CN105868056A - Method, device and safety virtual machine for acquiring deleted files in Windows virtual machines - Google Patents


Info

Publication number
CN105868056A
Authority
CN
China
Prior art keywords
virtual machine
deleted document
information
windows
deleted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610214439.3A
Other languages
Chinese (zh)
Other versions
CN105868056B (en
Inventor
党艳平
李健波
陈红逵
潘学树
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing VRV Software Corp Ltd
Original Assignee
Beijing VRV Software Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing VRV Software Corp Ltd filed Critical Beijing VRV Software Corp Ltd
Priority to CN201610214439.3A priority Critical patent/CN105868056B/en
Publication of CN105868056A publication Critical patent/CN105868056A/en
Application granted granted Critical
Publication of CN105868056B publication Critical patent/CN105868056B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1446 Point-in-time backing up or restoration of persistent data
    • G06F11/1458 Management of the backup or restore process
    • G06F11/1469 Backup restoration techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors

Abstract

The invention discloses a method, a device and a safety virtual machine for acquiring deleted files in Windows virtual machines. The method includes mounting recycle bin record files of target virtual machines into the preset safety virtual machine after safety inspection request messages with target virtual machine identities are received; transmitting the safety inspection request messages to the safety virtual machine, and allowing the safety virtual machine to load the recycle bin record files of the target virtual machine into memories and analyze the recycle bin record files to obtain information of the deleted files in the target virtual machines; receiving safety inspection answer messages transmitted by the safety virtual machine; acquiring the deleted files from the target virtual machines on the basis of information of the deleted files in the target virtual machines. The safety inspection answer messages carry the information of the deleted files in the target virtual machines. The method, the device and the safety virtual machine have the advantages that the recycle bin record files of Windows are analyzed, the information of the deleted files is acquired, and accordingly the deleted files can be acquired without dependence on running states of the Windows in the virtual machines.

Description

Method, device and secure virtual machine for obtaining deleted files in a Windows virtual machine
Technical field
The present invention relates to the field of virtual machine technology, and in particular to a method, a device and a secure virtual machine for obtaining deleted files in a Windows virtual machine.
Background
Virtual machine technology is defined as the software-simulated implementation of a hardware device. A virtual machine (Virtual Machine) is a complete computer system, simulated in software, that has full hardware system functionality and runs in a completely isolated environment.
A cloud computing system offers users a way to reduce computing costs: users do not need to spend heavily on hardware, and can achieve the computing purpose of multiple physical machines simply by using virtual machines.
A cloud computing system includes a cloud terminal, a host and a cloud management server. The cloud terminal may be a networked computer, such as a desktop computer, a notebook computer or a tablet computer. The host may be a network-side server that provides the cloud terminal with storage space, software and other computer functions, and multiple virtual machines can be deployed on the host. The cloud management server may be a network-side server that provides services such as user management and key management. The host and the cloud management server are also referred to as the cloud platform. A user logs in to the cloud platform remotely through the cloud terminal and, once the user's identity has been authenticated, can use the functions of the virtual machines on the host.
When a security risk check is performed on the multiple virtual machines deployed on a host, recovering and inspecting the deleted files in a virtual machine is an important means of assessing the virtual machine's security level.
A Windows virtual machine is a virtual machine on which the Windows operating system (hereinafter Windows) is installed. When deleting a file, Windows distinguishes two modes: general deletion and permanent deletion. General deletion means that Windows places the file in the recycle bin; the user can see the deleted file in the recycle bin and can restore it. Permanent deletion means that Windows deletes the file completely, and the deleted file cannot be restored through Windows. This document addresses only general deletion.
On a conventional computer with Windows installed, information about deleted files is obtained through the interfaces provided by Windows. These interfaces include the Windows application programming interface (Application Programming Interface, API), applications, commands and so on. The same approach also applies to Windows virtual machines.
The existing methods of obtaining deleted files in a Windows virtual machine have the following problems:
1. The prior art depends on the running state of Windows in the Windows virtual machine being checked.
The prior art can obtain information about deleted files only while Windows is running in the Windows virtual machine being checked.
2. The prior art depends on the interfaces provided by Windows.
The prior art cannot be used on virtual machines running a non-Windows operating system.
Summary of the invention
In view of the above problems, the present invention proposes a method, a device and a secure virtual machine for obtaining deleted files in a Windows virtual machine that overcome the above problems or at least partially solve them.
To this end, in a first aspect, the present invention proposes a method for obtaining deleted files in a Windows virtual machine, including:
after receiving a security check request message carrying a target Windows virtual machine identifier, mounting the recycle bin record file of the target Windows virtual machine into a preset secure virtual machine;
sending the security check request message to the secure virtual machine, so that the secure virtual machine loads the recycle bin record file of the target Windows virtual machine into memory and analyzes it, obtaining information about the deleted files in the target Windows virtual machine;
receiving a security check response message sent by the secure virtual machine, the security check response message carrying the information about the deleted files in the target Windows virtual machine;
obtaining the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine.
Optionally, the information about a deleted file includes attribute information of the deleted file and index information of the deleted file, where the index information of the deleted file indicates the storage path of the original data of the deleted file;
obtaining the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine includes:
obtaining the original data of the deleted file from the Windows virtual machine based on the index information of the deleted file;
merging the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
Optionally, after the deleted files are obtained from the Windows virtual machine, the method further includes:
unmounting the recycle bin record file of the target Windows virtual machine that is mounted in the secure virtual machine.
In a second aspect, the present invention also provides a device for obtaining deleted files in a Windows virtual machine, including:
a mounting unit, configured to mount the recycle bin record file of a target Windows virtual machine into a preset secure virtual machine after receiving a security check request message carrying the target Windows virtual machine identifier;
a sending unit, configured to send the security check request message to the secure virtual machine, so that the secure virtual machine loads the recycle bin record file of the target Windows virtual machine into memory and analyzes it, obtaining information about the deleted files in the target Windows virtual machine;
a receiving unit, configured to receive a security check response message sent by the secure virtual machine, the security check response message carrying the information about the deleted files in the target Windows virtual machine;
an obtaining unit, configured to obtain the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine.
Optionally, the information about a deleted file includes attribute information of the deleted file and index information of the deleted file, where the index information of the deleted file indicates the storage path of the original data of the deleted file;
the obtaining unit is configured to obtain the original data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and to merge the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
Optionally, the device further includes:
an unmounting unit, configured to unmount the recycle bin record file of the target Windows virtual machine that is mounted in the secure virtual machine after the obtaining unit obtains the deleted files from the Windows virtual machine.
In a third aspect, the present invention also provides a method for obtaining deleted files in a Windows virtual machine, including:
after receiving a security check request message, sent by a cloud management server, that carries a target Windows virtual machine identifier, loading the pre-mounted recycle bin record file of the target Windows virtual machine into memory and analyzing it, obtaining information about the deleted files in the target Windows virtual machine;
sending a security check response message to the cloud management server, the security check response message carrying the information about the deleted files in the target Windows virtual machine, so that the cloud management server obtains the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine.
Optionally, sending the security check response message to the cloud management server, the security check response message carrying the information about the deleted files in the target Windows virtual machine, so that the cloud management server obtains the deleted files from the Windows virtual machine based on that information, includes:
sending a security check response message to the cloud management server, the security check response message carrying the attribute information and the index information of the deleted files in the target Windows virtual machine, where the index information of a deleted file indicates the storage path of the original data of the deleted file, so that the cloud management server obtains the original data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
In a fourth aspect, the present invention also provides a secure virtual machine, including:
a processing unit, configured to, after receiving a security check request message, sent by a cloud management server, that carries a target Windows virtual machine identifier, load the pre-mounted recycle bin record file of the target Windows virtual machine into memory and analyze it, obtaining information about the deleted files in the target Windows virtual machine;
a sending unit, configured to send a security check response message to the cloud management server, the security check response message carrying the information about the deleted files in the target Windows virtual machine, so that the cloud management server obtains the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine.
Optionally, the sending unit is configured to send a security check response message to the cloud management server, the security check response message carrying the attribute information and the index information of the deleted files in the target Windows virtual machine, where the index information of a deleted file indicates the storage path of the original data of the deleted file, so that the cloud management server obtains the original data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
Compared with the prior art, the method and device for obtaining deleted files in a Windows virtual machine proposed by the present invention obtain information about the files Windows has deleted by analyzing the content of the Windows recycle bin record files, so that the content of the deleted files can be recovered, that is, the deleted files can be obtained. This does not depend on the running state of Windows in the Windows virtual machine being checked; in particular, it is applicable to Windows virtual machines that are powered off (i.e. offline Windows virtual machines).
Further, because the method and device proposed by the present invention obtain information about the files Windows has deleted by analyzing the content of the Windows recycle bin record files, and thereby recover the content of the deleted files, that is, obtain the deleted files, they do not depend on the interfaces provided by Windows and are applicable to virtual machines running a non-Windows operating system.
Brief description of the drawings
Fig. 1 is a flow chart of a method for obtaining deleted files in a Windows virtual machine, provided by the first embodiment of the present invention;
Fig. 2 is a structural diagram of a device for obtaining deleted files in a Windows virtual machine, provided by the second embodiment of the present invention;
Fig. 3 is a flow chart of a method for obtaining deleted files in a Windows virtual machine, provided by the third embodiment of the present invention;
Fig. 4 is a structural diagram of a secure virtual machine provided by the fourth embodiment of the present invention.
Detailed description of the invention
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly below with reference to the accompanying drawings. Obviously, the described embodiments are some of the embodiments of the present invention, not all of them.
As shown in Fig. 1, this embodiment discloses a method for obtaining deleted files in a Windows virtual machine, which may include the following steps 101 to 104:
101. After receiving a security check request message carrying a target Windows virtual machine identifier, mount the recycle bin record file of the target Windows virtual machine into a preset secure virtual machine.
The execution subject of the method disclosed in this embodiment may be located in the cloud management server of the cloud platform, or may be the cloud management server of the cloud platform.
In this embodiment, the device that sends the "security check request message" in step 101 may be located in a host of the cloud platform or in a cloud terminal. Further, the "security check request message" may be sent when an administrator of the cloud platform manually triggers the sending device, or the sending device may send it automatically at a preset interval, for example every 24 hours.
In this embodiment, the secure virtual machine may be located in a host of the cloud platform.
In this embodiment, mounting the recycle bin record file is not affected by the running state of Windows in the Windows virtual machine being checked; that is, it is not affected by the Windows virtual machine being powered off (an offline Windows virtual machine).
102. Send the security check request message to the secure virtual machine, so that the secure virtual machine loads the recycle bin record file of the target Windows virtual machine into memory and analyzes it, obtaining information about the deleted files in the target Windows virtual machine.
In this embodiment, the recycle bin record file differs between Windows kernel versions. Specifically, in versions before Windows Vista, the information about all deleted files in the recycle bin is recorded in a single record file. In Windows Vista and later versions, each deleted file in the recycle bin has its own corresponding record file that records its information. Therefore, in this embodiment, all recycle bin record files of the target Windows virtual machine can be mounted into the secure virtual machine, so that the secure virtual machine loads all of them into memory and analyzes them.
In this embodiment, the secure virtual machine may analyze the recycle bin record files using a preset or existing file-level semantic analysis method; the specific method of semantic analysis is not described further in this embodiment.
103. Receive the security check response message sent by the secure virtual machine, the security check response message carrying the information about the deleted files in the target Windows virtual machine.
104. Obtain the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine.
In this embodiment, because Windows keeps a recycle bin directory under each disk partition, recovering the deleted files in the recycle bin of an offline Windows virtual machine requires recovering them one disk partition at a time.
It can be seen that the method disclosed in this embodiment obtains information about the files Windows has deleted by analyzing the content of the Windows recycle bin record files, so that the content of the deleted files can be recovered, that is, the deleted files can be obtained. This does not depend on the running state of Windows in the Windows virtual machine being checked; in particular, it is applicable to Windows virtual machines that are powered off (i.e. offline Windows virtual machines).
Further, because the method disclosed in this embodiment obtains information about the files Windows has deleted by analyzing the content of the Windows recycle bin record files, and thereby recovers the content of the deleted files, that is, obtains the deleted files, it does not depend on the interfaces provided by Windows and is applicable to virtual machines running a non-Windows operating system.
In a specific example one, the information about a deleted file described in step 102 shown in Fig. 1 includes attribute information of the deleted file and index information of the deleted file, where the index information of the deleted file indicates the storage path of the original data of the deleted file.
In this embodiment, the attribute information of the deleted file may include information such as the size of the deleted file, the deletion time and the original file name, and indicates the basic information of the deleted file.
This embodiment provides a preferred implementation of step 104 shown in Fig. 1 ("obtain the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine"), which specifically includes steps 1041 to 1042, not shown in Fig. 1:
1041. Obtain the original data of the deleted file from the Windows virtual machine based on the index information of the deleted file.
1042. Merge the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
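The analysis in step 102 and the attribute/index split used in steps 1041 to 1042 can be illustrated with the following added example, which is not code from the patent. The patent does not give the record-file layout; the sketch assumes the commonly documented Windows Vista and later layout, in which each `$I…` record (8-byte version, 8-byte size, 8-byte FILETIME, then a UTF-16LE path) sits beside a `$R…` file holding the original data. The function names and the mounted-volume root are hypothetical, and the pre-Vista single record file is not covered.

```python
import struct
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER = struct.Struct("<QQQ")  # version, original size, deletion time (FILETIME)


def parse_i_record(blob: bytes) -> dict:
    """Parse one per-file recycle bin record into attribute information."""
    if len(blob) < HEADER.size:
        raise ValueError("record shorter than 24-byte header")
    version, size, filetime = HEADER.unpack_from(blob, 0)
    if version == 1:            # assumed layout: fixed 520-byte path field
        raw = blob[24:24 + 520]
    elif version == 2:          # assumed layout: 4-byte character count, then path
        if len(blob) < 28:
            raise ValueError("version 2 record missing path length")
        (nchars,) = struct.unpack_from("<I", blob, 24)
        raw = blob[28:28 + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("path field truncated")
    else:
        raise ValueError(f"unknown record version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    deleted = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"original_path": path, "size": size,
            "deleted_utc": deleted.isoformat()}


def scan_recycle_bin(mount_root: Path) -> list:
    """Walk <mount_root>/$Recycle.Bin/<SID>/ on a mounted offline volume.

    Each result pairs the attribute information parsed from a $I record with
    the index information: the path of the $R file holding the original data.
    """
    results = []
    for record in sorted((mount_root / "$Recycle.Bin").glob("*/$I*")):
        try:
            attrs = parse_i_record(record.read_bytes())
        except ValueError as exc:
            # A damaged record is reported, not silently dropped.
            results.append({"record": str(record), "error": str(exc)})
            continue
        data = record.with_name("$R" + record.name[2:])
        results.append({
            "user_sid": record.parent.name,
            "attributes": attrs,
            "index": str(data) if data.exists() else None,  # None: data is gone
        })
    return results


def build_sample(root: Path) -> None:
    """Constructed sample data: a v2 record with data, a truncated record,
    and a v1 record whose data file no longer exists."""
    sid = root / "$Recycle.Bin" / "S-1-5-21-1111111111-2222222222-3333333333-1001"
    sid.mkdir(parents=True)
    when = datetime(2016, 4, 8, tzinfo=timezone.utc)
    ft = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    path2 = "C:\\Users\\alice\\Desktop\\report.docx\x00"
    (sid / "$IAB12CD.docx").write_bytes(
        HEADER.pack(2, 11, ft) + struct.pack("<I", len(path2))
        + path2.encode("utf-16-le"))
    (sid / "$RAB12CD.docx").write_bytes(b"hello world")
    (sid / "$IBROKEN.bin").write_bytes(b"\x02\x00\x00")
    path1 = "C:\\temp\\old.txt".encode("utf-16-le").ljust(520, b"\x00")
    (sid / "$IZZ99XY.txt").write_bytes(HEADER.pack(1, 4096, ft) + path1)


def demo() -> list:
    """Build the constructed sample in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        return scan_recycle_bin(root)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Because the recycle bin directory exists per disk partition, `scan_recycle_bin` would be called once for each mounted partition of the offline virtual machine.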
It can be seen that the method disclosed in this embodiment obtains the attribute information and index information of the files Windows has deleted by analyzing the content of the Windows recycle bin record files, so that the content of the deleted files can be recovered, that is, the deleted files can be obtained. This does not depend on the running state of Windows in the Windows virtual machine being checked; in particular, it is applicable to Windows virtual machines that are powered off (i.e. offline Windows virtual machines).
Further, because the method disclosed in this embodiment obtains the attribute information and index information of the files Windows has deleted by analyzing the content of the Windows recycle bin record files, and thereby recovers the content of the deleted files, that is, obtains the deleted files, it does not depend on the interfaces provided by Windows and is applicable to virtual machines running a non-Windows operating system.
In a specific example two, after step 104 shown in Fig. 1 ("obtain the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine"), the method of this embodiment further includes step 105, not shown in Fig. 1:
105. Unmount the recycle bin record file of the target Windows virtual machine that is mounted in the secure virtual machine.
In the method disclosed in this embodiment, after the deleted files in the Windows virtual machine have been obtained, the recycle bin record file of the target Windows virtual machine mounted in the secure virtual machine is unmounted, to save hardware resources.
As shown in Fig. 2, this embodiment discloses a device for obtaining deleted files in a Windows virtual machine, which may include the following units: a mounting unit 21, a sending unit 22, a receiving unit 23 and an obtaining unit 24.
The mounting unit 21 is configured to mount the recycle bin record file of a target Windows virtual machine into a preset secure virtual machine after receiving a security check request message carrying the target Windows virtual machine identifier;
the sending unit 22 is configured to send the security check request message to the secure virtual machine, so that the secure virtual machine loads the recycle bin record file of the target Windows virtual machine into memory and analyzes it, obtaining information about the deleted files in the target Windows virtual machine;
the receiving unit 23 is configured to receive the security check response message sent by the secure virtual machine, the security check response message carrying the information about the deleted files in the target Windows virtual machine;
the obtaining unit 24 is configured to obtain the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine.
The device disclosed in this embodiment may be located in the cloud management server of the cloud platform, or may be the cloud management server of the cloud platform.
The device disclosed in this embodiment can implement the method flow for obtaining deleted files in a Windows virtual machine shown in Fig. 1; therefore, for the effects and explanation of the device in this embodiment, refer to the method embodiment shown in Fig. 1. They are not repeated here.
In a specific example three, the information about a deleted file described in the device embodiment shown in Fig. 2 includes attribute information of the deleted file and index information of the deleted file, where the index information of the deleted file indicates the storage path of the original data of the deleted file.
This embodiment provides a preferred implementation of the obtaining unit 24 shown in Fig. 2, specifically: the obtaining unit 24 is configured to obtain the original data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and to merge the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
The device disclosed in this embodiment can implement the method flow for obtaining deleted files in a Windows virtual machine described in specific example one; therefore, for the effects and explanation of the device in this embodiment, refer to specific example one. They are not repeated here.
In a specific example four, the device shown in Fig. 2 further includes, not shown in Fig. 2, an unmounting unit 25, configured to unmount the recycle bin record file of the target Windows virtual machine that is mounted in the secure virtual machine after the obtaining unit 24 obtains the deleted files from the Windows virtual machine.
The device disclosed in this embodiment can implement the method flow for obtaining deleted files in a Windows virtual machine described in specific example two; therefore, for the effects and explanation of the device in this embodiment, refer to specific example two. They are not repeated here.
As it is shown on figure 3, the open one of the present embodiment obtains in Windows virtual machine and deletes The method of file, it may include following steps 301~302:
301, receive cloud management server send carry target Windows virtual machine After the security check request message of mark, by the described target Windows virtual machine of carry in advance Recycle bin log file be loaded in internal memory and analyze, obtain described target Windows virtual The information of deleted document in machine.
In this embodiment, the method for acquiring deleted files in a Windows virtual machine is executed by the secure virtual machine. In this embodiment, the secure virtual machine may be deployed on a host of the cloud platform.
302. Send a security check response message to the cloud management server, the security check response message carrying the information of the deleted files in the target Windows virtual machine, so that the cloud management server acquires the deleted files from the Windows virtual machine based on the information of the deleted files in the target Windows virtual machine.
In this embodiment, the Recycle Bin record files differ between Windows kernel versions. Specifically, in versions before Windows Vista, the information of all deleted files in the Recycle Bin is recorded in one and the same record file. In the Recycle Bin of Windows Vista and later versions, each deleted file has its own corresponding record file that records its information. Therefore, in this embodiment, all Recycle Bin record files of the target Windows virtual machine may be mounted in the secure virtual machine, so that the secure virtual machine loads all of the Recycle Bin record files into memory and analyzes them.
In this embodiment, the secure virtual machine may analyze the Recycle Bin record files using a preset or existing file-level semantic analysis method; the specific semantic analysis method is not described further in this embodiment.
As can be seen, the method disclosed in this embodiment for acquiring deleted files in a Windows virtual machine obtains the information of the files deleted in Windows by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered, i.e. the deleted files are acquired. The method does not depend on the running state of Windows in the inspected Windows virtual machine and, in particular, is applicable to a Windows virtual machine that is powered off (i.e. an offline Windows virtual machine).
Further, the method disclosed in this embodiment for acquiring deleted files in a Windows virtual machine obtains the information of the files deleted in Windows by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered, i.e. the deleted files are acquired. The method does not depend on interfaces provided by Windows and is applicable to virtual machines on which a non-Windows operating system is installed.
In specific example five, this embodiment provides a preferred implementation of step 302 shown in Fig. 3 ("Send a security check response message to the cloud management server, the security check response message carrying the information of the deleted files in the target Windows virtual machine, so that the cloud management server acquires the deleted files from the Windows virtual machine based on the information of the deleted files in the target Windows virtual machine"), as follows:
302. Send a security check response message to the cloud management server, the security check response message carrying the attribute information of the deleted file in the target Windows virtual machine and the index information of the deleted file, where the index information of the deleted file indicates the storage path of the raw data of the deleted file, so that the cloud management server acquires the raw data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the raw data of the deleted file to obtain the deleted file.
In this embodiment, the attribute information of the deleted file may include information such as the size of the deleted file, the deletion time and the original file name, and is used to indicate the basic information of the deleted file.
As can be seen, the method disclosed in this embodiment for acquiring deleted files in a Windows virtual machine obtains the attribute information and index information of the files deleted in Windows by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered, i.e. the deleted files are acquired. The method does not depend on the running state of Windows in the inspected Windows virtual machine and, in particular, is applicable to a Windows virtual machine that is powered off (i.e. an offline Windows virtual machine).
Further, the method disclosed in this embodiment for acquiring deleted files in a Windows virtual machine obtains the attribute information and index information of the files deleted in Windows by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered, i.e. the deleted files are acquired. The method does not depend on interfaces provided by Windows and is applicable to virtual machines on which a non-Windows operating system is installed.
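On Windows Vista and later, the per-file record described above is the $I file in $Recycle.Bin, and the raw data it indexes is the paired $R file with the same suffix. The following is an added example, not part of the patent: it parses a $I record into attribute and index information and merges it with the raw data. The $I layout is standard Windows behavior that the patent text does not spell out; the function names and the sample record are constructed for illustration.

```python
import ntpath
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass
class DeletedFileInfo:
    original_path: str    # attribute information
    size: int             # attribute information (bytes)
    deleted_at: datetime  # attribute information (UTC)
    data_name: str        # index information: paired $R file holding the raw data


def parse_i_record(record_name: str, blob: bytes) -> DeletedFileInfo:
    """Parse one Vista-or-later $I record read from the mounted Recycle Bin."""
    if len(record_name) < 3 or not record_name.upper().startswith("$I"):
        raise ValueError("not a $I record file name")
    if len(blob) < 24:
        raise ValueError("record shorter than the fixed 24-byte header")
    version, size, filetime = struct.unpack_from("<qqq", blob, 0)
    if size < 0:
        raise ValueError("negative file size")
    if version == 1:      # Vista to 8.1: fixed 520-byte UTF-16LE path field
        raw_path = blob[24:544]
        if len(raw_path) != 520:
            raise ValueError("truncated version 1 record")
    elif version == 2:    # Windows 10 and later: character count, then the path
        if len(blob) < 28:
            raise ValueError("truncated version 2 record")
        (nchars,) = struct.unpack_from("<i", blob, 24)
        raw_path = blob[28:28 + 2 * nchars] if nchars > 0 else b""
        if nchars <= 0 or len(raw_path) != 2 * nchars:
            raise ValueError("path length field does not match record size")
    else:
        raise ValueError(f"unknown $I version {version}")
    try:
        # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
        deleted_at = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    except OverflowError as exc:
        raise ValueError("deletion time out of range") from exc
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return DeletedFileInfo(path, size, deleted_at, "$R" + record_name[2:])


def merge_deleted_file(info: DeletedFileInfo, raw_data: bytes) -> dict:
    """Combine attribute information with the raw data located via the index."""
    return {
        "name": ntpath.basename(info.original_path),
        "original_path": info.original_path,
        "deleted_at": info.deleted_at,
        "data": raw_data,
        # A mismatch means the $R data was altered or only partly read.
        "size_matches": len(raw_data) == info.size,
    }


def build_sample_record(version, size, deleted_at, path):
    """Build a $I record for the demo (constructed data, not a real capture)."""
    filetime = (deleted_at - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    encoded = (path + "\x00").encode("utf-16-le")
    head = struct.pack("<qqq", version, size, filetime)
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<i", len(path) + 1) + encoded


if __name__ == "__main__":
    when = datetime(2016, 4, 7, 8, 30, tzinfo=timezone.utc)
    blob = build_sample_record(2, 11, when, r"C:\Users\alice\Desktop\plan.txt")
    info = parse_i_record("$IAB12CD.txt", blob)
    print(info)
    print(merge_deleted_file(info, b"hello world"))
```

The sketch covers deleted files only; for a deleted folder the paired $R entry is a directory rather than a single data file.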
As shown in Fig. 4, this embodiment discloses a secure virtual machine, which may include the following units: a processing unit 41 and a sending unit 42.
The processing unit 41 is configured to, after receiving a security check request message that is sent by the cloud management server and carries an identifier of a target Windows virtual machine, load the pre-mounted Recycle Bin record file of the target Windows virtual machine into memory and analyze it, obtaining the information of the deleted files in the target Windows virtual machine;
The sending unit 42 is configured to send a security check response message to the cloud management server, the security check response message carrying the information of the deleted files in the target Windows virtual machine, so that the cloud management server acquires the deleted files from the Windows virtual machine based on the information of the deleted files in the target Windows virtual machine.
In this embodiment, the secure virtual machine may be deployed on a host of the cloud platform.
The secure virtual machine disclosed in this embodiment can implement the method flow shown in Fig. 3 for acquiring deleted files in a Windows virtual machine; for the effects and explanation of the secure virtual machine in this embodiment, refer to Fig. 3, which are not repeated here.
In a specific example, a preferred implementation of the sending unit 42 shown in Fig. 4 is provided, as follows:
The sending unit 42 is configured to send a security check response message to the cloud management server, the security check response message carrying the attribute information of the deleted file in the target Windows virtual machine and the index information of the deleted file, where the index information of the deleted file indicates the storage path of the raw data of the deleted file, so that the cloud management server acquires the raw data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the raw data of the deleted file to obtain the deleted file.
In this embodiment, the attribute information of the deleted file may include information such as the size of the deleted file, the deletion time and the original file name, and is used to indicate the basic information of the deleted file.
The secure virtual machine disclosed in this embodiment can implement the method flow shown in specific example five for acquiring deleted files in a Windows virtual machine; for the effects and explanation of the secure virtual machine in this embodiment, refer to specific example five, which are not repeated here.
Those skilled in the art will understand that the units in an embodiment may be combined into one unit and may, in addition, be divided into multiple sub-units. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification may be replaced by an alternative feature that serves the same, an equivalent or a similar purpose.
Those skilled in the art will appreciate that, although some embodiments described herein include certain features that are included in other embodiments and not other features, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments.
Those skilled in the art will understand that each unit in the embodiments may be implemented in hardware, as software modules running on one or more processors, or as a combination of these. Those skilled in the art will understand that, in practice, a microprocessor or a digital signal processor (DSP) may be used to implement some or all of the functions of some or all of the components according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein.
Although embodiments of the present invention have been described with reference to the accompanying drawings, those skilled in the art can make various modifications and variations without departing from the spirit and scope of the present invention, and such modifications and variations all fall within the scope defined by the appended claims.

Claims (10)

1. A method for acquiring deleted files in a Windows virtual machine, characterized by comprising:
after receiving a security check request message carrying an identifier of a target Windows virtual machine, mounting the Recycle Bin record file of the target Windows virtual machine into a preset secure virtual machine;
sending the security check request message to the secure virtual machine, so that the secure virtual machine loads the Recycle Bin record file of the target Windows virtual machine into memory and analyzes it, obtaining the information of the deleted files in the target Windows virtual machine;
receiving a security check response message sent by the secure virtual machine, the security check response message carrying the information of the deleted files in the target Windows virtual machine;
acquiring the deleted files from the Windows virtual machine based on the information of the deleted files in the target Windows virtual machine.
2. The method according to claim 1, characterized in that the information of the deleted file includes attribute information of the deleted file and index information of the deleted file; wherein the index information of the deleted file is used to indicate the storage path of the raw data of the deleted file;
the acquiring of the deleted files from the Windows virtual machine based on the information of the deleted files in the target Windows virtual machine comprises:
acquiring the raw data of the deleted file from the Windows virtual machine based on the index information of the deleted file;
merging the attribute information of the deleted file with the raw data of the deleted file to obtain the deleted file.
3. The method according to claim 1, characterized in that, after the acquiring of the deleted files from the Windows virtual machine, the method further comprises:
unmounting the Recycle Bin record file of the target Windows virtual machine that is mounted in the secure virtual machine.
4. A device for acquiring deleted files in a Windows virtual machine, characterized by comprising:
a mounting unit, configured to, after receiving a security check request message carrying an identifier of a target Windows virtual machine, mount the Recycle Bin record file of the target Windows virtual machine into a preset secure virtual machine;
a sending unit, configured to send the security check request message to the secure virtual machine, so that the secure virtual machine loads the Recycle Bin record file of the target Windows virtual machine into memory and analyzes it, obtaining the information of the deleted files in the target Windows virtual machine;
a receiving unit, configured to receive a security check response message sent by the secure virtual machine, the security check response message carrying the information of the deleted files in the target Windows virtual machine;
an acquiring unit, configured to acquire the deleted files from the Windows virtual machine based on the information of the deleted files in the target Windows virtual machine.
5. The device according to claim 4, characterized in that the information of the deleted file includes attribute information of the deleted file and index information of the deleted file; wherein the index information of the deleted file is used to indicate the storage path of the raw data of the deleted file;
the acquiring unit is configured to acquire the raw data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and to merge the attribute information of the deleted file with the raw data of the deleted file to obtain the deleted file.
6. The device according to claim 4, characterized in that the device further comprises:
an unmounting unit, configured to, after the acquiring unit acquires the deleted files from the Windows virtual machine, unmount the Recycle Bin record file of the target Windows virtual machine that is mounted in the secure virtual machine.
7. A method for acquiring deleted files in a Windows virtual machine, characterized by comprising:
after receiving a security check request message that is sent by a cloud management server and carries an identifier of a target Windows virtual machine, loading the pre-mounted Recycle Bin record file of the target Windows virtual machine into memory and analyzing it, obtaining the information of the deleted files in the target Windows virtual machine;
sending a security check response message to the cloud management server, the security check response message carrying the information of the deleted files in the target Windows virtual machine, so that the cloud management server acquires the deleted files from the Windows virtual machine based on the information of the deleted files in the target Windows virtual machine.
8. The method according to claim 7, characterized in that the sending of a security check response message to the cloud management server, the security check response message carrying the information of the deleted files in the target Windows virtual machine, so that the cloud management server acquires the deleted files from the Windows virtual machine based on the information of the deleted files in the target Windows virtual machine, comprises:
sending a security check response message to the cloud management server, the security check response message carrying the attribute information of the deleted file in the target Windows virtual machine and the index information of the deleted file, where the index information of the deleted file is used to indicate the storage path of the raw data of the deleted file, so that the cloud management server acquires the raw data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the raw data of the deleted file to obtain the deleted file.
9. A secure virtual machine, characterized by comprising:
a processing unit, configured to, after receiving a security check request message that is sent by a cloud management server and carries an identifier of a target Windows virtual machine, load the pre-mounted Recycle Bin record file of the target Windows virtual machine into memory and analyze it, obtaining the information of the deleted files in the target Windows virtual machine;
a sending unit, configured to send a security check response message to the cloud management server, the security check response message carrying the information of the deleted files in the target Windows virtual machine, so that the cloud management server acquires the deleted files from the Windows virtual machine based on the information of the deleted files in the target Windows virtual machine.
10. The secure virtual machine according to claim 9, characterized in that
the sending unit is configured to send a security check response message to the cloud management server, the security check response message carrying the attribute information of the deleted file in the target Windows virtual machine and the index information of the deleted file, where the index information of the deleted file is used to indicate the storage path of the raw data of the deleted file, so that the cloud management server acquires the raw data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the raw data of the deleted file to obtain the deleted file.
CN201610214439.3A 2016-04-07 2016-04-07 Obtain the method, apparatus and secure virtual machine of deleted document in Windows virtual machine Active CN105868056B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610214439.3A CN105868056B (en) 2016-04-07 2016-04-07 Obtain the method, apparatus and secure virtual machine of deleted document in Windows virtual machine

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610214439.3A CN105868056B (en) 2016-04-07 2016-04-07 Obtain the method, apparatus and secure virtual machine of deleted document in Windows virtual machine

Publications (2)

Publication Number Publication Date
CN105868056A true CN105868056A (en) 2016-08-17
CN105868056B CN105868056B (en) 2019-06-21

Family

ID=56637082

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610214439.3A Active CN105868056B (en) 2016-04-07 2016-04-07 Obtain the method, apparatus and secure virtual machine of deleted document in Windows virtual machine

Country Status (1)

Country Link
CN (1) CN105868056B (en)

Also Published As

Publication number Publication date
CN105868056B (en) 2019-06-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant