CN112486924B - A method, device and electronic device for searching file deletion time in NTFS - Google Patents

Info

Publication number
CN112486924B
Authority
CN
China
Prior art keywords
file
record item
record
offset
bytes
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011502940.2A
Other languages
Chinese (zh)
Other versions
CN112486924A (en
Inventor
孙丽
李盛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Ruan Niu Technology Group Co ltd
Original Assignee
Shenzhen Ruan Niu Technology Group Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Ruan Niu Technology Group Co ltd filed Critical Shenzhen Ruan Niu Technology Group Co ltd
Priority to CN202011502940.2A priority Critical patent/CN112486924B/en
Publication of CN112486924A publication Critical patent/CN112486924A/en
Application granted granted Critical
Publication of CN112486924B publication Critical patent/CN112486924B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10File systems; File servers
    • G06F16/16File or folder operations, e.g. details of user interfaces specifically adapted to file systems
    • G06F16/162Delete operations
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10File systems; File servers
    • G06F16/17Details of further file system functions
    • G06F16/1734Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Human Computer Interaction (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

One or more embodiments of the present specification provide a method, device and electronic device for searching for file deletion time in NTFS. The $Logfile file of the file system is located, the record items in the $Logfile file are sorted, the sorted record items are divided into a plurality of transactions, and the deletion transactions among them are identified. Among the record items of a deletion transaction, the target record item is found based on the redo operation and the undo operation, and the file name and the corresponding file deletion time are extracted from the target record item, thereby determining the deletion time of deleted files in the NTFS file system.

Description

Method and device for searching file deletion time in NTFS, and electronic device
Technical Field
One or more embodiments of the present disclosure relate to the technical field of searching for file deletion time in NTFS, and in particular, to a method, an apparatus, and an electronic device for searching for file deletion time in NTFS.
Background
NTFS is the mainstream file system on Windows. Deleted files on NTFS are currently mostly recovered by searching the $MFT file of the file system. However, even when a deleted file is found this way, only its creation time and modification time can be determined; its deletion time cannot be known. Typically, after a file is deleted, many people do not remember when the file was created or modified, only when it was deleted. Determining the deletion time of a deleted file is therefore important for a user who wishes to restore a mistakenly deleted file.
Disclosure of Invention
In view of this, an object of one or more embodiments of the present disclosure is to provide a method, an apparatus and an electronic device for searching for a deletion time of a file in an NTFS, which can determine a deletion time of a deleted file in an NTFS file system.
In view of the above object, one or more embodiments of the present disclosure provide a method for searching for a file deletion time in an NTFS, including:
Searching for the $Logfile file according to the volume header information of the NTFS;
Parsing the $Logfile file, obtaining the record items in the file, and sorting the record items based on the sequence numbers of the record items;
Dividing the sorted record items into a plurality of transactions;
For each transaction, searching whether the transaction contains a record item whose redo operation is DeallocateFileRecordSegmen, and if so, determining that the transaction is a deletion transaction;
For the record items in each deletion transaction, searching for the target record item whose redo operation is UpdateNonResidentValue and whose undo operation is Noop;
Extracting the file name and the corresponding file deletion time from the target record item.
As an optional embodiment, searching for the $Logfile file according to the volume header information of the NTFS includes:
Locating the position of the $MFT file according to the volume header information of the NTFS;
Looking up the $Logfile file through the $MFT file.
As an optional embodiment, the sequence number consists of the first 8 bytes of the record item.
As an optional embodiment, sorting the record items based on the sequence numbers of the record items includes:
Sorting the record items in ascending order of sequence number.
As an optional embodiment, the sorted record items are divided into a plurality of transactions, where the first record item of each transaction is the record item whose previous sequence number is 0, and the last record item is the record item whose redo operation is ForgetTransaction.
As an optional embodiment, the 8-byte integer starting at offset 8 of each record item is the previous sequence number, and the 2-byte integer at offset 0x30 of each record item is the redo operation value.
As an optional embodiment, the 2-byte integer at offset 0x32 of each record item is the undo operation value.
As an optional embodiment, in the content area of the redo operation of the target record item, the 8 bytes starting at offset 0x20 are the value of the deletion time, and the name of the deleted file or folder starts at offset 0x52.
As a second aspect of the present invention, there is also provided an apparatus for searching for a file deletion time in an NTFS, including:
A first searching unit, configured to search for the $Logfile file according to the volume header information of the NTFS;
A parsing and sorting unit, configured to parse the $Logfile file, obtain the record items in the file, and sort the record items based on the sequence numbers of the record items;
A dividing unit, configured to divide the sorted record items into a plurality of transactions;
A second searching unit, configured to search, for each transaction, whether the transaction contains a record item whose redo operation is DeallocateFileRecordSegmen, and if so, the transaction is a deletion transaction;
A third searching unit, configured to search, among the record items in each deletion transaction, for the target record item whose redo operation is UpdateNonResidentValue and whose undo operation is Noop;
An extracting unit, configured to extract the file name and the corresponding file deletion time from the target record item.
As a third aspect of the invention, there is also provided an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method as described above when executing the program.
From the foregoing, it can be seen that the method, apparatus and electronic device for searching for a file deletion time in an NTFS provided in one or more embodiments of the present disclosure locate the $Logfile file in the file system, sort the record items in the $Logfile file, divide the sorted record items into a plurality of transactions, identify the deletion transactions among them, find the target record item in each deletion transaction based on the redo operation and the undo operation, and extract the file name and the corresponding file deletion time from the target record item, thereby determining the deletion time of a deleted file in the NTFS file system.
Drawings
To describe one or more embodiments of the present description, or the solutions of the prior art, more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. The drawings described below show only one or more embodiments of the present description; a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a logical diagram of a method for finding file delete times in NTFS in accordance with one or more embodiments of the present disclosure;
FIG. 2 is a schematic diagram of an apparatus for searching for file deletion time in NTFS according to one or more embodiments of the present disclosure;
Fig. 3 is a schematic diagram of an electronic device in accordance with one or more embodiments of the present disclosure.
Detailed Description
For the purposes of promoting an understanding of the principles and advantages of the disclosure, reference will now be made to the embodiments illustrated in the drawings and specific language will be used to describe the same.
In order to achieve the above object, the present invention provides a method for searching for file deletion time in NTFS, including:
Searching for the $Logfile file according to the volume header information of the NTFS;
Parsing the $Logfile file, obtaining the record items in the file, and sorting the record items based on the sequence numbers of the record items;
Dividing the sorted record items into a plurality of transactions;
For each transaction, searching whether the transaction contains a record item whose redo operation is DeallocateFileRecordSegmen, and if so, determining that the transaction is a deletion transaction;
For the record items in each deletion transaction, searching for the target record item whose redo operation is UpdateNonResidentValue and whose undo operation is Noop;
Extracting the file name and the corresponding file deletion time from the target record item.
In this embodiment of the invention, the $Logfile file of the file system is located and its record items are sorted; the sorted record items are divided into a plurality of transactions; the deletion transactions among them are identified; within each deletion transaction the target record item is found based on the redo operation and the undo operation; and the file name and the corresponding file deletion time are extracted from the target record item, thereby determining the deletion time of deleted files in the NTFS file system.
As shown in fig. 1, the present invention provides a method for searching for file deletion time in NTFS, including:
S100, searching for the $Logfile file according to the volume header information of the NTFS.
Optionally, searching for the $Logfile file according to the volume header information of the NTFS includes:
Locating the position of the $MFT file according to the volume header information of the NTFS;
Looking up the $Logfile file through the $MFT file.
S200, parsing the $Logfile file, obtaining the record items in the file, and sorting the record items based on the sequence numbers (lsn) of the record items.
The sequence number lsn consists of the first 8 bytes of the record item.
The record items are sorted in ascending order of sequence number.
A record item (record) is one operation on an NTFS metafile.
S300, dividing the sorted record items into a plurality of transactions.
A transaction consists of a plurality of record items.
An application may use Transactional NTFS to group a series of changes to files into one transaction. The transaction ensures that all changes either take effect together or are invalidated together, and that external applications cannot learn of any change until the transaction commit is complete.
The first record item of each transaction is the record item whose previous sequence number (pre lsn) is 0, and the last record item is the record item whose redo operation is ForgetTransaction (value 27).
The redo operation is the operation performed on the current record item.
Each record item stores the sequence number lsn of the current record item and the sequence number of the record item immediately preceding it, noted as the previous sequence number pre lsn.
The first record item of each transaction has no preceding record item, so its previous sequence number pre lsn is 0.
The 8-byte integer starting at offset 8 of each record item is the previous sequence number pre lsn, and the 2-byte integer at offset 0x30 of each record item is the redo operation value.
S400, for each transaction, searching whether the transaction contains a record item whose redo operation is DeallocateFileRecordSegmen (value 3), and if so, determining that the transaction is a deletion transaction.
S500, for the record items in each deletion transaction, searching for the target record item whose redo operation is UpdateNonResidentValue (value 8) and whose undo operation is Noop (value 0).
The undo operation is the operation performed to revoke the current record item. In each record item, the 2 bytes at offset 0x38 represent the offset of the undo operation content, and the 2 bytes at offset 0x40 represent the length of the undo operation content.
The 2-byte integer at offset 0x32 of each record item is the undo operation value; in the content area, the name of the deleted file or folder starts at offset 0x52.
S600, extracting the file name and the corresponding file deletion time from the target record item.
In the content area of the redo operation of the target record item, the 8 bytes starting at offset 0x20 are the deletion time value, and the name of the deleted file or folder starts at offset 0x52.
The 2 bytes at offset 0x34 of the target record item represent the offset of the redo operation content, and the 2 bytes at offset 0x36 represent the length of the redo operation content.
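Steps S200 to S600 above, as an added Python example (not code from the patent), using the offsets and operation values the description gives. Assumptions not stated in the text: the record items have already been carved out of $Logfile, integers are little-endian, the redo content offset is measured from the start of the record item, the deletion time is a Windows FILETIME, and the name is UTF-16LE running to the end of the redo content; the sample records are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets and operation values as given in the description.
OFF_LSN, OFF_REDO_OP = 0x00, 0x30          # lsn, pre lsn at 0x00/0x08; ops at 0x30/0x32
CONTENT_OFF_TIME, CONTENT_OFF_NAME = 0x20, 0x52
OP_NOOP, OP_FORGET_TRANSACTION = 0, 27
OP_DEALLOCATE = 3             # "DeallocateFileRecordSegmen" in the description
OP_UPDATE_NONRESIDENT = 8     # UpdateNonResidentValue
MIN_RECORD = 0x38             # header must reach the redo length field at 0x36
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # assumption: FILETIME

def parse_header(rec):
    """Read the fixed fields of one record item; None if it is too short."""
    if len(rec) < MIN_RECORD:
        return None
    lsn, prev_lsn = struct.unpack_from("<QQ", rec, OFF_LSN)
    # redo op 0x30, undo op 0x32, redo content offset 0x34, redo content length 0x36
    redo, undo, redo_off, redo_len = struct.unpack_from("<HHHH", rec, OFF_REDO_OP)
    return {"lsn": lsn, "prev_lsn": prev_lsn, "redo": redo, "undo": undo,
            "redo_off": redo_off, "redo_len": redo_len, "raw": rec}

def split_transactions(records):
    """S200 + S300: sort by sequence number, then cut into transactions."""
    items = sorted(filter(None, map(parse_header, records)), key=lambda h: h["lsn"])
    transactions, current = [], None
    for item in items:
        if item["prev_lsn"] == 0:
            current = []              # start marker; drops an unterminated run
        if current is None:
            continue                  # record item outside any transaction
        current.append(item)
        if item["redo"] == OP_FORGET_TRANSACTION:
            transactions.append(current)
            current = None
    return transactions

def extract_deletion(item):
    """S600: pull (name, deletion time) out of the redo content area."""
    start, end = item["redo_off"], item["redo_off"] + item["redo_len"]
    if end > len(item["raw"]) or item["redo_len"] <= CONTENT_OFF_NAME:
        return None                   # content truncated or too short for a name
    content = item["raw"][start:end]
    (filetime,) = struct.unpack_from("<Q", content, CONTENT_OFF_TIME)
    try:
        deleted_at = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    except OverflowError:
        return None                   # value is not a representable timestamp
    name_bytes = content[CONTENT_OFF_NAME:]
    name_bytes = name_bytes[:len(name_bytes) & ~1]    # whole UTF-16 code units only
    return name_bytes.decode("utf-16-le", errors="replace").rstrip("\x00"), deleted_at

def find_deletions(records):
    """S400 + S500: keep deletion transactions, then their target record items."""
    found = []
    for txn in split_transactions(records):
        if not any(i["redo"] == OP_DEALLOCATE for i in txn):
            continue
        targets = [i for i in txn
                   if i["redo"] == OP_UPDATE_NONRESIDENT and i["undo"] == OP_NOOP]
        found.extend(filter(None, map(extract_deletion, targets)))
    return found

# --- Constructed sample data (not taken from a real volume) ---
def build_record(lsn, prev_lsn, redo, undo, content=b""):
    header = bytearray(0x48)
    struct.pack_into("<QQ", header, OFF_LSN, lsn, prev_lsn)
    struct.pack_into("<HHHH", header, OFF_REDO_OP, redo, undo, len(header), len(content))
    return bytes(header) + content

def build_content(name, when):
    body = bytearray(CONTENT_OFF_NAME)
    ticks = (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    struct.pack_into("<Q", body, CONTENT_OFF_TIME, ticks)
    return bytes(body) + name.encode("utf-16-le")

SAMPLE_DELETED_AT = datetime(2020, 12, 17, 8, 30, tzinfo=timezone.utc)
SAMPLE_RECORDS = [                    # deliberately out of order
    build_record(203, 202, OP_FORGET_TRANSACTION, OP_NOOP),
    build_record(101, 100, OP_FORGET_TRANSACTION, OP_NOOP),
    build_record(201, 200, OP_UPDATE_NONRESIDENT, OP_NOOP,
                 build_content("report.docx", SAMPLE_DELETED_AT)),
    build_record(100, 0, OP_UPDATE_NONRESIDENT, OP_NOOP,      # transaction without
                 build_content("kept.txt", SAMPLE_DELETED_AT)),  # a deallocation
    build_record(200, 0, OP_DEALLOCATE, OP_NOOP),
    build_record(202, 201, OP_UPDATE_NONRESIDENT, OP_UPDATE_NONRESIDENT,
                 build_content("other", SAMPLE_DELETED_AT)),  # undo is not Noop
    build_record(50, 49, OP_UPDATE_NONRESIDENT, OP_NOOP,
                 build_content("orphan", SAMPLE_DELETED_AT)), # no start marker seen
    b"\x00" * 16,                                             # truncated record item
]

if __name__ == "__main__":
    for name, deleted_at in find_deletions(SAMPLE_RECORDS):
        print(f"{deleted_at.isoformat()}  {name}")
```

Only the record item in the transaction that also contains a DeallocateFileRecordSegmen redo is reported; the look-alike UpdateNonResidentValue/Noop items in the other transaction and outside any transaction are ignored.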
It should be noted that the methods of one or more embodiments of the present description may be performed by a single device, such as a computer or server. The method of the embodiment can also be applied to a distributed scene, and is completed by mutually matching a plurality of devices. In the case of such a distributed scenario, one of the devices may perform only one or more steps of the methods of one or more embodiments of the present description, the devices interacting with each other to accomplish the methods.
It should be noted that the foregoing describes specific embodiments of the present invention. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Corresponding to the method for searching the file deletion time in the NTFS, the present invention further provides a device for searching the file deletion time in the NTFS, as shown in fig. 2, including:
A first searching unit 10, configured to search for the $Logfile file according to the volume header information of the NTFS;
A parsing and sorting unit 20, configured to parse the $Logfile file, obtain the record items therein, and sort the record items based on the sequence numbers of the record items;
A dividing unit 30, configured to divide the sorted record items into a plurality of transactions;
A second searching unit 40, configured to search, for each transaction, whether the transaction contains a record item whose redo operation is DeallocateFileRecordSegmen, and if so, the transaction is a deletion transaction;
A third searching unit 50, configured to search, among the record items in each deletion transaction, for the target record item whose redo operation is UpdateNonResidentValue and whose undo operation is Noop;
An extracting unit 60, configured to extract the file name and the corresponding file deletion time from the target record item.
In this embodiment of the invention, the $Logfile file of the file system is located and its record items are sorted; the sorted record items are divided into a plurality of transactions; the deletion transactions among them are identified; within each deletion transaction the target record item is found based on the redo operation and the undo operation; and the file name and the corresponding file deletion time are extracted from the target record item, thereby determining the deletion time of deleted files in the NTFS file system.
It is noted that unless otherwise defined, technical or scientific terms used in one or more embodiments of the present disclosure should be taken in a general sense as understood by one of ordinary skill in the art to which the present disclosure pertains. The use of the terms "first," "second," and the like in one or more embodiments of the present description does not denote any order, quantity, or importance, but rather the terms "first," "second," and the like are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof, but does not exclude other elements or items.
For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, the functions of each module may be implemented in one or more pieces of software and/or hardware when implementing one or more embodiments of the present description.
Based on the same inventive concept, corresponding to the method of any embodiment, one or more embodiments of the present disclosure further provide an electronic device, including a memory, a processor, and a computer program stored on the memory and capable of running on the processor, where the processor implements the method for searching for file deletion time in the NTFS according to any embodiment when the processor executes the program.
Fig. 3 shows a more specific hardware architecture of an electronic device provided by the present embodiment, which may include a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 implement communication connections therebetween within the device via a bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, etc. for executing related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The memory 1020 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), static storage, dynamic storage, etc. Memory 1020 may store an operating system and other application programs, and when the embodiments of the present specification are implemented in software or firmware, the associated program code is stored in memory 1020 and executed by processor 1010.
The input/output interface 1030 is used to connect with an input/output module for inputting and outputting information. The input/output module may be configured as a component in a device (not shown) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
Communication interface 1040 is used to connect communication modules (not shown) to enable communication interactions of the present device with other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).
Bus 1050 includes a path for transferring information between components of the device (e.g., processor 1010, memory 1020, input/output interface 1030, and communication interface 1040).
It should be noted that although the above-described device only shows processor 1010, memory 1020, input/output interface 1030, communication interface 1040, and bus 1050, in an implementation, the device may include other components necessary to achieve proper operation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may include only the components necessary to implement the embodiments of the present description, and not all the components shown in the drawings.
The electronic device of the foregoing embodiment is configured to implement the method for searching for the file deletion time in the corresponding NTFS in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which is not described herein.
It will be appreciated by persons skilled in the art that the foregoing discussion of any embodiment is merely exemplary and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples, that technical features in the above embodiments or in different embodiments may be combined, that steps may be implemented in any order, and that many other variations of the different aspects of one or more embodiments of the present description as described above exist, which are not provided in detail for clarity.
The present disclosure is intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Any omissions, modifications, equivalents, improvements, and the like, which are within the spirit and principles of the one or more embodiments of the disclosure, are therefore intended to be included within the scope of the disclosure.

Claims (3)

1.一种NTFS中查找文件删除时间的方法,其特征在于,包括:1. A method for searching for file deletion time in NTFS, comprising: 根据NTFS的卷头信息查找$Logfile文件;Find the $Logfile file based on the NTFS volume header information; 解析所述$Logfile文件,获取其中的记录项,并基于所述记录项的序列号将所述记录项排序;Parsing the $Logfile file, obtaining the record items therein, and sorting the record items based on the sequence numbers of the record items; 将排序后的所述记录项划分为多个事务,应用程序使用事务NTFS将一系列对文件的更改归组到一个事务中,以确保所有更改同时生效和同时作废,并确保在事务提交完成前,外部应用程序无法获知任何更改;Divide the sorted record items into multiple transactions, and the application uses transactional NTFS to group a series of changes to the file into one transaction to ensure that all changes are effective and invalidated at the same time, and ensure that external applications cannot be notified of any changes before the transaction is committed; 针对每个事务,查找所述事务中是否有redo操作为DeallocateFileRecordSegmen的记录项,如果有,则所述事务为删除事务,所述DeallocateFileRecordSegmen的redo操作值为3,每个所述记录项的偏移8个字节开始的8个字节组成的整型为上一序列号,每个所述记录项偏移0x30位置的2个字节组成的整型值为redo操作值,目标记录项偏移0x34位置的2个字节表示redo操作内容的偏移,0x36位置的2个字节表示redo操作内容的长度;For each transaction, find out whether there is a record item with redo operation as DeallocateFileRecordSegmen in the transaction. 
If yes, the transaction is a delete transaction, the redo operation value of DeallocateFileRecordSegmen is 3, the 8-byte integer starting from the offset 8 bytes of each record item is the previous sequence number, the 2-byte integer value at the offset 0x30 position of each record item is the redo operation value, the 2 bytes at the offset 0x34 position of the target record item represent the offset of the redo operation content, and the 2 bytes at the 0x36 position represent the length of the redo operation content; 针对每个删除事务中的记录项,查找redo操作为UpdateNonResidentValue,且undo操作为Noop的目标记录项,所述UpdateNonResidentValue的redo操作值为8,所述Noop的undo操作值为0,每个记录项偏移0x32位置的2个字节组成的整型值为undo操作值,每个记录项偏移0x38位置的2个字节表示undo操作内容的偏移,0x40位置的2个字节表示undo操作内容的长度;For each record item in the deletion transaction, search for the target record item whose redo operation is UpdateNonResidentValue and whose undo operation is Noop. The redo operation value of UpdateNonResidentValue is 8, and the undo operation value of Noop is 0. The integer value consisting of the 2 bytes at the offset 0x32 position of each record item is the undo operation value. The 2 bytes at the offset 0x38 position of each record item represent the offset of the undo operation content. The 2 bytes at the offset 0x40 position represent the length of the undo operation content. 从所述目标记录项中提取文件名及对应的文件删除时间,所述目标记录项的redo操作的内容区域中,偏移0x20位置开始的8个字节为删除时间的数值,偏移0x52位置开始为删除的文件或者文件夹的名称;Extract the file name and the corresponding file deletion time from the target record item. In the content area of the redo operation of the target record item, the 8 bytes starting from the offset 0x20 position are the value of the deletion time, and the 8 bytes starting from the offset 0x52 position are the names of the deleted files or folders. 
所述根据NTFS的卷头信息查找$Logfile文件,包括:根据NTFS的卷头信息定位$MFT文件的位置;通过所述$MFT文件查找所述$Logfile文件;The searching for the $Logfile file according to the NTFS volume header information includes: locating the location of the $MFT file according to the NTFS volume header information; searching for the $Logfile file through the $MFT file; 所述序列号由所述记录项的头部8个字节组成;The sequence number is composed of the first 8 bytes of the record item; 所述基于所述记录项的序列号将所述记录项排序,包括:按照所述序列号由小到大的顺序将所述记录项排序;The step of sorting the record items based on the serial numbers of the record items comprises: sorting the record items in ascending order of the serial numbers; 所述将所述记录项序列划分为多个事务,其中,每个事务的第一个记录项为上一序列号为0的记录项,最后一个记录项为redo操作为ForgetTransaction的记录项,所述ForgetTrans action的redo操作值为27。The record item sequence is divided into a plurality of transactions, wherein the first record item of each transaction is a record item with a previous sequence number of 0, and the last record item is a record item with a redo operation of ForgetTransaction, and the redo operation value of the ForgetTransaction action is 27. 2.一种NTFS中查找文件删除时间的装置,其特征在于,包括:2. 
A device for searching file deletion time in NTFS, comprising:

a first search unit, configured to search for the $Logfile file according to the volume header information of NTFS;

a parsing and sorting unit, configured to parse the $Logfile file, obtain the record items therein, and sort the record items based on their sequence numbers, wherein the sequence number consists of the first 8 bytes of the record item, and the record items are sorted in ascending order of sequence number;

a partitioning unit, configured to divide the sorted record items into a plurality of transactions, wherein an application uses transactional NTFS to group a series of changes to files into one transaction, so as to ensure that all changes take effect together or are voided together, and that no external application can learn of any change before the transaction has been committed;

a second search unit, configured to check, for each transaction, whether the transaction contains a record item whose redo operation is DeallocateFileRecordSegmen, and if so, the transaction is a delete transaction, wherein the redo operation value of DeallocateFileRecordSegmen is 3, the integer formed by the 8 bytes starting at offset 8 of each record item is the previous sequence number, the integer formed by the 2 bytes at offset 0x30 of each record item is the redo operation value, the 2 bytes at offset 0x34 of the target record item give the offset of the redo operation content, and the 2 bytes at offset 0x36 give the length of the redo operation content;

a third search unit, configured to search, among the record items of each delete transaction, for a target record item whose redo operation is UpdateNonResidentValue and whose undo operation is Noop, wherein the redo operation value of UpdateNonResidentValue is 8, the undo operation value of Noop is 0, the integer formed by the 2 bytes at offset 0x32 of each record item is the undo operation value, the 2 bytes at offset 0x38 of each record item give the offset of the undo operation content, and the 2 bytes at offset 0x40 give the length of the undo operation content;

an extraction unit, configured to extract a file name and the corresponding file deletion time from the target record item, wherein, in the content area of the redo operation of the target record item, the 8 bytes starting at offset 0x20 are the value of the deletion time, and the name of the deleted file or folder starts at offset 0x52;

wherein searching for the $Logfile file according to the volume header information of NTFS comprises: locating the $MFT file according to the volume header information of NTFS; and finding the $Logfile file through the $MFT file;

and wherein, in dividing the record item sequence into a plurality of transactions, the first record item of each transaction is a record item whose previous sequence number is 0, and the last record item is a record item whose redo operation is ForgetTransaction, the redo operation value of ForgetTransaction being 27.

3. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the method according to claim 1 when executing the program.
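The procedure in the claim above, as an added Python example (not code from the patent or its applicant), run over constructed records. The offsets and operation values are those stated in the claim; little-endian integers, a FILETIME-style time value, a redo offset counted from the start of the record, a name-length byte at 0x50 with a UTF-16LE name, and all function names are assumptions of this example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Operation values as stated in the claim (page spelling: DeallocateFileRecordSegmen).
NOOP, DEALLOCATE_FRS, UPDATE_NONRESIDENT_VALUE, FORGET_TRANSACTION = 0, 3, 8, 27
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # assumption: time is a FILETIME

def u(buf, off, fmt):
    return struct.unpack_from("<" + fmt, buf, off)[0]  # assumption: little-endian

def split_transactions(records):  # sort by LSN (bytes 0-7), then cut into transactions
    txs, cur = [], None
    for rec in sorted(records, key=lambda r: u(r, 0, "Q")):
        if u(rec, 8, "Q") == 0:
            cur = []  # a previous sequence number of 0 opens a transaction
        if cur is None:
            continue  # stray record outside any open transaction
        cur.append(rec)
        if u(rec, 0x30, "H") == FORGET_TRANSACTION:
            txs, cur = txs + [cur], None
    return txs

def find_deletions(records):
    found = []
    for tx in split_transactions(records):
        if not any(u(r, 0x30, "H") == DEALLOCATE_FRS for r in tx):
            continue  # not a delete transaction
        for r in tx:
            if (u(r, 0x30, "H"), u(r, 0x32, "H")) != (UPDATE_NONRESIDENT_VALUE, NOOP):
                continue
            off, length = u(r, 0x34, "H"), u(r, 0x36, "H")
            redo = r[off:off + length]  # assumption: offset counted from record start
            if len(redo) != length or length < 0x52:
                continue  # truncated, or too short to hold the time and name fields
            n = redo[0x50]  # assumption: name length in UTF-16 code units
            name = redo[0x52:0x52 + 2 * n].decode("utf-16-le", "replace")
            found.append((name, EPOCH + timedelta(microseconds=u(redo, 0x20, "Q") // 10)))
    return found

def mk_rec(lsn, prev, redo_op, undo_op, name="", ticks=0):  # builds constructed input
    body = bytearray(0x52) + name.encode("utf-16-le")
    struct.pack_into("<Q", body, 0x20, ticks)
    body[0x50] = len(name)
    hdr = struct.pack("<QQ32xHHHH16x", lsn, prev, redo_op, undo_op, 0x48, len(body))
    return hdr + bytes(body)

T = datetime(2020, 12, 17, 8, 30, tzinfo=timezone.utc)
TICKS = (T - EPOCH) // timedelta(microseconds=1) * 10
SAMPLE = [mk_rec(12, 11, 27, 0), mk_rec(21, 20, 27, 0), mk_rec(10, 0, 3, 0),  # unsorted
          mk_rec(11, 10, 8, 0, "secret.docx", TICKS), mk_rec(20, 0, 8, 0, "kept.txt", TICKS)]
```

The second constructed transaction (sequence numbers 20 and 21) also contains an UpdateNonResidentValue/Noop record, but it is not reported because that transaction has no DeallocateFileRecordSegmen record.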
CN202011502940.2A 2020-12-17 2020-12-17 A method, device and electronic device for searching file deletion time in NTFS Active CN112486924B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011502940.2A CN112486924B (en) 2020-12-17 2020-12-17 A method, device and electronic device for searching file deletion time in NTFS

Publications (2)

Publication Number Publication Date
CN112486924A CN112486924A (en) 2021-03-12
CN112486924B true CN112486924B (en) 2024-12-10

Family

ID=74914121

Country Status (1)

Country Link
CN (1) CN112486924B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105740103A (en) * 2016-02-02 2016-07-06 厦门市美亚柏科信息股份有限公司 NTFS (New Technology File System) deletion file recovery method and device based on log

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6856993B1 (en) * 2000-03-30 2005-02-15 Microsoft Corporation Transactional file system
US8145686B2 (en) * 2005-05-06 2012-03-27 Microsoft Corporation Maintenance of link level consistency between database and file system
CN101937377B (en) * 2009-06-29 2014-10-22 百度在线网络技术(北京)有限公司 Data recovery method and device
CN102426581B (en) * 2011-09-20 2017-08-11 奇智软件(北京)有限公司 A kind of method and device for generating previewing file
CN102508855A (en) * 2011-09-28 2012-06-20 北京安天电子设备有限公司 Method and device for quickly clearing data in storage medium
CN105488187A (en) * 2015-12-02 2016-04-13 北京四达时代软件技术股份有限公司 Method and device for extracting multi-source heterogeneous data increment
CN106126486B (en) * 2016-06-30 2019-03-08 童晓冲 Time information encoding method, encoded value retrieval method, decoding method and device
CN107832352B (en) * 2017-10-23 2022-01-04 中国银行股份有限公司 Log automatic processing method, device, storage medium and equipment
CN110908885B (en) * 2019-11-21 2022-08-05 苏州浪潮智能科技有限公司 Log collection method and device and related components
CN111581163B (en) * 2020-05-12 2022-03-08 山东省计算中心(国家超级计算济南中心) Data traceless deletion method and system based on NTFS (New technology File System)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Country or region after: China

Address after: 1301-1310, Building 2, Jinlitong Financial Center Building, No. 1100 Xingye Road, Haiwang Community, Xin'an Street, Bao'an District, Shenzhen City, Guangdong Province

Applicant after: Shenzhen Ruan Niu Technology Group Co.,Ltd.

Address before: No. 15-3 Haitian Road, Building C, Excellence Times Square, N23 Haiwang Community, Xin'an Street, Bao'an District, Shenzhen City, Guangdong Province, China 2903

Applicant before: AFIRSTSOFT CO.,LTD.

Country or region before: China

GR01 Patent grant