面向编辑过程还原的勒索病毒删除文档重组方法  

作　　者：徐国天[1] XU Guo-tian(College of Public Security Information Technology and Intelligence,Criminal Investigation Police University of China,Shenyang 110854,China)

机构地区：[1]中国刑事警察学院公安信息技术与情报学院,沈阳110854

出　　处：《小型微型计算机系统》2023年第5期1087-1094,共8页Journal of Chinese Computer Systems

基　　金：公安部软科学计划项目(2020LLYJXJXY031)资助;公安部技术研究计划课题项目(2016JSYJB06)资助;辽宁省自然科学基金课题项目(2019-ZD-0167,20180550841,2015020091)资助;中央高校基本科研业务费项目(D2021006,3242017013)资助;辽宁省社会科学规划基金项目(L16BFX012)资助;辽宁网络安全执法协同创新中心项目(WXZX-201807010)资助;辽宁省教育厅科学研究项目(LJKZ0072)资助。

摘　　要：勒索病毒会加密用户主机内全部办公文档,覆盖删除原始数据,在无解密秘钥情况下,很难还原文档内容.针对上述问题,提出一种基于编辑过程还原的勒索病毒删除文档重组方法,通过扫描磁盘空闲存储空间,根据ZIP标志位和修改时间字段识别全部办公文档编辑过程痕迹分片,再利用目录项特征值匹配方法识别、重组电子文档数据块,对分片边界位置识别错误数据块,利用CRC32校验技术探测正确的块分界位置,进而修正识别错误数据块.实验结果表明,在主机感染勒索病毒情况下,该方法可准确识别、恢复2007以上版本Office电子文档编辑痕迹数据分片,重组原始文档内容.The ransomware will encrypt all office documents in the user′s host,overwrite and delete the original data,and it is difficult to restore the document contents without the decryption key.In view of the above problems,A ransomware deletion document reorganization method based on editing process restoration is proposed,By scanning the free storage space on the disk,According to the ZIP flag bit and the modification time field,all the trace fragments in the editing process of office documents are identified,and then the electronic document data blocks are identified and reorganized by the directory item eigenvalue matching method.The wrong data blocks are identified at the segmentation boundary position,and the correct block boundary position is detected by CRC32 verification technology,and then the wrong data blocks are corrected and identified.The experimental results show that this method can accurately identify and restore the editing trace data fragments of Office electronic documents above 2007 and reorganize the original document contents when the host computer is infected with ransomware.

关 键 词：勒索病毒 办公文档 编辑过程 分片边界 CRC32 

分 类 号：TP399[自动化与计算机技术—计算机应用技术]