CN106777256A - A kind of method that listing file data are redirected in rapid extraction Windows - Google Patents
- Publication number: CN106777256A (application CN201611231130.1A)
- Authority: CN (China)
- Prior art keywords: file, destlist, files, data, jumplist
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
        - G06F16/10—File systems; File servers
          - G06F16/16—File or folder operations, e.g. details of user interfaces specifically adapted to file systems
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
      - G06Q50/00—Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
        - G06Q50/10—Services
          - G06Q50/26—Government or public services
Abstract
The invention discloses a method for rapidly extracting Windows jump list file data, comprising the following steps: S1: read the file content and determine whether it is a jumplist file; S2: extract the sub-objects of the document; S3: parse the DestList; S4: extract the information. The beneficial effects of the invention are as follows: complete parsing of all the content contained in jumplist file data; rapid extraction of the valid data in jumplist files, helping individuals, enterprises and public security organs recover valid data.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a method for rapidly extracting Windows jump list file data.
Background technology
Computer crime causes the public great losses, and the key to combating computer crime is finding sufficient, reliable and convincing electronic evidence. The cross-discipline of computer science and law, computer forensics, therefore receives more and more attention, and for several years has even been the annual focus of FIRST (Forum of Incident Response and Security Teams).
Computer forensics is also called computer forensic science; it refers to computer identification techniques used to analyze and confirm the criminal and the computer evidence, and to bring proceedings for computer crime accordingly, that is, the acquisition, preservation, analysis and presentation of evidence of computer intrusion and computer crime. Computer evidence is the electromagnetic record generated during the running of a computer system whose recorded content proves the facts of a case. Technically, computer forensics is the process of scanning and examining an intruded computer system in order to reconstruct the intrusion event.
It provides thorough, effective and safe technology for investigating computer crime, and it is important to ensure the authenticity, completeness, reliability and legal compliance of the evidence.
In Windows operating systems, so that the user can quickly reopen recently opened documents, the system records the files the user has opened and the essential information about them. Windows 7 introduced the jump list (hereinafter jumplist) file type to record recently opened files; these may be documents recently accessed by a word processor, image files recently opened by an image editor, or other most recently used items. The jumplist files that record file-open information in Windows systems therefore play a particularly important role in electronic data forensics.
The content of the invention
In view of the defects of the prior art, the present invention provides a method for rapidly extracting Windows jump list file data, which can effectively solve the above-mentioned problems of the prior art.
A method for rapidly extracting Windows jump list file data comprises the following steps:
S1: Load and read the jumplist file content and judge whether it conforms to the data structure of a jumplist file; if it conforms to the data structure, the file is a jumplist file, so jump to S3; otherwise terminate;
S2: Using the method for parsing the compound document structure, extract the content of the sub-object files contained in the jumplist file and generate the corresponding sub-files;
S3: Parse the structure of the DestList file;
S4: According to the data content parsed in S3, extract the information on the recently opened files recorded in the jumplist file;
wherein S3 includes the following detailed steps:
S31: According to the data decompressed in S1, traverse and query the DestList sub-object file and read the data content of the DestList sub-object file;
S32: According to the DestList sub-object file structure and the following standards, judge whether the evidence conforms to the structure of a DestList sub-object file:
Standard 1: the value at offsets 0x0~0x03 relative to the start of the DestList sub-object file is fixed at 0x01000000;
Standard 2: the value recorded at offsets 0x04~0x07 relative to the start of the DestList sub-object file equals the value n in Standard 2 of step S2;
only a data structure meeting both of the above conforms to the DestList sub-object file structure; S33 is then performed, otherwise terminate;
S33: According to the DestList sub-object file structure described in S3, parse the computer name and absolute path information of the recently opened files recorded in this file; then, according to the structure described in S3, read the mapped file corresponding to each record;
S34: Record the information resolved in S33: the computer name of the recently opened file, its absolute path, creation time, modification time and last access time, etc.
Preferably, judging in S1 whether the data structure of a jumplist file is met requires two standards: Standard 1: the file start address carries a signature, and the signature bytes are 0xD0CF11E0A1B11AE1;
Standard 2: the data content conforms to the compound document structure, and the sub-objects must contain a complete DestList.
Compared with the prior art, the advantages of the invention are: complete parsing of all the content contained in jumplist file data; rapid extraction of the valid data in jumplist files, helping individuals, enterprises and public security organs recover valid data.
Brief description of the drawings
Fig. 1 is the main flow chart of the embodiment of the present invention;
Fig. 2 is the flow chart of step S3 in the embodiment of the present invention;
Fig. 3 is the structural representation of DestList files in the embodiment of the present invention;
Fig. 4 is record data structural representation in the embodiment of the present invention.
Specific embodiment
To make the purpose, technical scheme and advantages of the present invention clearer, the present invention is described in further detail below by way of the following embodiments.
Jumplist files produced under the Windows 7 operating system are commonly stored at %AppData%\Microsoft\Windows\Recent\AutomaticDestinations and %AppData%\Microsoft\Windows\Recent\CustomDestinations. All jumplist files have the same signature header 0xD0CF11E0A1B11AE1 and use the compound document structure, so all the information contained in the file can be parsed according to that structure; by studying its structural features, it was found that all of the data in the file can be extracted rapidly by the method of the present invention. When extracting the data in a jumplist file, all the sub-object files contained in it must first be obtained by the compound document parsing method; these include a DestList sub-object file and n sub-object files named with the numerals 1 to n. Most of the data recorded in a jumplist file is stored in the DestList, and the structure of the DestList sub-object file is shown in Fig. 3.
A DestList file consists of a file header plus record data; the header records the total number of records contained in the DestList. Every record has exactly the same structure, so all the information contained in the DestList can be read by traversing it completely with a loop. In addition, each record maps to a separate file, and the mapped file records the information on the recently opened file in detail.
As shown in Fig. 1, a method for rapidly extracting Windows jump list file data comprises the following steps:
S1: Load and read the jumplist file content and judge whether it meets the data structure of a jumplist file according to the following standards:
Standard 1: the file start address carries a signature, and the signature bytes are 0xD0CF11E0A1B11AE1;
Standard 2: the data content conforms to the compound document structure, and the sub-objects must contain a complete DestList;
read the data content of the jumplist file; if both of the above standards are met, the file conforms to the structure of a jumplist file, so jump to S3; otherwise skip to the end;
S2: Using the method for parsing the compound document structure, extract the content of the sub-object files contained in the jumplist file and generate the corresponding sub-files;
S3: Parse the structure of the DestList file. A DestList file consists of a signature header and record data. The signature header is 0x20 bytes long and occupies offsets 0x0~0x20 relative to the start of the file content; within the header, the value recorded at offsets 0x0~0x03 relative to the header start is a constant fixed at 0x01000000, and the value recorded at offsets 0x04~0x07 relative to the header start is the total number of record data items. The remainder of the file is record data; the total number of records is recorded in the signature header, every record has the same structure, and the concrete structure is shown in Fig. 4.
It should be noted that the absolute path information of the recently opened file recorded in the record data is Unicode encoded, and that the time information of the recently opened file is stored in the mapped file described in the third item, the mapped file being produced in step S1.
S4: According to the data content parsed in S3, extract the information on the recently opened files recorded in the jumplist file.
As shown in Fig. 2, S3 includes the following detailed steps:
S31: According to the data decompressed in S1, traverse and query the DestList sub-object file and read the data content of the DestList sub-object file;
S32: According to the DestList sub-object file structure described in S3 and the following standards, judge whether the evidence conforms to the structure of a DestList sub-object file:
Standard 1: the value at offsets 0x0~0x03 relative to the start of the DestList sub-object file is fixed at 0x01000000;
Standard 2: the value recorded at offsets 0x04~0x07 relative to the start of the DestList sub-object file equals the value n in Standard 2 of step S2;
only when both of the above are met does the data structure conform to the DestList sub-object file structure, and S33 is then performed; otherwise terminate;
S33: According to the DestList sub-object file structure described in S3, parse the computer name and absolute path information of the recently opened files recorded in this file; then, according to the structure described in S3, read the mapped file corresponding to each record: in the mapped file, offsets 0x1C~0x23 relative to the file start record the creation time of the recently opened file, offsets 0x23~0x2B record the modification time of the recently opened file, and offsets 0x2C~0x33 record the last access time of the recently opened file.
S34: Record the information resolved in S33: the computer name of the recently opened file, its absolute path, creation time, modification time and last access time, etc.
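The S1 signature check and the S32/S33 DestList walk, as an added Python example that is not part of the patent: the record layout beyond the 0x20-byte header (hostname, entry number, FILETIME, pin status, path) is not given on the page and is assumed from public descriptions of the Windows 7 format; the sample stream and the numbered stream names are constructed, and reading the streams out of the actual compound document is left to an OLE parser.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

OLE_SIGNATURE = bytes.fromhex("D0CF11E0A1B11AE1")   # S1, Standard 1: compound document signature
DESTLIST_HEADER_LEN = 0x20                           # S3: header length given on the page
DESTLIST_VERSION = bytes.fromhex("01000000")         # S32, Standard 1: bytes 0x0-0x3 of DestList
# Assumed Windows 7 record layout (not on the page; from public format notes): 0x00 CRC-64,
# 0x08..0x47 four 16-byte droids, 0x48 NetBIOS hostname (16 bytes ASCII), 0x58 entry number (u32),
# 0x5C unknown (u32), 0x60 FILETIME (u64), 0x68 pin status (i32, -1 = unpinned),
# 0x6C path length in UTF-16 units (u16), 0x6E path (UTF-16LE; the page says Unicode).
RECORD_FIXED_LEN = 0x6E
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def is_compound_document(data: bytes) -> bool:
    return data[:8] == OLE_SIGNATURE


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)   # FILETIME = 100 ns ticks since 1601


@dataclass
class DestListEntry:
    hostname: str
    entry_number: int
    stream_name: str        # numbered sub-object stream holding the matching LNK (hex of entry_number)
    last_modified: datetime
    pinned: bool
    path: str


def parse_destlist(stream: bytes, numbered_streams: list[str]) -> list[DestListEntry]:
    """S32 header checks, then the S33 loop over records; raises on any structural violation."""
    if len(stream) < DESTLIST_HEADER_LEN or stream[:4] != DESTLIST_VERSION:
        raise ValueError("Standard 1 failed: DestList does not start with 0x01000000")
    count = struct.unpack_from("<I", stream, 4)[0]
    if count != len(numbered_streams):   # Standard 2: record count must equal the n numbered streams
        raise ValueError(f"Standard 2 failed: {count} records vs {len(numbered_streams)} streams")
    entries, off = [], DESTLIST_HEADER_LEN
    for _ in range(count):
        if off + RECORD_FIXED_LEN > len(stream):
            raise ValueError("truncated record header")
        hostname = stream[off + 0x48:off + 0x58].split(b"\x00", 1)[0].decode("ascii", "replace")
        entry_number, _unknown, ft, pin, path_len = struct.unpack_from("<IIQiH", stream, off + 0x58)
        start, end = off + RECORD_FIXED_LEN, off + RECORD_FIXED_LEN + path_len * 2
        if end > len(stream):
            raise ValueError("truncated path string")
        entries.append(DestListEntry(hostname, entry_number, f"{entry_number:x}", filetime_to_datetime(ft),
                                     pin != -1, stream[start:end].decode("utf-16-le")))
        off = end
    return entries


def build_record(hostname: str, entry_number: int, when: datetime, path: str, pinned: bool = False) -> bytes:
    ft = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10   # constructed record, assumed layout
    encoded = path.encode("utf-16-le")
    return (b"\x00" * 8 + b"\x11" * 64 + hostname.encode("ascii").ljust(16, b"\x00")
            + struct.pack("<IIQiH", entry_number, 0, ft, 0 if pinned else -1, len(encoded) // 2) + encoded)


def build_destlist(records: list[bytes]) -> bytes:
    header = DESTLIST_VERSION + struct.pack("<I", len(records)) + b"\x00" * (DESTLIST_HEADER_LEN - 8)
    return header + b"".join(records)


# Constructed sample, as if the compound document held numbered streams "1" and "2" plus DestList.
SAMPLE_STREAM_NAMES = ["1", "2"]
SAMPLE_STREAM = build_destlist([
    build_record("WORKSTATION", 1, datetime(2016, 12, 28, 9, 30, tzinfo=timezone.utc),
                 "C:\\Users\\analyst\\Documents\\report.docx"),
    build_record("WORKSTATION", 2, datetime(2016, 12, 28, 10, 0, tzinfo=timezone.utc),
                 "D:\\evidence\\notes.txt", pinned=True),
])
```

Each entry's `stream_name` is the numbered sub-object the patent calls the mapped file; the LNK time offsets listed in S33 are read from that stream, not from the DestList.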
Those of ordinary skill in the art will appreciate that the embodiments described here are intended to help the reader understand the implementation of the invention, and it should be understood that the scope of protection of the invention is not limited to such specific statements and embodiments. Those of ordinary skill in the art can, according to the technical teachings disclosed by the invention, make various other specific variations and combinations that do not depart from the essence of the invention, and these variations and combinations remain within the scope of the invention.
Claims (2)
1. A method for rapidly extracting Windows jump list file data, comprising the following steps:
S1: Load and read the jumplist file content and judge whether it conforms to the data structure of a jumplist file; if it conforms to the data structure, the file is a jumplist file, so jump to S3; otherwise terminate;
S2: Using the method for parsing the compound document structure, extract the content of the sub-object files contained in the jumplist file and generate the corresponding sub-files;
S3: Parse the structure of the DestList file;
S4: According to the data content parsed in S3, extract the information on the recently opened files recorded in the jumplist file;
wherein S3 includes the following detailed steps:
S31: According to the data decompressed in S1, traverse and query the DestList sub-object file and read the data content of the DestList sub-object file;
S32: According to the DestList sub-object file structure and the following standards, judge whether the evidence conforms to the structure of a DestList sub-object file:
Standard 1: the value at offsets 0x0~0x03 relative to the start of the DestList sub-object file is fixed at 0x01000000;
Standard 2: the value recorded at offsets 0x04~0x07 relative to the start of the DestList sub-object file equals the value n in Standard 2 of step S2;
only a data structure meeting both of the above conforms to the DestList sub-object file structure; S33 is then performed, otherwise terminate;
S33: According to the DestList sub-object file structure described in S3, parse the computer name and absolute path information of the recently opened files recorded in this file; then, according to the structure described in S3, read the mapped file corresponding to each record;
S34: Record the information resolved in S33: the computer name of the recently opened file, its absolute path, creation time, modification time and last access time, etc.
2. The method for rapidly extracting Windows jump list file data according to claim 1, characterized in that judging in S1 whether the data structure of a jumplist file is met requires two standards: Standard 1: the file start address carries a signature, and the signature bytes are 0xD0CF11E0A1B11AE1;
Standard 2: the data content conforms to the compound document structure, and the sub-objects must contain a complete DestList.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611231130.1A CN106777256A (en) | 2016-12-28 | 2016-12-28 | A kind of method that listing file data are redirected in rapid extraction Windows |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106777256A true CN106777256A (en) | 2017-05-31 |
Family
ID=58922606
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611231130.1A Pending CN106777256A (en) | 2016-12-28 | 2016-12-28 | A kind of method that listing file data are redirected in rapid extraction Windows |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106777256A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100325181A1 (en) * | 2009-06-19 | 2010-12-23 | Aptare, Inc. | Catalog that stores file system metadata in an optimized manner |
CN102591928A (en) * | 2010-12-23 | 2012-07-18 | 微软公司 | Surfacing content including content accessed from jump list tasks and items |
CN103412901A (en) * | 2013-07-26 | 2013-11-27 | 北京奇虎科技有限公司 | Method and device for clearing historical records |
Non-Patent Citations (2)
Title |
---|
罗文华: "Analyzing user operation behavior based on jump lists in the Windows 7 environment", Police Technology (《警察技术》) * |
邓金城: "Research and implementation of key technologies of a Windows-oriented computer forensics system", China Master's Theses Full-text Database, Information Science and Technology series * |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
CB02 | Change of applicant information | Address after: 641000 Sichuan province Neijiang City Songshan Road No. 253; Applicant after: Sichuan Miwu Traceless Science and Technology Co., Ltd. Address before: 641000 Sichuan province Neijiang City Songshan Road No. 253; Applicant before: SICHUAN MWH INFORMATION SAFETY TECHNOLOGY CO., LTD. |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20170531 |