CN111737057A - APFS file system data recovery method and device and electronic equipment - Google Patents
APFS file system data recovery method and device and electronic equipment Download PDFInfo
- Publication number
- CN111737057A CN111737057A CN202010591596.2A CN202010591596A CN111737057A CN 111737057 A CN111737057 A CN 111737057A CN 202010591596 A CN202010591596 A CN 202010591596A CN 111737057 A CN111737057 A CN 111737057A
- Authority
- CN
- China
- Prior art keywords
- partition
- keybag
- container
- key
- encrypted
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 32
- 238000011084 recovery Methods 0.000 title claims abstract description 24
- 238000005192 partition Methods 0.000 claims abstract description 148
- 238000000605 extraction Methods 0.000 claims abstract description 5
- 150000003839 salts Chemical class 0.000 claims description 19
- 230000006870 function Effects 0.000 claims description 17
- 238000012856 packing Methods 0.000 claims description 4
- 238000004590 computer program Methods 0.000 claims description 2
- 238000004891 communication Methods 0.000 description 10
- 238000010586 diagram Methods 0.000 description 5
- 238000012545 processing Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 101100127285 Drosophila melanogaster unc-104 gene Proteins 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000008569 process Effects 0.000 description 1
- 230000001737 promoting effect Effects 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1402—Saving, restoring, recovering or retrying
- G06F11/1446—Point-in-time backing up or restoration of persistent data
- G06F11/1458—Management of the backup or restore process
- G06F11/1469—Backup restoration techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1402—Saving, restoring, recovering or retrying
- G06F11/1415—Saving, restoring, recovering or retrying at system level
- G06F11/1435—Saving, restoring, recovering or retrying at system level using file system or storage system metadata
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Quality & Reliability (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Library & Information Science (AREA)
- Storage Device Security (AREA)
Abstract
One or more embodiments of the present specification provide an APFS file system data recovery method, apparatus, and electronic device, where the method includes determining whether a container is encrypted; if the container is encrypted, decrypting the keybag of the container to obtain the keybag of the partition corresponding to each partition in the container; judging whether the partitions are encrypted; if the partition is encrypted, decrypting the keybag of the partition to obtain a key; decrypting the blocks within the encrypted partition using a key; and searching the deleted files in the decrypted partition, and recovering the deleted files. In the invention, the keybag of the encryption container is decrypted to obtain the keybag of the partition, then the keybag of the partition is decrypted to obtain the key, then the encryption partition is decrypted by using the key, the deleted file in the decrypted partition is searched, and the deleted file is recovered, thereby realizing the recovery and extraction of the deleted file.
Description
Technical Field
One or more embodiments of the present disclosure relate to the technical field of data recovery of an APFS file system, and in particular, to a method and an apparatus for data recovery of an APFS file system, and an electronic device.
Background
The APFS is a short for Apple File System, is a next-generation File System created by Apple inc for Apple devices to replace the old HFS + File System, and is characterized by "optimizing flash/SSD storage and using encryption as a main function". The core of the system is an encryption function and can run on all platforms of iOS, macOS, tvOS and watchOS. The system comprises a multi-key encryption function, a key for each file is arranged in the system, and the system also has independent keys for sensitive metadata.
The inventor finds that a method for quickly recovering and extracting deleted files in the APFS is lacking at present due to the unique file format and the high encryption function of the APFS.
Disclosure of Invention
In view of the above, one or more embodiments of the present disclosure are directed to a method, an apparatus, and an electronic device for recovering APFS file system data, so as to solve technical problems in the prior art.
In view of the above, one or more embodiments of the present specification provide an APFS file system data recovery method, including:
judging whether the container is encrypted;
if the container is encrypted, decrypting the keybag of the container to obtain the keybag of the partition corresponding to each partition in the container;
judging whether the partitions are encrypted;
if the partition is encrypted, decrypting the keybag of the partition to obtain a key;
decrypting the blocks within the encrypted partition using a key;
and searching the deleted files in the decrypted partition, and recovering the deleted files.
As an alternative embodiment, said determining whether the container is encrypted comprises
Traversing the disk from scratch to find a first superblock with an "NXSB" flag;
and if the initial id and the size of the keybag in the super block are not 0, encrypting the container.
As an optional implementation, the determining whether the partition is encrypted includes
Finding a block with an 'APSB' flag from the superblock;
and if the initial id and the size of the keybag in the block with the APSB mark are not 0, encrypting the partition.
As an optional implementation manner, the decrypting the keybag of the container to obtain the keybag of the partition corresponding to each partition in the container includes
Reading the keybag data of the container according to the starting id and the size of the keybag of the container;
and taking uuid of the container as key, decrypting the read keybag data by using an AES-XTS algorithm, and obtaining the keybag of the partition corresponding to each partition in the container.
As an optional implementation, the decrypting the keybag of the partition to obtain the key includes
Finding out the keybag of the corresponding subarea according to the uuid of the subarea;
reading the keybag data of the partition according to the initial id and the size of the keybag of the partition;
using the uuid of the partition as a key, decrypting the read keybag data by using an AES-XTS algorithm to obtain decrypted data;
extracting a salt value, iteration times and a package key from the decrypted data;
substituting the partition password, the salt value and the iteration number of the partition into a hash function to generate a hash value;
unpacking the hash value by using an AES cipher packing algorithm and the packing key and the initial iv to obtain an intermediate value and an iteration iv;
and unpacking the intermediate value again by using an AES cipher wrapping algorithm and the wrapping key and the iteration iv to obtain the key.
As an optional implementation manner, substituting the partition password, the salt value, and the iteration number of the partition into the hash function to generate the hash value includes
And (3) taking the partition password, the salt value and the iteration number of the partition as input, and generating a hash value by using a PBKDF2 algorithm and a hash function sha 256.
As an optional implementation manner, the searching for the deleted file in the decrypted partition includes
Finding the latest snapshot in the partition;
and comparing the data of the historical snapshots in the partitions with the data in the latest snapshots to obtain deleted files in the partitions.
Corresponding to the data recovery device of the APFS file system, the invention also provides a data recovery device of the APFS file system, which comprises:
the first judgment module is used for judging whether the container is encrypted or not;
the first decryption module is used for decrypting the keybag of the container under the condition that the container is encrypted to obtain the keybag of the partition corresponding to each partition in the container;
the second judgment module is used for judging whether the subarea is encrypted or not;
the second decryption module is used for decrypting the keybag of the partition under the condition that the partition is encrypted to obtain a key;
the third decryption module is used for decrypting the blocks in the encrypted partition by using keys;
and the searching and recovering module is used for searching the decrypted deleted files in the partitions and recovering the deleted files.
As an optional implementation manner, the second decryption module includes
The searching unit is used for finding the keybag of the corresponding partition according to the uuid of the partition;
the reading unit is used for reading the keybag data of the partitions according to the initial id and the size of the keybag of the partitions;
the first decryption unit is used for taking the uuid of the partition as a key, decrypting the read keybag data by using an AES-XTS algorithm and obtaining decrypted data;
the extraction unit is used for extracting the salt value, the iteration times and the package key from the decrypted data;
the generating unit is used for substituting the partition password, the salt value and the iteration number of the partition into a hash function to generate a hash value;
a first unpacking unit, configured to unpack the hash value by using the wrapping key and the initial iv using an AES cipher wrapping algorithm to obtain an intermediate value and an iteration iv;
and the second unpacking unit is used for unpacking the intermediate value again by using the wrapping key and the iteration iv by using an AES cipher wrapping algorithm to obtain the key.
Corresponding to the APFS file system data recovery apparatus, the present invention also provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the method as described above when executing the program.
As can be seen from the foregoing, according to one or more embodiments of the present disclosure, a method, an apparatus, and an electronic device for recovering data of an APFS file system, first decrypt a keybag of an encryption container to obtain a partitioned keybag, then decrypt the partitioned keybag to obtain a key, then decrypt the encryption partition using the key, find a deleted file in the decrypted partition, and recover the deleted file, thereby recovering and extracting the deleted file.
Drawings
In order to more clearly illustrate one or more embodiments or prior art solutions of the present specification, the drawings that are needed in the description of the embodiments or prior art will be briefly described below, and it is obvious that the drawings in the following description are only one or more embodiments of the present specification, and that other drawings may be obtained by those skilled in the art without inventive effort from these drawings.
FIG. 1 is a logical diagram of an APFS file system data recovery method in accordance with one or more embodiments of the present description;
FIG. 2 is a logical diagram of S400 of an APFS file system data recovery method in accordance with one or more embodiments of the present description;
FIG. 3 is a schematic diagram of an APFS file system data recovery apparatus in accordance with one or more embodiments of the present description;
fig. 4 is a schematic diagram of a second decryption module of the APFS file system data recovery apparatus according to one or more embodiments of the present disclosure.
Fig. 5 is a schematic view of an electronic device according to one or more embodiments of the present disclosure.
Detailed Description
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
In order to achieve the above object, embodiments of the present invention provide a method and an apparatus for recovering APFS file system data, and an electronic device, where the method and the apparatus may be applied to apple-series terminals, such as iPhone series, iPad series, iMac series, and the like, or terminals connected to apple-series terminals, such as servers, cloud servers, and server clusters, and are not limited in particular. First, the data recovery method of the APFS file system according to the embodiment of the present invention is described in detail below.
The embodiment of the invention provides a method for recovering data of an APFS file system, which comprises the following steps:
s100, judging whether the container is encrypted or not;
s200, if the container is encrypted, decrypting the keybag of the container to obtain the keybag of the partition corresponding to each partition in the container;
s300, judging whether the subareas are encrypted or not;
s400, if the partition is encrypted, decrypting the keybag of the partition to obtain a key;
s500, decrypting the blocks in the encrypted partition by using keys;
s600, searching the deleted files in the decrypted partition, and recovering the deleted files.
In this embodiment, the keybag of the encryption container is decrypted to obtain the keybag of the partition, then the keybag of the partition is decrypted to obtain the key, then the encryption partition is decrypted by using the key, the deleted file in the decrypted partition is searched, and the deleted file is restored, so that the restoration and extraction of the deleted file are realized.
Referring to fig. 1, the present embodiment provides a method for recovering data of an APFS file system, including
S100, judging whether the container is encrypted or not.
Optionally, S100 includes
S110, traversing the disk from the beginning to find a first superblock with an NXSB mark;
s120, if the initial id and the size of the keybag in the super block are not 0, encrypting the container.
Wherein, super block: the super block is used to store basic information of the container, for example, the super block records the size of each area, and the super block also stores information of unused disk blocks.
Wherein, keybag: key package, start id indicates block number, size is the start offset of keybag.
S200, if the container is encrypted, decrypting the keybag of the container to obtain the keybag of the partition corresponding to each partition in the container.
In this embodiment, S200 includes
S210, reading the keybag data of the container according to the initial id and the size of the keybag of the container;
wherein, keybag: in the key pack, the start id indicates the block number, the size is the start offset of the keybag, and the content of the keybag can be read out according to the start offset and the size.
S220, using the uuid of the container as a key, decrypting the read keybag data by using an AES-XTS algorithm, and obtaining the keybag of the partition corresponding to each partition in the container.
Wherein, uuid: universal Unique Identifier.
S300, judging whether the partitions are encrypted.
In this embodiment, S300 includes
S310, finding a block with an APSB mark from the super block, wherein the block stores basic information of a partition;
s320, if the initial id and the size of the keybag in the block with the APSB mark are not 0, encrypting the partition.
S400, if the partition is encrypted, decrypting the keybag of the partition to obtain the key.
In this embodiment, as shown in FIG. 2, S400 includes
S410, finding out the keybag of the corresponding partition according to the uuid of the partition;
specifically, the keybag of the partition corresponding to the uuid is found in S200.
S420, reading the keybag data of the partition according to the initial id and the size of the keybag of the partition;
s430, taking the uuid of the partition as a key, and decrypting the read keybag data by using an AES-XTS algorithm to obtain decrypted data;
s440, extracting a salt value, iteration times and a package key from the decrypted data;
specifically, 0 × 28 bytes from 0 × 50 bytes of the decryption data are used as a wrapping key, 8 bytes of integer form from 0 × 88 bytes are used as an iteration value, and 16 bytes of value obtained from 0 × 90 bytes are used as a salt value.
S450, substituting the partition password, the salt value and the iteration number of the partition into a hash function to generate a hash value;
specifically, a partition password, a salt value and iteration times of the partition are used as input, a PBKDF2 algorithm is used, and a hash function uses sha256 to generate a hash value.
S460, using an AES cipher wrapping algorithm, unpacking the hash value by using the wrapping key and the initial iv to obtain a middle value and an iteration iv;
wherein the initial value of iv is 0.
S470, using an AES cipher wrapping algorithm, unpacking the intermediate value again by using the wrapping key and the iteration iv to obtain a key.
S500, decrypting the blocks in the encrypted partition by using keys.
S600, searching the deleted files in the decrypted partition, and recovering the deleted files.
In this embodiment, the searching for the deleted file in the decrypted partition in S600 includes
S610, finding the latest snapshot in the partition;
s620, comparing the data of the historical snapshots in the partitions with the data in the latest snapshots to obtain deleted files in the partitions.
It is to be appreciated that the method can be performed by any apparatus, device, platform, cluster of devices having computing and processing capabilities.
It should be noted that the method of one or more embodiments of the present disclosure may be performed by a single device, such as a computer or server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In such a distributed scenario, one of the devices may perform only one or more steps of the method of one or more embodiments of the present disclosure, and the devices may interact with each other to complete the method.
Referring to fig. 3, the present invention further provides an apparatus for recovering data of an APFS file system, corresponding to the method for recovering data of an APFS file system, including:
the first judging module 10 is used for judging whether the container is encrypted or not;
the first decryption module 20, configured to decrypt the keybag of the container when the container is encrypted, to obtain the keybag of the partition corresponding to each partition in the container;
a second judging module 30, configured to judge whether the partition is encrypted;
the second decryption module 40, configured to decrypt the keybag of the partition to obtain a key when the partition is encrypted;
a third decryption module 50, configured to decrypt the blocks in the encrypted partition using keys;
and a searching and recovering module 60, configured to search for the deleted file in the decrypted partition, and recover the deleted file.
In this embodiment, the keybag of the encryption container is decrypted to obtain the keybag of the partition, then the keybag of the partition is decrypted to obtain the key, then the encryption partition is decrypted by using the key, the deleted file in the decrypted partition is searched, and the deleted file is restored, so that the restoration and extraction of the deleted file are realized.
As an alternative implementation, as shown in fig. 4, the second decryption module 40 includes
The searching unit 41 is configured to find a keybag of the corresponding partition according to the uuid of the partition;
a reading unit 42, configured to read the keybag data of the partition according to the starting id and the size of the keybag of the partition;
the first decryption unit 43 is configured to use the uuid of the partition as a key, decrypt the read keybag data by using an AES-XTS algorithm, and obtain decrypted data;
an extracting unit 44, configured to extract the salt value, the iteration number, and the parcel key from the decrypted data;
a generating unit 45, configured to substitute the partition password, the salt value, and the iteration number of the partition as inputs into a hash function to generate a hash value;
a first unpacking unit 46, configured to unpack the hash value by using the wrapping key and the initial iv using an AES cipher wrapping algorithm to obtain an intermediate value and an iteration iv;
and a second unpacking unit 47, configured to unpack the intermediate value again by using the wrapping key and the iteration iv to obtain a key using an AES cipher wrapping algorithm.
For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, the functionality of the modules may be implemented in the same one or more software and/or hardware implementations in implementing one or more embodiments of the present description.
It is to be noted that unless otherwise defined, technical or scientific terms used in one or more embodiments of the present specification should have the ordinary meaning as understood by those of ordinary skill in the art to which this disclosure belongs. The use of "first," "second," and similar terms in one or more embodiments of the specification is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Fig. 5 is a schematic diagram illustrating a more specific hardware structure of an electronic device according to this embodiment, where the electronic device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, is limited to these examples; within the spirit of the present disclosure, features from the above embodiments or from different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of different aspects of one or more embodiments of the present description as described above, which are not provided in detail for the sake of brevity.
It is intended that the one or more embodiments of the present specification embrace all such alternatives, modifications and variations as fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of one or more embodiments of the present disclosure are intended to be included within the scope of the present disclosure.
Claims (10)
1. An APFS file system data recovery method is characterized by comprising the following steps:
judging whether the container is encrypted;
if the container is encrypted, decrypting the keybag of the container to obtain the keybag of the partition corresponding to each partition in the container;
judging whether the partitions are encrypted;
if the partition is encrypted, decrypting the keybag of the partition to obtain a key;
decrypting the blocks within the encrypted partition using a key;
and searching the deleted files in the decrypted partition, and recovering the deleted files.
2. The APFS file system data recovery method of claim 1, wherein the determining whether the container is encrypted comprises
Traversing the disk from scratch to find a first superblock with an "NXSB" flag;
and if the initial id and the size of the keybag in the super block are not 0, encrypting the container.
3. The APFS file system data recovery method of claim 2, wherein the determining whether the partition is encrypted comprises
Finding a block with an 'APSB' flag from the superblock;
and if the initial id and the size of the keybag in the block with the APSB mark are not 0, encrypting the partition.
4. The APFS file system data recovery method of claim 1, wherein the decrypting the keybag of the container to obtain the keybag of the partition corresponding to each partition in the container comprises
Reading the keybag data of the container according to the starting id and the size of the keybag of the container;
and taking uuid of the container as key, decrypting the read keybag data by using an AES-XTS algorithm, and obtaining the keybag of the partition corresponding to each partition in the container.
5. The APFS file system data recovery method of claim 1, wherein the decrypting the keybag of the partition to obtain the key comprises
Finding out the keybag of the corresponding subarea according to the uuid of the subarea;
reading the keybag data of the partition according to the initial id and the size of the keybag of the partition;
using the uuid of the partition as a key, decrypting the read keybag data by using an AES-XTS algorithm to obtain decrypted data;
extracting a salt value, iteration times and a package key from the decrypted data;
substituting the partition password, the salt value and the iteration number of the partition into a hash function to generate a hash value;
unpacking the hash value by using an AES cipher packing algorithm and the packing key and the initial iv to obtain an intermediate value and an iteration iv;
and unpacking the intermediate value again by using an AES cipher wrapping algorithm and the wrapping key and the iteration iv to obtain the key.
6. The APFS file system data recovery method of claim 5, wherein the substituting a partition password, a salt value, and the number of iterations for the partition into a hash function to generate the hash value comprises taking a partition password, a salt value, and the number of iterations for the partition as inputs
And (3) taking the partition password, the salt value and the iteration number of the partition as input, and generating a hash value by using a PBKDF2 algorithm and a hash function sha 256.
7. The APFS file system data recovery method of claim 1, wherein the finding deleted files in the decrypted partition comprises
Finding the latest snapshot in the partition;
and comparing the data of the historical snapshots in the partitions with the data in the latest snapshots to obtain deleted files in the partitions.
8. An APFS file system data recovery apparatus, comprising:
the first judgment module is used for judging whether the container is encrypted or not;
the first decryption module is used for decrypting the keybag of the container under the condition that the container is encrypted to obtain the keybag of the partition corresponding to each partition in the container;
the second judgment module is used for judging whether the subarea is encrypted or not;
the second decryption module is used for decrypting the keybag of the partition under the condition that the partition is encrypted to obtain a key;
the third decryption module is used for decrypting the blocks in the encrypted partition by using keys;
and the searching and recovering module is used for searching the decrypted deleted files in the partitions and recovering the deleted files.
9. The APFS file system data recovery apparatus of claim 8, wherein the second decryption module comprises
The searching unit is used for finding the keybag of the corresponding partition according to the uuid of the partition;
the reading unit is used for reading the keybag data of the partitions according to the initial id and the size of the keybag of the partitions;
the first decryption unit is used for taking the uuid of the partition as a key, decrypting the read keybag data by using an AES-XTS algorithm and obtaining decrypted data;
the extraction unit is used for extracting the salt value, the iteration times and the package key from the decrypted data;
the generating unit is used for substituting the partition password, the salt value and the iteration number of the partition into a hash function to generate a hash value;
a first unpacking unit, configured to unpack the hash value by using the wrapping key and the initial iv using an AES cipher wrapping algorithm to obtain an intermediate value and an iteration iv;
and the second unpacking unit is used for unpacking the intermediate value again by using the wrapping key and the iteration iv by using an AES cipher wrapping algorithm to obtain the key.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1 to 7 when executing the program.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010591596.2A CN111737057A (en) | 2020-06-24 | 2020-06-24 | APFS file system data recovery method and device and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010591596.2A CN111737057A (en) | 2020-06-24 | 2020-06-24 | APFS file system data recovery method and device and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111737057A true CN111737057A (en) | 2020-10-02 |
Family
ID=72651080
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010591596.2A Pending CN111737057A (en) | 2020-06-24 | 2020-06-24 | APFS file system data recovery method and device and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111737057A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111597075A (en) * | 2020-05-11 | 2020-08-28 | 成都艾勃科技有限公司 | Method for recovering data from data storage device encrypted by hardware |
| CN112579202A (en) * | 2020-12-17 | 2021-03-30 | 深圳软牛科技有限公司 | Method, device, equipment and storage medium for editing service program of Windows system |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030221095A1 (en) * | 2000-02-19 | 2003-11-27 | Powerquest Corporation | Computer imaging recovery without a working partition or a secondary medium |
| CN102750495A (en) * | 2012-06-07 | 2012-10-24 | 北京锐安科技有限公司 | System for cracking and restoring iPhone encrypted backup files |
| CN104657459A (en) * | 2015-02-09 | 2015-05-27 | 中国科学院信息工程研究所 | Massive data storage method based on file granularity |
| CN106569895A (en) * | 2016-10-24 | 2017-04-19 | 华南理工大学 | Construction method of multi-tenant big data platform based on container |
| CN110232004A (en) * | 2019-06-13 | 2019-09-13 | 深圳麦风科技有限公司 | A kind of APFS file system data restoration methods |
| CN110297781A (en) * | 2019-07-02 | 2019-10-01 | 四川效率源信息安全技术股份有限公司 | A method of restore to be deleted data in APFS based on copy-on-write |
| CN110297729A (en) * | 2019-07-02 | 2019-10-01 | 四川效率源信息安全技术股份有限公司 | A method of restore to be damaged data and deleted data in APFS based on extent block |
| CN110309019A (en) * | 2019-07-02 | 2019-10-08 | 四川效率源信息安全技术股份有限公司 | A kind of fast quick-recovery simultaneously extracts the method that file is deleted in APFS |
-
2020
- 2020-06-24 CN CN202010591596.2A patent/CN111737057A/en active Pending
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20030221095A1 (en) * | 2000-02-19 | 2003-11-27 | Powerquest Corporation | Computer imaging recovery without a working partition or a secondary medium |
| CN102750495A (en) * | 2012-06-07 | 2012-10-24 | 北京锐安科技有限公司 | System for cracking and restoring iPhone encrypted backup files |
| CN104657459A (en) * | 2015-02-09 | 2015-05-27 | 中国科学院信息工程研究所 | Massive data storage method based on file granularity |
| CN106569895A (en) * | 2016-10-24 | 2017-04-19 | 华南理工大学 | Construction method of multi-tenant big data platform based on container |
| CN110232004A (en) * | 2019-06-13 | 2019-09-13 | 深圳麦风科技有限公司 | A kind of APFS file system data restoration methods |
| CN110297781A (en) * | 2019-07-02 | 2019-10-01 | 四川效率源信息安全技术股份有限公司 | A method of restore to be deleted data in APFS based on copy-on-write |
| CN110297729A (en) * | 2019-07-02 | 2019-10-01 | 四川效率源信息安全技术股份有限公司 | A method of restore to be damaged data and deleted data in APFS based on extent block |
| CN110309019A (en) * | 2019-07-02 | 2019-10-08 | 四川效率源信息安全技术股份有限公司 | A kind of fast quick-recovery simultaneously extracts the method that file is deleted in APFS |
Non-Patent Citations (2)
| Title |
|---|
| JONAS PLUM 等: "Forensic APFS File Recovery", 《THE 13TH INTERNATIONAL CONFERENCE》, 31 August 2018 (2018-08-31), pages 1 - 10, XP059173166, DOI: 10.1145/3230833.3232808 * |
| 魏小锋 等: "基于MNT随机化容器文件系统安全性加强技术", 《计算机工程与应用》, 11 April 2018 (2018-04-11), pages 81 - 85 * |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111597075A (en) * | 2020-05-11 | 2020-08-28 | 成都艾勃科技有限公司 | Method for recovering data from data storage device encrypted by hardware |
| CN111597075B (en) * | 2020-05-11 | 2023-04-07 | 成都艾勃科技有限公司 | Method for recovering data from data storage device encrypted by hardware |
| CN112579202A (en) * | 2020-12-17 | 2021-03-30 | 深圳软牛科技有限公司 | Method, device, equipment and storage medium for editing service program of Windows system |
| CN112579202B (en) * | 2020-12-17 | 2024-04-05 | 深圳软牛科技有限公司 | Method, device, equipment and storage medium for editing server program of Windows system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9430332B1 (en) | Systems and methods for enabling efficient access to incremental backups | |
| CN104866389A (en) | Data recovery method as well as data backup method, device and system based on mobile operating system | |
| KR101614070B1 (en) | Wireless handheld device startup method and wireless handheld device | |
| CN111737057A (en) | APFS file system data recovery method and device and electronic equipment | |
| US11907379B2 (en) | Creating a secure searchable path by hashing each component of the path | |
| CN103186598A (en) | File processing method and system | |
| CN111737718A (en) | Encryption and decryption method and device for jar packet, terminal equipment and storage medium | |
| Immanuel et al. | Android cache taxonomy and forensic process | |
| CN112966227A (en) | Code encryption and decryption method and device and storage medium | |
| CN111459822A (en) | Method, device and equipment for extracting system component data and readable medium | |
| CN113468118B (en) | File increment storage method, device and storage medium based on blockchain | |
| CN111417927B (en) | Resource authority processing method and device, storage medium and chip | |
| CN108196906B (en) | User instruction processing method and embedded device | |
| CN113609479A (en) | File detection method and device, electronic equipment and readable storage medium | |
| CN109560927B (en) | Equipment fingerprint implementation method and device | |
| WO2019184741A1 (en) | Application program information storing method and apparatus, and application program information processing method and apparatus | |
| Yusoff et al. | Performance measurement for mobile forensic data acquisition in Firefox OS | |
| CN109002710B (en) | Detection method, detection device and computer readable storage medium | |
| US10505739B2 (en) | Prefix fingerprint | |
| JP6178119B2 (en) | Data migration system and data migration method | |
| JP6698775B2 (en) | Security providing apparatus and method for protecting code of shared object, and security executing apparatus and method | |
| CN110659490A (en) | Malicious sample processing method and device, electronic equipment and storage medium | |
| CN111291404A (en) | Crypt12 backup decryption method, system, device and storage medium of WhatsApp of android device | |
| CN112698842A (en) | Method and device for acquiring additional information of application program | |
| CN110694269B (en) | Script file loading method and device, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |