
Computer Engineering ›› 2009, Vol. 35 ›› Issue (9): 176-178. doi: 10.3969/j.issn.1000-3428.2009.09.062

• Security Technology •

Computer Forensics Research and Implementation Based on FAT32 File System

WANG Zhong-shan, LIU Nai-qi, QIN Ke, HAO Yu-jie

  1. (School of Computer, University of Electronic Science & Technology, Chengdu 610054)
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2009-05-05 Published: 2009-05-05

Abstract: Targeting the FAT32 file system, this paper analyzes the scattered fragments of disk files and proposes a model for reassembling deleted file fragments based on the PPMC algorithm. Prediction by Partial Matching (PPM) is used to build a context model and compute candidate probabilities that any two file fragments are adjacent, and pruning is then applied step by step to reassemble a complete original file in the correct order. The paper also analyzes the hidden system file index.dat.

Key words: data recovery, file fragments, forensic system, file reassembly, index.dat file
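
The adjacency scoring and pruning summarized in the abstract can be sketched as follows. This is an added example, not the paper's implementation: it uses PPM with method-C escapes but no symbol exclusion, and beam search stands in for the pruning step, which the abstract does not detail. `ORDER`, `WINDOW`, the beam width and the log fragments are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

ORDER, WINDOW = 3, 4   # assumed: max context length; bytes scored past each boundary

def train(fragments):
    """Count which byte follows every context of length 0..ORDER inside each fragment."""
    counts = defaultdict(lambda: defaultdict(int))
    for frag in fragments:
        for i, sym in enumerate(frag):
            for k in range(min(ORDER, i) + 1):
                counts[frag[i - k:i]][sym] += 1
    return counts

def log_prob(counts, ctx, sym):
    """PPM estimate with method-C escapes (no symbol exclusion, a simplification)."""
    lp = 0.0
    for k in range(min(ORDER, len(ctx)), -1, -1):
        seen = counts.get(ctx[len(ctx) - k:])
        if not seen:
            continue                                    # context never observed
        total, distinct = sum(seen.values()), len(seen)
        if sym in seen:
            return lp + math.log(seen[sym] / (total + distinct))
        lp += math.log(distinct / (total + distinct))   # escape to a shorter context
    return lp + math.log(1 / 256)                       # order -1: uniform over bytes

def adjacency(counts, a, b):
    """Log-probability of the first WINDOW bytes of b given the tail of a."""
    stream = a[-ORDER:] + b[:WINDOW]
    start = len(stream) - min(WINDOW, len(b))
    return sum(log_prob(counts, stream[max(0, i - ORDER):i], stream[i])
               for i in range(start, len(stream)))

def reassemble(fragments, first=0, beam=3):
    """Order fragments by beam search; only the `beam` best partial paths survive."""
    counts, n = train(fragments), len(fragments)
    paths = [(0.0, [first])]
    for _ in range(n - 1):
        grown = [(s + adjacency(counts, fragments[p[-1]], fragments[j]), p + [j])
                 for s, p in paths for j in range(n) if j not in p]
        paths = sorted(grown, reverse=True)[:beam]      # pruning step
    return paths[0][1]

# Constructed sample: an 8-line log cut mid-keyword into 4 fragments, stored out of order.
FRAGMENTS = [
    b"user=alice action=login status=ok\nuser=bob acti",
    b"r=alice action=login status=ok\nuser=bob action=login status=ok\n",
    b"on=login status=fail\nuser=alice action=logout status=ok\nuser=carol action=login sta",
    b"tus=ok\nuser=bob action=logout status=ok\nuser=carol action=logout status=fail\nuse",
]
ORDERED = reassemble(FRAGMENTS)                         # fragment 0 is the known start
```

The model is trained only on the fragments themselves, so a boundary scores well when the bytes spanning it repeat a pattern seen intact elsewhere in the recovered data.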
