| Windows Vista系统日志雕复方法研究与实现 |
| |
| 引用本文: | 楼永坚,王鹏. Windows Vista系统日志雕复方法研究与实现[J]. 杭州电子科技大学学报, 2011, 31(1) |
| |
| 作者姓名: | 楼永坚 王鹏 |
| |
| 作者单位: | 杭州电子科技大学计算机学院,浙江,杭州,310018 |
| |
| 摘 要: | 该文研究了一种全新的日志文件格式-Windows Vista系统的日志文件EVTX,通过深入剖析其结构特征,提出了基于内容特征的EVTX文件雕复方法。该方法采用Evtx文件的文件头、文件块数目验证来确认文件是否分片,确认完整文件的实际尾部;利用文件块特征来搜索和匹配分片文件的数据块Chunk;从数据块Chunk中提取单条日志文件记录并解析其内容为文本形式。实验以一个Windows Visa分区镜像为数据集,实验表明该雕复方法可以自动且准确地雕复在原始磁盘镜像中连续和分片存储的Evtx文件。
|
| 关 键 词: | 日志文件 文件雕复 内容特征 |
The Research and Realization of Event Log Carving Method in Vista System |
| |
| LOU Yong-jian,WANG Peng. The Research and Realization of Event Log Carving Method in Vista System[J]. Journal of Hangzhou Dianzi University, 2011, 31(1) |
| |
| Authors: | LOU Yong-jian WANG Peng |
| |
| Affiliation: | LOU Yong-jian,WANG Peng(School of Computer,Hangzhou Dianzi University,Hangzhou Zhejiang 310018,China) |
| |
| Abstract: | This paper presents in-depth study of a brand-new log file format-EVTX file format under windows vista system.The presented Evtx file carving method which is based on content character includes some validation steps: header/chunk num/chunk check validation,chunk-based fragment search and reassembly validation,single record extraction and format transformation.This carving method can carve automatically the contiguous Evtx file and the fragmented Evtx file in the original disc image,no matter in-order or dis... |
| |
| Keywords: | vista event log file Evtx file carving content character |
| 本文献已被 CNKI 维普 万方数据 等数据库收录! |
