
Rebuilding an NTFS Partition with PC-3000 Data Extractor

We live in a world where PCs can be infected with malware. The best-known example is WannaCry, which infected many computers in different countries of the world. However, there are many other malware worms that execute on a system and target running computers.


Usually, malware exploits a vulnerability in the Microsoft Windows operating system, where the NTFS file system is used in most cases. So we would like to give a couple of examples of how Data Extractor can recover an NTFS partition that was the target of a malware attack.

First, a little theory about the NTFS file system structure. You can read the basic details here.

In our case, the MBR, the GPT table, the main NTFS boot and several MFT records were erased.

However, most of the NTFS partition and the NTFS boot copy escaped unharmed and can be imaged, as shown here:


If you are a detective or a data recovery specialist, then you know that you can use the boot copy to get actual information about the whole partition. The option suited to this case is ‘Quick disk analysis’, which searches for file system structures at the beginning and at the end of the drive and tries to build whole partitions based on the file system structures it finds.

The results after the ‘Quick disk analysis’ option look like this:

We are now working with the virtual partition in Data Extractor, and we can recover most of the files on the partition right away. But if you are a detective or a malware researcher, you may want to investigate the evidence of malware actions with other software.

The main problem in this case is that you can’t open the recovered NTFS partition without Data Extractor (the boot is lost). PC-3000 Data Extractor lets you rebuild the lost file system structures, so that you can investigate the evidence of malware actions with other software.

There are two methods to do that in Data Extractor:

  1. Make a snapshot of the found partition. Right-click the virtual NTFS boot in Explorer and select ‘Make snapshot’:

This method scans all entries of the partition:

Finally, it creates another virtual partition, which is a snapshot of the initial one.

This method has advantages and disadvantages. The main advantage is that you get all available files on this partition. The disadvantages are that you get a list of the files that were on the file system, not the file system itself (the snapshot doesn’t include data from sectors outside the file map), and, perhaps the main disadvantage, it can take a lot of time (imagine making a snapshot of a RAID array file system several TB in size).

  2. The second method is to create a virtual disk for the file system. It is similar to the virtual machine mounting procedure in Data Extractor. Open the map of the partition:


We get the map of the partition and can verify that the main boot is now available (it was recovered from the boot copy):


It’s here!!! Pay attention to the note that the sector was modified. (All modifications are performed on a copy of the data, so you will not lose any evidence of malware actions.)

The next step is to mount the map of the partition as a virtual disk:


And we get the solid disk.


We can now mount it in the operating system or extract it to another drive for further investigation.
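An added example, not PC-3000's code and not part of the original article: a Python sketch of the idea behind both ‘Quick disk analysis’ and the boot-copy restoration described above. It assumes 512-byte sectors and a standard Windows-formatted volume whose boot copy occupies the sector immediately after the volume's total-sector count; the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512  # assumption: the image uses 512-byte sectors

def parse_ntfs_boot(sec):
    """Return BPB fields if `sec` is a plausible NTFS boot sector, else None."""
    if len(sec) < SECTOR or sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
        return None
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)   # bytes/sector, sectors/cluster
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sec, 0x28)
    if bps != SECTOR or spc == 0 or total == 0:
        return None
    return {"spc": spc, "total": total, "mft_lcn": mft_lcn, "mirr_lcn": mirr_lcn}

def find_partition(image):
    """Scan from the end of the image for a boot copy; derive the layout from it."""
    for lba in range(len(image) // SECTOR - 1, 0, -1):
        bpb = parse_ntfs_boot(image[lba * SECTOR:(lba + 1) * SECTOR])
        start = lba - bpb["total"] if bpb else -1  # copy sits just past the volume
        if start < 0:
            continue
        def is_file(lcn):  # does a FILE record start at this cluster?
            off = (start + lcn * bpb["spc"]) * SECTOR
            return image[off:off + 4] == b"FILE"
        return {"start_lba": start, "boot_copy_lba": lba,
                "mft_ok": is_file(bpb["mft_lcn"]), "mirr_ok": is_file(bpb["mirr_lcn"])}
    return None

def restore_main_boot(image):
    """Return a modified COPY with the boot copy written over the erased main boot."""
    part = find_partition(image)
    if part is None:
        return None
    out = bytearray(image)                      # the evidence image is never touched
    src, dst = part["boot_copy_lba"] * SECTOR, part["start_lba"] * SECTOR
    out[dst:dst + SECTOR] = out[src:src + SECTOR]
    return bytes(out)

def make_sample_image():
    """Constructed 56-sector image: volume at LBA 8, MBR/GPT/main boot/$MFT zeroed."""
    img = bytearray(56 * SECTOR)
    boot = bytearray(SECTOR)
    boot[0:11] = b"\xeb\x52\x90NTFS    "
    struct.pack_into("<HB", boot, 0x0B, SECTOR, 1)
    struct.pack_into("<QQQ", boot, 0x28, 40, 4, 20)   # total sectors, $MFT, $MFTMirr
    boot[510:512] = b"\x55\xaa"
    img[48 * SECTOR:49 * SECTOR] = boot               # boot copy at LBA 8 + 40
    img[28 * SECTOR:28 * SECTOR + 4] = b"FILE"        # $MFTMirr at LBA 8 + 20 survives
    return bytes(img)
```

On the constructed image, `find_partition` reports the volume start at LBA 8 with the `$MFT` start erased and `$MFTMirr` intact, which is the kind of cross-check that helps reject a stray boot sector stored inside a file.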

When reposting, please credit: Chengdu Qianxi Data Recovery Center » Rebuilding an NTFS Partition with PC-3000 Data Extractor
