Abstract: Targeting the FAT32 file system, this paper analyzes scattered file fragments on disk and proposes a model for reassembling deleted file fragments based on the PPMC algorithm. Prediction by Partial Matching (PPM) is used to build a context model and compute the candidate probability that any two file fragments are adjacent, and pruning is then applied step by step to reassemble a complete file in its original order. The paper also analyzes the hidden system file index.dat.
Key words: data recovery, file fragments, forensic system, file reassembly, index.dat file
WANG Zhong-shan; LIU Nai-qi; QIN Ke; HAO Yu-jie. Computer Forensics Research and Implementation Based on FAT32 File System[J]. Computer Engineering, 2009, 35(9): 176-178.
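The adjacency scoring and pruning described in the abstract can be sketched as follows. This is an added example, not code from the paper: it uses a simplified PPM method C model (no symbol exclusion) and greedy pruning. The context order, window size, function names and sample data are all assumptions made for illustration.

```python
import math
from collections import defaultdict

ORDER = 3  # longest context in bytes (assumed value, not from the paper)

def train(data, order=ORDER):
    """Count which byte follows every context of length 0..order."""
    model = defaultdict(lambda: defaultdict(int))
    for i, sym in enumerate(data):
        for k in range(min(order, i) + 1):
            model[data[i - k:i]][sym] += 1
    return model

def log_prob(model, ctx, sym, order=ORDER):
    """PPM method C: use the longest seen context; where sym is new to it,
    pay the escape probability d/(n+d) and retry one byte shorter."""
    lp = 0.0
    for k in range(min(order, len(ctx)), -1, -1):
        counts = model.get(ctx[len(ctx) - k:])
        if not counts:
            continue  # context never seen: back off at no cost
        n, d = sum(counts.values()), len(counts)
        if sym in counts:
            return lp + math.log(counts[sym] / (n + d))
        lp += math.log(d / (n + d))
    return lp + math.log(1 / 256)  # order -1: any byte equally likely

def adjacency(model, a, b, window=4):
    """Log-probability that fragment b directly follows fragment a,
    taken over the first `window` bytes of b."""
    tail = a[-ORDER:]
    joined = tail + b[:window]
    return sum(log_prob(model, joined[max(0, i - ORDER):i], joined[i])
               for i in range(len(tail), len(joined)))

def reassemble(model, first, rest):
    """Greedy chain from the known first fragment: every candidate except
    the best-scoring successor is pruned at each step."""
    out, pool = [first], list(rest)
    while pool:
        nxt = max(pool, key=lambda f: adjacency(model, out[-1], f))
        pool.remove(nxt)
        out.append(nxt)
    return b"".join(out)

# Constructed sample: reference text for the model, and an 8-byte split of
# the same sentence with everything after the first fragment shuffled.
REFERENCE = b"index.dat keeps visited URLs after history is cleared"
SHUFFLED = [b"er histo", b"eared", b"t keeps ", b"ry is cl", b"URLs aft", b"visited "]

if __name__ == "__main__":
    print(reassemble(train(REFERENCE), b"index.da", SHUFFLED))
```

The reference text here contains the sentence being reassembled, so every true boundary is scored at full context order. With a model trained on other files of the same type, a wider beam than the greedy choice reduces the chance of one bad link derailing the chain.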