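Author: Xu Guotian (徐国天)[1]
Affiliation: [1] Liaoning Collaborative Innovation Center for Network Security Law Enforcement, Criminal Investigation Police University of China (中国刑事警察学院), Shenyang 110854
Source: Forensic Science and Technology (《刑事技术》), 2015, No. 6, pp. 440-444 (5 pages)
Funding: Ministry of Public Security Technology Research Program project (2014JSYJB033); Ministry of Public Security Applied Innovation Program project (2014YYCXXJXY055); Liaoning Province Education Science "Twelfth Five-Year" Plan project (JG14db440); Natural Science Foundation of Liaoning Province project (2015020091)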
Abstract: Objective: In computer-related case investigations, Excel files from suspects' computers are often damaged and cannot be analyzed. These incomplete Excel files usually store a large amount of valuable text data that is significant for the investigation. This paper studies effective methods for locating, extracting and recovering the residual text data in incomplete Excel files. Methods: For slightly damaged Office 2003 Excel files on the NTFS file system, a whole-WorkBook-stream replacement method is proposed: prepare a large Excel file as the target, reset its WorkBook stream data to 0x00, use Winhex to extract the complete WorkBook stream data from the incomplete Excel file, and copy it to the WorkBook stream position of the target file. Double-clicking the target file then displays the text information of the incomplete Excel file. For severely damaged Excel files, a text recovery method based on reconstructing the key data structures is proposed: prepare a large Excel file and reset its WorkBook stream data to 0x00; use Winhex to extract from the damaged file, in order, the WorkBook header, BoundSheet, language and region settings, SST shared strings, Extended SST and the data of each Sheet, and copy them one by one to the WorkBook stream position of the target file; supplement the missing data structures and adjust the absolute address references of BoundSheet and Extended SST; finally, open the target file to view the text information of the incomplete Excel file. Results: The target file produced by the whole-WorkBook-stream replacement method can be used normally, and text, formatting and formulas are recovered. The target file produced by the key data structure reconstruction method shows error messages when opened; after clicking the OK button repeatedly, the text information is displayed normally, but the formatting is lost. Conclusions: The recovery methods proposed in this paper can effectively extract the text data from incomplete Excel files.
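Keywords: electronic evidence; incomplete Excel file; text data; WorkBook; recovery
Classification: TP317.3 [Automation and Computer Technology: Computer Software and Theory]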