
The Design And Achievement Of Forensics System Based On Linux Operation System

Posted on: 2016-09-10
Degree: Master
Type: Thesis
Country: China
Candidate: X L Zhang
Full Text: PDF
GTID: 2428330470979459
Subject: Computer technology
Abstract/Summary:
This paper studies forensic methods for the Linux operating system and analyzes how Linux manages disks, file systems and memory.

First, the MBR and GPT disk formats are analyzed to obtain their concrete on-disk structures, and an algorithm based on the disk partition table is proposed. The basic idea is: read the disk's master boot record and extract the primary partition table; then analyze each partition table entry and determine the disk format; finally, begin analyzing the disk partitions.

Second, the EXT2, EXT3 and EXT4 file systems within a disk partition are analyzed, and an algorithm based on the inode index node is proposed. The basic idea is: obtain the directory entry from its parent directory and derive the inode number; then calculate the address of the file's inode, from which the addresses of all of its data blocks can be obtained.

Finally, to enable browsing of data at any physical memory address, a method of modifying the memory driver is proposed. The basic idea is: load a recompiled memory driver, then map physical memory to a new custom device file, through which the physical memory data can be read.

The main innovation of this paper is data recovery for the different EXT2, EXT3 and EXT4 file systems. By analyzing the changes in each extended file system before and after data deletion, the author proposes complete data recovery algorithms: for EXT2, an algorithm that scans the inode table; for EXT3 and EXT4, an algorithm that scans the journal file.

Experiments show that these algorithms can analyze disks of different formats, retrieve all files under any extended file system, and browse data at any physical memory address. More importantly, they achieve the maximum possible recovery of deleted data.
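The first algorithm in the abstract (read the MBR, extract the primary partition table, inspect each entry, decide whether the disk is MBR or GPT) is a short, well-specified parsing task. The following Python is an added example written for this page, not code from the thesis: it parses the four 16-byte entries at offset 446 of a 512-byte sector, checks the 0x55AA boot signature, and treats a type-0xEE protective entry as the marker of a GPT disk. The two sample sectors are constructed in the script itself rather than read from a real drive, and the partition-type table is a small, partial subset chosen for illustration.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"          # boot signature at bytes 510..511
PARTITION_TABLE_OFFSET = 446         # four primary entries start here
PARTITION_ENTRY_SIZE = 16
GPT_PROTECTIVE_TYPE = 0xEE           # a protective MBR entry signals a GPT disk

# Partial table of common partition type codes (illustrative subset only).
PARTITION_TYPES = {
    0x00: "empty",
    0x05: "extended (CHS)",
    0x07: "NTFS/exFAT",
    0x0F: "extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective",
}

# Entry layout: boot flag (1), CHS start (3), type (1), CHS end (3),
# LBA start (4, little-endian), sector count (4, little-endian).
ENTRY_FORMAT = "<B3xB3xII"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition table entry."""
    boot_flag, type_code, lba_start, sector_count = struct.unpack_from(ENTRY_FORMAT, entry)
    return {
        "bootable": boot_flag == 0x80,
        "type": type_code,
        "type_name": PARTITION_TYPES.get(type_code, f"unknown (0x{type_code:02x})"),
        "lba_start": lba_start,
        "sectors": sector_count,
        # byte offset of the partition's first sector, useful for carving
        "byte_offset": lba_start * SECTOR_SIZE,
    }


def parse_mbr(sector: bytes) -> dict:
    """Extract the primary partition table and classify the disk as MBR or GPT."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR sector")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = parse_partition_entry(sector[off:off + PARTITION_ENTRY_SIZE])
        if entry["type"] != 0x00:          # skip unused slots
            entries.append(entry)
    disk_format = "GPT" if any(e["type"] == GPT_PROTECTIVE_TYPE for e in entries) else "MBR"
    return {"format": disk_format, "partitions": entries}


def build_sample_mbr(partitions) -> bytes:
    """Construct a synthetic MBR sector for testing (not captured from a real disk)."""
    sector = bytearray(SECTOR_SIZE)
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        struct.pack_into(ENTRY_FORMAT, sector, off, 0x80 if bootable else 0x00, ptype, lba_start, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed sample: a classic three-partition Linux layout.
SAMPLE_MBR = build_sample_mbr([
    (True, 0x83, 2048, 1048576),        # bootable Linux partition
    (False, 0x82, 1050624, 2097152),    # Linux swap
    (False, 0x83, 3147776, 8388608),    # Linux root
])

# Constructed sample: the protective MBR a GPT-formatted disk carries.
SAMPLE_GPT_PROTECTIVE = build_sample_mbr([(False, 0xEE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    for name, disk in (("sample-mbr", SAMPLE_MBR), ("sample-gpt", SAMPLE_GPT_PROTECTIVE)):
        result = parse_mbr(disk)
        print(f"{name}: format={result['format']}")
        for p in result["partitions"]:
            print(f"  type=0x{p['type']:02x} {p['type_name']:<16} lba={p['lba_start']} "
                  f"sectors={p['sectors']} offset={p['byte_offset']} boot={p['bootable']}")
```

The parser stops where the abstract's first step stops: it reads only the primary table. On a real MBR disk an extended entry (type 0x05 or 0x0F) points at a chain of extended boot records that must be followed to enumerate logical partitions, and on a GPT disk the protective entry should be taken as a cue to parse the GPT header at LBA 1 rather than trusted for partition boundaries.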
Keywords/Search Tags:Linux Operating System, Data Forensics, Solid Media Management, Extended File System, Data Recovery, Physical Memory Acquisition