| Compared with foreign countries, electronic evidence and data recovery starts relatively latein our country, but has large space to develop, which was carried out to research in recent tenyears and the relationship of which is cross each other. The public security organization dealswith a lot of cases which are related to electronic equipment such as computer hard disk andUSB flash drives at present. The current criminal suspects generally have higher anti-reconnaissance consciousness, who often consciously remove the data of computer hard diskand USB. But the deleted data are crucial for the cases to crack. Data recovery as an importantmeans of public security organization in the work of inspection and identification ofelectronic evidences, plays a decisive role on the qualitative of some case.Public security organization have been using the data recovery techniques to obtain theelectronic evidence for inspection and appraisal, most of which still stay on stage of useautomated software, such as software of Final Data, Easy Recovery and so on. Althoughoperation of these software was simple and rapid, the recovery is very unsatisfactory, whichnot only destroyed the original directory structure of the disk, but also did not recovered anydata sometimes. A study of this issue was carried out in order to increase public securityorganization to solve the case means, which provides important clues to the detection of cases,and sufficient evidence for the prosecution of cases and provide a reliable guarantee for theinspection and appraisal program.First of all, the subject presented the data recovery electronic forensics laboratory appraisalprocess for the purpose of the forensic evidence, which is scientific and reasonable, ensure thequality of the appraisal and make appraisal process more standardized and legal. Next, in thebase of windows disk partition structure and FAT32file system structure, we studiedcomputer hard drive data recovery manual method, proposed the data recovery method in thecase of disk partition master boot record MBR and extended boot record EBR to be destroyedand in the case of windows FAT32file system root directory to be destroyed. This methoduses the manual recovery whose rate can reach a maximum and no damage to the filedirectory structure. |
PDF Full Text Request