CN100353329C - Method for recovering deleted file of FAT32 partition - Google Patents
Method for recovering deleted file of FAT32 partition Download PDFInfo
- Publication number
- CN100353329C CN100353329C CNB2005101003031A CN200510100303A CN100353329C CN 100353329 C CN100353329 C CN 100353329C CN B2005101003031 A CNB2005101003031 A CN B2005101003031A CN 200510100303 A CN200510100303 A CN 200510100303A CN 100353329 C CN100353329 C CN 100353329C
- Authority
- CN
- China
- Prior art keywords
- file
- data
- deleted
- low
- document
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The present invention relates to the technical field of computer principles, particularly to a method for recovering deleted files. A method for recovering the deleted files of an FAT32 partition comprises the following steps: A, analyzing a catalog item of the deleted file in the partition to obtain low 16 bit information of a data initial cluster; B, obtaining an expansion name of the deleted file; C, reading a disc position pointed by the low 16 bits of the initial cluster in the catalog item of the deleted file and arranging high 16 bits to be zero; D, obtaining a sector pointed by the low 16 bits of the file initial cluster and the assumed high 16 bits, and reading the sector; E, determining whether maximum sector number presented by the partition is exceeded or not; F, judging whether matching data is matched to a file type of the deleted file or not; G, adding one to the high 16 bits at the initial position of the cluster, remaining the low bits unchanged, and entering the step D; H, exiting. The present invention can accurately recover the deleted files of the FAT32 partition.
Description
Technical field
The present invention relates to computer realm, particularly a kind of method of recovering deleted document of counting.
Background technology
FAT32 directory entry structure as shown in Figure 1.Windows is when carrying out file operation, according to this structural orientation file data.During the file of a FAT32 Logical Disk of deletion, at first the first byte with filename is labeled as deleted marker, then high 16 of file data starting cluster is revised as 0, carries out the processing that the space discharges at last in the Windows system.The structure of the directory entry in the FAT32 subregion behind the file delete as shown in Figure 2.When file is deleted in the FAT32 subregion, high 16 bit data of describing its starting cluster are by clear 0, though low 16 that describe its data starting cluster is correct, the data structure in the remaining directory entry of most applications after according to file delete can not correctly find the position of file data.Can only correctly navigate to high 16 of file data starting cluster according to this remnants directory entry was exactly 0 situation originally, can learn by following calculating, this situation may be: 1, bunch size of FAT32 Logical Disk is 32K, and the deleted file data are positioned within the 2G of Logical Disk; 2, bunch size of FAT32 Logical Disk is 16K, and the deleted file data are positioned within the 1G of Logical Disk.
When 1, bunch size of FAT32 Logical Disk is 32K:
Size=0xFFFF bunch of representing of the multipotency of 32 bunches reference position * 32K/ bunch=2097120K
When 2, bunch size of FAT32 Logical Disk is 16K:
Size=0xFFFF bunch of representing of the multipotency of 16 bunches reference position * 16K/ bunch=1048560K
Certainly, by that analogy, bunch size of FAT32 Logical Disk is 64K, and the problems referred to above or the like are also arranged when the deleted file data are positioned within the 4G of Logical Disk.Decide during bunch size format subregion, bunch size is big more, the space of waste is also big more, but file access speed can be fast, Windows file system general acquiescence when format FAT32 subregion is selected 16K size or 32K size, and with the situation of 16K size (generally determining according to total size of subregion) in the majority, so the file in the FAT32 Logical Disk is deleted, if its data are positioned at the 2G (situation 1) of subregion or 1G (situation 2) when above, the recovery of file becomes a difficult problem.
Summary of the invention
Technical matters to be solved by this invention is, a kind of method of effective recovery FAT32 subregion deleted document is provided.
Technical matters to be solved by this invention is achieved by the following technical solution:
A kind of method of recovering FAT32 subregion deleted document, it comprises the steps:
A) analyze deleted document directory entry in the subregion, obtain low 16 information of deleted document directory entry data starting cluster;
B) from low 16 information of above-mentioned deleted document directory entry data starting cluster, obtain the extension name of this deleted document;
C) read the disk position of low 16 indications of above-mentioned starting cluster in this document directory entry, high 16 with starting cluster in the file directory item are made as 0 then;
D) read file starting cluster low 16 and high 16 the indication sectors of supposition;
E) judge whether to exceed the maximum fan area code that this section post can be represented,, otherwise enter f if jump to step h;
F) judge that whether data that coupling reads from sector described in the steps d are complementary with the file type of deleted document, if these data of coupling explanation may be the data of this document, get these data and save as file, thereby realize that file recovers, and jumps to step h; These data of explanation are not the data of this document if match, and jump to step g;
G) high 16 of the reference position of starting cluster add 1, and low 16 invariant positions enter steps d;
H) withdraw from.
Whether the present invention utilizes a scan cycle and file layout to judge the mode that combines, mate by judging the file type sign in file type and the data in magnetic disk, determines whether these data belong to this file data.Can accurately recover FAT32 subregion deleted document, when the identical file of a plurality of file layouts is arranged in the scanning result (it is very little this situation probability to occur), but the artificial judgment screening.
Description of drawings
Fig. 1 is a FAT32 directory entry structural drawing;
Fig. 2 is the FAT32 directory entry structural drawing behind the deleted file;
Fig. 3 is the method flow diagram of the multiple FAT32 subregion deleted document of the present invention.
Embodiment
The inventive method is by judging that whether the file type sign in file type and the data in magnetic disk mates, and determines whether these data belong to this file data.Concrete steps are as follows:
1. the deleted document directory entry in the analysis subregion obtains low 16 information of its data starting cluster;
2. obtain the extension name of this deleted document;
3. read the disk position of low 16 indications of starting cluster in this document directory entry, be made as 0 high 16;
4. read file starting cluster low 16 and high 16 the indication sectors of supposition, read this sector;
5. judge whether to have exceeded the maximum fan area code that this section post can be represented, if jump to step 8;
6. judge that whether these data of coupling are complementary with the file type of deleted document, if these data of coupling explanation may be the data of this document, get these data and save as file, thereby realize that file recovers.These data of explanation are not the data of this document if match, and jump to step 7;
7. high 16 of bunch reference position add 1, and low invariant position enters step 4;
8. withdraw from.
Because most of files all have a specific file type sign, these signs refer generally to several characters that file starts most, file header such as files such as executable file EXE, the DLL of windows, VXD is character string " MZ ", and the file header of the pdf document of Adobe company is a character string " %PDF " etc.But the file mark of some minority file is not the several characters that start most at file yet, but particular offset position hereof occurs.These signs are often used for determining whether file layout is correct, and whether file damages etc.
Whether the present invention utilizes a scan cycle and file layout to judge the mode that combines, mate by type and the sign of the file type in the data in magnetic disk of judging pre-recovery file, determines whether these data belong to this file data.Can accurately recover FAT32 subregion deleted document, when the identical file of a plurality of file layouts is arranged in the scanning result (it is very little this situation probability to occur), but the artificial judgment screening.
The present invention also has some other distortion or improvement.If those skilled in the art are subjected to the change or the improvement of the conspicuous unsubstantiality that inspiration of the present invention makes, all belong to the protection domain of claims of the present invention.
Claims (3)
1, a kind of method of recovering FAT32 subregion deleted document is characterized in that, comprises the steps:
A. analyze the deleted document directory entry in the subregion, obtain low 16 information of deleted document directory entry data starting cluster;
B. from low 16 information of above-mentioned deleted document directory entry data starting cluster, obtain the extension name of this deleted document;
C. read the disk position of low 16 indications of above-mentioned starting cluster in this document directory entry, high 16 with starting cluster in the file directory item are made as 0 then;
D. read file starting cluster low 16 and high 16 the indication sectors of supposition;
E. judge whether to have exceeded the maximum fan area code that this section post can be represented,, otherwise enter f if jump to step h;
F. judge that whether data that coupling reads from sector described in the steps d are complementary with the file type of deleted document, if these data of coupling explanation may be the data of this document, get these data and save as file, thereby realize that file recovers, and jumps to step h; These data of explanation are not the data of this document if match, and jump to step g;
G. high 16 of the reference position of starting cluster add 1, and low 16 invariant positions enter steps d;
H. withdraw from.
2, the method for recovery according to claim 1 FAT32 subregion deleted document is characterized in that, when the result obtains a plurality of file identical with desire recovery file type, screens by artificial judgment at last.
3, the method for recovery according to claim 1 FAT32 subregion deleted document is characterized in that, the starting cluster of described deleted document high 16 greater than 0.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2005101003031A CN100353329C (en) | 2005-10-17 | 2005-10-17 | Method for recovering deleted file of FAT32 partition |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2005101003031A CN100353329C (en) | 2005-10-17 | 2005-10-17 | Method for recovering deleted file of FAT32 partition |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1773462A CN1773462A (en) | 2006-05-17 |
| CN100353329C true CN100353329C (en) | 2007-12-05 |
Family
ID=36760454
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2005101003031A Active CN100353329C (en) | 2005-10-17 | 2005-10-17 | Method for recovering deleted file of FAT32 partition |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100353329C (en) |
Families Citing this family (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100454304C (en) * | 2006-07-28 | 2009-01-21 | 珠海金山软件股份有限公司 | Method for searching deleted document from assigned catalogue in FAT volume |
| CN100386763C (en) * | 2006-07-28 | 2008-05-07 | 珠海金山软件股份有限公司 | Method for searching deleted files in given table content in NTFS volumn |
| CN100407159C (en) * | 2006-08-01 | 2008-07-30 | 珠海金山软件股份有限公司 | Method for recovering files deleted from FAT32 document system |
| CN100446000C (en) * | 2006-08-16 | 2008-12-24 | 珠海金山软件股份有限公司 | Method for re-setting up catalogue structure and restoring data in FAI volume |
| CN100423002C (en) * | 2006-09-19 | 2008-10-01 | 珠海金山软件股份有限公司 | Method for deleting files in FAT roll |
| CN100454307C (en) * | 2006-09-19 | 2009-01-21 | 珠海金山软件股份有限公司 | Method for completely crashing file data in FAT roll |
| CN101937377B (en) * | 2009-06-29 | 2014-10-22 | 百度在线网络技术(北京)有限公司 | Data recovery method and device |
| CN102360318B (en) * | 2011-09-27 | 2013-07-31 | 深圳万兴信息科技股份有限公司 | Recovery method and device of deleted files in FAT (File Allocation Table) file system |
| CN102609531B (en) * | 2012-02-14 | 2015-05-06 | 北京鼎普科技股份有限公司 | Method for pegging files according to keywords |
| CN102937926B (en) * | 2012-10-30 | 2015-05-20 | 厦门市美亚柏科信息股份有限公司 | Method and device for recovering deleted sqlite files on mobile terminal |
| CN104331348A (en) * | 2014-11-27 | 2015-02-04 | 四川效率源信息安全技术有限责任公司 | Method for recovering file by reducing initial cluster number of FAT32 directory entry |
| CN104462433B (en) * | 2014-12-17 | 2017-11-10 | 四川效率源信息安全技术股份有限公司 | A kind of method of recovery FAT32 partition datas |
| CN109710455B (en) * | 2018-11-22 | 2020-09-22 | 厦门市美亚柏科信息股份有限公司 | Deleted file recovery method and system based on FAT32 file system |
| CN109614370B (en) * | 2018-11-28 | 2021-11-09 | 万兴科技股份有限公司 | Disk file scanning method and device, computer equipment and storage medium |
| CN109582501B (en) * | 2018-11-28 | 2021-09-03 | 万兴科技股份有限公司 | File recovery method and device, computer equipment and storage medium |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPH08227372A (en) * | 1995-02-20 | 1996-09-03 | Canon Inc | Data processor |
-
2005
- 2005-10-17 CN CNB2005101003031A patent/CN100353329C/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPH08227372A (en) * | 1995-02-20 | 1996-09-03 | Canon Inc | Data processor |
Non-Patent Citations (2)
| Title |
|---|
| WIN2003 FAT32格式文件定位机理剖析与应用技术 孙维连,胡佳山,秦凡江.佳木斯大学学报(自然科学版),第23卷第3期 2005 * |
| 亡羊补牢 为时不晚 恢复硬盘数据 新电脑,第5期 2003 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN1773462A (en) | 2006-05-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN100353329C (en) | Method for recovering deleted file of FAT32 partition | |
| CN102243699B (en) | Malicious code detection method and system | |
| US9690788B2 (en) | File type recognition analysis method and system | |
| US5448474A (en) | Method for isolation of Chinese words from connected Chinese text | |
| CN100446000C (en) | Method for re-setting up catalogue structure and restoring data in FAI volume | |
| CN100407159C (en) | Method for recovering files deleted from FAT32 document system | |
| CN101354715A (en) | Systems, methods and computer program products for operating a data processing system | |
| US7602972B1 (en) | Method and apparatus for identifying white space tables within a document | |
| CN110309019B (en) | Method for rapidly recovering and extracting deleted files in APFS (advanced persistent file system) | |
| CN109241780B (en) | Method, device and equipment for detecting hidden information of image | |
| EP1973043A1 (en) | Method for inserting and playing a slide in a file | |
| US9613089B2 (en) | Form template refactoring | |
| CN106354746B (en) | Search method and search device | |
| EP3312740B1 (en) | Data search program, data search device, and data search method | |
| CN103870364B (en) | A kind of final version restoration methods of YAFFS2 files based on timestamp | |
| CN110287338B (en) | Industry hotspot determination method, device, equipment and medium | |
| CN102662981B (en) | Windows recycle bin delete record forensics method based on feature scan | |
| US20050235234A1 (en) | Method and computer program for verifying an incremental change to an integrated circuit design | |
| US8615522B2 (en) | Computing device, storage medium and method for outputting dimension data using the computing device | |
| US9009026B2 (en) | Information processing apparatus, non-transitory computer readable medium storing information processing program, and information processing method | |
| JP4734400B2 (en) | Document search apparatus and program | |
| CN108132971B (en) | Analysis method and device for database fragment files | |
| US6357002B1 (en) | Automated extraction of BIOS identification information for a computer system from any of a plurality of vendors | |
| CN110457239B (en) | Method for extracting solid state disk basic key | |
| CN104200163A (en) | Virus detection method and virus detection engine |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee | ||
| CP01 | Change in the name or title of a patent holder |
Address after: Jinshan computer Building No. 8 Jingshan Hill Road, Lane 519015 Zhuhai Jida Lianshan Guangdong city of Zhuhai Province Patentee after: Zhuhai Kingsoft Software Co.,Ltd. Address before: Jinshan computer Building No. 8 Jingshan Hill Road, Lane 519015 Zhuhai Jida Lianshan Guangdong city of Zhuhai Province Patentee before: Zhuhai Kingsoft Software Co.,Ltd. |
|
| ASS | Succession or assignment of patent right |
Owner name: KINGSOFT CORPORATION LIMITED Free format text: FORMER OWNER: ZHUHAI KINGSOFT SOFTWARE CO., LTD. Effective date: 20140901 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: ADDRESS; FROM: 519015 ZHUHAI, GUANGDONG PROVINCE TO: 100085 HAIDIAN, BEIJING |
|
| TR01 | Transfer of patent right |
Effective date of registration: 20140901 Address after: Kingsoft No. 33 building, 100085 Beijing city Haidian District Xiaoying Road Patentee after: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. Address before: Jinshan computer Building No. 8 Jingshan Hill Road, Lane 519015 Zhuhai Jida Lianshan Guangdong city of Zhuhai Province Patentee before: Zhuhai Kingsoft Software Co.,Ltd. |
|
| EE01 | Entry into force of recordation of patent licensing contract |
Application publication date: 20060517 Assignee: Zhuhai Kingsoft Software Co.,Ltd. Assignor: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd. Contract record no.: 2014990000778 Denomination of invention: Method for recovering deleted file of FAT32 partition Granted publication date: 20071205 License type: Common License Record date: 20140926 |
|
| LICC | Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model |