Research On File Recovery System For Computer Forensics On Windows

Posted on: 2014-04-19
Degree: Master
Type: Thesis
Country: China
Candidate: Y Hu
Full Text: PDF
GTID: 2268330401967001
Subject: Computer application technology

Abstract/Summary:
With the development of information technology, computer crimes, information disclosure and intrusion events occur frequently. As the key technology against such situations, computer forensics has emerged, and people pay more and more attention to the protection of electronic evidence and the recovery of lost information. When valuable data has been deleted or destroyed, it becomes necessary to retrieve the information through file recovery technology. Current file recovery technology is divided into two kinds: the traditional file recovery technology based on the metadata of the filesystem and the new file-carving technology.

First, this thesis reviews the current state of the theory and methods, as well as the advantages and disadvantages, of both the traditional file recovery technology based on the metadata of the filesystem and the new file-carving technology. At the same time, it points out that the existing file carving techniques still have limitations and face challenges. After extensive research and a deep understanding of the SmartCarving frame model, this thesis proposes using a support vector machine algorithm to improve the block classifier and introduces a new detection algorithm based on the context of blocks. Experiments show that this method of file fragmentation identification improves the accuracy and reduces the false positive rate.

Second, combined with the current file recovery technology, this thesis designs and implements a file recovery system based on the Windows platform as a subsystem of the forensics system, explaining in detail the functions of the file recovery system, the overall framework, the main process and the design of the various components and submodules.

Finally, this file recovery system is compared in detail with two popular file recovery programs, “Easyrecovery” and “Finaldata”, which proves that the author’s carving system has better support for the forensic system, as well as a faster processing speed and better results in the number of correctly carved files.

To sum up, this thesis studies file recovery technology, including the traditional file recovery technology based on the metadata of the filesystem and the new file-carving technology, and finally designs and implements a file recovery system based on the Windows platform. On the one hand, it provides a convenient and practical tool for solving the problem of disk data loss in everyday life; on the other hand, it ends the situation in which the computer forensics field in our country has historically been dependent on foreign products, and pushes the development of our computer forensics to a new stage.
Keywords/Search Tags: file recovery, file carving, computer forensics