CN105868056B - Method, apparatus and secure virtual machine for obtaining deleted files in a Windows virtual machine - Google Patents


Info

Publication number
CN105868056B
Authority
CN
China
Prior art keywords
virtual machine
deleted document
deleted
information
document
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610214439.3A
Other languages
Chinese (zh)
Other versions
CN105868056A (en
Inventor
党艳平
李健波
陈红逵
潘学树
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing VRV Software Corp Ltd
Original Assignee
Beijing VRV Software Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing VRV Software Corp Ltd filed Critical Beijing VRV Software Corp Ltd
Priority to CN201610214439.3A priority Critical patent/CN105868056B/en
Publication of CN105868056A publication Critical patent/CN105868056A/en
Application granted granted Critical
Publication of CN105868056B publication Critical patent/CN105868056B/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1446 Point-in-time backing up or restoration of persistent data
    • G06F11/1458 Management of the backup or restore process
    • G06F11/1469 Backup restoration techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present invention discloses a method, an apparatus and a secure virtual machine for obtaining deleted files in a Windows virtual machine. The method includes: after receiving a security check request message carrying the identifier of a target virtual machine, mounting the Recycle Bin record files of the target virtual machine into a preset secure virtual machine; sending the security check request message to the secure virtual machine, so that the secure virtual machine loads the Recycle Bin record files of the target virtual machine into memory and analyzes them to obtain information about the deleted files in the target virtual machine; receiving a security check response message sent by the secure virtual machine, the response message carrying the information about the deleted files in the target virtual machine; and, based on that information, obtaining the deleted files from the target virtual machine. By analyzing the Windows Recycle Bin record files, the invention obtains the information about deleted files and thereby the deleted files themselves, without depending on the running state of Windows in the virtual machine.

Description

Method, apparatus and secure virtual machine for obtaining deleted files in a Windows virtual machine
Technical field
The present invention relates to the field of virtual machine technology, and in particular to a method, an apparatus and a secure virtual machine for obtaining deleted files in a Windows virtual machine.
Background
Virtual machine technology is defined as the software-simulated implementation of hardware devices. A virtual machine is a complete computer system that is simulated in software, has the functions of a complete hardware system and runs in a completely isolated environment.
A cloud computing system offers users a way to reduce operating costs: instead of spending heavily on hardware, a user can achieve the effect of running multiple physical machines simply by using virtual machines.
A cloud computing system includes cloud terminals, hosts and a cloud management server. A cloud terminal may be a networked computer such as a desktop computer, a laptop or a tablet. A host may be a network-side server that provides storage space, software and other computing functions to cloud terminals; multiple virtual machines can be deployed on a host. The cloud management server may be a network-side server that provides services such as user management and key management. The hosts and the cloud management server are together also called the cloud platform. A user logs in to the cloud platform remotely through a cloud terminal and, once the user's identity has been authenticated, can use the functions of the virtual machines on the host.
When security risk checks are performed on the multiple virtual machines deployed on a host, recovering and inspecting the deleted files in a virtual machine is an important means of assessing the security level of that virtual machine.
A Windows virtual machine is a virtual machine on which the Windows operating system (hereinafter "Windows") is installed. Windows deletes files in one of two ways: ordinary deletion and permanent deletion. In ordinary deletion, Windows moves the file into the Recycle Bin, where the user can see the deleted file and restore it. In permanent deletion, Windows removes the file completely, and the deleted file cannot be restored through Windows. This document addresses only the case of ordinary deletion.
On a conventional computer with Windows installed, information about the files Windows has deleted is obtained through interfaces provided by Windows. These interfaces include Windows application programming interfaces (APIs), applications, commands and the like. The same approach also applies to Windows virtual machines.
The existing methods for obtaining deleted files in a Windows virtual machine have the following problems:
1. The prior art depends on the running state of Windows in the Windows virtual machine under inspection.
The prior art can obtain information about deleted files only while Windows is running in the Windows virtual machine under inspection.
2. The prior art depends on the interfaces provided by Windows.
For virtual machines on which a non-Windows operating system is installed, the prior art cannot be used.
Summary of the invention
In view of the above problems, the present invention proposes a method, an apparatus and a secure virtual machine for obtaining deleted files in a Windows virtual machine that overcome the above problems or at least partially solve them.
To this end, in a first aspect, the present invention proposes a method for obtaining deleted files in a Windows virtual machine, including:
after receiving a security check request message carrying the identifier of a target Windows virtual machine, mounting the Recycle Bin record files of the target Windows virtual machine into a preset secure virtual machine;
sending the security check request message to the secure virtual machine, so that the secure virtual machine loads the Recycle Bin record files of the target Windows virtual machine into memory and analyzes them to obtain information about the deleted files in the target Windows virtual machine;
receiving a security check response message sent by the secure virtual machine, the security check response message carrying the information about the deleted files in the target Windows virtual machine;
based on the information about the deleted files in the target Windows virtual machine, obtaining the deleted files from the Windows virtual machine.
Optionally, the information about a deleted file includes attribute information of the deleted file and index information of the deleted file, where the index information indicates the storage path of the raw data of the deleted file;
the obtaining of the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine includes:
based on the index information of the deleted file, obtaining the raw data of the deleted file from the Windows virtual machine;
merging the attribute information of the deleted file with the raw data of the deleted file to obtain the deleted file.
Optionally, after the deleted files are obtained from the Windows virtual machine, the method further includes:
unmounting the Recycle Bin record files of the target Windows virtual machine that were mounted in the secure virtual machine.
In a second aspect, the present invention further provides an apparatus for obtaining deleted files in a Windows virtual machine, including:
a mounting unit, configured to mount the Recycle Bin record files of a target Windows virtual machine into a preset secure virtual machine after a security check request message carrying the identifier of the target Windows virtual machine is received;
a sending unit, configured to send the security check request message to the secure virtual machine, so that the secure virtual machine loads the Recycle Bin record files of the target Windows virtual machine into memory and analyzes them to obtain information about the deleted files in the target Windows virtual machine;
a receiving unit, configured to receive a security check response message sent by the secure virtual machine, the security check response message carrying the information about the deleted files in the target Windows virtual machine;
an obtaining unit, configured to obtain the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine.
Optionally, the information about a deleted file includes attribute information of the deleted file and index information of the deleted file, where the index information indicates the storage path of the raw data of the deleted file;
the obtaining unit is configured to obtain the raw data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and to merge the attribute information of the deleted file with the raw data of the deleted file to obtain the deleted file.
Optionally, the apparatus further includes:
an unmounting unit, configured to unmount the Recycle Bin record files of the target Windows virtual machine that were mounted in the secure virtual machine, after the obtaining unit has obtained the deleted files from the Windows virtual machine.
In a third aspect, the present invention further provides a method for obtaining deleted files in a Windows virtual machine, including:
after receiving a security check request message that is sent by a cloud management server and carries the identifier of a target Windows virtual machine, loading the previously mounted Recycle Bin record files of the target Windows virtual machine into memory and analyzing them to obtain information about the deleted files in the target Windows virtual machine;
sending a security check response message to the cloud management server, the security check response message carrying the information about the deleted files in the target Windows virtual machine, so that the cloud management server obtains the deleted files from the Windows virtual machine based on that information.
Optionally, the sending of the security check response message to the cloud management server, the security check response message carrying the information about the deleted files in the target Windows virtual machine so that the cloud management server obtains the deleted files from the Windows virtual machine based on that information, includes:
sending a security check response message to the cloud management server, the security check response message carrying the attribute information and the index information of the deleted files in the target Windows virtual machine, where the index information of a deleted file indicates the storage path of the raw data of the deleted file, so that the cloud management server obtains the raw data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the raw data of the deleted file to obtain the deleted file.
In a fourth aspect, the present invention further provides a secure virtual machine, including:
a processing unit, configured to load the previously mounted Recycle Bin record files of a target Windows virtual machine into memory and analyze them, after receiving a security check request message that is sent by a cloud management server and carries the identifier of the target Windows virtual machine, to obtain information about the deleted files in the target Windows virtual machine;
a sending unit, configured to send a security check response message to the cloud management server, the security check response message carrying the information about the deleted files in the target Windows virtual machine, so that the cloud management server obtains the deleted files from the Windows virtual machine based on that information.
Optionally, the sending unit is configured to send a security check response message to the cloud management server, the security check response message carrying the attribute information and the index information of the deleted files in the target Windows virtual machine, where the index information of a deleted file indicates the storage path of the raw data of the deleted file, so that the cloud management server obtains the raw data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the raw data of the deleted file to obtain the deleted file.
Compared with the prior art, the method and apparatus proposed by the present invention for obtaining deleted files in a Windows virtual machine obtain information about the files deleted by Windows by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered, i.e. the deleted files can be obtained, without depending on the running state of Windows in the Windows virtual machine under inspection. In particular, they are applicable to a Windows virtual machine that is powered off (i.e. an offline Windows virtual machine).
Further, because the method and apparatus proposed by the present invention obtain information about the files deleted by Windows by analyzing the content of the Windows Recycle Bin record files and thereby recover the content of the deleted files, they do not depend on the interfaces provided by Windows and are applicable to virtual machines on which a non-Windows operating system is installed.
Brief description of the drawings
Fig. 1 is a flow chart of a method for obtaining deleted files in a Windows virtual machine provided by the first embodiment of the present invention;
Fig. 2 is a structural diagram of an apparatus for obtaining deleted files in a Windows virtual machine provided by the second embodiment of the present invention;
Fig. 3 is a flow chart of a method for obtaining deleted files in a Windows virtual machine provided by the third embodiment of the present invention;
Fig. 4 is a structural diagram of a secure virtual machine provided by the fourth embodiment of the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly below with reference to the accompanying drawings. The described embodiments are evidently some, but not all, of the embodiments of the present invention.
As shown in Fig. 1, this embodiment discloses a method for obtaining deleted files in a Windows virtual machine, which may include the following steps 101 to 104:
101. After a security check request message carrying the identifier of a target Windows virtual machine is received, the Recycle Bin record files of the target Windows virtual machine are mounted into a preset secure virtual machine.
The entity that executes the method disclosed in this embodiment may be located in the cloud management server of the cloud platform, or may be the cloud management server of the cloud platform.
In this embodiment, the device that sends the "security check request message" in step 101 may be located in a host of the cloud platform or in a cloud terminal. Further, the "security check request message" may be sent when an administrator of the cloud platform manually triggers the sending device, or the sending device may send it automatically at a preset interval, for example every 24 hours.
In this embodiment, the secure virtual machine may be located in a host of the cloud platform.
In this embodiment, mounting the Recycle Bin record files is not affected by the running state of Windows in the Windows virtual machine under inspection, nor by the Windows virtual machine being powered off, i.e. being an offline Windows virtual machine.
102. The security check request message is sent to the secure virtual machine, so that the secure virtual machine loads the Recycle Bin record files of the target Windows virtual machine into memory and analyzes them to obtain information about the deleted files in the target Windows virtual machine.
In this embodiment, the Recycle Bin record files differ between Windows kernel versions. Specifically, in the Recycle Bin of versions before Windows Vista, the information about all deleted files is recorded in a single record file. In the Recycle Bin of Windows Vista and later versions, each deleted file has its own record file that holds its information. Therefore, in this embodiment, all Recycle Bin record files of the target Windows virtual machine may be mounted into the secure virtual machine, so that the secure virtual machine loads all of them into memory and analyzes them.
In this embodiment, the secure virtual machine may analyze the Recycle Bin record files using a preset or existing file-level semantic analysis method; the specific semantic analysis method is not described in this embodiment.
103. The security check response message sent by the secure virtual machine is received; the security check response message carries the information about the deleted files in the target Windows virtual machine.
104. Based on the information about the deleted files in the target Windows virtual machine, the deleted files are obtained from the Windows virtual machine.
In this embodiment, because Windows keeps a Recycle Bin directory on each disk partition, restoring the deleted files in the Recycle Bin of an offline Windows virtual machine requires processing the disk partitions one by one.
It can be seen that the method disclosed in this embodiment obtains information about the files deleted by Windows by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered, i.e. the deleted files can be obtained, without depending on the running state of Windows in the Windows virtual machine under inspection. In particular, it is applicable to a Windows virtual machine that is powered off (i.e. an offline Windows virtual machine).
Further, because the method disclosed in this embodiment obtains information about the files deleted by Windows by analyzing the content of the Windows Recycle Bin record files and thereby recovers the content of the deleted files, it does not depend on the interfaces provided by Windows and is applicable to virtual machines on which a non-Windows operating system is installed.
In specific example one, the information about a deleted file described in step 102 of Fig. 1 includes attribute information of the deleted file and index information of the deleted file, where the index information indicates the storage path of the raw data of the deleted file.
In this embodiment, the attribute information of a deleted file may include information such as the size of the deleted file, the deletion time and the original file name, and indicates the basic information of the deleted file.
This embodiment provides a preferred implementation of step 104 of Fig. 1, "based on the information about the deleted files in the target Windows virtual machine, the deleted files are obtained from the Windows virtual machine", which specifically includes steps 1041 and 1042, not shown in Fig. 1:
1041. Based on the index information of the deleted file, the raw data of the deleted file is obtained from the Windows virtual machine.
1042. The attribute information of the deleted file is merged with the raw data of the deleted file to obtain the deleted file.
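The analysis in step 102 and the lookup in steps 1041 and 1042 can be illustrated with the following Python code, which is an added example and not part of the patent. The patent names no file formats; the example assumes the publicly documented `INFO2` layout (before Vista, one file for all records) and `$I`/`$R` layout (Vista and later, one record file per deleted file), and all function names, paths and sample bytes are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path, PureWindowsPath

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_FT = 131_000_000_000_000_000  # constructed FILETIME: 2016-02-15 08:53:20 UTC

@dataclass
class DeletedFileInfo:
    original_path: str    # attribute information
    size: int             # attribute information, in bytes
    deleted_at: datetime  # attribute information, UTC
    data_name: str        # index information: file that holds the raw data

def _filetime(ft: int) -> datetime:
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def _utf16z(raw: bytes) -> str:
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]

def parse_i_file(name: str, blob: bytes) -> DeletedFileInfo:
    """Vista and later (assumed $I layout): one record file per deleted file."""
    if len(blob) < 28:
        raise ValueError(f"{name}: truncated record")
    version, size, ft = struct.unpack_from("<QQQ", blob, 0)
    if version == 1:      # fixed 260-character path field
        raw = blob[24:544]
    elif version == 2:    # path prefixed with its length in UTF-16 characters
        (nchars,) = struct.unpack_from("<I", blob, 24)
        raw = blob[28:28 + 2 * nchars]
        if len(raw) != 2 * nchars:
            raise ValueError(f"{name}: path length exceeds record")
    else:
        raise ValueError(f"{name}: unknown record version {version}")
    # The raw data sits beside the record under the same name with $R for $I.
    return DeletedFileInfo(_utf16z(raw), size, _filetime(ft), "$R" + name[2:])

def parse_info2(blob: bytes) -> list:
    """Before Vista (assumed INFO2 layout): one file, 800 bytes per deleted file."""
    if len(blob) < 16 or struct.unpack_from("<I", blob, 12)[0] != 800:
        raise ValueError("INFO2: unsupported header or record size")
    found = []
    for off in range(16, len(blob) - 799, 800):
        index, drive, ft, size = struct.unpack_from("<IIQI", blob, off + 260)
        path = _utf16z(blob[off + 280:off + 800])
        # Raw data is stored as D<drive letter><index><original extension>.
        data = f"D{chr(ord('a') + drive)}{index}{PureWindowsPath(path).suffix}"
        found.append(DeletedFileInfo(path, size, _filetime(ft), data))
    return found

def analyse_recycle_bin(bin_dir: Path) -> list:
    """Return (info, raw-data path or None) for each record in a mounted directory."""
    infos = []
    for entry in sorted(bin_dir.iterdir()):
        try:
            if entry.name == "INFO2":
                infos += parse_info2(entry.read_bytes())
            elif entry.name.startswith("$I"):
                infos.append(parse_i_file(entry.name, entry.read_bytes()))
        except (ValueError, OverflowError):
            continue  # damaged record file: skip it, keep analysing the rest
    results = []
    for info in infos:
        data = bin_dir / info.data_name
        results.append((info, data if data.is_file() else None))
    return results

def build_sample_bin(bin_dir: Path) -> None:
    """Write constructed Vista-style sample records (not from a real system)."""
    path = "C:\\Users\\alice\\report.docx\x00"
    v2 = struct.pack("<QQQI", 2, 11, SAMPLE_FT, len(path)) + path.encode("utf-16-le")
    (bin_dir / "$IAB12CD.docx").write_bytes(v2)
    (bin_dir / "$RAB12CD.docx").write_bytes(b"hello world")
    old = "C:\\tmp\\old.log".encode("utf-16-le").ljust(520, b"\x00")
    # Version 1 record whose $R data file is deliberately missing.
    (bin_dir / "$IZZ99YY.log").write_bytes(struct.pack("<QQQ", 1, 4096, SAMPLE_FT) + old)

def sample_info2() -> bytes:
    """Constructed pre-Vista INFO2 content holding a single record."""
    path = "C:\\docs\\plan.txt"
    rec = path.encode("ascii").ljust(260, b"\x00")
    rec += struct.pack("<IIQI", 1, 2, SAMPLE_FT, 4096)  # index 1, drive 2 = C:
    rec += path.encode("utf-16-le").ljust(520, b"\x00")
    return struct.pack("<IIII", 5, 0, 0, 800) + rec

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_bin(Path(tmp))
        for info, data in analyse_recycle_bin(Path(tmp)):
            print(info, "->", data or "raw data missing")
    print(parse_info2(sample_info2()))
```

Because each partition has its own Recycle Bin directory, `analyse_recycle_bin` would be called once per mounted partition directory; a record whose raw data is no longer present is reported with `None` rather than dropped.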
It can be seen that the method disclosed in this embodiment obtains the attribute information and index information of the files deleted by Windows by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered, i.e. the deleted files can be obtained, without depending on the running state of Windows in the Windows virtual machine under inspection. In particular, it is applicable to a Windows virtual machine that is powered off (i.e. an offline Windows virtual machine).
Further, because the method disclosed in this embodiment obtains the attribute information and index information of the files deleted by Windows by analyzing the content of the Windows Recycle Bin record files and thereby recovers the content of the deleted files, it does not depend on the interfaces provided by Windows and is applicable to virtual machines on which a non-Windows operating system is installed.
In specific example two, after step 104 of Fig. 1, "based on the information about the deleted files in the target Windows virtual machine, the deleted files are obtained from the Windows virtual machine", the method of this embodiment further includes step 105, not shown in Fig. 1:
105. The Recycle Bin record files of the target Windows virtual machine that were mounted in the secure virtual machine are unmounted.
In the method disclosed in this embodiment, after the deleted files in the Windows virtual machine have been obtained, the Recycle Bin record files of the target Windows virtual machine that were mounted in the secure virtual machine are unmounted, to save hardware resources.
As shown in Fig. 2, this embodiment discloses an apparatus for obtaining deleted files in a Windows virtual machine, which may include the following units: a mounting unit 21, a sending unit 22, a receiving unit 23 and an obtaining unit 24.
The mounting unit 21 is configured to mount the Recycle Bin record files of a target Windows virtual machine into a preset secure virtual machine after a security check request message carrying the identifier of the target Windows virtual machine is received;
the sending unit 22 is configured to send the security check request message to the secure virtual machine, so that the secure virtual machine loads the Recycle Bin record files of the target Windows virtual machine into memory and analyzes them to obtain information about the deleted files in the target Windows virtual machine;
the receiving unit 23 is configured to receive a security check response message sent by the secure virtual machine, the security check response message carrying the information about the deleted files in the target Windows virtual machine;
the obtaining unit 24 is configured to obtain the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine.
The apparatus disclosed in this embodiment may be located in the cloud management server of the cloud platform, or may be the cloud management server of the cloud platform.
The apparatus disclosed in this embodiment can implement the method flow shown in Fig. 1 for obtaining deleted files in a Windows virtual machine. For the effects and explanation of the apparatus in this embodiment, refer to the method embodiment shown in Fig. 1; they are not repeated here.
In specific example three, the information about a deleted file in the apparatus embodiment shown in Fig. 2 includes attribute information of the deleted file and index information of the deleted file, where the index information indicates the storage path of the raw data of the deleted file.
This embodiment provides a preferred implementation of the obtaining unit 24 shown in Fig. 2. Specifically, the obtaining unit 24 is configured to obtain the raw data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and to merge the attribute information of the deleted file with the raw data of the deleted file to obtain the deleted file.
The apparatus disclosed in this embodiment can implement the method flow described in specific example one for obtaining deleted files in a Windows virtual machine. For the effects and explanation of the apparatus in this embodiment, refer to specific example one; they are not repeated here.
In specific example four, the apparatus shown in Fig. 2 further includes an unmounting unit 25, not shown in Fig. 2, configured to unmount the Recycle Bin record files of the target Windows virtual machine that were mounted in the secure virtual machine, after the obtaining unit 24 has obtained the deleted files from the Windows virtual machine.
The apparatus disclosed in this embodiment can implement the method flow described in specific example two for obtaining deleted files in a Windows virtual machine. For the effects and explanation of the apparatus in this embodiment, refer to specific example two; they are not repeated here.
As shown in figure 3, the present embodiment discloses a kind of method for obtaining deleted document in Windows virtual machine, it may include Following steps 301~302:
301, it is asked in the safety inspection for carrying target Windows virtual machine mark for receiving the transmission of cloud management server After seeking message, the recycle bin record file of the target Windows virtual machine of preparatory carry is loaded into memory and is analyzed, Obtain the information of deleted document in the target Windows virtual machine.
The executing subject that the method for deleted document in Windows virtual machine is obtained in the present embodiment is secure virtual machine. In the present embodiment, secure virtual machine be may be disposed in the host of cloud platform.
302, Xiang Suoshu cloud management server sends safety inspection response message, carries in the safety inspection response message There is the information of deleted document in the target Windows virtual machine, so that the cloud management server is based on the target The information of deleted document in Windows virtual machine obtains deleted document from the Windows virtual machine.
In the present embodiment, recycle bin records file can be variant for the Windows of different kernel versions.Specifically, The information of all deleted documents is recorded in the same record file in version recycle bin before Windows Vista.Vista And in version of window recycle bin later, each deleted document correspondingly has a record file to carry out information record. Therefore, in the present embodiment, all recycle bins of the target Windows virtual machine can be recorded file and is mounted to secure virtual In machine, so that all recycle bins record file is loaded into memory and is analyzed by secure virtual machine.
In the present embodiment, preset or existing file-level is can be used to the analysis of recycle bin record file in secure virtual machine Semantic analysis is analyzed, the specific method for semantic analysis that this embodiment is not repeated.
As it can be seen that the disclosed method for obtaining deleted document in Windows virtual machine of the present embodiment, passes through analysis The recycle bin of Windows records the content of file to obtain the information of Windows deleted document, is deleted so as to recover Except the content of file, i.e. acquisition deleted document, the operation shape independent of Windows in examined Windows virtual machine State, particularly, it is suitable for being in the Windows virtual machine (i.e. offline Windows virtual machine) of off-mode.
Further, the disclosed method for obtaining deleted document in Windows virtual machine of the present embodiment, passes through analysis The recycle bin of Windows records the content of file to obtain the information of Windows deleted document, is deleted so as to recover Except the content of file, i.e. acquisition deleted document, independent of the interface that Windows is provided, suitable for installing non-Windows The virtual machine of operating system.
In specific example five, this embodiment provides a preferred implementation of step 302 shown in Fig. 3 ("send a security check response message to the cloud management server, the security check response message carrying the information on deleted files in the target Windows virtual machine, so that the cloud management server obtains the deleted files from the Windows virtual machine based on the information on deleted files in the target Windows virtual machine"), as follows:
302. Send a security check response message to the cloud management server. The security check response message carries the attribute information and the index information of the deleted files in the target Windows virtual machine. The index information of a deleted file indicates the storage path of the original data of the deleted file, so that the cloud management server obtains the original data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
In this embodiment, the attribute information of a deleted file may include information such as the size, deletion time and original file name of the deleted file, and indicates the basic information of the deleted file.
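The record-file analysis and the split into attribute information and index information described above can be illustrated with the following added example, which is not code from the patent. The patent does not name the record formats; the example assumes the commonly documented Recycle Bin layouts (a single `INFO2` file before Vista, one `$I` record file with a sibling `$R` data file from Vista onward), and all function names are hypothetical.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def utf16z(raw):
    """Decode a UTF-16LE field and cut it at the first NUL terminator."""
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]

def parse_i_file(name, blob):
    """Vista and later: one '$I<id>' record file per deleted file."""
    if not name.upper().startswith("$I") or len(blob) < 24:
        raise ValueError("not a $I record file")
    version, size, deleted = struct.unpack_from("<QQQ", blob, 0)
    if version == 1 and len(blob) >= 544:      # fixed 520-byte path field
        raw = blob[24:544]
    elif version == 2 and len(blob) >= 28:     # length-prefixed path (Windows 10)
        (nchars,) = struct.unpack_from("<I", blob, 24)
        raw = blob[28:28 + 2 * nchars]
        if len(raw) < 2 * nchars:
            raise ValueError("truncated path field")
    else:
        raise ValueError("unsupported or truncated $I record")
    # path, size and deletion time are the attribute information;
    # data_file is the index information (where the original data is stored)
    return {"original_path": utf16z(raw),
            "size": size,
            "deleted_at": filetime_to_dt(deleted),
            "data_file": "$R" + name[2:]}

def parse_info2(blob):
    """Before Vista: one INFO2 file, an 800-byte record per deleted file."""
    if len(blob) < 16 or struct.unpack_from("<I", blob, 12)[0] != 800:
        raise ValueError("not an INFO2 file with 800-byte records")
    records = []
    for off in range(16, len(blob) - 799, 800):
        rec = blob[off:off + 800]
        index, drive, deleted, size = struct.unpack_from("<IIQI", rec, 260)
        path = utf16z(rec[280:800])
        leaf = path.rsplit("\\", 1)[-1]
        ext = leaf[leaf.rfind("."):] if "." in leaf else ""
        letter = chr(ord("a") + drive) if drive < 26 else "?"
        records.append({"original_path": path,
                        "size": size,          # size as stored in the record
                        "deleted_at": filetime_to_dt(deleted),
                        "data_file": "D%s%d%s" % (letter, index, ext)})
    return records

def demo():
    """Constructed sample (not real evidence): a version-2 $I record."""
    when = datetime(2016, 4, 7, tzinfo=timezone.utc)
    ticks = int((when - EPOCH_1601).total_seconds()) * 10**7
    path = "C:\\Users\\alice\\report.docx\x00"
    blob = struct.pack("<QQQI", 2, 4096, ticks, len(path))
    blob += path.encode("utf-16-le")
    return parse_i_file("$IAB12CD.docx", blob)

if __name__ == "__main__":
    print(demo())
```

Both parsers work on bytes read from a mounted, offline disk image, so no Windows API is involved; the `data_file` value is what a collector would then read to recover the content.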
As can be seen, the method disclosed in this embodiment for obtaining deleted files in a Windows virtual machine obtains the attribute information and the index information of Windows deleted files by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered, that is, the deleted files are obtained. The method does not depend on the running state of Windows in the Windows virtual machine being checked and, in particular, is suitable for a Windows virtual machine in the powered-off state (that is, an offline Windows virtual machine).
Further, because the method disclosed in this embodiment obtains the attribute information and the index information of Windows deleted files by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered and the deleted files obtained, it does not depend on interfaces provided by Windows and is suitable for a virtual machine on which a non-Windows operating system is installed.
As shown in Fig. 4, this embodiment discloses a secure virtual machine, which may include the following units: a processing unit 41 and a transmission unit 42.
Processing unit 41, configured to, after receiving a security check request message that is sent by the cloud management server and carries the identifier of the target Windows virtual machine, load the pre-mounted Recycle Bin record file of the target Windows virtual machine into memory and analyze it, to obtain the information on deleted files in the target Windows virtual machine;
Transmission unit 42, configured to send a security check response message to the cloud management server, the security check response message carrying the information on deleted files in the target Windows virtual machine, so that the cloud management server obtains the deleted files from the Windows virtual machine based on the information on deleted files in the target Windows virtual machine.
In this embodiment, the secure virtual machine may be deployed on a host of the cloud platform.
The secure virtual machine disclosed in this embodiment can implement the method flow shown in Fig. 3 for obtaining deleted files in a Windows virtual machine; for the effects and explanation of the secure virtual machine in this embodiment, refer to the description of Fig. 3, which is not repeated here.
In a specific example, a preferred implementation of the transmission unit 42 shown in Fig. 4 is provided, as follows:
Transmission unit 42, configured to send a security check response message to the cloud management server, the security check response message carrying the attribute information and the index information of the deleted files in the target Windows virtual machine, where the index information of a deleted file indicates the storage path of the original data of the deleted file, so that the cloud management server obtains the original data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
In this embodiment, the attribute information of a deleted file may include information such as the size, deletion time and original file name of the deleted file, and indicates the basic information of the deleted file.
The secure virtual machine disclosed in this embodiment can implement the method flow of specific example five for obtaining deleted files in a Windows virtual machine; for the effects and explanation of the secure virtual machine in this embodiment, refer to specific example five, which is not repeated here.
Those skilled in the art will understand that the units in the embodiments may be combined into one unit, and may furthermore be divided into multiple sub-units. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification, and all processes or units of any method or device so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Those skilled in the art will appreciate that, although some embodiments described herein include certain features that are included in other embodiments rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments.
Those skilled in the art will understand that the units in the embodiments may be implemented in hardware, as software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all functions of some or all components according to embodiments of the present invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein.
Although the embodiments of the invention have been described with reference to the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations all fall within the scope defined by the appended claims.

Claims (6)

1. A method for obtaining deleted files in a Windows virtual machine, characterized by comprising:
after receiving a security check request message carrying a target Windows virtual machine identifier, mounting the Recycle Bin record file of the target Windows virtual machine into a preset secure virtual machine device;
sending the security check request message to the secure virtual machine device, so that the secure virtual machine device loads the Recycle Bin record file of the target Windows virtual machine into memory and analyzes it, to obtain the information on deleted files in the target Windows virtual machine;
receiving a security check response message sent by the secure virtual machine device, the security check response message carrying the information on deleted files in the target Windows virtual machine;
obtaining the deleted files from the target Windows virtual machine based on the information on deleted files in the target Windows virtual machine; the information on a deleted file comprises attribute information of the deleted file and index information of the deleted file; wherein the index information of the deleted file indicates the storage path of the original data of the deleted file;
wherein the obtaining of the deleted files from the target Windows virtual machine based on the information on deleted files in the target Windows virtual machine comprises:
obtaining the original data of the deleted file from the target Windows virtual machine based on the index information of the deleted file;
merging the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
2. The method according to claim 1, characterized in that, after the deleted files are obtained from the target Windows virtual machine, the method further comprises:
unmounting the Recycle Bin record file of the target Windows virtual machine that is mounted in the secure virtual machine device.
3. A device for obtaining deleted files in a Windows virtual machine, characterized by comprising:
a mounting unit, configured to, after receiving a security check request message carrying a target Windows virtual machine identifier, mount the Recycle Bin record file of the target Windows virtual machine into a preset secure virtual machine device;
a transmission unit, configured to send the security check request message to the secure virtual machine device, so that the secure virtual machine device loads the Recycle Bin record file of the target Windows virtual machine into memory and analyzes it, to obtain the information on deleted files in the target Windows virtual machine;
a receiving unit, configured to receive a security check response message sent by the secure virtual machine device, the security check response message carrying the information on deleted files in the target Windows virtual machine;
an acquiring unit, configured to obtain the deleted files from the target Windows virtual machine based on the information on deleted files in the target Windows virtual machine; the information on a deleted file comprises attribute information of the deleted file and index information of the deleted file; wherein the index information of the deleted file indicates the storage path of the original data of the deleted file;
the acquiring unit being configured to obtain the original data of the deleted file from the target Windows virtual machine based on the index information of the deleted file, and to merge the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
4. The device according to claim 3, characterized in that the device further comprises:
an unmounting unit, configured to, after the acquiring unit obtains the deleted files from the target Windows virtual machine, unmount the Recycle Bin record file of the target Windows virtual machine that is mounted in the secure virtual machine device.
5. A method for obtaining deleted files in a Windows virtual machine, characterized by comprising:
after receiving a security check request message that is sent by a cloud management server and carries a target Windows virtual machine identifier, loading the pre-mounted Recycle Bin record file of the target Windows virtual machine into the memory of a secure virtual machine device and analyzing it, to obtain the information on deleted files in the target Windows virtual machine;
sending a security check response message to the cloud management server, the security check response message carrying the information on deleted files in the target Windows virtual machine, so that the cloud management server obtains the deleted files from the target Windows virtual machine based on the information on deleted files in the target Windows virtual machine; wherein the sending of a security check response message to the cloud management server, the security check response message carrying the information on deleted files in the target Windows virtual machine, so that the cloud management server obtains the deleted files from the target Windows virtual machine based on the information on deleted files in the target Windows virtual machine, comprises:
sending a security check response message to the cloud management server, the security check response message carrying the attribute information and the index information of the deleted files in the target Windows virtual machine, the index information of a deleted file indicating the storage path of the original data of the deleted file, so that the cloud management server obtains the original data of the deleted file from the target Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
6. A secure virtual machine device, characterized by comprising:
a processing unit, configured to, after receiving a security check request message that is sent by a cloud management server and carries a target Windows virtual machine identifier, load the pre-mounted Recycle Bin record file of the target Windows virtual machine into the memory of the secure virtual machine device and analyze it, to obtain the information on deleted files in the target Windows virtual machine;
a transmission unit, configured to send a security check response message to the cloud management server, the security check response message carrying the attribute information and the index information of the deleted files in the target Windows virtual machine, the index information of a deleted file indicating the storage path of the original data of the deleted file, so that the cloud management server obtains the original data of the deleted file from the target Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
CN201610214439.3A 2016-04-07 2016-04-07 Obtain the method, apparatus and secure virtual machine of deleted document in Windows virtual machine Active CN105868056B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610214439.3A CN105868056B (en) 2016-04-07 2016-04-07 Obtain the method, apparatus and secure virtual machine of deleted document in Windows virtual machine

Publications (2)

Publication Number Publication Date
CN105868056A CN105868056A (en) 2016-08-17
CN105868056B true CN105868056B (en) 2019-06-21

Family

ID=56637082

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610214439.3A Active CN105868056B (en) 2016-04-07 2016-04-07 Obtain the method, apparatus and secure virtual machine of deleted document in Windows virtual machine

Country Status (1)

Country Link
CN (1) CN105868056B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107800663B (en) * 2016-08-31 2020-04-28 华为数字技术(苏州)有限公司 Method and device for detecting flow offline file
CN108009000A (en) * 2016-10-31 2018-05-08 江苏神州信源系统工程有限公司 A kind of method that historical record in Windows virtual machines is obtained under virtualized environment
CN107463427A (en) * 2017-06-29 2017-12-12 北京北信源软件股份有限公司 The acquisition methods and device of a kind of VME operating system type and version
CN109117251B (en) * 2018-08-09 2020-10-30 郑州云海信息技术有限公司 Method and device for realizing virtual machine recycle bin and readable storage medium
CN112732406B (en) * 2021-01-12 2021-12-24 华云数据控股集团有限公司 Cloud platform virtual machine recovery method and computer equipment
CN113032351B (en) * 2021-03-31 2023-01-13 中国建设银行股份有限公司 Recovery method and device of network file system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102289513A (en) * 2011-09-05 2011-12-21 盛乐信息技术(上海)有限公司 Method and system for obtaining internal files of virtual machine
CN102662981A (en) * 2012-03-13 2012-09-12 中国人民大学 Windows recycle bin delete record forensics method based on feature scan
CN105468433A (en) * 2015-11-19 2016-04-06 北京北信源软件股份有限公司 Method and system for acquiring disc data of virtual machines

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102467408B (en) * 2010-11-12 2014-03-19 阿里巴巴集团控股有限公司 Method and device for accessing data of virtual machine

Also Published As

Publication number Publication date
CN105868056A (en) 2016-08-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant