Disclosure of Invention
In view of this, one or more embodiments of the present disclosure are directed to a method, an apparatus, and an electronic device for searching for a file deletion time in an NTFS, which can determine a deletion time of a deleted file in an NTFS file system.
In view of the above, one or more embodiments of the present specification provide a method for searching for a file deletion time in an NTFS, including:
searching for the $LogFile according to the header information of the NTFS volume;
parsing the $LogFile, acquiring the record items in it, and sorting the record items by their sequence numbers;
dividing the sorted record items into a plurality of transactions;
for each transaction, searching whether a record item whose redo operation is DeallocateFileRecordSegment exists in the transaction, and if so, determining the transaction to be a deletion transaction;
for the record items in each deletion transaction, finding the target record item whose redo operation is UpdateNonResidentValue and whose undo operation is Noop;
and extracting the file name and the corresponding file deletion time from the target record item.
As an optional implementation manner, the locating and searching for the $LogFile according to the header information of the NTFS volume includes:
locating the $MFT file according to the volume header information of the NTFS volume;
looking up the $LogFile through the $MFT file.
As an alternative embodiment, the sequence number (LSN) consists of the first 8 bytes of the record item.
As an optional implementation, the sorting of the record items based on their sequence numbers includes:
sorting the record items in ascending order of sequence number.
As an optional implementation manner, the sorted record items are divided into a plurality of transactions, where the first record item of each transaction is the record item whose previous sequence number is 0, and the last record item is the record item whose redo operation is ForgetTransaction.
As an alternative, the 8-byte integer starting at offset 8 of each record item is the previous sequence number, and the 2-byte integer starting at offset 0x30 of each record item is the redo operation value.
As an alternative embodiment, the 2-byte integer starting at offset 0x32 of each record item is the undo operation value.
As an alternative embodiment, in the content area of the redo operation of the target record item, the 8 bytes starting at offset 0x20 are the deletion time, and the name of the deleted file or folder begins at offset 0x52.
As a second aspect of the present invention, there is also provided an apparatus for searching for a file deletion time in NTFS, including:
a first searching unit, configured to search for the $LogFile according to the header information of the NTFS volume;
a parsing and sorting unit, configured to parse the $LogFile, acquire the record items in it, and sort the record items by their sequence numbers;
a dividing unit, configured to divide the sorted record items into a plurality of transactions;
a second searching unit, configured to search, for each transaction, whether a record item whose redo operation is DeallocateFileRecordSegment exists in the transaction, and if so, to determine the transaction to be a deletion transaction;
a third searching unit, configured to search, among the record items of each deletion transaction, for the target record item whose redo operation is UpdateNonResidentValue and whose undo operation is Noop;
and an extracting unit, configured to extract the file name and the corresponding file deletion time from the target record item.
As a third aspect of the present invention, there is also provided an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method as described above when executing the program.
As can be seen from the above, in the method, the apparatus, and the electronic device for searching for a file deletion time in NTFS provided in one or more embodiments of the present disclosure, the $LogFile of the file system is located, the record items in it are sorted, the sorted record items are divided into a plurality of transactions, the deletion transactions among them are identified, the target record item within each deletion transaction is found by its redo operation and undo operation, and the file name and corresponding file deletion time are extracted from the target record item, so that the deletion time of a deleted file in the NTFS file system is determined.
Detailed Description
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
In order to achieve the above object, the present invention provides a method for searching file deletion time in NTFS, which comprises:
searching for the $LogFile according to the header information of the NTFS volume;
parsing the $LogFile, acquiring the record items in it, and sorting the record items by their sequence numbers;
dividing the sorted record items into a plurality of transactions;
for each transaction, searching whether a record item whose redo operation is DeallocateFileRecordSegment exists in the transaction, and if so, determining the transaction to be a deletion transaction;
for the record items in each deletion transaction, finding the target record item whose redo operation is UpdateNonResidentValue and whose undo operation is Noop;
and extracting the file name and the corresponding file deletion time from the target record item.
In the embodiment of the invention, the deletion time of a deleted file in the NTFS file system is determined by locating the $LogFile of the file system, sorting the record items found in the $LogFile, dividing the sorted record items into a plurality of transactions, identifying the deletion transactions among them, searching the record items of each deletion transaction for the target record item by its redo operation and undo operation, and extracting the file name and the corresponding file deletion time from the target record item.
As shown in fig. 1, the present invention provides a method for searching file deletion time in NTFS, which includes:
S100, searching for the $LogFile according to the header information of the NTFS volume.
Optionally, the locating and searching for the $LogFile according to the header information of the NTFS volume includes:
locating the $MFT file according to the volume header information of the NTFS volume;
looking up the $LogFile through the $MFT file.
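The two sub-steps of S100, carried out on a constructed in-memory image as an added example (this code is not part of the patent and is not the applicant's implementation): the boot sector gives the cluster size and the starting cluster of the $MFT, MFT record 2 is always $LogFile, and the data runs of its unnamed non-resident $DATA attribute give the byte ranges of the volume to read. The field offsets used for the boot sector, the MFT record header and the attribute header are the standard NTFS on-disk layout and are not values stated on this page; update-sequence fixups are assumed to have been applied already, and the 64 KiB image, its geometry and the RCRD signatures placed in it are constructed for the example.

```python
import struct

LOGFILE_MFT_ENTRY = 2        # $LogFile always occupies MFT record 2
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF


def parse_boot_sector(img):
    """Volume header fields needed to reach the $MFT: cluster size, $MFT LCN, MFT record size."""
    bytes_per_sector, = struct.unpack_from("<H", img, 0x0B)
    sectors_per_cluster = img[0x0D]
    mft_lcn, = struct.unpack_from("<Q", img, 0x30)
    clusters_per_record, = struct.unpack_from("<b", img, 0x40)   # negative: record size is 2**(-value)
    cluster_size = bytes_per_sector * sectors_per_cluster
    record_size = 1 << -clusters_per_record if clusters_per_record < 0 else clusters_per_record * cluster_size
    return cluster_size, mft_lcn, record_size


def decode_data_runs(buf, pos, cluster_size):
    """Data runs: header nibbles give the field sizes; LCN deltas are signed and relative to the previous run."""
    runs, lcn = [], 0
    while buf[pos] != 0:
        length_size, offset_size = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        length = int.from_bytes(buf[pos:pos + length_size], "little")
        pos += length_size
        if offset_size == 0:
            raise ValueError("sparse run: not expected in $LogFile")
        lcn += int.from_bytes(buf[pos:pos + offset_size], "little", signed=True)
        pos += offset_size
        runs.append((lcn * cluster_size, length * cluster_size))
    return runs


def locate_logfile(img):
    """S100: boot sector -> $MFT -> MFT record 2 -> unnamed non-resident $DATA -> byte ranges of $LogFile."""
    cluster_size, mft_lcn, record_size = parse_boot_sector(img)
    start = mft_lcn * cluster_size + LOGFILE_MFT_ENTRY * record_size
    rec = img[start:start + record_size]
    if rec[:4] != b"FILE":
        raise ValueError("MFT record 2 has no FILE signature")
    # Assumption: update-sequence fixups have already been applied to this record.
    pos, = struct.unpack_from("<H", rec, 0x14)        # offset of the first attribute
    while True:
        attr_type, attr_len = struct.unpack_from("<II", rec, pos)
        if attr_type == ATTR_END:
            raise ValueError("no unnamed $DATA attribute in MFT record 2")
        non_resident, name_len = rec[pos + 8], rec[pos + 9]
        if attr_type == ATTR_DATA and name_len == 0:
            if not non_resident:
                raise ValueError("$LogFile $DATA is resident: unexpected")
            run_off, = struct.unpack_from("<H", rec, pos + 0x20)
            return decode_data_runs(rec, pos + run_off, cluster_size)
        pos += attr_len


def read_logfile(img, runs):
    """Concatenate the runs in order; the result is the raw $LogFile."""
    return b"".join(bytes(img[off:off + length]) for off, length in runs)


def build_sample_image():
    """Constructed 64 KiB NTFS-shaped image (not a real volume): 512-byte sectors, 8 sectors per
    cluster, $MFT at LCN 4, 1024-byte MFT records, $LogFile in clusters 10-11 and 7."""
    img = bytearray(64 * 1024)
    img[3:11] = b"NTFS    "
    struct.pack_into("<H", img, 0x0B, 512)
    img[0x0D] = 8
    struct.pack_into("<Q", img, 0x30, 4)
    img[0x40] = 0xF6                                   # -10 -> 2**10 = 1024-byte records
    rec = bytearray(1024)
    rec[:4] = b"FILE"
    struct.pack_into("<H", rec, 0x14, 0x38)
    attr = bytearray(0x48)
    struct.pack_into("<IIBBHHH", attr, 0, ATTR_DATA, len(attr), 1, 0, 0, 0, 0)   # non-resident, unnamed
    struct.pack_into("<QQH", attr, 0x10, 0, 2, 0x40)   # first VCN 0, last VCN 2, data-run offset 0x40
    attr[0x40:0x47] = bytes([0x11, 0x02, 0x0A,         # 2 clusters at LCN 10
                             0x11, 0x01, 0xFD,         # 1 cluster at LCN 10 - 3 = 7
                             0x00])
    rec[0x38:0x38 + len(attr)] = attr
    struct.pack_into("<I", rec, 0x38 + len(attr), ATTR_END)
    start = 4 * 4096 + LOGFILE_MFT_ENTRY * 1024
    img[start:start + 1024] = rec
    for lcn in (10, 11, 7):
        img[lcn * 4096:lcn * 4096 + 4] = b"RCRD"      # $LogFile record-page signature, for the read check
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    runs = locate_logfile(SAMPLE_IMAGE)
    print("$LogFile runs (byte offset, length):", runs)
    print("first bytes:", read_logfile(SAMPLE_IMAGE, runs)[:4])
```

On a real volume the image is a raw disk or partition image (or the volume device opened read-only); the negative data-run delta in the sample is the case that most parsers get wrong, since the LCN field is signed and relative to the previous run rather than an absolute cluster number.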
S200, parsing the $LogFile, acquiring the record items in it, and sorting the record items based on their sequence number (LSN).
The sequence number (LSN) consists of the first 8 bytes of the record item.
The record items are sorted in ascending order of sequence number.
A record item (a log record) describes one operation on an NTFS metadata file.
S300, dividing the sequenced record items into a plurality of transactions.
A transaction consists of a plurality of record items.
The transactions referred to here are those that the file system's own journaling writes to the $LogFile: NTFS logs every metadata change as part of a transaction so that, after a crash, the changes of a committed transaction are redone together and those of an uncommitted transaction are undone together, and no partial change becomes visible. (This is distinct from the application-facing Transactional NTFS (TxF) API, which also lets an application group a series of changes to a file into one transaction but is a separate facility.)
The first record item of each transaction is the record item whose previous sequence number (previous LSN) is 0, and the last record item is the one whose redo operation is ForgetTransaction (value 27).
The redo operation is the operation performed by the current record item.
Each record item stores the sequence number (LSN) of the current record item and the sequence number of the record item immediately preceding it in the same transaction, referred to as the previous sequence number (previous LSN).
The first record item of a transaction has no predecessor, so its previous LSN is 0.
The 8-byte integer starting at offset 8 of each record item is the previous LSN, and the 2-byte integer starting at offset 0x30 of each record item is the redo operation value.
S400, for each transaction, searching whether the transaction contains a record item whose redo operation is DeallocateFileRecordSegment (value 3); if so, the transaction is a deletion transaction.
S500, among the record items of each deletion transaction, searching for the target record item whose redo operation is UpdateNonResidentValue (value 8) and whose undo operation is Noop (value 0).
The undo operation is the operation that reverses the current record item. The 2 bytes at offset 0x38 of each record item give the offset of the content of the undo operation, and the 2 bytes immediately following, at offset 0x3A, give the length of the content of the undo operation.
The 2-byte integer at offset 0x32 of each record item is the undo operation value, and in the content area of the undo operation, the name of the deleted file or folder begins at offset 0x52.
S600, extracting the file name and the corresponding file deletion time from the target record item.
In the content area of the redo operation of the target record item, the 8 bytes starting at offset 0x20 are the deletion time, stored as a 64-bit FILETIME (100-nanosecond intervals since 1601-01-01 UTC), and the name of the deleted file or folder begins at offset 0x52.
The 2 bytes at offset 0x34 of the target record item give the offset of the content of the redo operation, and the 2 bytes at offset 0x36 give its length.
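Steps S200 to S600, as an added example run over a constructed set of record items (this code is not from the patent or its applicant). The sort, the transaction split, the deletion-transaction test and the target-record filter follow the rules given above, using the offsets and operation values this page states. Two things the page does not state are assumed: the redo and undo content offsets at 0x34 and 0x38 are taken relative to offset 0x30 of the record item, and the length of the name at 0x52 is read from the one-byte character count at 0x50 of the same content area and decoded as UTF-16LE. The sample record items, their LSNs and the file names are constructed; 0x02 for the create record is taken from the NTFS operation-code table and is not a value named on this page. Splitting the $LogFile's record pages into individual record items is outside what the page describes and is not shown; the example starts from record items already extracted.

```python
import struct
from datetime import datetime, timedelta, timezone

# Redo/undo operation values named on this page.
NOOP = 0x00
DEALLOCATE_FILE_RECORD_SEGMENT = 0x03
UPDATE_NONRESIDENT_VALUE = 0x08
FORGET_TRANSACTION = 0x1B

# Offsets inside one record item, as stated on this page.
LSN_OFF = 0x00                 # LSN (8 bytes), previous LSN follows at 0x08
OPS_OFF = 0x30                 # redo op, undo op, redo off, redo len, undo off, undo len (6 x 2 bytes)
CLIENT_BASE = 0x30             # assumption: the redo/undo content offsets count from here
TIME_OFF, NAME_LEN_OFF, NAME_OFF = 0x20, 0x50, 0x52   # inside the redo content area

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """NTFS timestamps are FILETIME values: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_entry(raw):
    """Pick out of one raw record item only the fields this method uses."""
    lsn, prev_lsn = struct.unpack_from("<QQ", raw, LSN_OFF)
    redo_op, undo_op, redo_off, redo_len, undo_off, undo_len = struct.unpack_from("<6H", raw, OPS_OFF)
    return {"lsn": lsn, "prev_lsn": prev_lsn, "redo_op": redo_op, "undo_op": undo_op,
            "redo_data": raw[CLIENT_BASE + redo_off:CLIENT_BASE + redo_off + redo_len],
            "undo_data": raw[CLIENT_BASE + undo_off:CLIENT_BASE + undo_off + undo_len]}


def split_transactions(entries):
    """S200/S300: sort by LSN; open a transaction at previous LSN 0, close it at ForgetTransaction."""
    transactions, current = [], None
    for e in sorted(entries, key=lambda e: e["lsn"]):
        if e["prev_lsn"] == 0:
            current = []
            transactions.append(current)
        if current is None:           # no open transaction: its start was overwritten in the circular log
            continue
        current.append(e)
        if e["redo_op"] == FORGET_TRANSACTION:
            current = None
    return transactions


def extract_name_and_time(redo_data):
    """S600: FILETIME at 0x20, name length at 0x50 (assumed one byte, UTF-16 units), name at 0x52."""
    if len(redo_data) < NAME_OFF:
        return None
    filetime, = struct.unpack_from("<Q", redo_data, TIME_OFF)
    name_len = redo_data[NAME_LEN_OFF]
    name = redo_data[NAME_OFF:NAME_OFF + 2 * name_len].decode("utf-16-le")
    return name, filetime_to_datetime(filetime)


def find_deleted_files(transactions):
    """S400/S500: keep transactions containing DeallocateFileRecordSegment, then take the
    UpdateNonResidentValue/Noop record items in them."""
    found = []
    for tx in transactions:
        if not any(e["redo_op"] == DEALLOCATE_FILE_RECORD_SEGMENT for e in tx):
            continue
        for e in tx:
            if e["redo_op"] == UPDATE_NONRESIDENT_VALUE and e["undo_op"] == NOOP:
                hit = extract_name_and_time(e["redo_data"])
                if hit:
                    found.append(hit)
    return found


def deleted_files(raw_entries):
    return find_deleted_files(split_transactions(parse_entry(r) for r in raw_entries))


# ---- constructed sample log (not captured from a real volume) ----
def _entry(lsn, prev_lsn, redo_op, undo_op, redo_data=b"", undo_data=b""):
    hdr = bytearray(0x28)   # assumption: 0x20 fixed fields plus one 8-byte LCN precede the redo content
    struct.pack_into("<6H", hdr, 0, redo_op, undo_op, len(hdr), len(redo_data),
                     len(hdr) + len(redo_data), len(undo_data))
    return struct.pack("<QQ", lsn, prev_lsn).ljust(CLIENT_BASE, b"\0") + bytes(hdr) + redo_data + undo_data


def _index_entry(name, when):
    enc = name.encode("utf-16-le")
    buf = bytearray(NAME_OFF + len(enc))
    struct.pack_into("<Q", buf, TIME_OFF, datetime_to_filetime(when))
    buf[NAME_LEN_OFF] = len(name)
    buf[NAME_OFF:] = enc
    return bytes(buf)


DELETED_AT = datetime(2021, 3, 4, 5, 6, 7, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [                        # deliberately out of LSN order
    _entry(0x1007, 0x1006, FORGET_TRANSACTION, NOOP),
    _entry(0x1002, 0, 0x02, NOOP),         # 0x02 = InitializeFileRecordSegment: a create, not a delete
    _entry(0x1004, 0, DEALLOCATE_FILE_RECORD_SEGMENT, 0x02),
    _entry(0x1003, 0x1002, FORGET_TRANSACTION, NOOP),
    _entry(0x1005, 0x1004, UPDATE_NONRESIDENT_VALUE, UPDATE_NONRESIDENT_VALUE, b"\0" * 0x60),  # undo not Noop
    _entry(0x1006, 0x1005, UPDATE_NONRESIDENT_VALUE, NOOP, _index_entry("secret.docx", DELETED_AT)),
    _entry(0x1008, 0, UPDATE_NONRESIDENT_VALUE, NOOP, _index_entry("kept.txt", DELETED_AT)),  # no deallocate
    _entry(0x1009, 0x1008, FORGET_TRANSACTION, NOOP),
]

if __name__ == "__main__":
    for name, when in deleted_files(SAMPLE_ENTRIES):
        print(f"{when.isoformat()}  {name}")
```

Two caveats a practitioner will want. The split rule in S300 (start at previous LSN 0, stop at ForgetTransaction) assumes that transactions do not interleave in LSN order; on a busy volume they can, and since every record item carries the LSN of its predecessor in the same transaction, walking that chain backwards from each ForgetTransaction record item groups the record items robustly even when they interleave. The $LogFile is also a circular log, so only the deletions from the most recent period of activity can be recovered this way.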
It should be noted that the method of one or more embodiments of the present disclosure may be performed by a single device, such as a computer or server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In such a distributed scenario, one of the devices may perform only one or more steps of the method of one or more embodiments of the present disclosure, and the devices may interact with each other to complete the method.
It should be noted that the above description describes certain embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Corresponding to the method for searching for the file deletion time in NTFS, the present invention further provides an apparatus for searching for the file deletion time in NTFS, as shown in fig. 2, including:
a first searching unit 10, configured to search for the $LogFile according to the header information of the NTFS volume;
a parsing and sorting unit 20, configured to parse the $LogFile, acquire the record items in it, and sort the record items by their sequence numbers;
a dividing unit 30, configured to divide the sorted record items into a plurality of transactions;
a second searching unit 40, configured to search, for each transaction, whether a record item whose redo operation is DeallocateFileRecordSegment exists in the transaction, and if so, to determine the transaction to be a deletion transaction;
a third searching unit 50, configured to search, among the record items of each deletion transaction, for the target record item whose redo operation is UpdateNonResidentValue and whose undo operation is Noop;
an extracting unit 60, configured to extract the file name and the corresponding file deletion time from the target record item.
In the embodiment of the invention, the deletion time of a deleted file in the NTFS file system is determined by locating the $LogFile of the file system, sorting the record items found in the $LogFile, dividing the sorted record items into a plurality of transactions, identifying the deletion transactions among them, searching the record items of each deletion transaction for the target record item by its redo operation and undo operation, and extracting the file name and the corresponding file deletion time from the target record item.
It is to be noted that unless otherwise defined, technical or scientific terms used in one or more embodiments of the present specification should have the ordinary meaning as understood by those of ordinary skill in the art to which this disclosure belongs. The use of "first," "second," and similar terms in one or more embodiments of the specification is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items.
For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, the functionality of the modules may be implemented in the same one or more software and/or hardware implementations in implementing one or more embodiments of the present description.
Based on the same inventive concept, corresponding to any of the above embodiments, one or more embodiments of the present specification further provide an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the method for searching for a file deletion time in an NTFS according to any of the above embodiments.
Fig. 3 is a schematic diagram illustrating a more specific hardware structure of an electronic device according to this embodiment, where the electronic device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
The electronic device of the foregoing embodiment is used to implement the method for searching for the file deletion time in the NTFS according to any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, is limited to these examples; within the spirit of the present disclosure, features from the above embodiments or from different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of different aspects of one or more embodiments of the present description as described above, which are not provided in detail for the sake of brevity.
It is intended that the one or more embodiments of the present specification embrace all such alternatives, modifications and variations as fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of one or more embodiments of the present disclosure are intended to be included within the scope of the present disclosure.