检索规则说明:AND代表“并且”;OR代表“或者”;NOT代表“不包含”;(注意必须大写,运算符两边需空一格)
检 索 范 例 :范例一: (K=图书馆学 OR K=情报学) AND A=范并思 范例二:J=计算机应用与软件 AND (U=C++ OR U=Basic) NOT M=Visual
作 者:徐国天[1]
机构地区:[1]中国刑事警察学院网络犯罪侦查系,沈阳110854
出 处:《刑事技术》2015年第1期55-58,共4页Forensic Science and Technology
基 金:公安部科研计划项目(No.2014JSYJB033;No.2014YYCXXJXY055);辽宁省教育科学‘十二五’规划课题(No.JG14db440)
摘 要:目的研究NTFS存储设备的3种数据恢复方式,测试、比较不同方式的恢复效果,促进电子物证检验工作。方法本文针对同一NTFS存储设备,分别使自行设计的NTFS日志检验软件测试基于NTFS日志文件的恢复方式,使用Final Data的快速扫描功能测试基于MFT记录的恢复方式,使用Final Data的完整扫描功能测试基于文件头部存储特征值的恢复方式,比较3种方式的恢复效果,分析各自的恢复原理。结果基于NTFS日志和MFT记录的方式恢复出的信息较全,用时较短,但不适合恢复较长时间之前删除的文件。基于文件头部存储特征值的方式可恢复较长时间前删除的文件,但用时长,不能恢复文件名、创建时间等信息,也不能有效恢复离散存储的文件。结论结合实际情况、综合运用3种方式可有效恢复数据。Objective In practice,such situations are often encountered that the files have not been restored because of the incorrect recovery tools and/or varied restoring methods.In this paper,three data recovery modes used with NTFS storage device were analyzed and their effects were tested and compared.Methods For the same NTFS storage device,we used NTFS log inspection software developed from previous research to test the recovery choice based on NTFS log file,utilized the quick scan function of Final Data to test the recovery choice based on MFT,and used the full scan function of Final Data to test the recovery choice based on characteristic value.Finally we compared the effect of the three choices and analyzed their recovery principles.Results The recovery choices based on NTFS log file and MFT could obtain comprehensive information but were not suitable for files deleted long before.Though the recovery choice based on characteristic value played poor effect on restoring either the non-contiguous files or the file names and file-creating time,it could restore the files deleted long before albeit time consuming.Conclusions Three methods can be applied in casework with their integrative utilization.
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在链接到云南高校图书馆文献保障联盟下载...
云南高校图书馆联盟文献共享服务平台 版权所有©
您的IP:3.147.61.19
