Research and Implementation of Computer Forensics Technology Based on Flash Memory Data Recovery
Abstract
With the development of computer technology, high-tech crime has become increasingly rampant, and criminals go to great lengths to conceal evidence of their crimes. Research into how to acquire and analyze the information on storage media has therefore become an important part of computer forensics. At the same time, as technology has advanced, flash memory devices (such as USB flash drives) have become an important medium on which computer users store and back up data, and flash memory is also used ever more widely in consumer electronics (such as mobile phones and digital cameras) and other embedded devices. Data recovery techniques for flash memory devices therefore play an increasingly important role in computer forensics.
The computer forensics techniques discussed in this thesis are based mainly on logical data recovery from USB flash drives and file data recovery on FAT32 file systems. For logical data recovery from a USB flash drive, the thesis analyzes the storage characteristics of the FAT file system, designs and writes experimental data based on logical sector numbers, reads out the physical data from the flash memory, and compares the two to find the mapping from physical addresses to logical addresses, thereby recovering the drive's logical data; a dynamic scanning method is designed on this basis. For FAT32 file data recovery, the thesis proposes a method that uses Linux system tools to recover the normal files and directories and to search them for evidence. For files lost through deliberate deletion or formatting, the thesis studies how file deletion and formatting work on FAT32 and designs and implements corresponding data recovery programs that perform fast and deep scans of the file system, find as much deleted data and post-format residual data as possible, and recover deleted data to the greatest extent possible.