CN105488173A - Method for recovering and extracting historical records of 360 browser - Google Patents

Abstract

The invention discloses a method for recovering and extracting historical records of a 360 browser. The method comprises the following steps: obtaining a database; determining the sizes of pages; finding out a root page of a table; finding out a data table to mark all pages; forming a B tree; reading contents of the pages; distinguishing and marking normal data, deleted data and fragmented data in the pages; marking all the pages; performing structural division of bottom data corresponding to a leaf page; converting corresponding data into a visual type; distinguishing data states; and classifying and sorting the data. The method disclosed by the invention has the benefits that: the deleted data and the fragmented data in the historical records of the 360 browser can be found out; the data can be distinguished and disposed; the recovery success rate is high; the working efficiency is increased; and the recovered data are more visualized to display.

Description

A kind of recovery extracting method of 360 browser history records

Technical field

The present invention relates to field of information security technology, particularly a kind of recovery extracting method of 360 browser history records.

Background technology

In the 21 century that informationization develops rapidly, computer technology is maked rapid progress, closely bound up with daily life, the fast development of network causes the behavior utilizing computing machine to carry out the network crime to increase gradually, and browser history vestige becomes the emphasis of computer forensics.

At present, based on 360 browsers of Windows7 and 8 systems, the method for keeping records is generally preserved by the mode of SQLite database; Do not have instrument or method to carry out resolving and extracting for this file layout on the market, thus run into this browser history vestige deleted after, if do not have resolve method, whole link of solving a case just has reached an impasse.

Summary of the invention

The present invention is directed to the defect of prior art, provide a kind of recovery extracting method of 360 browser history records, effectively can solve above-mentioned prior art Problems existing.

A recovery extracting method for 360 browser history records, comprises step below:

S1: the database obtaining storage 360 browser history record;

S2: the size of searching page in database file head determination database file;

S3: the root page finding table from the rootpage field of SQLite_Matter table, the size * (root page-1) of the start address=page of root page;

S4: find the tables of data depositing 360 browser history records, from the root page of table, travels through all pages successively, judges page type, if leaf page, then record this page of page number; If inner page, then search all leaf pages of this inner page, record the page number of this inner page and the page number of all leaf pages;

S5: after all pages have all traveled through, returns all page numbers, and makes page number logically form B tree;

S6: according to B tree, take out page number successively, read page content;

S7: for each page, judges page type, distinguishes normal data with the management byte in this page, deletes data, crumb data marking; Mark all pages;

S8: the bottom data of all leaf page correspondences is carried out structure division, its structure divides consistent with 360 database master data features; The size that described structure divides each record in a table by 360 database master data features divides with the size of each field in record.

S9: according to the stage extraction bottom data in page, and the data type combining correspondence converts data to visual type;

S10: separate data and the crumb data that S9 extracts the deletion in data in conjunction with the mark zone in S7;

S11: classify according to data mode, access time and the data of browser access network address to the extraction of S10 and sort; Then according to the ascending order of access time or descending respectively by the data of deleting and crumb data sequence, and to combine with the order of data mode, access time and URL address.

Compared with prior art the invention has the advantages that: can find the deleted data in 360 historical records and crumb data, and distinguish and disposal data, revert to power high, increase work efficiency, the data recovered present more directly perceived.

Embodiment

For making object of the present invention, technical scheme and advantage clearly understand, by the following examples, the present invention is described in further details.

A recovery extracting method for 360 browser history records, comprises step below:

S1: the database obtaining storage 360 browser history record, its path is: " C: Users Administrator AppData Roaming 360se6 UserData Default History ";

S2: the size of searching page in database file head determination database file.Analyze this database file head, can know that the size of B_Tree page is 0x1000;

S3: the root page finding table from the rootpage field of SQLite_Matter table, the size * (root page-1) of the start address=page of root page;

S4: the tables of data depositing the historical record of browser in this example is urls.From the root page of urls table, travel through the page that all urls show successively, judge page type, if table leaf page, then record this page of page number; If show inner page, then search all leaf pages of this inner page, record the page number of this inner page and the page number of all leaf pages;

S5: after the page that all urls of belonging to show all has traveled through, return all page numbers, and make page number logically form B tree;

S6: according to the B tree of urls table, take out page number successively, read page content;

S7: for each page, judges page type, distinguishes normal data with the management byte (managing byte in page head zone, the Data Position in flag page) in this page, deletes data, crumb data; If this page is inner page, due to not store data, so only make marks;

If leaf page, then the unit of leaf page is resolved, if unit contains overflow page, the crumb data in overflow page is marked;

Mark obtains urls and shows all pages.

S8: the bottom data of all leaf page correspondences is carried out structure division, its structure divides consistent with 360 database master data features; Described structure divides and divides with the size of each field in record by the size of each record in a table.

The master data feature in 360 browser data storehouses is as follows:

The field of obtaining information comparatively core has: [url]: browser access network address, [Title]: access theme, [last_visit_time]: access time.

S9: according to the stage extraction bottom data in page, and the data type combining correspondence converts data to visual type;

S10: separate data and the crumb data that S9 extracts the deletion in data in conjunction with the mark zone in S7;

S11: according to data mode (data mode is normal data, the data of deletion and crumb data), access time and browser access network address the data of the deletion of S10 and crumb data classified and sort; Then according to the ascending order of access time or descending by data sorting, and to combine with the order of data mode, access time and URL address.

Those of ordinary skill in the art will appreciate that, embodiment described here is to help reader understanding's implementation method of the present invention, should be understood to that protection scope of the present invention is not limited to so special statement and embodiment.Those of ordinary skill in the art can make various other various concrete distortion and combination of not departing from essence of the present invention according to these technology enlightenment disclosed by the invention, and these distortion and combination are still in protection scope of the present invention.

Claims (1)

1. a recovery extracting method for 360 browser history records, comprises step below:

S1: the database obtaining storage 360 browser history record;

S2: the size of searching page in database file head determination database file;

S3: the root page finding table from the rootpage field of SQLite_Matter table, the size * (root page-1) of the start address=page of root page;

S4: find the tables of data depositing 360 browser history records, from the root page of table, travels through all pages successively, judges page type, if leaf page, then record this page of page number; If inner page, then search all leaf pages of this inner page, record the page number of this inner page and the page number of all leaf pages;

S5: after all pages have all traveled through, returns all page numbers, and makes page number logically form B tree;

S6: according to B tree, take out page number successively, read page content;

S7: for each page, judges page type, distinguishes normal data, deletes data, crumb data marking, mark all pages with the management byte in this page;

S8: the bottom data of all leaf page correspondences is carried out structure division, its structure divides consistent with 360 database master data features; The size that described structure divides each record in a table by 360 database master data features divides with the size of each field in record;

S9: according to the stage extraction bottom data in page, and the data type combining correspondence converts data to visual type;

S10: separate data and the crumb data that S9 extracts the deletion in data in conjunction with the mark zone in S7;

S11: classify according to data mode, access time and the data of browser access network address to the extraction of S10 and sort; Then according to the ascending order of access time or descending respectively by the data of deleting and crumb data sequence, and to combine with the order of data mode, access time and URL address.