| In informational times, malicious or unintentional actions can be a big threat. But if something happens, fetching some useful information from the computer system can be a great help to analyze the reason of the accident or even offer evidence for cases. This is the meaning of sensitive information forensics.Evidence analysis is the core step of computer forensics which is a process of analising digital exhibit, ensuring type of evidence such as checking content of files or recovering files. Visual information can be analysed in normal ways. But when encountering problems that the target information is deleted or even the disk is formatted or partitioned, the only way is data recovery. For these reasons, this paper makes a study of data recovery, and realises a data recovery system. The system includes data recovery modules which are based on level in file system, level in file content and so on. They can complement with each other and make diversity support to forensics.After analyzing the mechanism of disk and file systems in Windows, this paper not only realizes the function of recovering deleted files, but also proposes Algorithm of Minimum Content Feature (AMCF) in content level. The core of the algorithm is to deeply scan the partition in fine grain. The way of which is based on minimum content feature of indexdat, register file, thumbnail of picture and so on These data can complement each other well and. Currently the model has many functions such as recovery the just kind of deleted files, recovering internet surfing traces and so onThe result of experiments also shows that deleted files can be successfully scaned and recovered by file recovery model. The sensitive information recovery model also recovers concrete sensitive information fast and systematically. In addition, these concrete sensitive information recovery models have extremely high speed and recovery rate. This makes it competitive in the field of data recovery. |
PDF Full Text Request