Similar literature
Found 20 similar documents; search took 31 ms
1.
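This paper proposes a Word file carving method that relies not on file system metadata but on the file's data content and internal structural features. Its basic principle is to use validation methods based on the file header / root storage / maximum sector, the sector allocation table of fragmented files, and the data streams of fragmented files. The method can automatically carve Word files that are stored contiguously or as in-order fragments in a raw disk image. Experimental results show that the method keeps a low "false positive" rate while achieving high accuracy in automatic Word file carving.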

2.
Fragmented files in the transformed and compressed domain are very difficult to recover using conventional file recovery software. JPEG is a forensically important image file format due to its popularity in a wide range of applications. In JPEG compression, the header keeps important parameters that are required to decode the image back to the pixel domain. In this paper, the detection of the width and height of an image from the JPEG stream is improved with fewer assumptions than in previous papers. Older approaches assumed that information about the image such as the Huffman table, Reset (RST) value and Quantization table was readily available for the techniques to work. In this paper, however, the width is extracted from the quantized AC values, which reduces the assumptions to just the Huffman table.

3.
The JFFS2 file system for flash memory compresses files before actually writing them into flash memory. Because of this, multimedia files, for instance, which are already compressed at the application level, go through an unnecessary and time-consuming compression stage and cause energy waste. Also, when reading such multimedia files, the default use of the disk cache results in unnecessary main memory access, hence energy waste, due to the low cache hit ratio. This paper presents two techniques to reduce the energy consumption of the JFFS2 flash file system for power-aware applications. One is to avoid data compression selectively when writing files, and the other is to bypass page caching when reading sequential files. The modified file system is implemented on a PDA running Linux, and the experimental results show that the proposed mechanism effectively reduces the overall energy consumption when accessing continuous and large files.

4.
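NTFS-based file encryption is a relatively secure feature for protecting local information. This paper analyzes the security guarantees and potential problems of NTFS-based file encryption from several angles: the nature of NTFS file encryption, certificate files, account permissions, administrator accounts, and data recovery agents.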

5.
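This paper analyzes in detail the basic structure of the NTFS file system used by the Windows NT operating system, and examines in depth its basic data structures such as the Master File Table (MFT), MFT records, file structure and directory structure. It studies the NTFS volume structure, directory and file structure, journaling file system, and data recovery after failures. NTFS uses a journaling file system to recover from data failures; the data recovery process and the use of the journaling file system during that process are described in detail.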

6.
Recovery of fragmented files is an important part of digital forensics. Video files are more likely to be fragmented because their sizes are relatively large, so recovering video files without file system information is meaningful. This paper presents a technique for recovering a fragmented video file using the frame size information in every frame and the index. Many existing video recovery techniques attempt to recover videos using file system information or header/footer flags. These approaches may fail in situations where the file system information is unknown or the videos are fragmented. The proposed method addresses how to extract AVI file fragments from data images and map all the extracted fragments into their original order. Experimental results show that mapping the AVI fragments according to the frame size information in every fragment and the index is credible, and that the non-overwritten part of the fragmented video can be recovered using the method.

7.

With the fast increase of multimedia content, efficient forensic investigation methods for multimedia files are required. In multimedia files, similarity means that identical media (audio and video) data exist among multimedia files. This paper proposes an efficient multimedia file forensics system based on file similarity search of video content. The proposed system needs two key techniques. The first is a media-aware information detection technique. The first critical step for the similarity search is to find the meaningful keyframes or key sequences in the shots throughout a multimedia file, in order to recognize altered files from the same source file. The second is a video fingerprint-based (VFB) technique for file similarity search. Byte-for-byte comparison is an inefficient similarity search method for large files such as multimedia. The VFB technique is an efficient method to extract video features from large multimedia files. It also provides an independent media-aware identification method for detecting alterations to the source video file (e.g., frame rates, resolutions, and formats). In this paper, we focus on two key challenges: generating robust video fingerprints by finding meaningful boundaries of a multimedia file, and measuring video similarity by using fingerprint-based matching. Our evaluation shows that the proposed system can be applied to realistic multimedia file forensics tools.


8.
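In still-image compression, obtaining a code-stream file of fixed size requires adaptively controlling the quantizer parameters according to the characteristics of the input image, thereby controlling the bit rate of the output compressed image. The JPEG standard does not specify a bit-rate control method, and some traditional bit-rate control methods were designed for dedicated compression/decompression systems and are not suitable for open JPEG compression systems based on an interchange format. This paper proposes a bit-rate control algorithm that is fully compatible with the JPEG standard. Based on the activity of the input image, it computes the corresponding compression quality factor, adaptively allocates a number of bits to each 8×8 block, adjusts the per-block bit counts during entropy coding, and triggers block truncation when needed, guaranteeing that the size of the compressed file does not exceed a preset value. The algorithm is suited to still-image compression where storage capacity is limited, and can guarantee storage of the specified number of frames of compressed image files.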

9.
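This paper analyzes the physical structure and logical framework of the NTFS file system, argues that developing computer forensics software first requires solving problems such as reading metadata and recovering fragmented files, and implements an information collection module in code, providing one design approach for computer forensics software.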

10.
Software developers rely on a fast build system to incrementally compile their source code changes and produce modified deliverables for testing and deployment. Header files, which tend to trigger slow rebuild processes, are most problematic if they also change frequently during the development process, and hence, need to be rebuilt often. In this paper, we propose an approach that analyzes the build dependency graph (i.e., the data structure used to determine the minimal list of commands that must be executed when a source code file is modified), and the change history of a software system to pinpoint header file hotspots—header files that change frequently and trigger long rebuild processes. Through a case study on the GLib, PostgreSQL, Qt, and Ruby systems, we show that our approach identifies header file hotspots that, if improved, will provide greater improvement to the total future build cost of a system than just focusing on the files that trigger the slowest rebuild processes, change the most frequently, or are used the most throughout the codebase. Furthermore, regression models built using architectural and code properties of source files can explain 32–57% of these hotspots, identifying subsystems that are particularly hotspot-prone and would benefit the most from architectural refinement.

11.
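An NTFS-based file encryption system   Total citations: 1, self-citations: 0, citations by others: 1
NTFS provides a feature called the Encrypting File System, which lets users encrypt their own files to keep the contents from being exposed to intruders. When using this feature, users may on the one hand find that files they encrypted cannot be recovered, and on the other hand have their encrypted files stolen by an intruder who then views the contents. This paper discusses the concept of file encryption, the encryption and decryption process, common problems encountered in use, and the security of the Encrypting File System.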

12.
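In the NTFS file system, a video surveillance file is split into a large number of very small blocks for storage as it is created, and the whole file is assembled through multiple index tables. After the file is deleted, the main index table is discarded, but the index tables in the extended attributes still exist. To address this problem, a method is proposed for recovering data from the file's extended attributes. By consolidating the large number of scattered fragments, it can recover most of the content of a deleted video file.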

13.
When a file is to be transmitted from a sender to a recipient and when the latter already has a file somewhat similar to it, remote differential compression seeks to determine the similarities interactively so as to transmit only the part of the new file not already in the recipient's old file. Content-dependent chunking means that the sender and recipient chop their files into chunks, with the cutpoints determined by some internal features of the files, so that when segments of the two files agree (possibly in different locations within the files) the cutpoints in such segments tend to be in corresponding locations, and so the chunks agree. By exchanging hash values of the chunks, the sender and recipient can determine which chunks of the new file are absent from the old one and thus need to be transmitted. We propose two new algorithms for content-dependent chunking, and we compare their behavior, on random files, with each other and with previously used algorithms. One of our algorithms, the local maximum chunking method, has been implemented and found to work better in practice than previously used algorithms. Theoretical comparisons between the various algorithms can be based on several criteria, most of which seek to formalize the idea that chunks should be neither too small (so that hashing and sending hash values become inefficient) nor too large (so that agreements of entire chunks become unlikely). We propose a new criterion, called the slack of a chunking method, which seeks to measure how much of an interval of agreement between two files is wasted because it lies in chunks that don't agree. Finally, we show how to efficiently find the cutpoints for local maximum chunking.

14.
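GPT partitioning is a partitioning scheme now in common use on hard disks; it overcomes the MBR limitation of being unable to manage partitions beyond 2 TB. The NTFS file system is an important component of the Windows operating system. Using Windows 7 as the platform, a virtual hard disk as the experimental subject, and WinHex 15.08 as the data analysis and recovery tool, this paper analyzes the GPT disk structure and the NTFS file system structure, and carries out repair experiments after the disk's GPT partition, NTFS_DBR and NTFS_DBR backup have all been destroyed at the same time. The experimental results show that, when the GPT partition, NTFS_DBR and NTFS_DBR backup are destroyed simultaneously, the total capacity of the NTFS volume and the BPB parameters in the NTFS_DBR can be calculated from the 80H attribute data in records 0, 1 and 8 of the $MFT metafile. The paper presents the basic idea, method and steps for rebuilding the GPT partition from the total capacity of the NTFS volume and for obtaining the position within the whole GPT disk of each GPT partition's starting sector number (that is, the sector holding each NTFS_DBR), as well as the idea, method and steps for restoring the NTFS_DBR and the NTFS_DBR backup. This solves the technical problem that recovery is difficult after the GPT partition and NTFS_DBR are destroyed at the same time.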

15.
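Research and implementation of a new encrypting file system   Total citations: 3, self-citations: 2, citations by others: 1
To solve the problem of encrypted file storage on Windows systems, this paper analyzes the shortcomings of Windows EFS and studies in depth the key techniques in filter driver development, including IRP handling, file state tracking and avoiding reentrancy. Using file system filter driver technology, it designs and implements a new encrypting file system. The system is fully transparent to the user, can encrypt specified files, folders or all files of a given type for storage according to the user's policy, supports multiple file systems such as NTFS and FAT, and allows the encryption algorithm to be changed. Experimental results show that the system performs well and extends Windows EFS in both functionality and application.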

16.
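Design and implementation of "small file" forensics software for NTFS   Total citations: 1, self-citations: 0, citations by others: 1
This article describes a method for recovering "small files" from MFT file records, the garbled-text problem and the problem of recovering data deleted multiple times that "small file" recovery must solve, and the overall execution flowchart and testing of the "small file" forensics software. The software automatically scans the $MFT metafile of an NTFS system, finds in turn each MFT record in the $MFT metafile that contains "small file" data, and, if an MFT record contains recoverable data, recovers it.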

17.
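Research and implementation of data recovery under Windows NTFS   Total citations: 6, self-citations: 0, citations by others: 6
For cases where data on a computer is lost due to subjective or objective factors, this paper proposes an implementation scheme for data recovery under the Windows NTFS file system. It describes the on-disk structure of the NTFS file system and focuses on the core of NTFS, the Master File Table (MFT), together with the structure of file records and several key file attributes. By analyzing how attribute values in a file record change before and after the file is deleted, it explains in detail how data recovery is implemented.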

18.
19.
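ASF file format analysis and its application in streaming media synchronization   Total citations: 4, self-citations: 0, citations by others: 4
ASF is a streaming media format widely used in distance education. Logically, an ASF file consists of a header object, a data object and an index object. Based on an in-depth study of the ASF header object and related structures, this paper proposes a solution for synchronizing ASF streaming media and implements it in a network courseware development platform. The solution has two important steps: first, make the necessary modifications to the file format by adding control information and time breakpoint information inside the ASF file; second, use a scripting language such as JavaScript to control synchronization of the media.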

20.

To combat exponentially evolving modern malware, an effective Malware Detection System and precise malware classification are essential. In this paper, a Linear Support Vector Classification (LSVC)-recommended Hybrid Features-based Malware Detection System (HF-MDS) is proposed. It uses a combination of the static and dynamic features of Portable Executable (PE) files as hybrid features to identify unknown malware. The application program interface calls invoked by the PE files during their execution, along with their corresponding categories, are collected from the PE file behavioural report produced by the Cuckoo Sandbox and treated as dynamic features. The PE files' header details, such as the optional header, disk operating system header, and file header, are treated as static features. The LSVC is used as a feature selector to choose prominent static and dynamic features from their respective Original Feature Space. The features recommended by the LSVC are highly discriminative and are used as the final features for the classification process. Different sets of experiments were conducted using real-world malware samples to verify the combination of static and dynamic features, which encourages the classifier to attain high accuracy. The tenfold cross-validation experimental results demonstrate that the proposed HF-MDS is proficient in precisely detecting malware and benign PE files, attaining a detection accuracy of 99.743% with a sequential minimal optimization classifier using hybrid features.

