CN105868056A - Method, device and safety virtual machine for acquiring deleted files in Windows virtual machines - Google Patents
- Publication number
- CN105868056A (application number CN201610214439.3A)
- Authority
- CN
- China
- Prior art keywords
- virtual machine
- deleted document
- information
- windows
- deleted
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1402—Saving, restoring, recovering or retrying
- G06F11/1446—Point-in-time backing up or restoration of persistent data
- G06F11/1458—Management of the backup or restore process
- G06F11/1469—Backup restoration techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
Abstract
The invention discloses a method, a device and a secure virtual machine for acquiring deleted files in Windows virtual machines. The method includes: after receiving a security check request message carrying the identifier of a target virtual machine, mounting the Recycle Bin record files of the target virtual machine into a preset secure virtual machine; sending the security check request message to the secure virtual machine, so that the secure virtual machine loads the Recycle Bin record files of the target virtual machine into memory and analyzes them to obtain information about the deleted files in the target virtual machine; receiving a security check response message sent by the secure virtual machine, which carries the information about the deleted files in the target virtual machine; and acquiring the deleted files from the target virtual machine on the basis of that information. Because the Windows Recycle Bin record files are analyzed to obtain the information about the deleted files, the deleted files can be acquired without depending on the running state of Windows in the virtual machine.
Description
Technical field
The present invention relates to the field of virtual machine technology, and in particular to a method, a device and a secure virtual machine for acquiring deleted files in a Windows virtual machine.
Background
Virtual machine technology is defined as the implementation of hardware devices by software simulation. A virtual machine (Virtual Machine) is a complete computer system, simulated in software, that has the functions of a complete hardware system and runs in a completely isolated environment.
A cloud computing system offers users a way to save computing costs: the user does not need to spend heavily on hardware, and can achieve the computing purposes of multiple physical machines simply by using virtual machines.
A cloud computing system includes cloud terminals, hosts and a cloud management server. A cloud terminal may be a networked computer such as a desktop computer, notebook computer or tablet computer. A host may be a network-side server that provides the cloud terminal with storage space, software and other computer functions; multiple virtual machines can be deployed on a host. The cloud management server may be a network-side server that provides services such as user management and key management. The hosts and the cloud management server are also called the cloud platform. A user logs in to the cloud platform remotely through a cloud terminal and, once the user's identity has been authenticated, can use the functions of the virtual machines on the host.
When security risk checks are carried out on the multiple virtual machines deployed on a host, recovering and inspecting the deleted files in a virtual machine is an important means of assessing the virtual machine's security level.
A Windows virtual machine is a virtual machine with the Windows operating system installed. When deleting a file, the Windows operating system (hereinafter Windows) distinguishes two ways of deleting: ordinary deletion and permanent deletion. Ordinary deletion means that Windows puts the file into the Recycle Bin; the user can see the deleted file in the Recycle Bin and can restore it. Permanent deletion means that Windows deletes the file completely, and the deleted file cannot be restored through Windows. This document deals only with ordinary deletion.
On a conventional computer with Windows installed, information about files deleted in Windows is obtained through the interfaces that Windows provides. These interfaces include Windows application programming interfaces (Application Programming Interface, API), applications, commands and so on. The same approach also applies to Windows virtual machines.
Existing methods for acquiring deleted files in a Windows virtual machine have the following problems:
1. The prior art depends on the running state of Windows in the Windows virtual machine being checked.
The prior art can obtain the information about deleted files only while Windows is running in the checked Windows virtual machine.
2. The prior art depends on the interfaces that Windows provides.
The prior art is unavailable for virtual machines with a non-Windows operating system installed.
Summary of the invention
In view of the above problems, the present invention proposes a method, a device and a secure virtual machine for acquiring deleted files in a Windows virtual machine that overcome the above problems or at least partially solve them.
To this end, in a first aspect, the present invention proposes a method for acquiring deleted files in a Windows virtual machine, including:
after receiving a security check request message carrying a target Windows virtual machine identifier, mounting the Recycle Bin record files of the target Windows virtual machine into a preset secure virtual machine;
sending the security check request message to the secure virtual machine, so that the secure virtual machine loads the Recycle Bin record files of the target Windows virtual machine into memory and analyzes them, obtaining information about the deleted files in the target Windows virtual machine;
receiving a security check response message sent by the secure virtual machine, the security check response message carrying the information about the deleted files in the target Windows virtual machine;
acquiring the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine.
Optionally, the information about a deleted file includes attribute information of the deleted file and index information of the deleted file, where the index information of the deleted file indicates the storage path of the original data of the deleted file;
acquiring the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine then includes:
acquiring the original data of the deleted file from the Windows virtual machine based on the index information of the deleted file;
merging the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
Optionally, after the deleted files are acquired from the Windows virtual machine, the method further includes:
unmounting the Recycle Bin record files of the target Windows virtual machine that are mounted in the secure virtual machine.
In a second aspect, the present invention also provides a device for acquiring deleted files in a Windows virtual machine, including:
a mounting unit, configured to mount the Recycle Bin record files of the target Windows virtual machine into a preset secure virtual machine after a security check request message carrying a target Windows virtual machine identifier is received;
a sending unit, configured to send the security check request message to the secure virtual machine, so that the secure virtual machine loads the Recycle Bin record files of the target Windows virtual machine into memory and analyzes them, obtaining information about the deleted files in the target Windows virtual machine;
a receiving unit, configured to receive a security check response message sent by the secure virtual machine, the security check response message carrying the information about the deleted files in the target Windows virtual machine;
an acquiring unit, configured to acquire the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine.
Optionally, the information about a deleted file includes attribute information of the deleted file and index information of the deleted file, where the index information of the deleted file indicates the storage path of the original data of the deleted file;
the acquiring unit is configured to acquire the original data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and to merge the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
Optionally, the device further includes:
an unmounting unit, configured to unmount the Recycle Bin record files of the target Windows virtual machine that are mounted in the secure virtual machine after the acquiring unit acquires the deleted files from the Windows virtual machine.
In a third aspect, the present invention also provides a method for acquiring deleted files in a Windows virtual machine, including:
after receiving a security check request message, sent by a cloud management server, that carries a target Windows virtual machine identifier, loading the previously mounted Recycle Bin record files of the target Windows virtual machine into memory and analyzing them, obtaining information about the deleted files in the target Windows virtual machine;
sending a security check response message to the cloud management server, the security check response message carrying the information about the deleted files in the target Windows virtual machine, so that the cloud management server acquires the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine.
Optionally, sending the security check response message to the cloud management server, the security check response message carrying the information about the deleted files in the target Windows virtual machine, so that the cloud management server acquires the deleted files from the Windows virtual machine based on that information, includes:
sending a security check response message to the cloud management server, the security check response message carrying the attribute information and the index information of the deleted files in the target Windows virtual machine, where the index information of a deleted file indicates the storage path of the original data of the deleted file, so that the cloud management server acquires the original data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
In a fourth aspect, the present invention also provides a secure virtual machine, including:
a processing unit, configured to load the previously mounted Recycle Bin record files of the target Windows virtual machine into memory and analyze them after receiving a security check request message, sent by a cloud management server, that carries a target Windows virtual machine identifier, obtaining information about the deleted files in the target Windows virtual machine;
a sending unit, configured to send a security check response message to the cloud management server, the security check response message carrying the information about the deleted files in the target Windows virtual machine, so that the cloud management server acquires the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine.
Optionally, the sending unit is configured to send a security check response message to the cloud management server, the security check response message carrying the attribute information and the index information of the deleted files in the target Windows virtual machine, where the index information of a deleted file indicates the storage path of the original data of the deleted file, so that the cloud management server acquires the original data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
Compared with the prior art, the method and device for acquiring deleted files in a Windows virtual machine proposed by the present invention obtain the information about files deleted in Windows by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered, i.e. the deleted files are obtained, without depending on the running state of Windows in the checked Windows virtual machine. In particular, they are applicable to a Windows virtual machine in the powered-off state (i.e. an offline Windows virtual machine).
Further, the method and device for acquiring deleted files in a Windows virtual machine proposed by the present invention obtain the information about files deleted in Windows by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered, i.e. the deleted files are obtained, without depending on the interfaces that Windows provides, and are applicable to virtual machines with a non-Windows operating system installed.
Brief description of the drawings
Fig. 1 is a flowchart of a method for acquiring deleted files in a Windows virtual machine provided by the first embodiment of the present invention;
Fig. 2 is a structural diagram of a device for acquiring deleted files in a Windows virtual machine provided by the second embodiment of the present invention;
Fig. 3 is a flowchart of a method for acquiring deleted files in a Windows virtual machine provided by the third embodiment of the present invention;
Fig. 4 is a structural diagram of a secure virtual machine provided by the fourth embodiment of the present invention.
Detailed description
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are some, rather than all, of the embodiments of the present invention.
As shown in Fig. 1, this embodiment discloses a method for acquiring deleted files in a Windows virtual machine, which may include the following steps 101~104:
101. After receiving a security check request message carrying a target Windows virtual machine identifier, mount the Recycle Bin record files of the target Windows virtual machine into a preset secure virtual machine.
The entity that executes the method disclosed in this embodiment may be located in the cloud management server of the cloud platform, or may be the cloud management server of the cloud platform itself.
In this embodiment, the device that sends the "security check request message" in step 101 may be located in a host of the cloud platform or in a cloud terminal. Further, the "security check request message" may be sent when an administrator of the cloud platform manually triggers the sending device, or the sending device may send it automatically at a preset interval, for example every 24 hours.
In this embodiment, the secure virtual machine may be located in a host of the cloud platform.
In this embodiment, mounting the Recycle Bin record files is not affected by the running state of Windows in the checked Windows virtual machine, i.e. it is not affected by the Windows virtual machine being in the powered-off state (an offline Windows virtual machine).
102. Send the security check request message to the secure virtual machine, so that the secure virtual machine loads the Recycle Bin record files of the target Windows virtual machine into memory and analyzes them, obtaining information about the deleted files in the target Windows virtual machine.
In this embodiment, the Recycle Bin record files differ between Windows kernel versions. Specifically, in versions before Windows Vista, the information about all deleted files in the Recycle Bin is recorded in one and the same record file. In Windows Vista and later versions, each deleted file in the Recycle Bin has its own record file that records its information. Therefore, in this embodiment, all Recycle Bin record files of the target Windows virtual machine may be mounted into the secure virtual machine, so that the secure virtual machine loads all of them into memory and analyzes them.
In this embodiment, the secure virtual machine may analyze the Recycle Bin record files using a preset or existing file-level semantic analysis; the specific method of semantic analysis is not described further in this embodiment.
103. Receive the security check response message sent by the secure virtual machine, the security check response message carrying the information about the deleted files in the target Windows virtual machine.
104. Acquire the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine.
In this embodiment, because Windows keeps a Recycle Bin directory under each disk partition, recovering the deleted files in the Recycle Bin of an offline Windows virtual machine has to be done disk partition by disk partition.
It can be seen that the method for acquiring deleted files in a Windows virtual machine disclosed in this embodiment obtains the information about files deleted in Windows by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered, i.e. the deleted files are obtained, without depending on the running state of Windows in the checked Windows virtual machine. In particular, the method is applicable to a Windows virtual machine in the powered-off state (i.e. an offline Windows virtual machine).
Further, the method for acquiring deleted files in a Windows virtual machine disclosed in this embodiment obtains the information about files deleted in Windows by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered, i.e. the deleted files are obtained, without depending on the interfaces that Windows provides, and is applicable to virtual machines with a non-Windows operating system installed.
In a specific example one, the information about a deleted file described in step 102 shown in Fig. 1 includes the attribute information of the deleted file and the index information of the deleted file, where the index information of the deleted file indicates the storage path of the original data of the deleted file.
In this embodiment, the attribute information of a deleted file may include information such as the size, deletion time and original file name of the deleted file, and indicates the basic information of the deleted file.
This embodiment provides a preferred implementation of step 104 shown in Fig. 1 ("acquire the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine"), which specifically includes steps 1041~1042, not shown in Fig. 1:
1041. Based on the index information of the deleted file, acquire the original data of the deleted file from the Windows virtual machine.
1042. Merge the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
It can be seen that the method for acquiring deleted files in a Windows virtual machine disclosed in this embodiment obtains the attribute information and index information of files deleted in Windows by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered, i.e. the deleted files are obtained, without depending on the running state of Windows in the checked Windows virtual machine. In particular, the method is applicable to a Windows virtual machine in the powered-off state (i.e. an offline Windows virtual machine).
Further, the method for acquiring deleted files in a Windows virtual machine disclosed in this embodiment obtains the attribute information and index information of files deleted in Windows by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered, i.e. the deleted files are obtained, without depending on the interfaces that Windows provides, and is applicable to virtual machines with a non-Windows operating system installed.
In a specific example two, after step 104 shown in Fig. 1 ("acquire the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine"), the method of this embodiment further includes step 105, not shown in Fig. 1:
105. Unmount the Recycle Bin record files of the target Windows virtual machine that are mounted in the secure virtual machine.
In the method for acquiring deleted files in a Windows virtual machine disclosed in this embodiment, after the deleted files in the Windows virtual machine have been acquired, the Recycle Bin record files of the target Windows virtual machine mounted in the secure virtual machine are unmounted, to save hardware resources.
As shown in Fig. 2, this embodiment discloses a device for acquiring deleted files in a Windows virtual machine, which may include the following units: a mounting unit 21, a sending unit 22, a receiving unit 23 and an acquiring unit 24.
The mounting unit 21 is configured to mount the Recycle Bin record files of the target Windows virtual machine into a preset secure virtual machine after a security check request message carrying a target Windows virtual machine identifier is received;
the sending unit 22 is configured to send the security check request message to the secure virtual machine, so that the secure virtual machine loads the Recycle Bin record files of the target Windows virtual machine into memory and analyzes them, obtaining information about the deleted files in the target Windows virtual machine;
the receiving unit 23 is configured to receive the security check response message sent by the secure virtual machine, the security check response message carrying the information about the deleted files in the target Windows virtual machine;
the acquiring unit 24 is configured to acquire the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine.
The device for acquiring deleted files in a Windows virtual machine disclosed in this embodiment may be located in the cloud management server of the cloud platform, or may be the cloud management server of the cloud platform itself.
The device disclosed in this embodiment can implement the flow of the method for acquiring deleted files in a Windows virtual machine shown in Fig. 1; for the effects and explanation of the device in this embodiment, refer therefore to the method embodiment shown in Fig. 1, which is not repeated here.
In a specific example three, the information about a deleted file described in the device embodiment shown in Fig. 2 includes the attribute information of the deleted file and the index information of the deleted file, where the index information of the deleted file indicates the storage path of the original data of the deleted file.
This embodiment provides a preferred implementation of the acquiring unit 24 shown in Fig. 2, specifically: the acquiring unit 24 is configured to acquire the original data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and to merge the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
The device disclosed in this embodiment can implement the flow of the method for acquiring deleted files in a Windows virtual machine described in specific example one; for the effects and explanation of the device in this embodiment, refer therefore to specific example one, which is not repeated here.
In a specific example four, the device shown in Fig. 2 further includes, not shown in Fig. 2, an unmounting unit 25, configured to unmount the Recycle Bin record files of the target Windows virtual machine that are mounted in the secure virtual machine after the acquiring unit 24 acquires the deleted files from the Windows virtual machine.
The device disclosed in this embodiment can implement the flow of the method for acquiring deleted files in a Windows virtual machine described in specific example two; for the effects and explanation of the device in this embodiment, refer therefore to specific example two, which is not repeated here.
As shown in Fig. 3, this embodiment discloses a method for acquiring deleted files in a Windows virtual machine, which may include the following steps 301~302:
301. After receiving a security check request message, sent by the cloud management server, that carries a target Windows virtual machine identifier, load the previously mounted Recycle Bin record files of the target Windows virtual machine into memory and analyze them, obtaining information about the deleted files in the target Windows virtual machine.
The entity that executes the method for acquiring deleted files in a Windows virtual machine in this embodiment is the secure virtual machine. In this embodiment, the secure virtual machine may be located in a host of the cloud platform.
302. Send a security check response message to the cloud management server, the security check response message carrying the information about the deleted files in the target Windows virtual machine, so that the cloud management server acquires the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine.
In this embodiment, the Recycle Bin record files differ between Windows kernel versions. Specifically, in versions before Windows Vista, the information about all deleted files in the Recycle Bin is recorded in one and the same record file. In Windows Vista and later versions, each deleted file in the Recycle Bin has its own record file that records its information. Therefore, in this embodiment, all Recycle Bin record files of the target Windows virtual machine may be mounted into the secure virtual machine, so that the secure virtual machine loads all of them into memory and analyzes them.
In this embodiment, the secure virtual machine may analyze the Recycle Bin record files using a preset or existing file-level semantic analysis; the specific method of semantic analysis is not described further in this embodiment.
It can be seen that the method for acquiring deleted files in a Windows virtual machine disclosed in this embodiment obtains the information about files deleted in Windows by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered, i.e. the deleted files are obtained, without depending on the running state of Windows in the checked Windows virtual machine. In particular, the method is applicable to a Windows virtual machine in the powered-off state (i.e. an offline Windows virtual machine).
Further, the method for acquiring deleted files in a Windows virtual machine disclosed in this embodiment obtains the information about files deleted in Windows by analyzing the content of the Windows Recycle Bin record files, so that the content of the deleted files can be recovered, i.e. the deleted files are obtained, without depending on the interfaces that Windows provides, and is applicable to virtual machines with a non-Windows operating system installed.
In a specific example five, this embodiment provides a preferred implementation of step 302 shown in Fig. 3 ("send a security check response message to the cloud management server, the security check response message carrying the information about the deleted files in the target Windows virtual machine, so that the cloud management server acquires the deleted files from the Windows virtual machine based on the information about the deleted files in the target Windows virtual machine"), specifically as follows:
302. Send a security check response message to the cloud management server, the security check response message carrying the attribute information and the index information of the deleted files in the target Windows virtual machine, where the index information of a deleted file indicates the storage path of the original data of the deleted file, so that the cloud management server acquires the original data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the original data of the deleted file to obtain the deleted file.
In this embodiment, the attribute information of a deleted file may include information such as the size, deletion time and original file name of the deleted file, and indicates the basic information of the deleted file.
It can be seen that the method disclosed in this embodiment for obtaining deleted files in a Windows virtual machine obtains the attribute information and the index information of the files deleted in Windows by analyzing the content of the Windows recycle bin record file, so that the content of the deleted files can be recovered, that is, the deleted files are obtained. The method does not depend on the running state of Windows in the Windows virtual machine being checked and, in particular, is applicable to a Windows virtual machine that is powered off (i.e. an offline Windows virtual machine).
Further, because the method disclosed in this embodiment obtains the attribute information and the index information of the files deleted in Windows by analyzing the content of the Windows recycle bin record file, and thereby recovers the content of the deleted files, it does not depend on the interfaces provided by Windows and is applicable to virtual machines on which a non-Windows operating system is installed.
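The attribute information and index information described above, as an added example that is not part of the patent: a parser for one recycle bin record file, assuming it uses the `$I` layout of Windows Vista and later (the patent does not name the on-disk format), with the sibling `$R` path standing in for the index information. `DeletedFileInfo`, `parse_record`, `merge` and `build_sample_v2` are hypothetical names, and the sample record and paths are constructed.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIXED_HEADER = struct.Struct("<qqq")  # version, original size, deletion FILETIME


@dataclass(frozen=True)
class DeletedFileInfo:
    original_path: str    # attribute information
    size: int             # attribute information
    deleted_at: datetime  # attribute information
    raw_data_path: str    # index information: storage path of the raw data


def parse_record(record_path: str, blob: bytes) -> DeletedFileInfo:
    """Parse one $I record; record_path is its path on the mounted guest volume."""
    rec = PureWindowsPath(record_path)
    if not rec.name.upper().startswith("$I"):
        raise ValueError(f"not a $I record: {rec.name}")
    if len(blob) < FIXED_HEADER.size:
        raise ValueError("record truncated inside the fixed header")
    version, size, filetime = FIXED_HEADER.unpack_from(blob, 0)
    if size < 0 or filetime < 0:
        raise ValueError("negative size or timestamp")
    if version == 1:    # assumed Vista to 8.1 layout: fixed 260-wchar name field
        name_bytes = blob[24:24 + 520]
    elif version == 2:  # assumed Windows 10+ layout: length-prefixed name
        if len(blob) < 28:
            raise ValueError("record truncated before the name length")
        (nchars,) = struct.unpack_from("<I", blob, 24)
        name_bytes = blob[28:28 + 2 * nchars]
        if len(name_bytes) != 2 * nchars:
            raise ValueError("record truncated inside the file name")
    else:
        raise ValueError(f"unsupported record version {version}")
    name = name_bytes.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    if not name:
        raise ValueError("empty original file name")
    try:
        deleted_at = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    except OverflowError as exc:
        raise ValueError("timestamp out of range") from exc
    # The content file sits beside the record, named "$R" instead of "$I".
    raw_path = rec.with_name("$R" + rec.name[2:])
    return DeletedFileInfo(name, size, deleted_at, str(raw_path))


def merge(info: DeletedFileInfo, raw: bytes) -> dict:
    """Combine the attribute information with raw data read via raw_data_path."""
    if len(raw) != info.size:
        raise ValueError(f"size mismatch: record {info.size}, data {len(raw)}")
    return {"name": PureWindowsPath(info.original_path).name,
            "deleted_at": info.deleted_at, "content": raw}


def build_sample_v2(path: str, size: int, deleted_at: datetime) -> bytes:
    """Build a constructed version-2 record (sample input, not real evidence)."""
    filetime = (deleted_at - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    name = (path + "\x00").encode("utf-16-le")
    return struct.pack("<qqqI", 2, size, filetime, len(name) // 2) + name


if __name__ == "__main__":
    record_path = r"C:\$Recycle.Bin\S-1-5-21-0-0-0-1001\$IABC123.txt"  # constructed
    blob = build_sample_v2(r"C:\Users\alice\report.txt", 5,
                           datetime(2016, 4, 7, tzinfo=timezone.utc))
    info = parse_record(record_path, blob)
    print(info)
    print(merge(info, b"hello"))
```

The size check in `merge` flags the case where the raw data fetched through the index information no longer matches what the record describes, for example after the content file has been truncated or replaced.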
As shown in Fig. 4, this embodiment discloses a secure virtual machine, which may include the following units: a processing unit 41 and a sending unit 42.
Processing unit 41 is configured to, after receiving a security check request message that is sent by the cloud management server and carries the identifier of the target Windows virtual machine, load the pre-mounted recycle bin record file of the target Windows virtual machine into memory and analyze it, to obtain the information of the deleted files in the target Windows virtual machine.
Sending unit 42 is configured to send a security check response message to the cloud management server, the security check response message carrying the information of the deleted files in the target Windows virtual machine, so that the cloud management server obtains the deleted files from the Windows virtual machine based on the information of the deleted files in the target Windows virtual machine.
In this embodiment, the secure virtual machine may be deployed on a host of the cloud platform.
The secure virtual machine disclosed in this embodiment can implement the method flow shown in Fig. 3 for obtaining deleted files in a Windows virtual machine. For the effects and description of the secure virtual machine in this embodiment, refer to Fig. 3; they are not repeated here.
In a specific example, a preferred implementation of the sending unit 42 shown in Fig. 4 is provided, as follows:
Sending unit 42 is configured to send a security check response message to the cloud management server, the security check response message carrying the attribute information of the deleted files in the target Windows virtual machine and the index information of the deleted files. The index information of a deleted file indicates the storage path of the raw data of that deleted file, so that the cloud management server obtains the raw data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the raw data of the deleted file to obtain the deleted file.
In this embodiment, the attribute information of a deleted file may include information such as the size of the deleted file, the deletion time and the original file name, and indicates the basic information of the deleted file.
The secure virtual machine disclosed in this embodiment can implement the method flow shown in specific example five for obtaining deleted files in a Windows virtual machine. For the effects and description of the secure virtual machine in this embodiment, refer to specific example five; they are not repeated here.
Those skilled in the art will understand that the units in an embodiment may be combined into one unit, and may furthermore be divided into a plurality of sub-units. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification, and all processes or units of any method or device so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Those skilled in the art will appreciate that, although some embodiments described herein include certain features that are included in other embodiments rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments.
Those skilled in the art will understand that the units in the embodiments may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein.
Although the embodiments of the invention have been described with reference to the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations all fall within the scope defined by the appended claims.
Claims (10)
1. A method for obtaining deleted files in a Windows virtual machine, characterized by comprising:
after receiving a security check request message carrying the identifier of a target Windows virtual machine, mounting the recycle bin record file of the target Windows virtual machine into a preset secure virtual machine;
sending the security check request message to the secure virtual machine, so that the secure virtual machine loads the recycle bin record file of the target Windows virtual machine into memory and analyzes it, to obtain the information of the deleted files in the target Windows virtual machine;
receiving a security check response message sent by the secure virtual machine, the security check response message carrying the information of the deleted files in the target Windows virtual machine;
obtaining the deleted files from the Windows virtual machine based on the information of the deleted files in the target Windows virtual machine.
2. The method according to claim 1, characterized in that the information of a deleted file includes the attribute information of the deleted file and the index information of the deleted file; wherein the index information of the deleted file indicates the storage path of the raw data of the deleted file;
the obtaining of the deleted files from the Windows virtual machine based on the information of the deleted files in the target Windows virtual machine comprises:
obtaining the raw data of the deleted file from the Windows virtual machine based on the index information of the deleted file;
merging the attribute information of the deleted file with the raw data of the deleted file to obtain the deleted file.
3. The method according to claim 1, characterized in that, after the deleted files are obtained from the Windows virtual machine, the method further comprises:
unmounting the recycle bin record file of the target Windows virtual machine that is mounted in the secure virtual machine.
4. A device for obtaining deleted files in a Windows virtual machine, characterized by comprising:
a mounting unit, configured to, after a security check request message carrying the identifier of a target Windows virtual machine is received, mount the recycle bin record file of the target Windows virtual machine into a preset secure virtual machine;
a sending unit, configured to send the security check request message to the secure virtual machine, so that the secure virtual machine loads the recycle bin record file of the target Windows virtual machine into memory and analyzes it, to obtain the information of the deleted files in the target Windows virtual machine;
a receiving unit, configured to receive a security check response message sent by the secure virtual machine, the security check response message carrying the information of the deleted files in the target Windows virtual machine;
an obtaining unit, configured to obtain the deleted files from the Windows virtual machine based on the information of the deleted files in the target Windows virtual machine.
5. The device according to claim 4, characterized in that the information of a deleted file includes the attribute information of the deleted file and the index information of the deleted file; wherein the index information of the deleted file indicates the storage path of the raw data of the deleted file;
the obtaining unit is configured to obtain the raw data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and to merge the attribute information of the deleted file with the raw data of the deleted file to obtain the deleted file.
6. The device according to claim 4, characterized in that the device further comprises:
an unmounting unit, configured to, after the obtaining unit obtains the deleted files from the Windows virtual machine, unmount the recycle bin record file of the target Windows virtual machine that is mounted in the secure virtual machine.
7. A method for obtaining deleted files in a Windows virtual machine, characterized by comprising:
after receiving a security check request message that is sent by a cloud management server and carries the identifier of a target Windows virtual machine, loading the pre-mounted recycle bin record file of the target Windows virtual machine into memory and analyzing it, to obtain the information of the deleted files in the target Windows virtual machine;
sending a security check response message to the cloud management server, the security check response message carrying the information of the deleted files in the target Windows virtual machine, so that the cloud management server obtains the deleted files from the Windows virtual machine based on the information of the deleted files in the target Windows virtual machine.
8. The method according to claim 7, characterized in that the sending of a security check response message to the cloud management server, the security check response message carrying the information of the deleted files in the target Windows virtual machine, so that the cloud management server obtains the deleted files from the Windows virtual machine based on the information of the deleted files in the target Windows virtual machine, comprises:
sending a security check response message to the cloud management server, the security check response message carrying the attribute information of the deleted files in the target Windows virtual machine and the index information of the deleted files, the index information of a deleted file indicating the storage path of the raw data of the deleted file, so that the cloud management server obtains the raw data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the raw data of the deleted file to obtain the deleted file.
9. A secure virtual machine, characterized by comprising:
a processing unit, configured to, after receiving a security check request message that is sent by a cloud management server and carries the identifier of a target Windows virtual machine, load the pre-mounted recycle bin record file of the target Windows virtual machine into memory and analyze it, to obtain the information of the deleted files in the target Windows virtual machine;
a sending unit, configured to send a security check response message to the cloud management server, the security check response message carrying the information of the deleted files in the target Windows virtual machine, so that the cloud management server obtains the deleted files from the Windows virtual machine based on the information of the deleted files in the target Windows virtual machine.
10. The secure virtual machine according to claim 9, characterized in that
the sending unit is configured to send a security check response message to the cloud management server, the security check response message carrying the attribute information of the deleted files in the target Windows virtual machine and the index information of the deleted files, the index information of a deleted file indicating the storage path of the raw data of the deleted file, so that the cloud management server obtains the raw data of the deleted file from the Windows virtual machine based on the index information of the deleted file, and merges the attribute information of the deleted file with the raw data of the deleted file to obtain the deleted file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610214439.3A CN105868056B (en) | 2016-04-07 | 2016-04-07 | Method, device and safety virtual machine for acquiring deleted files in Windows virtual machines |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105868056A (en) | 2016-08-17 |
CN105868056B (en) | 2019-06-21 |
Family
ID=56637082
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610214439.3A Active CN105868056B (en) | Method, device and safety virtual machine for acquiring deleted files in Windows virtual machines | 2016-04-07 | 2016-04-07 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105868056B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102289513A (en) * | 2011-09-05 | 2011-12-21 | 盛乐信息技术(上海)有限公司 | Method and system for obtaining internal files of virtual machine |
TW201220197A (en) * | 2010-11-12 | 2012-05-16 | Alibaba Group Holding Ltd | for improving the safety and reliability of data storage in a virtual machine based on cloud calculation and distributed storage environment |
CN102662981A (en) * | 2012-03-13 | 2012-09-12 | 中国人民大学 | Windows recycle bin delete record forensics method based on feature scan |
CN105468433A (en) * | 2015-11-19 | 2016-04-06 | 北京北信源软件股份有限公司 | Method and system for acquiring disc data of virtual machines |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107800663A (en) * | 2016-08-31 | 2018-03-13 | 华为数字技术(苏州)有限公司 | The detection method and device of flow off-line files |
CN107800663B (en) * | 2016-08-31 | 2020-04-28 | 华为数字技术(苏州)有限公司 | Method and device for detecting flow offline file |
CN108009000A (en) * | 2016-10-31 | 2018-05-08 | 江苏神州信源系统工程有限公司 | A kind of method that historical record in Windows virtual machines is obtained under virtualized environment |
CN107463427A (en) * | 2017-06-29 | 2017-12-12 | 北京北信源软件股份有限公司 | The acquisition methods and device of a kind of VME operating system type and version |
CN109117251A (en) * | 2018-08-09 | 2019-01-01 | 郑州云海信息技术有限公司 | A kind of implementation method, device and the readable storage medium storing program for executing of virtual machine recycle bin |
CN109117251B (en) * | 2018-08-09 | 2020-10-30 | 郑州云海信息技术有限公司 | Method and device for realizing virtual machine recycle bin and readable storage medium |
CN112732406A (en) * | 2021-01-12 | 2021-04-30 | 华云数据控股集团有限公司 | Cloud platform virtual machine recovery method and computer equipment |
CN113032351A (en) * | 2021-03-31 | 2021-06-25 | 建信金融科技有限责任公司 | Recovery method and device of network file system |
CN113032351B (en) * | 2021-03-31 | 2023-01-13 | 中国建设银行股份有限公司 | Recovery method and device of network file system |
Also Published As
Publication number | Publication date |
---|---|
CN105868056B (en) | 2019-06-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |