Forensic analysis method and system for document files

摘要

The present invention relates to a forensic analysis method and a system for document files. The forensic analysis method comprises the following steps: a file receiving step receiving a file which is an object to be forensically analyzed; a file area checking step checking if there is a normal area or an unassigned area in the received file; a file searching step searching a compound document file in the normal or unassigned areas; a verifying step verifying the compound document file; and a data restoring step restoring data in the unassigned area of the compound document file. The forensic analysis method and system for document file can restore data stored in a damaged compound document file or an unassigned area of a damaged compound document file in which data is not assigned. [Reference numerals] (AA) Start; (BB) Receiving a file for performing forensic analysis; (CC) Mounted storage device; (DD) File/directory; (EE) Dump file in the unassigned area of a file; (FF) End; (S121) Kind of the file?; (S122) Analyzing a file system for determining into a normal area or the unassigned area; (S123) Received file is determined to be at the unassigned area; (S124) Received file is determined to be at the normal area; (S130) Searching a compound document file present in the normal area or unassigned area of the file; (S140) Validation for the searched compound document file is performed; (S150) Restoring of data in the unassigned area of the compound document file