CN102693387A - Data wiping method for NTFS (new technology file system) - Google Patents
Data wiping method for NTFS (new technology file system) Download PDFInfo
- Publication number
- CN102693387A CN102693387A CN2012101782204A CN201210178220A CN102693387A CN 102693387 A CN102693387 A CN 102693387A CN 2012101782204 A CN2012101782204 A CN 2012101782204A CN 201210178220 A CN201210178220 A CN 201210178220A CN 102693387 A CN102693387 A CN 102693387A
- Authority
- CN
- China
- Prior art keywords
- file
- data
- mft
- document
- item
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The invention relates to a data wiping method for an NTFS (new technology file system). The method includes the following steps of firstly, opening an X disk, namely a volume of the NTFS, in the Windows, and reading front 512 bytes of the volume, namely a starting sector; secondly, searching the ID (identity) of a file according to the path of the file to be deleted; and thirdly, wiping related information of the file. A system of the file is analyzed directly from disk data at the bottom, all file data on the disk can be accessed directly, and influence of an operation system is avoided, so that the highest authority is acquired for the file data on the disk, and deletion of the file data is guaranteed and cannot be recovered.
Description
Technical field
The present invention relates to a kind of data erase method, particularly a kind of data erase method to new technology file system.
Background technology
Along with fast development of information technology, information security causes people's attention all the more.Data security is important ingredient in the information security especially, and particularly various individual privacy data or trade secret information such as individual, commercial electronic letter, commercial contract, private photos etc., often become the object that is stolen.And a major reason that causes data disclosure to be user data wipe thorough problem.
For the data that no longer need, value no longer with a grain of salt, and let out and can cause causing very big loss, just need carry out wiping of data.Present data erase measure is divided into two types: a kind of is physical destroying, adopts physical crushing usually, uses aggressive solvent corrosion storage medium; Another kind is the obliterated data that needs the retention data storage medium, and just need use the method for software erase this moment, and the mode of taking is generally the position that the interface that provides through operating system obtains file data, thereby it is wiped processing.
The simple usually Windows of the use operating system of domestic consumer realizes the software erase of data; But normal deleted file can not thoroughly be disposed file from hard disk under Windows; Use data to recover software and be easy to it is recovered, there is the possibility that is resumed in user's significant data.
To some significant datas, the user adopts special data destroying software sometimes.At present on the market data destroying software mostly is all erasable one time of the space with whole magnetic disk of violence, perhaps with erasable one time of the clearance spaces of disk, to guarantee that the information data that does not have to have been deleted is revealed.This method will spend great amount of time, increases the loss of disk.
For wiping of single file,, be the logical place that obtains file through the API of operating system mostly, thereby processing is wiped in this position though some file destruction software also can be accomplished this point on the market.The restriction that is implemented in the file system that receives operating system to a great extent of this method, for example operating system possibly mask the visit to some file, possibly cause the information of obtaining wrong etc.And this data erase just wipes the solid data content of file, can not guarantee that all properties of file all is wiped free of or disposes, possible holiday critical data, and many times this situation is flagrant.For example NTFS need be with the data that much can represent data file information (like the time of file foundation, last access time, file size and filename or the like in file of storage; For picture in addition also have thumbnail) have many other positions; These redundant datas have guaranteed the inquiry of the file system of operating system, the efficient of reading and writing of files; If but deleted file solid data only, and the words of not removing these file attribute informations will cause great data disclosure.
Summary of the invention
The object of the present invention is to provide a kind of method of under new technology file system, fast, conveniently, thoroughly wiping file and file-related information.
The thought that the present invention is based on is: direct resolution file system from the bottom data in magnetic disk; Rather than the api function that uses operating system to provide is inquired about the relevant information about file; Can directly have access to the data of All Files on the disk like this, and not receive the influence of operating system, thereby the file data on the disk is obtained the highest weight limit; Because operating system possibly mask the visit to some file, possibly cause the information of obtaining wrong.Through parsing to file system, obtain the position that file is stored on disk, thereby can wipe file itself and relevant information thereof fully through the method that overrides repeatedly, guaranteed that file data can not be resumed.
The objective of the invention is to realize through following technical scheme:
A kind of data erase method of new technology file system may further comprise the steps:
One, according to the path of want deleted file or file, obtain the volume at this document place, under Windows, using CreateFile to open X dish like the character string of ": " as name with shape is the volume of NTFS; Use ReadFile to read preceding 512 bytes of this volume then; Be initial sector, obtain following parameter: the Logic Cluster at the contained sector number of the byte number of each sector, each bunch, main MFT place number, the number of clusters of file logging (File Record), the number of clusters of index record (Index Record);
Two,, search this document ID according to the path of want deleted file:
According to the path of want deleted file, in the B+ tree that constitutes by file or folder MFT item, navigate to corresponding file or folder, and obtain the file ID of this document;
Three, wipe file-related information:
After having obtained file ID, according to the position of following formula locating file MFT item on disk:
The byte number of each bunch of Logic Cluster * of the byte number+main MFT of file MFT item side-play amount=each MFT item of file ID *;
Then according to the structure of file MFT item head, 0x17 byte and 0x02 byte step-by-step and, result if 0 is judged as file, otherwise are judged as file;
If file is then carried out all fragments that on disk, distribute file and is wiped through the overwrite method of appointment, make that the document body data are thoroughly wiped, can not recover;
If file then needs to delete son file in the file and file earlier, delete this document folder at last.
Beneficial effect
The present invention is direct resolution file system from the bottom data in magnetic disk; Can directly have access to the data of All Files on the disk; And do not receive the influence of operating system, thus the file data on the disk is obtained the highest weight limit, guaranteed the deletion of file data and can not be resumed.
Description of drawings
Fig. 1 is the process flow diagram of data erase method among the embodiment;
Embodiment
Below in conjunction with accompanying drawing, specify preferred implementation of the present invention.
Realized a kind of data erase method in the present embodiment, may further comprise the steps:
One, according to the path of want deleted file or file, obtain the volume at this document place, under Windows, using CreateFile to open X dish like the character string of ": " as name with shape is the volume of NTFS, uses ": " such as opening the C dish; Use ReadFile to read preceding 512 bytes of this volume then; Be initial sector, obtain following parameter: the Logic Cluster at the contained sector number of the byte number of each sector, each bunch, main MFT place number, the number of clusters of file logging (File Record), the number of clusters of index record (Index Record);
Each twists in when realizing NTFS, and some basic parameters of taking maybe be different, therefore need when loading a volume, read some basic parameters of this volume.
Two,, search this document ID according to the path of want deleted file;
In NTFS, the corresponding MFT item of each file or folder constitutes the node one by one of B+ tree, and its file does not have child node, and it must be a leaf node, and file possibly be a leafy node, also possibly be branch node.In the MFT of each file item, the resident De $INDEX_ROOT that has of expression file system structure is that 0x90 attribute and non-resident De $INDEX_ALLOCATION are the 0xA0 attribute.Comprised the variable Index Entry of number in the $INDEX_ROOT attribute, each has all described some essential informations of the include file ID of file or sub-folder under this document folder.If child node is too much then also have attribute, with the Index Entry information stores of child node to the disk of its indication bunch in.Thus, if child node be file then can recurrence go down again, thereby finally can travel through complete B+ tree, obtain the information of All Files and file in the file system.
According to the path of want deleted file, in the B+ tree that constitutes by file or folder MFT item, navigate to corresponding file or folder, and obtain the file ID of this document;
Three, wipe file-related information;
After having obtained file ID, according to the position of following formula locating file MFT item on disk:
The byte number of each bunch of Logic Cluster * of the byte number+main MFT of file MFT item side-play amount=each MFT item of file ID *;
Then according to the structure of file MFT item head, 0x17 byte and 0x02 byte step-by-step and, result if 0 is judged as file, otherwise are judged as file;
If file; Then carry out overwrite method through appointment of all fragments of on disk, distributing file (like a zero filling or fill out one or fill out random number; 7 times erasing-writing methods of the DoD 5220-22-M of U.S. Department of Defense standard; 35 times erasing-writing methods of Gutmann method etc.) wipe, make that the document body data are thoroughly wiped, can not recover; Can also optionally delete or forge processing to file MFT item as required afterwards; Comprise creation-time, modification time, file size in the attribute structure to some essential informations about this document in the file MFT item; And the optional data at file MFT end stream peels off like the thumbnail of picture file, prevents that the file peripheral information from being revealed.
If file then needs to delete son file in the file and file earlier, delete this document folder at last.Each empty folder was at first wiped the content of the non-resident De $INDEX_ALLOCATION of this document attribute before deleting, and handled the content in the MFT item of file according to the same mode of deleted file afterwards.
The present invention is not limited only to above embodiment, everyly utilizes mentality of designing of the present invention, does the design of some simple change, all should count within protection scope of the present invention.
Claims (3)
1. the data erase method of a new technology file system is characterized in that, may further comprise the steps:
One, according to the path of want deleted file or file, obtain the volume at this document place, under Windows, using CreateFile to open X dish like the character string of ": " as name with shape is the volume of NTFS; Use ReadFile to read preceding 512 bytes of this volume then, i.e. initial sector obtains following parameter: the Logic Cluster at the contained sector number of the byte number of each sector, each bunch, main MFT place number, the number of clusters of file logging, the number of clusters of index record;
Two,, search this document ID according to the path of want deleted file:
According to the path of want deleted file, in the B+ tree that constitutes by file or folder MFT item, navigate to corresponding file or folder, and obtain the file ID of this document;
Three, wipe file-related information:
After having obtained file ID, according to the position of following formula locating file MFT item on disk:
The byte number of each bunch of Logic Cluster * of the byte number+main MFT of file MFT item side-play amount=each MFT item of file ID *;
Then according to the structure of file MFT item head, 0x17 byte and 0x02 byte step-by-step and, result if 0 is judged as file, otherwise are judged as file;
If file is then carried out all fragments that on disk, distribute file and is wiped through the overwrite method of appointment, make that the document body data are thoroughly wiped, can not recover;
If file then needs to delete son file in the file and file earlier, delete this document folder at last.
2. a kind of data erase method according to claim 1; It is characterized in that; After wiping the document body data, delete or forge processing to file MFT item as required, comprise creation-time, modification time, file size in the attribute structure to some essential informations about this document in the file MFT item; And the optional data at file MFT end stream peels off, and prevents that the file peripheral information from being revealed.
3. a kind of data erase method according to claim 2; It is characterized in that; Each empty folder is before deleting; At first wipe the content of the non-resident De $INDEX_ALLOCATION of this document attribute, handle the content in the MFT item of file according to the same mode of deleted file afterwards.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2012101782204A CN102693387A (en) | 2012-06-01 | 2012-06-01 | Data wiping method for NTFS (new technology file system) |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2012101782204A CN102693387A (en) | 2012-06-01 | 2012-06-01 | Data wiping method for NTFS (new technology file system) |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102693387A true CN102693387A (en) | 2012-09-26 |
Family
ID=46858812
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2012101782204A Pending CN102693387A (en) | 2012-06-01 | 2012-06-01 | Data wiping method for NTFS (new technology file system) |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102693387A (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103049534A (en) * | 2012-12-23 | 2013-04-17 | 北京人大金仓信息技术股份有限公司 | Method for quickly destroying data of database |
| CN104166723A (en) * | 2014-08-25 | 2014-11-26 | 厦门市美亚柏科信息股份有限公司 | Data shredding method and device for resilient file system |
| CN105243090A (en) * | 2015-09-10 | 2016-01-13 | 北京北信源软件股份有限公司 | Exclusive file acquisition method and system |
| CN105740103A (en) * | 2016-02-02 | 2016-07-06 | 厦门市美亚柏科信息股份有限公司 | NTFS ((New Technology File System) deletion file recovery method and device based on log |
| CN106055990A (en) * | 2016-05-30 | 2016-10-26 | 厦门市美亚柏科信息股份有限公司 | Thorough data crushing method and device of NTFS (New Technology File System) |
| CN106372080A (en) * | 2015-07-22 | 2017-02-01 | 安恒通(北京)科技有限公司 | File clearing method, apparatus and system |
| CN106548093A (en) * | 2015-09-18 | 2017-03-29 | 四川效率源信息安全技术股份有限公司 | The method for deleting of confidential data in FAT32 file system |
| CN106548086A (en) * | 2015-09-18 | 2017-03-29 | 四川效率源信息安全技术股份有限公司 | The method for deleting of confidential data in new technology file system |
| CN109683819A (en) * | 2018-12-18 | 2019-04-26 | 武汉大学 | A kind of content of disk file irreversibly soft delet method |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1928870A (en) * | 2006-09-28 | 2007-03-14 | 珠海金山软件股份有限公司 | Method for completely crashing file data in NTFS roll |
| CN102332014A (en) * | 2011-09-14 | 2012-01-25 | 奇智软件(北京)有限公司 | Method and device for deleting file |
-
2012
- 2012-06-01 CN CN2012101782204A patent/CN102693387A/en active Pending
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1928870A (en) * | 2006-09-28 | 2007-03-14 | 珠海金山软件股份有限公司 | Method for completely crashing file data in NTFS roll |
| CN102332014A (en) * | 2011-09-14 | 2012-01-25 | 奇智软件(北京)有限公司 | Method and device for deleting file |
Non-Patent Citations (2)
| Title |
|---|
| 赵振洲等: "NTFS文件系统文件删除与恢复", 《北京政法职业学院学报》 * |
| 马林: "《重生 Windows数据恢复技术极限剖析》", 30 June 2011, 清华大学出版社 * |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103049534A (en) * | 2012-12-23 | 2013-04-17 | 北京人大金仓信息技术股份有限公司 | Method for quickly destroying data of database |
| CN103049534B (en) * | 2012-12-23 | 2018-06-01 | 北京人大金仓信息技术股份有限公司 | A kind of method of quick destruction database data |
| CN104166723A (en) * | 2014-08-25 | 2014-11-26 | 厦门市美亚柏科信息股份有限公司 | Data shredding method and device for resilient file system |
| CN106372080A (en) * | 2015-07-22 | 2017-02-01 | 安恒通(北京)科技有限公司 | File clearing method, apparatus and system |
| CN105243090A (en) * | 2015-09-10 | 2016-01-13 | 北京北信源软件股份有限公司 | Exclusive file acquisition method and system |
| CN106548093A (en) * | 2015-09-18 | 2017-03-29 | 四川效率源信息安全技术股份有限公司 | The method for deleting of confidential data in FAT32 file system |
| CN106548086A (en) * | 2015-09-18 | 2017-03-29 | 四川效率源信息安全技术股份有限公司 | The method for deleting of confidential data in new technology file system |
| CN105740103A (en) * | 2016-02-02 | 2016-07-06 | 厦门市美亚柏科信息股份有限公司 | NTFS ((New Technology File System) deletion file recovery method and device based on log |
| CN105740103B (en) * | 2016-02-02 | 2018-10-09 | 厦门市美亚柏科信息股份有限公司 | A kind of NTFS deletion file access pattern method and apparatus based on daily record |
| CN106055990A (en) * | 2016-05-30 | 2016-10-26 | 厦门市美亚柏科信息股份有限公司 | Thorough data crushing method and device of NTFS (New Technology File System) |
| CN106055990B (en) * | 2016-05-30 | 2018-11-27 | 厦门市美亚柏科信息股份有限公司 | A kind of thorough breaking method of data of new technology file system and device |
| CN109683819A (en) * | 2018-12-18 | 2019-04-26 | 武汉大学 | A kind of content of disk file irreversibly soft delet method |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102693387A (en) | Data wiping method for NTFS (new technology file system) | |
| US7640404B2 (en) | File system write filtering for selectively permitting or preventing data from being written to write-protected storage | |
| US8260792B1 (en) | System and method for committing data objects to be immutable | |
| US9317218B1 (en) | Memory efficient sanitization of a deduplicated storage system using a perfect hash function | |
| US6850929B2 (en) | System and method for managing file system extended attributes | |
| EP2363815B1 (en) | System for permanent file deletion | |
| US20120047154A1 (en) | Card-based management of discardable files | |
| CN101763317A (en) | Data eliminating method of magnetic medium | |
| US20200364181A1 (en) | Event based retention of read only files | |
| US11144508B2 (en) | Region-integrated data deduplication implementing a multi-lifetime duplicate finder | |
| JP5715964B2 (en) | Managing downloadable files | |
| CN105493080B (en) | The method and apparatus of data de-duplication based on context-aware | |
| US20150120740A1 (en) | File system implementing write once read many (worm) | |
| CN111104377A (en) | File management method, electronic device and computer-readable storage medium | |
| US8996586B2 (en) | Virtual storage of portable media files | |
| CN111382126B (en) | System and method for deleting file and preventing file recovery | |
| CN109582501B (en) | File recovery method and device, computer equipment and storage medium | |
| KR100987320B1 (en) | Data processing apparatus and Data procssing method, using FAT file system capable of fast file recovery | |
| CN103257928A (en) | Method and system for data management of flash memory equipment | |
| CN103164341A (en) | Method and system for fast erasing files in mass storage device | |
| KR101539617B1 (en) | File wiping method according to file type structure in mobile system, and apparatus thereof | |
| EP3674876B1 (en) | System and method of deletion of files and counteracting their restoration | |
| CN114265828A (en) | Line migration elimination method and device, computer equipment and storage medium | |
| Darnowski et al. | Writing and Deleting files on hard drives with NTFS | |
| RU96433U1 (en) | FILE REMOVAL SYSTEM (FILE SHREDDER) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20120926 |