计算机取证实验.docxVIP

实验一文件恢复FAT 在我的U盘新建一个图片imag0326.jpg,然后删除。 打开winhex,打开U盘根目录，找到文件imagO326.jpg,找到文件开头地址和结束地址。 Un* level Und? reverses AHOC OfvISiNt drM spac? n/a Clus:er No Offset 0 T 2 3 T 5 T 7 T 9 A B c D E FE5 37 00 34 00 32 00 32 00 2E 00 OF 00 B9 6A 0070 00 67 00 00 00 FF FF FF FF 00 00 FF FF FF FFES 69 00 6D 00 67 00 3D 00 33 00 OF 00 B9 32 0036 00 5F 00 31 00 37 00 31 00 00 00 30 00 35 00E5 4D 47 30 33 32 7E 31 4A 50 47 20 00 48 0B 026A 3F 6A 3F 00 00 4D 89 7A 3E 03 00 6C C2 00 0041 33 00 2E 00 64 00 6F 00 63 00 OF 00 OC 78 0000 00 FF FF FF FF FF Fr FF FF 00 00 FF FF FF FF33 37 36 45 39 7E 31 2D 44 4F 43 20 00 7E 13 02 Dnvf H 100% free File system FAT32 Default Edtt Mode Stale: original 0 2JIT_0~ A 1 j . p?g…yyyy??yyyy I?in?g?0?3?? ? j2? 6?_?1*7.1??.0.5. 6MG032^1JPG ?H… j?j?..Mlz..1A.. A3 ? ? ? d ? o ? c ? ? ? ? x ? ..yyyyyyyy. .yyyy 376E9T DOC 找到文件开头地址 0 0 0 0 Go To Sector 0 Logical: Physical: OK Sector: 16392 =Cluster: 3 Cylinder/T rack:[ Head/Side: [ Sector: Cancel 16384 17824 16496 16392 0 1158 8771 \ 回 Cluster 2 Total: 1 Fr^ent (s): 1 用计算器算出文件偏移地址，输入偏移地址，找到文件尾地址。 转到偲移 New position: 49772 ▼「Bytes ’ (hexadec.) relative to... beginning Q current positioncurrent position (back from)end (back from) 17824 16496 16392 0 1158 8771 Cluster 2 Total: 1 Fragwtnt (s)： 1 OK Cancel frAA Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F _J Al _d 二 L/nw n. File s/stom FAT32 0084A740 B3 A4 23 63 D8 50 8C 4B 9E C5 BC 9F 95 D5 A3 2B M#c0PIKlAWIlO￡* 0084A750 91 4A 92 28 71 DF 51 17 31 6C 12 8D 28 9A 6B A4 J(qBQ?ll..(lk? Dtfatlt Edit Mode OO84A760 01 A4 9E 53 7D A5 CD 2A 01 59 28 AD B7 7D DA 9A State onginal 0084A770 E7 C3 22 AB 3A EC C5 73 22 28 23 04 60 88 53 08 Undolevtl 0 0084A780 99 95 OC 29 AA 0E D5 EF C6 2B 4F BA 56 2C 8C 5C II Undorevtrsts n/a 0084A790 99 20 IF DC C6 8A IE B7 11 A4 90 48 9E AC 08 6B 1 ?U总???■?Hlr.k AlUw* Af Kr*ja ce^rA 0084A7AO EA BA 52 73 16 DC 85 Cl Bl 0E EC Cl 3B 3E 2C 46 e2Rs.UIA±.iA;,F