公开(公告)号：US20170139783A1

公开(公告)日：2017-05-18

申请号：US15224853

申请日：2016-08-01

Applicant: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE

Inventor： Hyunuk HWANG ,  Kibom KIM ,  Seungyong LEE ,  Seongtaek CHEE

IPC: G06F11/14 ,  G06F17/30

CPC classification number: G06F11/1469 ,  G06F11/1435 ,  G06F16/1727 ,  G06F2201/80

Abstract: A method and an apparatus for recovery of a file system using metadata and data clusters. The apparatus for recovery of a file system generates an MFT entry list in a disc or an evidence image, collects at least one data cluster candidate, and uses at least one MFT entry and at least one data cluster candidate within the MFT entry list to generate at least one MFT entry-data cluster pair candidate. The apparatus for recovery of a file system analyzes the at least one MFT entry-data cluster pair candidate to determine attribute values of a virtual partition and generate the virtual partition based on the attribute values.

公开(公告)号：US20160077918A1

公开(公告)日：2016-03-17

申请号：US14547248

申请日：2014-11-19

Applicant: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE

Inventor： Hyunuk HWANG ,  Kibom KIM ,  Seungyong LEE

IPC: G06F11/14 ,  G06F11/20

CPC classification number: G06F11/1435 ,  G06F11/1417 ,  G06F11/1451 ,  G06F11/1469 ,  G06F11/2058 ,  G06F11/2069 ,  G06F2201/84

Abstract: A method and apparatus for recovering a partition based on file system metadata, which calculate core information necessary for the recovery of a partition using only the MFT entry information of $MFT and recover a deleted partition when an MBR and a GPT that correspond to the partition configuration information of a disk and a BR and a BBR that store the configuration information of a volume are deleted or destroyed. The method includes determining an unallocated area in a disk or an evidence image, collecting MFT entries from the unallocated area, generating MFT partition candidate information by analyzing the MFT entries, and creating information enabling a layout of a partition to be reconfigured based on the MFT partition candidate information, and creating a tree structure using the created information and the MFT entries.

Abstract translation: 一种用于基于文件系统元数据恢复分区的方法和装置，该文件系统元数据使用仅MFT条目信息$ MFT来计算恢复分区所需的核心信息，并且当与分区对应的MBR和GPT时恢复已删除分区 存储卷的配置信息的磁盘和BR的配置信息和BBR被删除或销毁。 该方法包括确定磁盘或证据图像中的未分配区域，从未分配区域收集MFT条目，通过分析MFT条目来生成MFT分区候选信息，以及创建能够基于MFT重配置分区的布局的信息 分区候选信息，以及使用创建的信息和MFT条目创建树结构。