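Abstract: This paper focuses on analyzing the Recycle Bin across Windows versions. It examines the principle and function of the Windows Recycle Bin, the Recycle Bin file format of Windows XP, and the Recycle Bin file formats of Windows 7 and Windows 10. It carries out in-depth electronic data forensics research on the Recycle Bin folder of Windows systems; in the course of the research, WinHex is the main tool used to analyze the files stored in the Recycle Bin, and information such as the content, deletion time and deletion path of files deleted by the user is successfully obtained, with the aim of providing a reliable basis for building a complete chain of evidence in electronic data forensics.
Keywords: Windows; Recycle Bin; electronic data forensics
CLC number: TP316.7; D918.2  Document code: A  Article ID: 2096-4706(2019)11-0087-03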
Comparative Study on the Characteristics of Electronic Evidence in Windows System Recycle Bin
WANG Zhiming
(Criminal Investigation Police University of China, Cyber Crime Investigation Department, Shenyang 110854, China)
Abstract: This article focuses on the analysis of the recycle bin in the various Windows versions. It analyzes the principle and function of the Windows recycle bin, the Windows XP recycle bin file format, and the recycle bin file formats of Windows 7 and Windows 10. In-depth electronic data forensics research on the recycle bin folder of Windows systems is carried out. WinHex is the main software used to analyze the files stored in the recycle bin, and the file contents, deletion time and deletion path of the deleted files are successfully obtained. The work is intended to provide a reliable basis for the construction of a complete evidence chain for electronic data forensics.
Keywords: Windows; recycle bin; electronic data forensics
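About the author: WANG Zhiming (1993-), male, Han ethnicity, from Jinan, Shandong; graduate student; research interest: network security law enforcement technology.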