Journal: 《刑事技术》

Research on Data Recovery Methods for NTFS-Formatted Storage Devices

         

Abstract

Objective: To study three data recovery approaches for NTFS storage devices, test and compare their recovery results, and support the examination of electronic evidence. Methods: For the same NTFS storage device, a self-designed NTFS log examination tool was used to test recovery based on the NTFS log file, the quick scan function of Final Data was used to test recovery based on MFT records, and the full scan function of Final Data was used to test recovery based on the characteristic values stored in file headers. The recovery results of the three approaches were compared and their recovery principles analyzed. Results: The approaches based on the NTFS log and on MFT records recovered more complete information in less time, but are not suitable for recovering files deleted a relatively long time ago. The approach based on file-header characteristic values can recover files deleted a relatively long time ago, but it takes a long time, cannot recover information such as file names and creation times, and cannot effectively recover files stored non-contiguously. Conclusion: Combining the three approaches according to the actual situation allows data to be recovered effectively.

Objective: In practice, files often go unrecovered because the wrong recovery tool was chosen or because restoration methods vary. In this paper, three data recovery modes for NTFS storage devices were analyzed, and their effects were tested and compared. Methods: For the same NTFS storage device, we used NTFS log inspection software developed in previous research to test recovery based on the NTFS log file, the quick scan function of Final Data to test recovery based on the MFT, and the full scan function of Final Data to test recovery based on characteristic values. Finally, we compared the effects of the three choices and analyzed their recovery principles. Results: The recovery choices based on the NTFS log file and the MFT obtained comprehensive information but were not suitable for files deleted long before. The recovery choice based on characteristic values performed poorly at restoring non-contiguous files, file names and file creation times, but it could restore files deleted long before, albeit at the cost of more time. Conclusions: The three methods can be applied in casework when used in combination.
