CN105224877B - A kind of confidential data sweep-out method - Google Patents

A kind of confidential data sweep-out method Download PDF

Info

Publication number
CN105224877B
Authority
CN
China
Prior art keywords
key
record
data
bytes
information
Prior art date
Legal status
Active
Application number
CN201510640550.4A
Other languages
Chinese (zh)
Other versions
CN105224877A (en)
Inventor
梁效宁
许超明
赵飞
黄旭
Current Assignee
Shaanxi University of technology Ruidi Information Technology Co.,Ltd.
Original Assignee
SICHUAN XLY INFORMATION SAFETY TECHNOLOGY Co Ltd
Priority date
Filing date
Publication date
Application filed by SICHUAN XLY INFORMATION SAFETY TECHNOLOGY Co Ltd

Links

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/2143 Clearing memory, e.g. to prevent the data from being stolen

Abstract

The invention discloses a method for erasing confidential data, comprising the following steps: S1: locate the system partition information; S2: obtain the storage information of the registry files; S3: obtain the free regions and the normal (allocated) regions of a registry file, search those regions for marks of confidential information, and obtain their physical storage locations; S4: wipe the confidential traces. The present invention derives the normal and free regions of a registry file from the value of Cell_Length in the file and marks deleted registry data in both the normal and the free regions. This method effectively prevents confidential information recorded in the registry from being recovered or leaked: all such data is thoroughly removed, so that the physical locations where confidential data was once stored are completely overwritten.

Description

A kind of confidential data sweep-out method
Technical field
The present invention relates to the field of information security technology, and more particularly to a method for erasing confidential data.
Background technology
The registry is the core database of the Windows operating system. It stores all kinds of parameters and directly controls Windows startup, the loading of hardware drivers and the operation of some Windows applications. In the 21st century, an age of rapid informatization, computer technology advances daily and is closely bound up with everyday life, and electronic information is the main carrier of data. The electronic data used by many enterprises, institutions and state security departments is highly confidential, and the security of its data traces is taken very seriously: no confidential data may be read or recovered at will, and once it leaks the consequences are incalculable. Because of the way data is stored, however, confidential data stored in a computer can still be restored with data recovery methods even after it has been deleted, so such important confidential data remains at risk of being recovered and leaked. The present invention aims to prevent these phenomena.
At present there is no technology on the market that can locate and destroy confidential data of this kind.
The content of the invention
In view of the defects of the prior art, the present invention provides a method for erasing confidential data that effectively solves the above problems of the prior art.
A method for erasing confidential data comprises the following steps:
S1: Open the MBR disk partition table and parse it to obtain the system partition information;
S2: Locate the file system from the partition information, then obtain the storage information of the registry files;
S3: From the Cell Length value in the registry file information, obtain the free regions and the normal regions of the registry file, determine whether their data contains marks of confidential information, and obtain its physical storage locations;
S4: According to the physical storage locations marked in S3, clear all of the marked physical storage locations.
The detailed steps of S3 are as follows:
S301: Search for the data block mark starting from the head of the registry file; once the data block mark is found, perform S302;
S302: Determine whether the value at the current position + 4 bytes exceeds the size range of the registry file; if so, terminate; if not, read the value of the 4 bytes following the data block mark and perform S303;
S303: Evaluate the 4-byte Cell Length value:
If the Cell Length value is positive, the Cell to which the Cell Length belongs is a free region; perform S304;
If the Cell Length value is negative, the Cell to which the Cell Length belongs is a normal region; perform S304;
S304: Determine whether the Cell Length of the normal or free region is a valid size; if valid, perform S305; if invalid, advance 32 bytes from the current position and perform S302;
S305: Search for the identifier corresponding to a key or a key value, and record the key or key value found;
S306: Determine whether the key record or key value record is valid, and record the valid key records or key value records;
S307: Determine whether the key or key value record is confidential data, and record its physical storage location;
S308: Determine whether the tail of the data block has been reached; if so, search onward from the current position for the data block header mark "hbin" and, once found, perform S302; if not, advance 32 bytes from the current position and perform S302.
Preferably, the criteria for judging the Cell Length size in S304 are as follows:
If the stored data is key data, the Cell Length must be greater than 0x4C;
If the stored data is key value data, the Cell Length must be greater than 0x14.
Preferably, the criteria in S306 for judging whether a key record or key value record is valid are:
A key record is valid if its first four bytes are 0x6E6B2000, the four bytes at offset 0x18~0x1C are 0x00000000 and the four bytes at offset 0x20~0x23 are 0xFFFFFFFF;
A key value record is valid if its first two bytes are 0x766B and the two bytes at offset 0x12~0x13 are 0x0000.
Preferably, in S307 the key or key value record is distinguished by a user-supplied confidential-data feature: the feature is matched against the characteristics of the key or key value; if it matches, the record is regarded as a confidential trace and is marked; if it does not match, the record is not regarded as a confidential trace.
Compared with the prior art, the advantage of the invention is that the normal and free regions of a registry file are derived from the value of Cell_Length in the file, and deleted registry data is marked in both the normal and the free regions. This method effectively prevents confidential information recorded in the registry from being recovered or leaked: all such data is thoroughly removed, so that the physical locations where confidential data was once stored are completely overwritten.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below by way of the following embodiments.
A method for erasing confidential data comprises the following steps:
S1: Open the MBR disk partition table and parse it to obtain the system partition information;
S2: The file system can be located from the partition information in S1, after which the storage information of the registry files is obtained. For example, the Windows 2000/XP registry files are stored in the "WINNT\system32\config" folder and include "Default", "SAM", "Security" (Windows 2000 does not have this file), "Software" and "System";
S3: From the value of Cell Length in the registry file, obtain the free regions and normal regions of the registry file; the free and normal regions are identified as the Cell in which the data resides. Determine whether its data contains marks of confidential information, and obtain its physical storage location;
S4: According to the physical storage locations marked in S3, clear all of the marked physical storage locations. Clearing may fill the locations with random characters, with "0xff" or "0x00", or repeatedly (at least 5 times) with the user-defined character string "0Xxly", because data on a storage medium cannot be recovered after it has been overwritten repeatedly.
The detailed steps of S3 are as follows:
S301: Search for the data block header mark "hbin" starting from the head of the registry file; once the data block mark is found, perform S302;
S302: Determine whether the value at the current position + 4 bytes exceeds the size range of the registry file; if so, terminate; if not, read the value of the 4 bytes following the data block mark and perform S303;
S303: Evaluate the 4-byte Cell Length value:
If the Cell Length value is positive, the Cell to which the Cell Length belongs is a free region; perform S304;
If the Cell Length value is negative, the Cell to which the Cell Length belongs is a normal region; perform S304;
S304: Determine whether the Cell Length of the normal or free region is a valid size:
If the stored data is key data, the Cell Length must be greater than 0x4C;
If the stored data is key value data, the Cell Length must be greater than 0x14.
If valid, perform S305; if invalid, advance 32 bytes from the current position and perform S302.
S305: Search for the identifier corresponding to a key or a key value, and record the key or key value found;
The identifier corresponding to a key is: the header signature of the key is 0x6E6B, the 3rd byte of the key is fixed at 0x20, and the 4th byte is a fixed reserved byte 0x00. The identifier corresponding to a key value is: the header signature 0x766B of the key value.
S306: Determine whether the key record or key value record is valid, and record the valid key records or key value records;
The criterion for a valid key record is:
The first four bytes are 0x6E6B2000, the four bytes at offset 0x18~0x1C are 0x00000000 and the four bytes at offset 0x20~0x23 are 0xFFFFFFFF;
The criterion for a valid key value record is:
The first two bytes are 0x766B and the two bytes at offset 0x12~0x13 are 0x0000.
S307: Determine whether the key or key value record is confidential data, and record its physical storage location. The key or key value record is distinguished by a user-supplied confidential-data feature, which is matched against the characteristics of the key or key value described above; if it matches, the record is regarded as a confidential trace and is marked.
S308: Determine whether the tail of the data block has been reached; if so, search onward from the current position for the data block header mark "hbin" and, once found, perform S302; if not, advance 32 bytes from the current position and perform S302.
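The scan of S301 to S308, as an added illustration that is not code from the patent: a Python walk over a constructed registry hive fragment that classifies each Cell by the sign of its Cell Length (S303), applies the S304 size thresholds and the S306 field checks, and reports the offset of every key or key value record whose name matches a caller-supplied feature (S307), in free cells as well as allocated ones. It walks by cell length rather than the patent's 32-byte stride; the hbin size field at offset 8, the name-length and name offsets (0x48/0x4C for keys, 0x02/0x14 for values) and offsets taken relative to the record signature are assumptions beyond the patent text, and the overwrite step S4 is not implemented.

```python
import struct

HBIN_SIG, NK_SIG, VK_SIG = b"hbin", b"nk", b"vk"
NK_MIN_CELL, VK_MIN_CELL = 0x4C, 0x14   # S304 size thresholds given in the patent

def build_cell(record, allocated):
    """Constructed helper: 8-byte-aligned cell; negative Cell Length = allocated
    (normal region), positive = free region, i.e. a deleted record still on disk."""
    size = (4 + len(record) + 7) & ~7
    return struct.pack("<i", -size if allocated else size) + record.ljust(size - 4, b"\x00")

def build_nk(name):
    """Constructed minimal key ('nk') record carrying the fields S305/S306 check."""
    rec = bytearray(0x4C + len(name))
    rec[0:4] = NK_SIG + b"\x20\x00"            # signature, 3rd byte 0x20, 4th byte 0x00
    rec[0x20:0x24] = b"\xff" * 4              # 0x20..0x23 = 0xFFFFFFFF; 0x18..0x1B stays 0
    rec[0x48:0x4A] = struct.pack("<H", len(name))   # name length/name offsets: assumption
    rec[0x4C:] = name
    return bytes(rec)

def build_vk(name):
    """Constructed minimal value ('vk') record; the spare word at 0x12 stays 0x0000."""
    rec = bytearray(0x14 + len(name))
    rec[0:2], rec[2:4], rec[0x14:] = VK_SIG, struct.pack("<H", len(name)), name
    return bytes(rec)

def classify_record(rec, cell_size):
    """S304-S306: size sanity check, signature lookup and field validation."""
    if rec[:4] == NK_SIG + b"\x20\x00" and cell_size > NK_MIN_CELL:
        if rec[0x18:0x1C] == b"\x00" * 4 and rec[0x20:0x24] == b"\xff" * 4:
            return "key"
    if rec[:2] == VK_SIG and cell_size > VK_MIN_CELL and rec[0x12:0x14] == b"\x00\x00":
        return "value"
    return None

def record_name(rec, kind):
    """Record name (length word at 0x48/0x02, name at 0x4C/0x14: assumed layout)."""
    if kind == "key":
        return rec[0x4C:0x4C + struct.unpack_from("<H", rec, 0x48)[0]]
    return rec[0x14:0x14 + struct.unpack_from("<H", rec, 0x02)[0]]

def scan_hive(data, features):
    """Walk every hbin block cell by cell (S301-S308) and return each key or value
    record, live or deleted, whose name contains a caller-supplied feature (S307)."""
    hits, pos = [], data.find(HBIN_SIG)                     # S301
    while pos != -1:
        block_end = min(pos + struct.unpack_from("<I", data, pos + 8)[0], len(data))  # assumption
        cur = pos + 0x20                                    # cells follow the 32-byte header
        while cur + 4 <= block_end:                         # S302: stay inside the block
            cell_len = struct.unpack_from("<i", data, cur)[0]
            if cell_len == 0:
                break
            size = abs(cell_len)
            kind = classify_record(data[cur + 4:cur + size], size)
            if kind:
                name = record_name(data[cur + 4:cur + size], kind)
                if any(f in name for f in features):
                    hits.append({"offset": cur, "kind": kind, "name": name,
                                 "region": "free" if cell_len > 0 else "allocated"})  # S303
            cur += size                     # next cell (the patent uses a 32-byte stride)
        pos = data.find(HBIN_SIG, block_end)                # S308: next block
    return hits

def sample_hive():
    """Constructed hive fragment: two live records and two deleted (free) ones."""
    cells = (build_cell(build_nk(b"Software"), True) + build_cell(build_nk(b"SecretProject"), False)
             + build_cell(build_vk(b"SecretToken"), False) + build_cell(build_vk(b"Version"), True))
    header = HBIN_SIG + struct.pack("<II", 0, 0x20 + len(cells)) + b"\x00" * 20
    return b"\x00" * 64 + header + cells    # zeros stand in for the 'regf' base block
```

Read as a forensic audit, the two "free" hits are exactly the deleted records a recovery tool could still reconstruct from the hive. Rewriting a hive's bytes in place, as S4 proposes, does not guarantee that earlier physical copies are gone on flash media that relocate writes, so an audit of the medium itself is still needed.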
Those of ordinary skill in the art will appreciate that the embodiments described here are intended to help the reader understand the implementation of the present invention, and it should be understood that the scope of protection of the present invention is not limited to such specific statements and embodiments. On the basis of the technical teachings disclosed herein, those of ordinary skill in the art can make various other specific variations and combinations that do not depart from the essence of the invention, and these variations and combinations remain within the scope of the present invention.

Claims (4)

1. A method for erasing confidential data, characterised in that it comprises the following steps:
S1: Open the MBR disk partition table and parse it to obtain the system partition information;
S2: Locate the file system from the partition information, then obtain the storage information of the registry files;
S3: From the value of Cell Length in the registry file information, obtain the free regions and the normal regions of the registry file, determine whether their data contains marks of confidential information, and obtain its physical storage locations;
S4: According to the physical storage locations marked in S3, clear all of the marked physical storage locations;
The detailed steps of S3 are as follows:
S301: Search for the data block mark starting from the head of the registry file; once the data block mark is found, perform S302;
S302: Determine whether the value at the current position + 4 bytes exceeds the size range of the registry file; if so, terminate; if not, read the value of the 4 bytes following the data block mark and perform S303;
S303: Evaluate the 4-byte Cell Length value:
If the Cell Length value is positive, the Cell to which the Cell Length belongs is a free region; perform S304;
If the Cell Length value is negative, the Cell to which the Cell Length belongs is a normal region; perform S304;
S304: Determine whether the Cell Length of the normal or free region is a valid size; if valid, perform S305; if invalid, advance 32 bytes from the current position and perform S302;
S305: Search for the identifier corresponding to a key or a key value, and record the key or key value found;
S306: Determine whether the key record or key value record is valid, and record the valid key records or key value records;
S307: Determine whether the key or key value record is confidential data, and record its physical storage location;
S308: Determine whether the tail of the data block has been reached; if so, search onward from the current position for the data block header mark "hbin" and, once found, perform S302; if not, advance 32 bytes from the current position and perform S302.
2. The method for erasing confidential data according to claim 1, characterised in that the criteria for judging the Cell Length size in S304 are as follows:
If the stored data is key data, the Cell Length must be greater than 0x4C;
If the stored data is key value data, the Cell Length must be greater than 0x14.
3. The method for erasing confidential data according to claim 1, characterised in that the criteria in S306 for judging whether a key record or key value record is valid are:
A key record is valid if its first four bytes are 0x6E6B2000, the four bytes at offset 0x18~0x1C are 0x00000000 and the four bytes at offset 0x20~0x23 are 0xFFFFFFFF;
A key value record is valid if its first two bytes are 0x766B and the two bytes at offset 0x12~0x13 are 0x0000.
4. The method for erasing confidential data according to claim 1, characterised in that in S307 the key or key value record is distinguished by a user-supplied confidential-data feature: the feature is matched against the characteristics of the key or key value; if it matches, the record is regarded as a confidential trace and is marked; if it does not match, the record is not regarded as a confidential trace.
Application CN201510640550.4A, priority date 2015-09-30, filing date 2015-09-30, "A kind of confidential data sweep-out method", status Active, granted as CN105224877B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510640550.4A CN105224877B (en) 2015-09-30 2015-09-30 A kind of confidential data sweep-out method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510640550.4A CN105224877B (en) 2015-09-30 2015-09-30 A kind of confidential data sweep-out method

Publications (2)

Publication Number Publication Date
CN105224877A CN105224877A (en) 2016-01-06
CN105224877B true CN105224877B (en) 2018-01-26

Family

ID=54993839

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510640550.4A Active CN105224877B (en) 2015-09-30 2015-09-30 A kind of confidential data sweep-out method

Country Status (1)

Country Link
CN (1) CN105224877B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102663059A (en) * 2012-03-30 2012-09-12 奇智软件(北京)有限公司 Method and system for automatically cleaning redundant items in computer terminal
CN102902672A (en) * 2011-07-25 2013-01-30 腾讯科技(深圳)有限公司 Method and device for cleaning file system
CN103092726A (en) * 2013-01-16 2013-05-08 厦门市美亚柏科信息股份有限公司 Recovery method and recovery device of registry deleted data
CN104239091A (en) * 2014-08-25 2014-12-24 北京金山安全软件有限公司 File cleaning method and device and terminal


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Beware of software leaking secrets: thoroughly clean up the run traces of application software"; 小瓢虫; 《网络与信息》; 2005-09-30; vol. 2005, no. 9; p. 52 *
"Don't guess my secret: a big clean-up of computer usage records"; 风雨彩虹; 《电脑爱好者 普及版》; 2007-06-30; vol. 2007, no. 6; pp. 16-18 *

Also Published As

Publication number Publication date
CN105224877A (en) 2016-01-06

Similar Documents

Publication Publication Date Title
US9442833B1 (en) Managing device identity
US20170083702A1 (en) Detecting Software Attacks on Processes in Computing Devices
CN103092726A (en) Recovery method and recovery device of registry deleted data
CN107679421A (en) A kind of movable memory apparatus monitoring means of defence and system
Vidas The acquisition and analysis of random access memory
WO2014012459A1 (en) Method, apparatus and client device for extracting signature information from application installation packages
CN109376530B (en) Process mandatory behavior control method and system based on mark
CN105224877B (en) A kind of confidential data sweep-out method
CN104794025B (en) The method of rapid verification storage device
Jones et al. A method and implementation for the empirical study of deleted file persistence in digital devices and media
CN107729748A (en) A kind of method for describing file running orbit figure in sandbox
US20120060014A1 (en) Electronic device and method for protecting electronic keys using the same
US8015342B2 (en) Method of managing and restoring identifier of storage device and apparatus therefor
CN106254806A (en) A kind of Video data guard method and device
CN103942293A (en) Self-destroying protection method based on malicious invasion of file system and device thereof
CN109901783A (en) A kind of information technology for eliminating of storage medium
CN103049534A (en) Method for quickly destroying data of database
CN106407034A (en) Method for parsing catalogue of defect hard disk for data recovery
CN102236748A (en) Computer software protection method
Bhushan et al. An overview on handling anti forensic issues in android devices using forensic automator tool
Singh et al. Recovery of forensic artifacts from deleted jump lists
KR101845284B1 (en) Malicious code detection system and malicious code detecting method
Cox et al. Potential difficulties during investigations due to solid state drive (SSD) technology
CN104182705A (en) Mobile storage media use information automatic checking method
CN101201882B (en) Operating system protection method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Liang Xiaoning

Inventor after: Xu Chaoming

Inventor after: Zhao Fei

Inventor after: Huang Xu

Inventor before: Liang Xiaoning

Inventor before: Xu Chaoming

Inventor before: Zhao Fei

GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20190114

Address after: 710072 West Section 69 of South Second Ring Road, Beilin District, Xi'an City, Shaanxi Province

Patentee after: Shaanxi CISCO Rudi Network Security Technology Co., Ltd.

Address before: No. 183 Songshan Road, Neijiang, Sichuan, Sichuan

Patentee before: SICHUAN XLY INFORMATION SAFETY TECHNOLOGY CO., LTD.

CP03 Change of name, title or address

Address after: 710000 19th floor, block B, innovation and technology building, Northwest University of technology, No. 127, Youyi West Road, Beilin District, Xi'an City, Shaanxi Province

Patentee after: Shaanxi University of technology Ruidi Information Technology Co.,Ltd.

Address before: 710072 West Section 69 of South Second Ring Road, Beilin District, Xi'an City, Shaanxi Province

Patentee before: Shaanxi CISCO Rudi Network Security Technology Co.,Ltd.
