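Class:    Student ID:    Name:
Experiment title: Data Recovery Techniques

I. Objective

From our earlier coursework we learned the basics of the NTFS file system: it offers high security and stability, it also provides a fault-tolerant structure, and it is currently one of the more commonly used file systems. Building on an understanding of the basic structure of NTFS, we studied how files in an NTFS volume are deleted and the principle by which they can be recovered. When a file is deleted from an NTFS volume, the system makes changes in at least three places: first, the byte at offset 16H in the header of the file's MFT record is set to "00H"; second, the 90H attribute of its parent folder is changed accordingly; third, in the bitmap metadata file, the positions corresponding to the clusters occupied by the file are set to "0". This experiment serves two purposes. On the one hand, it deepens our understanding of the structure of the NTFS file system by analyzing a concrete file structure through a concrete example. On the other hand, it puts the recovery principle into practice and improves students' hands-on skills.

II. Content

1. In WinHex, analyze the data on the virtual USB drive and locate the file's MFT record, data area and related information.
2. Delete the file and observe what changes appear in the data on the disk.
3. Using the principle of NTFS data recovery, recover the deleted file to another disk.

III. Procedure and screenshots

1. Install the virtual USB drive software "vdisk", create a virtual USB drive in it, and format it with the NTFS file system.
2. Copy the sample file to the virtual USB drive.
3. Open WinHex and open the disk data corresponding to the virtual USB drive.
4. Go to the file system's MFT and jump to file record 5 (one of the NTFS system metadata files; it is the root directory of the file system and mainly stores information about the files in the root directory of the virtual USB drive; by analyzing the A0H attribute of this MFT record, the file's index entry can be found), as shown below:

[Figure: WinHex "Go To File Record" dialog, file record 5]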
[Figure: MFT record of the root directory]

5. Using the data run in the A0H attribute of the root directory's MFT record (the index allocation attribute; for the root directory it defines the starting and ending VCN of the root directory index, as well as the starting LCN of the data run and the number of clusters it occupies), we can jump to the root directory's index allocation data:

[Figure: header and body of the A0H attribute, with one data run marked. Annotation: this data run shows that the data occupies 1 cluster in total and that its starting cluster number is 2CH, i.e. cluster 44. Data Interpreter value: 44]

6. Jump to cluster 44 and examine the root directory's index table to find the file's index entry. Analyzing the index entry shows that the file's MFT reference number is 26:

[Figure: WinHex "Go To Sector" dialog (sector 352) and the file's index entry. Annotation: the file's MFT sequence number is 26]

7. Jump to file record 26 (i.e. the file's MFT record) and examine its 80H attribute. The file size is read from offset 38H of the attribute header: 68 09 00 00 00 00 00 00, i.e. 2408 bytes. The starting cluster number and the number of clusters occupied are read from the data run in the attribute body: 11 01 25 00 01 00 00 00. The file occupies one cluster, and its starting cluster number is 25H, i.e. cluster 37.

[Figure: the file's MFT record, with the 80H attribute marked. Annotation: the file is in use]
[Figure: Data Interpreter readings on the file's MFT record. File size: 2408. File starting cluster number: 37]

8. Using the starting cluster number and the file size found in the previous step, the file's data area can be located:

[Figure: hex view of the file's data area, starting at offset 00025000]
[Figure: selecting the data area as a block]
[Figure: the data area with the block selection completed]

9. Delete the file from the virtual USB drive.

10. Examine how the file's MFT record has changed: the flag at offset 16H of the MFT record has changed from the original 01H to 00H, indicating that the file has been deleted.

[Figure: the file's MFT record after deletion]
11. Following the method described above, locate the file's data area and recover the file. The recovery result is shown in the figure below:
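Steps 7 to 11 carried out in code instead of by hand in WinHex; this is an added example, not part of the original report. It parses a constructed MFT record that mirrors the report's values (flags 00H, size 2408 bytes, data run 11 01 25) and generalizes the data-run decoding to multiple and sparse runs. The function names are hypothetical, and the code assumes 4096-byte clusters and a record whose fixup array has already been applied.

```python
import struct

def decode_runs(buf):
    """Decode an NTFS data-run list into (start_lcn, cluster_count) pairs."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        mid, end = pos + 1 + len_sz, pos + 1 + len_sz + off_sz
        count = int.from_bytes(buf[pos + 1:mid], "little")
        # Start LCN is a signed delta from the previous run; no offset bytes = sparse.
        lcn += int.from_bytes(buf[mid:end], "little", signed=True)
        runs.append((lcn if off_sz else None, count))
        pos = end
    return runs

def parse_record(rec):
    """Return (in_use, real_size, runs) for the unnamed 80H attribute (fixups assumed applied)."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT file record")
    pos, flags = struct.unpack_from("<HH", rec, 0x14)  # 14H first attribute, 16H flags
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == 0x80 and rec[pos + 8] == 1 and rec[pos + 9] == 0:
            run_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            # 30H holds the real size; 38H (used in the report) holds the initialized size.
            size = struct.unpack_from("<Q", rec, pos + 0x30)[0]
            return bool(flags & 1), size, decode_runs(rec[pos + run_off:pos + alen])
        pos += alen
    raise ValueError("no non-resident 80H attribute")

def carve(image, rec, cluster_size=4096):
    """Read the clusters named by the data runs (4096-byte clusters assumed), trim to size."""
    in_use, size, runs = parse_record(rec)
    data = b"".join(image[l * cluster_size:(l + n) * cluster_size]
                    for l, n in runs if l is not None)
    return in_use, data[:size]

def make_sample():
    """Constructed input mirroring the report: deleted record, 2408 bytes in cluster 37."""
    rec = bytearray(b"FILE") + bytearray(1020)
    struct.pack_into("<HH", rec, 0x14, 0x38, 0x0000)    # flags 00H = deleted
    struct.pack_into("<IIB", rec, 0x38, 0x80, 0x48, 1)  # 80H, length 48H, non-resident
    struct.pack_into("<H", rec, 0x58, 0x40)             # run list at attribute offset 40H
    struct.pack_into("<QQQ", rec, 0x60, 0x1000, 2408, 2408)
    rec[0x78:0x84] = bytes.fromhex("1101250001000000ffffffff")  # run list, end marker
    payload = (bytes(range(256)) * 10)[:2408]
    image = bytes(37 * 4096) + payload + bytes(4096 - 2408)
    return image, bytes(rec), payload
```

Calling carve(*make_sample()[:2]) returns the in-use flag (False for the deleted record) and the 2408 recovered bytes. Carving only succeeds while the freed clusters have not been reallocated and overwritten.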