CN102207898A - Electronic data recovery method - Google Patents
Electronic data recovery method Download PDFInfo
- Publication number
- CN102207898A CN102207898A CN 201110192888 CN201110192888A CN102207898A CN 102207898 A CN102207898 A CN 102207898A CN 201110192888 CN201110192888 CN 201110192888 CN 201110192888 A CN201110192888 A CN 201110192888A CN 102207898 A CN102207898 A CN 102207898A
- Authority
- CN
- China
- Prior art keywords
- file
- data
- skew
- attribute
- directory
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Abstract
The invention belongs to the field of computers and in particular relates to an electronic data recovery method, which comprises the following steps of: (1) opening a target disk and transferring to a root directory area; (2) scanning directory entries one by one to find the directory entry which starts with E5; (3) if an offset 0BH is 10H or 20H and the offset 0BH is 0FH, continuing to downwards search the directory entry of which position data is 10H or 20H; (4) reading offsets 14 to 15H and offsets 1A to 1BH which serve as cluster numbers of file storage in a sequence of 15H14H1BH1AH; (5) setting offsets 1C to 1FH as file sizes (B), starting transferring 1FH1EH1DH1CH bytes downwards from a found initial position, and selecting as end of block; and (6) copying a selected part to an assigned position. The method greatly improves the probability of data recovery and provides guarantee for comprehensive and objective accomplishment of an electronic material evidence appraisal task.
Description
Technical field
The invention belongs to computer realm, relate in particular to a kind of electronic data restoration methods.
Background technology
In the 21 century that informationization develops rapidly, computer technology is maked rapid progress, and is closely bound up with daily life, and often losing of storage device data can be given the individual, even unit brings endless worry and trouble.And in the public security field, perhaps these data are exactly the electronic evidence of case.If the reviewer can obtain the data in the multicomputer more, so just more help the detection early of case, also just can provide how reliable evidence to court.This collects evidence to data, particularly resumes work and just has higher requirement.
At present, use the most popular data evidence obtaining to recover business software on the domestic and international market FinalData, EnCase, WinHex, EasyRecovery and evidence obtaining great master etc. are arranged.Wherein, back two is that the data evidence obtaining of China recent years independent development recovers software, and evidence obtaining great master FM2008 is with its advantage such as convenient, powerful, and the public security field is popularized at home rapidly.Yet during the data of under utilizing these software rejuvenations FAT32 zoned format, deleting, run into the phenomenon that recovers the mess code file through regular meeting, phenomenon as shown in Figure 1.
People are generally covered the data space of this behavior explains by this document by other data.But when experiment, just deleted file recovers immediately, also this phenomenon can occur, explains just unworkable with covering.
Through research, find its reason be people to the principle of file delete know thorough not enough so that make the mistake and understand the phenomenon of some deletions.
Summary of the invention
The present invention is intended to overcome the deficiencies in the prior art part and provides a kind of deleted file or file data to revert to the power height, adapts to widely, can significantly promote the electronic data restoration methods that the electronics material evidence is identified efficient.
For achieving the above object, the present invention is achieved in that a kind of electronic data restoration methods, can recover the file that the FAT32 file system is lost pointer, can realize as follows: (1) opens destination disk, and forwards root directory area to; (2) scanning directory item one by one finds the directory entry with the E5 beginning; (3) skew 0BH is 10H or 20H, and 10H represents that it is a file, and 20H represents that it is a file; Simultaneously, skew 0BH is 0FH, continues to search out the directory entry that this position data is 10H or 20H downwards; (4) skew 14~15H and skew 1A~1BH be file storage bunch number, read order for 15H14H1BH1AH, number find the file reference position according to this bunch, be chosen as BOB(beginning of block); (5) directory entry skew 1C~1FH is file size (B), begins to shift 1FH1EH1DH1CH byte downwards from the reference position that finds, and is chosen as block end; (6) selected portion is copied to assigned address.
The present invention also provides another kind of electronic data restoration methods, can recover the file that new technology file system is lost pointer, and it can be realized as follows: (1) opens destination disk, forwards the MFT file area to; (2) check the filename of wanting recovery file from last two row of 30H attribute; (3) if 80H attribute skew 08H is 01H, find the position of 80H attribute skew 40H, these data are " XYH "; (4) read data among the H of 80H attribute skew (40+Y+1) H~(40+Y+X), write down this data, this is a file starting cluster number; (5) data among 80H attribute skew (40+Y) H be file shared bunch, unit is bunch to write down this data; (6) according to file initial sector=(file starting cluster * 8); End of file sector=(family that file starting cluster+file is shared) * 8; Forward the file initial sector to, select BOB(beginning of block), forward the sector of the end of file to, select block end; (7) file copy is arrived assigned address; (8) step (2) is finished, if 80H attribute skew 08H is 00H; (9) file content just in this MFT, is directly read file content from the 80H attribute; (10) execution in step (7) that continues.
Data reconstruction method of the present invention is compared with at present domestic and international frequently-used data evidence collecting method, and remarkable advantages is arranged, and has greatly promoted the possibility that data are recovered, for the task of objectively finishing the evaluation of electronics material evidence provides assurance comprehensively.
The restoration result table of deletion control experiment.
| ? | DOC | TXT | EXE | RAR | BMP | File | |
| WinHex | × | × | × | × | × | × | × |
| Encase | × | × | × | × | × | × | × |
| FinalData | √ | × | × | × | × | √ | √ |
| EasyRecovery | × | × | × | × | × | × | × |
| The evidence obtaining great master | × | √ | × | √ | √ | √ | × |
| Recover4all | × | × | × | × | × | × | × |
| Undelete_plus | × | × | × | × | × | × | × |
| FinalRecovery | √ | √ | × | √ | √ | √ | × |
| Self-editing DataRecovery | √ | √ | √ | √ | √ | √ | √ |
Description of drawings
The invention will be further described below in conjunction with the drawings and specific embodiments.Protection scope of the present invention not only is confined to the statement of following content.
Fig. 1 is the mess code file synoptic diagram of available data restoration methods after recovering.
Fig. 2-1 is the raw data before the file delete.
Fig. 2-2 is the raw data behind the file delete.
Fig. 2-3 recovers the 197271st bunch partial data for data.
Fig. 3 recovers BPB partial parameters information for data.
Fig. 4 is preceding text content for data undelete.
Fig. 5 is back text content for data undelete.
Fig. 6-1 is a pdf document to be tested.
Fig. 6-2 is a TXT file to be tested.
Fig. 6-3 is a RAR file to be tested.
Fig. 6-4 is a DOC file to be tested.
Fig. 6-5 is a PPT file to be tested.
Fig. 6-6 is a BMP file to be tested.
Fig. 7-1 is the pdf document of available data restoration methods after recovering.
Fig. 7-2 is the TXT file of available data restoration methods after recovering.
Fig. 7-3 is the RAR file of available data restoration methods after recovering.
Fig. 7-4 is the DOC file of available data restoration methods after recovering.
Fig. 7-5 is the PPT file of available data restoration methods after recovering.
Fig. 7-6 is the BMP file of available data restoration methods after recovering.
The pdf document that Fig. 8-1 recovers for the evidence obtaining great master.
The TXT file that Fig. 8-2 recovers for the evidence obtaining great master.
The RAR file that Fig. 8-3 recovers for the evidence obtaining great master.
The DOC file that Fig. 8-4 recovers for the evidence obtaining great master.
The PPT file that Fig. 8-5 recovers for the evidence obtaining great master.
The BMP file that Fig. 8-6 recovers for the evidence obtaining great master.
Fig. 9-1 is restoration methods of the present invention pdf document after recovering.
Fig. 9-2 is restoration methods of the present invention RAR file after recovering.
Fig. 9-3 is restoration methods of the present invention DOC file after recovering.
Fig. 9-4 is restoration methods of the present invention PPT file after recovering.
Fig. 9-5 is restoration methods of the present invention BMP file after recovering.
Fig. 9-6 is restoration methods of the present invention TXT file after recovering.
Fig. 9-7 recovers test file 131766.TXT file content for the present invention.
Fig. 9-8 recovers test file 197302.TXT file content for the present invention.
Figure 10 is restoration methods FB(flow block) under the NTFS subregion of the present invention.
Figure 11 is restoration methods FB(flow block) under the FAT32 subregion of the present invention.
Embodiment
1, the principle of data recovery.
In the FAT32 file system, the starting cluster of file number is made of the sixteen bit byte altogether, and low eight bit data wherein is stored in relativity shift 1AH-1BH place, and high eight-bit then is stored in relativity shift 1AH-1BH place.Can be by calculating, obtain first bunch number of this document raw data.With Fig. 2-1, Fig. 2-2 is example, the data at relativity shift 1AH-1BH place are " 97 02 ", the data at relativity shift 1AH-1BH place are " 03 00 ", according to data byte is the principle of storing by from low to high, the starting cluster of this document number then is " 00 03 02 97 " so, and changing into the decimal system is 197271.By the contrast to bunch data at number 197291 places and Fig. 2-1, the data of provable this bunch are the first bunch of contents of this document, see Fig. 2-3.
Data reconstruction method generally is the data starting cluster number that finds the file correspondence at the FDT place, then according to the file data that bunch number finds in the DATA district, a reading of data and a newly-built file of the same type deposit data wherein in, just can successfully recover this deleted file.
2, data are recovered the problem and the solution of existence.
Above-mentioned data are recovered principle can not recover all deleted files, and except reasons such as data cover, data storage is discontinuous, after a very important reason was deleted file in addition, this document also had the file of other changes.In file delete principle part, behind the file delete, the data in its corresponding FDT are modified.Owing to also have other parts to revise, make common data recover software and can only recover the file that first byte is changed to E5.For the file that other parts change, the file data that recovers to come out is a mess code.
To recover test file .txt is example, and its start sector number is converted, and the initial sector before and after its deletion is respectively 1582432 and 9568.By the BPB parameter list, each has clustered round 8 sectors can to obtain this storer, and 32 reserve sectors are arranged, and 2 FAT, each FAT have 2000 sectors, see Fig. 3.
Owing to bunch number be to begin from DATA district to calculate, and since 2 countings, the preceding starting cluster of deletion number is so: (1582432-20002-32) 8+2=197302.
Convert sexadecimal to and then be 000302B6H.
And the starting cluster after the deletion number is: (9568-20002-32) 8+2=694.
Convert sexadecimal to and then be 000002B6H.Well imagine that their corresponding respectively data are also no longer identical, see Fig. 4, Fig. 5.
So what the text that recovers to come out showed naturally all is mess code.The reason of problem generation so far finds, and that is exactly only to recover deleted marker.
The way that solves will be recovered other parts that deleted file is modified naturally.
Hard disk with 1T is an example, calculates by 16 sectors of each bunch, and it has 134217728 bunches at most, and promptly 8000000H, a high position is 800H, promptly metric 2048.If fill up since 0 to a starting cluster high position, attempt one by one, have only 2049 possibilities at most.If they are recovered out one by one, it is correct that data wherein must be arranged.But manually these 2049 files being screened, will be very consuming time.Though can not allow computing machine oneself accurately locate, but can allow it help data are screened.Most of file layout of Windows operating system all has its identification code, and for example, preceding four data of pdf document must be " 25 50 44 46 ", i.e. character string " %PDF ".Obviously, by obtaining the type of file, at the identification code of the type, data are compared eliminating then, recovery scope so will be reduced widely.
The present invention supports FAT32 and the NTFS two classes behaviour file system under the Windows, can the deleted file under this two class files system be recovered.
Referring to Figure 11,, can realize as follows: S2101: open destination disk, and forward root directory area to for FAT32 behaviour file system; S2102: scanning directory item one by one, find the directory entry with the E5 beginning; S2107: skew 0BH is 10H or 20H, and 10H represents that it is a file, and 20H represents that it is a file; S2103: skew 0BH is 0FH, continues to search out the directory entry that this position data is 10H or 20H downwards; S2108: skew 14~15H and skew 1A~1BH be file storage bunch number, read order for 15H14H1BH1AH, number find the file reference position according to this bunch, be chosen as BOB(beginning of block); S2109: directory entry skew 1C~1FH is file size (B), begins to shift 1FH1EH1DH1CH byte downwards from the reference position that finds, and is chosen as block end; S2106: click by right key and select piece local arbitrarily, selected portion is copied to assigned address.
Referring to Figure 10,, can realize as follows: S1101: open destination disk, forward the MFT file area to for NTFS behaviour file system; S1102: check the filename of wanting recovery file from last two row of 30H attribute; S1106:80H attribute skew 08H is 01H; S1107: find the position of 80H attribute skew 40H, these data are " XYH "; S1108: read the data among the H of 80H attribute skew (40+Y+1) H~(40+Y+X), write down this data, this is a file starting cluster number; Data among S1109:80H attribute skew (40+Y) H be file shared bunch, unit is bunch to write down this data; S1110: according to following formula: file initial sector=(file starting cluster * 8); End of file sector=(family that file starting cluster+file is shared) * 8; Forward the file initial sector to, select BOB(beginning of block), forward the sector of the end of file to, select block end; S1105: file copy is arrived assigned address; S1103: step S1102 is finished, if 80H attribute skew 08H is 00H; S1104: file content just in this MFT, is directly read file content from the 80H attribute; The execution in step that continues S1105.
In view of the present invention is based on the Windows operating system platform, need to support FAT32 and two kinds of file system of NTFS, so realize according to following steps.
The first step: before disk is read, obtain the file system of disk; Second step: obtain the BPB parameter, obtain important informations such as root directory start address according to parameter information; The 3rd step: traversal subregion sector data, and with the binary tree structure storage, wherein, the left child of node points to the next stage file, right child then points to the one-level file.The traversal method of FAT32 and NTFS is different, because information such as file attribute is to be stored among the FDT in the FAT32 file system, root directory FDT start sector number can obtain by formula (4.1): start sector number=DBR sector number (32)+FAT sector number * 2+ (FDT starting cluster number-2) * every bunch of sector number.
Notice that 63 sectors of MBR belong to hiding sector, do not participate in the logic sector computing; Sub-directory FDT start sector number is distributed in the DATA district, does not have fixing position.So when setting up FAT file system binary tree, be root node, when running into sub-directory, adopt recursive algorithm to carry out the next stage traversal earlier with the root directory.And new technology file system, All Files De $MFT item is all unified when setting up binary tree, to insert file under the parent directory one by one in the Cun Fangzai $MFT meta file, when parent directory does not insert in binary tree as yet, then search for the parent directory of parent directory, do not insert yet, the upper level catalogue is reviewed in recycle, until in main binary tree, finding the upper level catalogue, and be inserted under the parent directory that finds, otherwise, insert and lose under the file directory.
The 4th step: the related data of will not delete with deleted file is presented at respectively in each piecemeal at interface; The 5th step: obtain the relevant information of user's filesselected, as: file start sector number, file size, file attribute etc., the line data of going forward side by side recovers, and rejuvenation essence is exactly to create the process with same data file.
The present invention is based on MFC (Microsoft Foundation Classes, microsoft foundation class) single document structure, software interface is made of several Shipping Options Pages.
By clicking " opening disk " option in the menu bar, eject a dialog box, allow the user select the disk that need open.
After selecting " determining ", software is the traversal disk space automatically, and enters working interface.All information of the disk partition that each is opened will be presented in the independent Shipping Options Page.That each Shipping Options Page is divided into is upper left, upper right, four of lower-left and bottom rights, and the size of each piece is fixing, can adjust according to user's request oneself.Wherein, upper left shows the All Files and the file of this subregion with the form of tree; Upper right portion is with all next stage files of the form explicit user filesselected folder of tabulation, and relevant information, as: file extension, file size, creation-time date, file attribute, start sector number etc.; Bottom left section then shows the relevant information of this subregion with the form of dialog box, as sequence number, file system, space size etc.; Lower right-most portion is to show sector data with hexadecimal form.
Right click menu has two selections, first option, promptly " recovering/duplicate ... ", can duplicate or deleted file is carried out recovery operation normal file.Second option promptly " forwards directory entry to ", the interface lower right-most portion can be shown the entry data of filesselected.Certainly, the user can also show the data of other skews place by using " position " option in the menu bar, as: FAT1 in the FAT file system and FAT2, and FDT.
If select " side-play amount " option in " position ", the deviation post that the user can self-defined video data so.Here there are two places to it is noted that one is to pass through the Radio control, select the relative position of skew, as: beginning, current location etc.; Another is exactly to select the unit of off-set value, as sexadecimal or metric byte, sexadecimal or metric sector etc. by the Button control behind the Edit control.
In addition, the present invention can also show the BPB parameter of subregion by " BPB masterplate " option under menu bar " opening disk ".
Data are recovered the software control experiment.
Experiment place: China College of Criminal Police electronic evidence-collecting laboratory.
Experimental situation: Windows 2000.
Experiment equipment: one of USB flash disk, capacity 1G.
Tested object: WinHex 15.1, FinalData 2.0, Encase 4.20, evidence obtaining great master 2008 v1.10.2742, and data reconstruction method of the present invention.
Prepare before the experiment: the file of at first under the file of " test file " by name under the USB flash disk root directory, storing six types of PDF, PPT, DOC, TXT, RAR and BMP etc.
Referring to Fig. 6-1, Fig. 6-2, Fig. 6-3, Fig. 6-4, Fig. 6-5 and Fig. 6-6, with above-mentioned file as file to be measured.Then, by the Shift+Del Macintosh, with the thoroughly deletion under operating system of above-mentioned six files.
Behind the deleted file, recover software by each again and respectively they are carried out the data recovery, and compare.
Wherein, WinHex, FinalData, three kinds of softwares of Encase enterprise version are all failed to the recovery of six files, all are phenomenons such as appearance corrupted data, mess code in various degree, see Fig. 7-1~Fig. 7-6.
In addition, evidence obtaining great master's recovery effects obviously is better than former three, but pdf document and TXT file recover also failure.See Fig. 8-1~Fig. 8-6.
The present invention has then successfully recovered six all files, sees Fig. 9-1-Fig. 9-5.
Wherein, the TXT file has then recovered out four files, comprises three mess code files and a correct file, and the numeral of filename back is represented starting cluster number separately respectively, sees Fig. 9-6~Fig. 9-8.
The above is the preferred embodiments of the present invention only, is not limited to the present invention, and for a person skilled in the art, the present invention can have various changes and variation.Within the spirit and principles in the present invention all, any modification of being done, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (2)
1. an electronic data restoration methods is characterized in that, can recover the file that the FAT32 file system is lost pointer, realizes as follows:
(1) opens destination disk, and forward root directory area to;
(2) scanning directory item one by one finds the directory entry with the E5 beginning;
(3) skew 0BH is 10H or 20H; Simultaneously, skew 0BH is 0FH, continues to search out the directory entry that this position data is 10H or 20H downwards;
(4) skew 14~15H and skew 1A~1BH be file storage bunch number, read order for 15H14H1BH1AH, number find the file reference position according to this bunch, be chosen as BOB(beginning of block);
(5) directory entry skew 1C~1FH is file size (B), begins to shift 1FH1EH1DH1CH byte downwards from the reference position that finds, and is chosen as block end;
(6) selected portion is copied to assigned address.
2. an electronic data restoration methods is characterized in that, can recover the file that new technology file system is lost pointer, realizes as follows:
(1) opens destination disk, forward the MFT file area to;
(2) check the filename of wanting recovery file from last two row of 30H attribute;
(3) if 80H attribute skew 08H is 01H, find the position of 80H attribute skew 40H, these data are " XYH ";
(4) read data among the H of 80H attribute skew (40+Y+1) H~(40+Y+X);
(5) data among 80H attribute skew (40+Y) H be file shared bunch;
(6) according to file initial sector=(file starting cluster * 8); End of file sector=(family that file starting cluster+file is shared) * 8; Forward the file initial sector to, select BOB(beginning of block), forward the sector of the end of file to, select block end;
(7) file copy is arrived assigned address;
(8) step (2) is finished, if 80H attribute skew 08H is 00H;
(9) file content just in this MFT, is directly read file content from the 80H attribute;
(10) execution in step (7) that continues.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201110192888 CN102207898B (en) | 2011-07-11 | 2011-07-11 | Electronic data recovery method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201110192888 CN102207898B (en) | 2011-07-11 | 2011-07-11 | Electronic data recovery method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102207898A true CN102207898A (en) | 2011-10-05 |
| CN102207898B CN102207898B (en) | 2013-01-16 |
Family
ID=44696746
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 201110192888 Active CN102207898B (en) | 2011-07-11 | 2011-07-11 | Electronic data recovery method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102207898B (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102662981A (en) * | 2012-03-13 | 2012-09-12 | 中国人民大学 | Windows recycle bin delete record forensics method based on feature scan |
| CN105808384A (en) * | 2016-03-14 | 2016-07-27 | 云南大学 | Method for recovering simultaneously damaged MBR and FAT32 system parameters |
| CN107704341A (en) * | 2017-08-31 | 2018-02-16 | 湖北灰科信息技术有限公司 | File access pattern method, apparatus and electronic equipment |
| CN108170372A (en) * | 2017-12-08 | 2018-06-15 | 厦门集微科技有限公司 | data processing method and device based on cloud hard disk |
| CN108614747A (en) * | 2016-12-12 | 2018-10-02 | 中国航空工业集团公司西安航空计算技术研究所 | Data reconstruction method based on IRIG106 standard storages |
| CN109582501A (en) * | 2018-11-28 | 2019-04-05 | 万兴科技股份有限公司 | File access pattern method, apparatus, computer equipment and storage medium |
| CN113312007A (en) * | 2021-06-29 | 2021-08-27 | 成都易我科技开发有限责任公司 | Method and device for counting directory and file sizes in NTFS file system |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1744051A (en) * | 2005-05-30 | 2006-03-08 | 杨来 | Data recovery technique based on packet structure |
-
2011
- 2011-07-11 CN CN 201110192888 patent/CN102207898B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1744051A (en) * | 2005-05-30 | 2006-03-08 | 杨来 | Data recovery technique based on packet structure |
Non-Patent Citations (4)
| Title |
|---|
| 《信息技术》 20101231 张娜等 WindowsFAT32和NTFS下的数据恢复研究 第162-164,199页 1-2 , 第5期 * |
| 《科学技术与工程》 20100331 鲁恩铭等 WindowsNTFS下格式化数据恢复方案设计与实现 第2013-2017页 1-2 第10卷, 第9期 * |
| 《科技信息(计算机与网络)》 20101231 赵晓柯 基于WindowsFAT32的数据恢复原理分析及算法研究 第222-223页 1-2 , * |
| 《计算机工程与设计》 20080131 赵双峰等 WindowsNTFS下数据恢复的研究与实现 第306-308页 1-2 第29卷, 第2期 * |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102662981A (en) * | 2012-03-13 | 2012-09-12 | 中国人民大学 | Windows recycle bin delete record forensics method based on feature scan |
| CN105808384A (en) * | 2016-03-14 | 2016-07-27 | 云南大学 | Method for recovering simultaneously damaged MBR and FAT32 system parameters |
| CN108614747A (en) * | 2016-12-12 | 2018-10-02 | 中国航空工业集团公司西安航空计算技术研究所 | Data reconstruction method based on IRIG106 standard storages |
| CN108614747B (en) * | 2016-12-12 | 2021-12-24 | 中国航空工业集团公司西安航空计算技术研究所 | Data recovery method based on IRIG106 standard storage |
| CN107704341A (en) * | 2017-08-31 | 2018-02-16 | 湖北灰科信息技术有限公司 | File access pattern method, apparatus and electronic equipment |
| CN108170372A (en) * | 2017-12-08 | 2018-06-15 | 厦门集微科技有限公司 | data processing method and device based on cloud hard disk |
| CN109582501A (en) * | 2018-11-28 | 2019-04-05 | 万兴科技股份有限公司 | File access pattern method, apparatus, computer equipment and storage medium |
| CN109582501B (en) * | 2018-11-28 | 2021-09-03 | 万兴科技股份有限公司 | File recovery method and device, computer equipment and storage medium |
| CN113312007A (en) * | 2021-06-29 | 2021-08-27 | 成都易我科技开发有限责任公司 | Method and device for counting directory and file sizes in NTFS file system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102207898B (en) | 2013-01-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102207898B (en) | Electronic data recovery method | |
| US7353241B2 (en) | Method, medium and system for recovering data using a timeline-based computing environment | |
| JP5656563B2 (en) | Document management system, document management system control method, and program | |
| US7117294B1 (en) | Method and system for archiving and compacting data in a data storage array | |
| KR100877063B1 (en) | Apparatus and method for managing data | |
| CN104915268A (en) | Desktop layout storage and recovery method and device thereof, terminal equipment and system | |
| CN103577329B (en) | Snapshot management method and device | |
| CN103902632A (en) | File system building method and device in key-value storage system, and electronic device | |
| CN103365744A (en) | System and method using metadata image backup and traditional backup | |
| CN110018998B (en) | File management method and system, electronic equipment and storage medium | |
| WO2015120071A2 (en) | Content based organization of file systems | |
| CN104160397A (en) | Location independent files | |
| US10496612B2 (en) | Method for reliable and efficient filesystem metadata conversion | |
| CN102227728A (en) | Device and method for filtering file system | |
| US9069883B2 (en) | Document management method and document management apparatus using the same | |
| CN103019891A (en) | Method and system for restoring deleted file | |
| CN102945277A (en) | Image file retrieval method and image file retrieval device | |
| CN101866356B (en) | Structural management method for disk directory information | |
| CN102932476B (en) | Network storage synchro system | |
| CN111176901B (en) | HDFS deleted file recovery method, terminal device and storage medium | |
| CN112800007A (en) | Directory entry expansion method and system suitable for FAT32 file system | |
| CN107562898A (en) | A kind of method that recycle bin is created based on KUX operating systems | |
| KR100987320B1 (en) | Data processing apparatus and Data procssing method, using FAT file system capable of fast file recovery | |
| CN106227830A (en) | Storage and the method and apparatus reading file | |
| CN100498777C (en) | Managing lists and other items in an electronic file system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C41 | Transfer of patent application or patent right or utility model | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20160127 Address after: 110000, 861-7, deep groove village, Dongling District, Liaoning, Shenyang Patentee after: Safe (Shenyang) integrated Co., Ltd of electronic system Address before: Thavorn street in Huanggu District of Shenyang city of Liaoning Province, No. 83 110854 Patentee before: Qin Yuhai |
|
| C56 | Change in the name or address of the patentee | ||
| CP01 | Change in the name or title of a patent holder |
Address after: 110000, 861-7, deep groove village, Dongling District, Liaoning, Shenyang Patentee after: SHENYANG CONTAIN ELECTRONIC SCIENCE AND TECHNOLOGY CO., LTD. Address before: 110000, 861-7, deep groove village, Dongling District, Liaoning, Shenyang Patentee before: Safe (Shenyang) integrated Co., Ltd of electronic system |