. Computer & Security.2006, (25).91-96.
[17]许榕生,吴海燕,刘宝旭.计算机取证概述.计算机工程应用.2001(21).7-8.
[18]戴士剑,涂彦晖.数据恢复技术.第2版.电子工业出版社,2005.
[19]王英兰,居锦武NTFS文件系统结构分析.计算机工程与设计.2006年2月,第27卷第3期.
[20]梁金千,张跃NTFS文件系统的主要数据结构.计算机工程与应用.2003,8.
[21]王丽娜,杨墨等.基于NTFS文件系统的计算机取证.武汉大学学报(理学版).2006,5.
[22]黄步根.数据恢复与计算机取证.计算机安全.2006,6.
[23]游春晖,刘乃琦,代立松.数据恢复技术在计算机取证系统中的应用.成都大学学报(自然科学版).2008,2.
[24]李军胜.寻找回来的世界四大数据恢复软件大比拼.计算机与网络.2009,z1.
[25]文光斌.数据恢复技术的发展前景、技术层次及常用方法.网络安全技术与应用.2005.5:74-76.
[26]Daniel G. James. Forensically Unrecoverable Hard Drive Data Destruction. December 2006.
[27]Venugopal Veeravalli. Detection of Digital Information from Erased Magnetic Disks. Masters thesis, Carnegie-Mellon University,1987.
[28]M. Slusarczuk et al. Emergency Destruction of Information Storing Media. Institute for Defense Analyses, December 1987.
[29]Dong Sam Ha. Data Recovery Block Design for Impulse Modulated Power Line Communications in a Microprocessor.2003.
[30]Peter Gutmann. Secure Deletion of Data from Magnetic and Solid-State Memory. California:San Jose, July 22-25,1996.
[31]D.Rugar, H.Mamin, P.Guenther, et al. Magnetic force microscopy:General principles and application to longitudinal recording media. Journal of Applied Physics. August 1990, Vol.68, No.3. p.1169.
[32]Jian-Gang Zhu, Yansheng Luo, Juren Ding. Magnetic Force Microscopy Study of Edge Overwrite Characteristics in Thin Film Media. IEEE Trans.on Magnetics. November 1994, Vol.30, No.6. p.4242.
[33]D.Rugar, H.Mamin, P.Guenther, et al. Magnetic force microscopy:General principles and application to longitudinal recording media. Journal of Applied Physics. August 1990, Vol.68, No.3 p.1169.
[34]Romel Gomez, Amr Adly, Isaak Mayergoyz, Edward Burke. Magnetic Force Scanning Tunnelling Microscope Imaging of Overwritten Data. IEEE Trans.on Magnetics. September 1992, Vol.28, No.5. p.3141.
[35]Paul Rice, John Moreland. Tunneling-stabilized Magnetic Force Microscopy of Bit Tracks on a Hard Disk. IEEE Trans.on Magnetics. May 1991, Vol.27, No.3. p.3452.
[36]Wright.C, Kleiman.D. Can Intelligence Agencies Read Overwritten Data? http://www.nber.org/sys-admin/overwritten-data-gutmann.html.
[37]范小娟.数据恢复对策分析与研究.软件导刊.2008,8.
[38]周开民,赵强,张晓等.数据的安全性研究.科学技术与工程.2003.
[39]梅志荣.磁盘存储技术浅析.物探装备.2006,16,2.
[40]杨泽明,许榕生,刘宝旭.文件删除的恢复与反恢复.Netinfo Security. 2002(4).38-41.
[41]COLBORNE L. Securing storage. Complete data erasure on storage systems. Information Storage & Security Journal.2005,13(4).1-2.
[42]尤晋元,史美林.Windows操作系统原理.北京:机械工业出版社,2002.
[43]于富强,王国庆,齐兰.硬盘分区表的磁盘参数分析与主DOS分区的恢复.河北省科学院学报.1998,3.
[44]姚罡,李大军,梅顺良.硬盘分区链表结构分析与应用.微计算机信息.2006,22(3-3).
[45]黄国盛,梁平元,周小清. Windows环境中分区表结构剖析与安全修复.吉首大学学报(自然科学版).2003,24(1).
[46]吴埙晖,王明倩.Window文件系统的数据恢复,2005.
[47]赵春媛.FAT与NTFS之间的区别.油气田地面工程.2004,7.
[48]毛明.FAT32文件系统研究.微计算机应用.2001,6.
[49]唐宏亮NTFS文件系统结构与安全性研究.湖北第二师范学院学报.2009,8.
[50]邵志毅.文件恢复的可行性分析.陕西师范大学学报.自然科学版.2007.11.
[51]Daniel Rentz. Microsoft Compound Document File Format.2007.Aug.07.
[52]汪中夏,刘伟.数据恢复高级技术.电子工业出版社,2006.12.
[53]戴士剑,汪中夏等.数据恢复.北京:赛迪电子出版社,2004.3.
[54]马林.数据重现--文件系统原理精解与数据恢复最佳实践.北京:清华大学出版社,2009.
[55]涂彦晖,戴士剑.数据安全与编程技术.清华大学出版社,2005.
[56]郑平泰.磁盘数据安全技术与编程实例.北京:中国水利水电出版社,2007.
[57]刘健,吴蕾.大容量硬盘分区信息链表研究.宜春学院学报(自然科学).2001,12,23(2).
[58]姚罡,李大军,梅顺良.硬盘分区链表结构分析与应用.微计算机信息.2006,22(3-3).
[59]刘健.从逻辑零扇区恢复硬盘主引导扇区算法实现.宜春学院学报(自然科学).2002,8,24(4).
[60]刘健,张海帆.硬盘分区链表中结点信息的完全恢复算法.甘肃教育学院学报(自然科学版).2002,1,16(1).
[61]黄国盛,梁平元,周小清. Windows环境中分区表结构剖析与安全修复.吉林大学学报(自然科学版).2003,24(1).