| 基于EXT3系统的文件内容操作痕迹提取软件设计 |
| |
| 引用本文: | 徐国天. 基于EXT3系统的文件内容操作痕迹提取软件设计[J]. 信息网络安全, 2014, 0(12): 47-50 |
| |
| 作者姓名: | 徐国天 |
| |
| 作者单位: | 中国刑警学院网络犯罪侦查系,辽宁沈阳110854 |
| |
| 基金项目: | 公安部应用创新计划项目[2014YYCXXJXY055];公安部技术研究计划项目[2014JSYJB0331;辽宁省教育科学“十二五”规划立项课题[JG14DB440] |
| |
| 摘 要: | EXT3文件系统是大多数Linux主机的默认硬盘分区格式,EXT3格式的硬盘中可能存储了大量涉案文件,识别出嫌疑人对这些涉案文件内容执行的增、删、改操作行为,提取出被修改的相关数据对公安机关的调查、取证工作有重要意义。文章对不同类型文件的操作痕迹进行了分析;介绍了EXT3日志文件的基本结构;研究了从日志中提取出文件名称和inode结点信息的方法;提出了基于inode编号链表的操作痕迹提取方法;设计了用于痕迹提取的状态转换机。设计的操作痕迹提取软件可以直接运行在Linux主机上,通过扫描日志文件完成痕迹提取,经过大量实际测试,软件可以有效提取EXT3文件系统中未被覆盖的操作痕迹。
|
| 关 键 词: | 操作痕迹 提取 EXT3 日志 inode |
Software Design of EXT3 File Operation Trace Extraction |
| |
| XU Guo-tian. Software Design of EXT3 File Operation Trace Extraction[J]. Netinfo Security, 2014, 0(12): 47-50 |
| |
| Authors: | XU Guo-tian |
| |
| Affiliation: | XU Guo-tian (China Criminal Police College, Shenyang Liaoning 110854, China) |
| |
| Abstract: | Most of the Linux hosts use the EXT3 file system. The hard disk of EXT3 format can store a large number of suspicious files. It's very important to identify the increase, delete, change operation of the suspect in the documents. Extraction of the modified data is important for the investigation and forensic of the public security organs. The operation traces of different ifles are analyzed in this paper. The basic structure of the EXT3 log ifle and a method to extract the ifle name and the inode node information from the log are studied. Extraction method of operating traces based on inode and a state transition machine are designed. The software can be run directly in the Linux host and complete the trace extraction by scanning the log ifle. After a lot of practical testing, the software can effectively extract the uncovered traces of operation in EXT3 ifle system. |
| |
| Keywords: | inode operation trace extraction journal inode |
| 本文献已被 维普 等数据库收录! |
