Home PC Games Linux Windows Database Network Programming Server Mobile  
           
  Home \ Linux \ Disk storage structure and file recovery experiment (FAT file system)     - How to adjust the system time CentOS (Linux)

- CentOS6.5 install SVN & visual management tools iF.SVNAdmin (Server)

- Ubuntu file security removal tool (Linux)

- Is Linux the most secure operating system (Linux)

- Java Foundation - Variables and data types (Programming)

- ARM assembler instruction debugging method (Programming)

- Adjustment expand VMDK format VirtualBox disk space (Linux)

- To install Ganglia configuration of experience under CentOS 5.5 (Linux)

- Cacti installation deployment under CentOS 6.6 (Server)

- CentOS iptables firewall enabled (Linux)

- GoldenGate for Oracle data consistency initializing (Database)

- JavaScript object - Flexible and dangerous (Programming)

- CentOS 6.5 installation and simple configuration Nginx (Server)

- Linux compiler of GCC (Linux)

- Deep understanding of C # generics (Programming)

- Linux boot process (Linux)

- Changes in C # asynchronous programming model (Programming)

- Linux print file and send mail (Linux)

- Findbugs installation documentation (Linux)

- C language sorting instance (select, bubble, insert, binary, fast) (Programming)

 
         
  Disk storage structure and file recovery experiment (FAT file system)
     
  Add Date : 2018-11-21      
         
         
         
  Experimental Location: Main Building A2-412

A laboratory Title: Main Laboratory A2-412

Second, the experimental project name: disk storage structure and file recovery experiment

Third, the Experimental Hours: 6 hours

Fourth, the experiment works:

In the Debug environment using the basic assembler for the boot sector, file allocation table, the table of contents and other structures displayed and analyzed;

Use tools WINHEX specified file (deleted files) for recovery.

Fifth, the purpose of the experiment:

1) understand the file system on the disk to store the image and its position and role in the security system;

2) understand the directory structure and file access method;

3) master the basic use of the system assembler technical and programming disk access and file structure for data recovery foundation.

Six Experiment:

1) In DEGUB, using the assembler instruction reads MBS boot sector, recorded and analyzed the structure described.

2) Under DEGUB, using the assembler instruction to read the boot sector DBS, record and analyze the structure described.

3) In DEGUB, using the assembler instruction reads FAT, FDT, record and analyze the structure described.

4) generating a simple text file (* .txt file), combined with FAT, FDT information, the use of assembly instructions, find and read the file on the hard disk, recording and description of the discovery process.

5) Remove the resulting text file, view the file in FAT, FDT corresponding to the file storage and file status in the data area corresponding to the contents of the sector, indicating that the file delete operation principle.

6) Use WINHEX software file recovery exercises.

 

Seven test equipment (equipment, components):

PC computer via one (at least having a FAT formatted disk partition), VMware Workstation6.0 virtual machine software, DOS7.0, WINHEX software.

Eight experimental steps:

A task to read the boot sector MBS

1. In DEGUB, using the assembler instruction reads MBS boot sector.

2. The display of information, analysis and description of MBS structure Byte Meaning and specific values.

 

Task two, and disk boot sector is read DBS BPB parameter block

      1. In DEGUB, using the assembler instruction reads DBS boot sector.

      2. The display of information, analysis shows that the structure of the boot sector.

      3. The display information Description Disk Parameter Block BPB structure and each segment specific meaning and value.

 

Task three reading FAT table

      1. Generating a simple text file (* .txt file), and "long file name."

2. In DEGUB, using the assembler instruction to read the FAT table.

      3. The display information on the role and format of the FAT.

 

Task four, Find File

      1. In "Task three" generated text file (* .txt file) as the target, locate the file according to FDT.

    2. According to the BPB information, calculate FDT position.

    3. Code display FDT.

    4. According FDT information to determine the document's first cluster, calculates the target file starting sector position according to the formula.

5. Write code to read the file corresponding to the sector, to view the contents of a file stored in the sector.

 

Task V. principle deleted files

    1. Delete the generated text file

    2. See FDT, check the deleted files in the FDT corresponding to the state change information.

    3. See FAT, check the deleted files in the FAT corresponding to the state change information.

4. View the contents of deleted files in the data area of ​​the sector, to understand the principles of deleted files.

   

Task Six, file recovery

1. In FAT16 (32) formatted disks using WINHEX file recovery exercises.

 

Nine, the experimental data and results analysis:

Task One: Read MBS boot sector

1. DEBUG instruction given in preparation of a complete record (copy screen output) read out the contents of the boot sector of MBS, and its structural analysis and description.

These are the codes as well as the entire contents of mbs, 1000-11b7 to guide program, 11b8-11bb disk signature, 11bc-11bd 0,11be-11fd default partition table, four entries, each 16 bytes. This example is only one partition at the beginning of a 80 byte represents the primary active partition. The last two bytes of the end flag.

2. Calculates the current disk space.

Current disk space is reserved sectors (including MBR) plus all the partition size, there is reserved sectors 3f, partition size to see the last 4 bytes (11ca-11cd), namely 03bf85, a total of 03bfc4 * 0200 bytes.

Task Two: Read DBS boot sector

1. DEBUG instruction is given to write a complete record (copy screen output) read out the contents of the boot sector of DBS and its structural analysis and description.

Above all the code and content dbr, 1000-1001 for the jump instruction, 1002 nop, 1003-100a for OEM code, 100b-103d is bpb, 103e-11fd for the boot program, the last two bytes of the end flag.

2. Description and calculate disk BPB parameter block and each segment of the meaning and structure of specific values.

The number of bytes per sector 0200 (100b-100c), the number of sectors per cluster 4 (100d), DBR number of reserved sectors 1 (100e-100f), the number of FAT 2 (1010), the root of the maximum number of directory entries 0200 (1011-1012), the total number of sector 0 (1013-1014), the media descriptor f8 (1015), the number of sectors per FAT 0f0 (1016-1018), the number of sectors per track 3f (1018-1019), the number of heads 4 (101a-101b), hidden sectors 3f (101c-101f), the total number of sectors 3bf85 (1020-1023), BIOS drive number 80 (1024), 1025 unused, extended boot flag 29 (1026), volume serial No. 2f2f1ceb (1027-102a), label 202020303137534f44534d (102b-1035), the file system type fat16 (1036-103d).

Task three: reading FAT table

DEBUG instruction is given to write a complete record (copy screen output) read out FAT table contents, and describes the role and the FAT format.

Above code and fat1. Each item occupies two bytes fat: 0 Description Media types, f8 represents the hard disk; No. 1 is a dirty mark; No. 2 did not play two bytes 1fat items: fff7 represents bad clusters, ffff represents a file last clusters, 00 clusters available, the other represents a cluster of cluster number of a file.

Task four: Find File

Record and explain the process to find text files, as well as results and analysis produced by each step.

1. According to the BPB information, calculate FDT position.

2. Code display FDT, observe the long file name display format, and record the first cluster number of the target file.

3. Calculating a target file starting sector position according to the formula.

4. Read the contents of the file in the data area of ​​the sector and recorded.

Here are experimenting with fat16 and fat32:

Fat16:

According bpb, each table fat accounted 0f0 bytes reserved sectors to 1, the start sector is fdt 1 + 0f0 * 2 = 1e1.

Above fdt content, personal feel with the l command much simpler, but also relates to the code above a number of sectors per track, etc., with the following l achieve the same functionality:

I use fat16 does not support long file names, so the back again done it again with the fat32, where you can also read the file contents. As 1e1 (fdt) + 20h + 4 = 205h, starting sector + fdt size + (3-2) * number of sectors per cluster that is fdt. The first cluster file directory entry can be seen from the 6 penultimate byte and 5th byte.

Said the following fat32:

The basic principle is similar with fat16:

Bpb here need to say is certainly not the same, fat table entry is 4 bytes, we are now the main purpose is to see long file names, no more than the superfluous.

The above is part of the root directory entries, the other being the province. When here to see the document LIHUAN ~ 1.TXT, create long file names, will create a short file name, the first 6 bytes + ~ 1 constitutes a short file name, another long file names require multiple directory entries, which reverse order before short filename directory entries. Now find its contents: Because fat32 the root directory on the data area, and therefore the location of files: 20 (reserved number of sectors) + 2 * 0ff7 (fat size, in 1024-1027) + (08b5-2) * 8 = 65a6 :

Task Five: Delete files principles

1. Display FDT, record deleted files in the FDT corresponding to the state change information.

2. Display FAT, deleted files recorded in the FAT corresponding state change information.

3. View the contents of deleted files in the data area sectors.

4. The above results illustrate the principle of deleted files.

fat table entry corresponding to fat cleared 0, fdt directory entry corresponding to the first byte of nearly modify e5, does not modify the contents of the file. The so-called delete, delete the entry that is fat, fdt been marked e5 represents occupies, has been removed.


Task Six: File Recovery

1. Record and describe the main parameters WINHEX disk recovery operation during use.

The main parameters used in previous dos disk in the same, according to the bpb find fat, bpb can be found in the root directory of the first cluster number, combined with the size of the number of fat, find the root directory for the file first cluster, targeting, interception of content and paste it into a new file where to get.

2. The main steps for recovery operations using WINHEX brief narrative.

Following treatment with at winhex under xp disk fat32 partition contents:

Create a file:

In winhex watching:

To completely delete a file:

Front dos principle is the same, with winhex find the root directory:

To find content based on the first cluster number 3 (said here about where the file has been modified in fact address, but this is the first cluster number 0 High cleared see the effect, the lower does not modify). The contents of the file saved in the d interception out a new disk file:

Then open, and the contents of the source file as a successful recovery.


X. experimental results:

Fully understand the mbr, dbr, bpb, fat, fdt other structures, due to the simultaneous operation of fat16 and fat32, we can see the similarities and differences of each structure, familiar with the long file name is stored, and personally restored a file, a lot of harvest.

XI Summary and experiences:

Through this experiment, to understand how files are stored on disk, and by what means and methods to find them on disk files and read and write data on the disk and delete what will change and results for the next a further understanding of the recovery files and data foundation. Mastering basic system assembler (Debug compilation) disk technology and programming methods and file structure access.
     
         
         
         
  More:      
 
- Four Methods of Self - Learning Linux (Linux)
- OpenCV 3.0 + Python 2.7 installation and testing under Ubuntu 14.04 (Linux)
- SUSE Linux network configuration and firewall configuration (Linux)
- Java Virtual Machine class loading mechanism and bytecode execution engine (Programming)
- 29 practical examples Linux system / network administrator of nmap (Linux)
- Oracle 11g user rights management study notes (Database)
- Btrfs file system creation and their characteristics in Linux (Linux)
- Ubuntu installed racing game Speed Dreams 2.1 (Linux)
- Whisker Menu 1.4.3 Install menu Linux (Linux)
- Spark read more HBase tables a RDD (Server)
- Ubuntu use three methods to install Ruby (Linux)
- To build Spring RestTemplate use HttpClient4 (Programming)
- RegExp object implements regular match --JavaScript (Programming)
- CentOS7 Minimal minimize installation and then install the GNOME graphical interface (Linux)
- VSFTPD Security (Linux)
- Packages with Snort intrusion monitoring light (Linux)
- Docker Build a Java compiler environment (Linux)
- ORA-600 [kcbz_check_objd_typ] Error Handling (Database)
- Linux operating tips: Can not open file for writing or operation not permitted solution (Linux)
- netfilter- in kernel mode network packet operation (Linux)
     
           
     
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.