File Monitoring System Based On File Filter Driver Design And Implementation

With the rapid development of computer technology and electronic technology, theprice of the personal computer is lower and lower, the applications are beconming morepopular. The serises of Windows operating system have a very high market share onpersonal computer. There are many software running on Windows, the frequency of fileoperating is very high. Therefore, the aim of this thesis is to research a file monitoringsystem which can monitor the operation of the file. By studying and reserching thissystem, it can not only monitor the operation of the file, but also recover file by theoperation of file.The thesis first describes the framework of Windows system, and researches anumber of important management. And then it introduces the WDK which is a Windowsdriver development tool. The WDK contains head file, library file, document and sourcecode. Moreover, three methods are used to analyze the file monitor, the first way isusing the function by the Windows suppling. Its adventage is that implementation issimpleness. but it cann’t get the context of the IO operations. The second way is usinghook. It’s harder than the first one, but it can get the context of the IO operations.Because of the massive functions of the IO operations, the workload is heavy, and it cannot be extended easily, and it is easy to lose IO operations. The last way is using filterdriver. It can record the IO operations accuratly but it’s hard to be realized. And then,the thesis reserches the principles and implementation of the file filter driver. Finally,the thesis also analizes of the development of file recovery and the differences amongthem.The thesis designs and implements a file monitoring system based on file filterdriver via the theories above. The system first implements the file filter driver, whichcan capture the file operations. The system can save these file operations in remotemachine for querying and using.The using of file monitoring is large, we also can use these operations to help usersto recover lost files. The system has saved the write operations in remote machine. Wecan get the write operations when we need to recover the file, then combine them into recovering file and save it to disc.The system captures file operations at driver level, therefore, it can record thesefile operations accurately and integrity. In order to prevent destroying or losing file bydisaster, this system saves file operation in remote machine. This system only stores themodified part of the file, so it can reduce bandwidth usage and data storage.