Acta Electronica Sinica ›› 2013, Vol. 41 ›› Issue (8): 1487-1493. DOI: 10.3969/j.issn.0372-2112.2013.08.006

• Academic Papers •

A FAT File System Reconstruction Method Based on Flash Memory Physical Images

ZHANG Li1,2, TAN Yu-an1,3, ZHENG Jun1,3, MA Zhong-mei1, WANG Wen-ming1, LI Yuan-zhang1

  1. School of Computer Science and Technology, Beijing Institute of Technology, Beijing 100081, China;
    2. School of Computer and Information Technology, Nanyang Normal University, Nanyang, Henan 473061, China;
    3. Beijing Engineering Research Center of High Volume Language Information Processing and Cloud Computing Application, Beijing Institute of Technology, Beijing 100081, China
  • Received: 2012-09-10 Revised: 2013-01-31 Online: 2013-08-25 Published: 2013-08-25
  • Corresponding author: ZHENG Jun
  • About the authors: ZHANG Li, female, born in 1978 in Nanyang, Henan. She received a B.Sc. from Henan Normal University in 1997 and an M.Eng. from Hunan University in 2001, and is currently a Ph.D. candidate working on digital forensics and embedded systems. E-mail: hnnyzli@bit.edu.cn. TAN Yu-an, male, born in 1972 in Wuxi, Chongqing. Professor and Ph.D. supervisor, currently working mainly on information security and embedded systems. E-mail: tan2008@bit.edu.cn
  • Funding:
    National High Technology Research and Development Program of China (863 Program) (No. 2013AA01A212)

A Method for Reconstructing the FAT File System from Flash Memory

ZHANG Li1,2, TAN Yu-an1,3, ZHENG Jun1,3, MA Zhong-mei1, WANG Wen-ming1, LI Yuan-zhang1   

  1. School of Computer Science and Technology, Beijing Institute of Technology, Beijing 100081, China;
    2. Department of Computer and Information Technology, Nanyang Normal University, Nanyang, Henan 473061, China;
    3. Beijing Engineering Research Center of High Volume Language Information Processing and Cloud Computing Application, Beijing Institute of Technology, Beijing 100081, China
  • Received:2012-09-10 Revised:2013-01-31 Online:2013-08-25 Published:2013-08-25

Abstract: File system reconstruction is the main means of data recovery in forensic research on flash memory devices. Traditional reconstruction methods require both a logical image and a physical image of the flash device acquired at the same moment, a condition that is often hard to satisfy in forensic practice. This paper therefore proposes a method for reconstructing a File Allocation Table (FAT) file system that relies only on the physical image of the flash memory. After introducing a statistical analysis method that extracts the logical address field and the page state field from the physical image, an algorithm is given that uses the newest page state value to accurately reconstruct the newest FAT file system image of the flash device. Finally, the FAT file system reconstruction of a physical image from an MTK6229 flash device is used as an example to verify that the reconstruction algorithm and related methods are correct.

Keywords: digital forensics, flash memory, physical image, file system reconstruction, spare area

Abstract: File system reconstruction is an effective way of recovering forensic data from flash memory. However, the traditional reconstruction methods require a precondition, namely that both the logical image and the physical image of the flash memory are available for the same moment in time, and that is usually not satisfied in practice. In this paper, we propose a method for reconstructing the File Allocation Table (FAT) file system of a flash device when only a physical image of the flash memory has been acquired. After introducing statistical methods to identify the logical address bytes and the page state byte in the physical image, we propose a new algorithm that reconstructs the newest FAT file system based on the newest value of the page state. Finally, taking flash devices with MTK6229 controllers as examples, we expound the methods related to reconstructing the FAT file system and verify the reconstruction algorithm.
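As an added illustration of the reconstruction step the abstract describes (example code written for this page, not the paper's implementation), the following Python rebuilds the newest logical image from a constructed NAND physical dump: each page's spare area carries a logical page number and a page state value at assumed offsets, and for every logical page the copy with the highest state value wins. The spare-area layout, the MTK6229-specific field positions and the statistical field-identification step are assumptions or are not modelled here; the field offsets are taken as already known.

```python
import struct

# Constructed layout for this example (assumption, not the MTK6229 format):
# each physical page = PAGE_DATA bytes of user data + SPARE bytes of spare area.
# Spare bytes 0-1: logical page number (little-endian); byte 2: page state.
# A larger page state value marks the newer copy of the same logical page.
PAGE_DATA = 16
SPARE = 8
PAGE = PAGE_DATA + SPARE
LBA_OFF = 0               # logical address field offset inside the spare area
ERASED = b"\xff" * SPARE  # spare area of a never-programmed (erased) page


def make_page(data: bytes, lba: int, state: int) -> bytes:
    """Build one physical page with the given spare-area fields."""
    spare = bytearray(ERASED)
    struct.pack_into("<HB", spare, LBA_OFF, lba, state)
    return data.ljust(PAGE_DATA, b"\x00") + bytes(spare)


def constructed_dump() -> bytes:
    """A tiny constructed physical image: pages sit out of logical order,
    logical pages 0 and 1 have several generations, one page is erased."""
    return b"".join([
        make_page(b"boot-v1", 0, 1),
        make_page(b"fat-v1", 1, 1),
        make_page(b"file-v1", 2, 1),
        make_page(b"fat-v2", 1, 2),    # newer copy of logical page 1
        b"\xff" * PAGE,                # erased page: no logical address
        make_page(b"boot-v2", 0, 3),   # newest copy of logical page 0
    ])


def reconstruct(dump: bytes) -> bytes:
    """Map every programmed physical page to its logical page, keep the copy
    with the highest page state, and lay the winners out in logical order."""
    newest = {}  # logical page -> (state, data)
    for off in range(0, len(dump), PAGE):
        page = dump[off:off + PAGE]
        spare = page[PAGE_DATA:]
        if spare == ERASED:
            continue  # erased pages carry no file system data
        lba, state = struct.unpack_from("<HB", spare, LBA_OFF)
        if lba not in newest or state > newest[lba][0]:
            newest[lba] = (state, page[:PAGE_DATA])
    image = bytearray(PAGE_DATA * (max(newest, default=-1) + 1))  # gaps zero
    for lba, (_, data) in newest.items():
        image[lba * PAGE_DATA:(lba + 1) * PAGE_DATA] = data
    return bytes(image)
```

On a real dump the page count would be thousands of pages and the resulting image would then be opened as a FAT volume; logical pages that no programmed physical page references stay zero-filled.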

Key words: digital forensics, flash memory, physical image, file system reconstruction, spare area

CLC number: