
CN115373897B - A method for reading volume shadow backup data - Google Patents


Publication number
CN115373897B
Authority
CN
China
Prior art keywords
data block
executing
data
current
block
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210735162.4A
Other languages
Chinese (zh)
Other versions
CN115373897A (en)
Inventor
梁效宁
韩勇
许超明
张佳强
冯火军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xly Salvationdata Technology Inc
Original Assignee
Xly Salvationdata Technology Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xly Salvationdata Technology Inc
Priority to CN202210735162.4A
Publication of CN115373897A
Application granted
Publication of CN115373897B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/07: Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14: Error detection or correction of the data by redundancy in operation
    • G06F11/1402: Saving, restoring, recovering or retrying
    • G06F11/1446: Point-in-time backing up or restoration of persistent data
    • G06F11/1448: Management of the data involved in backup or backup restore
    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00: Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06: Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601: Interfaces specially adapted for storage systems
    • G06F3/0628: Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0638: Organizing or formatting or addressing of data
    • G06F3/064: Management of blocks
    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00: Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06: Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601: Interfaces specially adapted for storage systems
    • G06F3/0628: Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0662: Virtualisation aspects
    • G06F3/0665: Virtualisation aspects at area level, e.g. provisioning of virtual or logical volumes

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Human Computer Interaction (AREA)
  • Quality & Reliability (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method for reading volume shadow backup data. The method analyzes the file format and data structures of the volume shadow backup storage and judges: whether a data block descriptor corresponding to the current data block exists; whether the current data block is an overlay and whether the current backup storage is the top of the snapshot stack; whether the current data block is a forwarder data block and whether a next backup storage exists; whether the identification bit of a reverse-mapped forwarder data block descriptor exists; and whether the current backup storage is at the top of the snapshot stack and whether the current data block is marked by the bitmap. According to these results, the corresponding parts of the volume shadow backup data are extracted and finally merged and output.

Description

Method for reading volume shadow backup data
Technical Field
The invention belongs to the field of electronic evidence collection, and relates to a method for reading volume shadow backup data.
Background
Although many tools and papers study volume shadow technology and extract data from volume shadow backup files, all of them do so through the functional interface (API) provided by the Windows operating system itself. The prior art does not know the file format and data structures of the shadow backup, nor how to read data from the shadow backup without the help of the Windows operating system's own functional interface.
In electronic evidence collection, disk image files are often analyzed, and a disk image file may contain shadow backup files. In this case the data in the shadow backup files inside the disk image cannot be read through the functional interface provided by the Windows operating system, because a shadow backup file can only be read by the system to which the shadow file belongs. Therefore the only option is to analyze the file format of the shadow copy, work out how the data is to be read, and then read the data from the shadow copy.
Disclosure of Invention
To address the technical problems in the prior art, the invention provides a method for reading volume shadow backup data, which works as follows:
By analyzing the file format and data structures of the volume shadow backup storage, the method judges whether the backup storage has a data block descriptor corresponding to the current data block; whether the current data block is an overlay and whether the current backup storage is the top of the snapshot stack; whether the current data block is a forwarder data block and whether a next backup storage exists; whether a reverse-mapped forwarder data block descriptor exists; and whether the current backup storage is at the top of the snapshot stack and whether the current data block is marked by the bitmap. According to these results, the corresponding parts of the volume shadow backup data are extracted and finally merged and output.
Related terms and their explanations:
Block: data block (a 16KB data block inside the volume shadow)
Block descriptors: data block descriptor (data structure describing changes to backed-up block data)
Overlay block descriptors: overlay data block descriptor (describes a change to a smaller region inside a backed-up block, typically a 512-byte data change)
Forwarder block descriptors: forwarder data block descriptor (describes that the backed-up block is not in the store but at its original location on the disk volume, which is equivalent to having the backed-up block placed in the store)
Header: volume shadow header data structure (contains some structural information of the volume shadow)
Catalog: backup storage directory (stores index information of the backup storage)
Store: backup storage (where backup data is actually stored in the volume shadow)
Store information: backup storage information (metadata data structure of the backup storage)
Store block list: backup storage data block list (data blocks on the disk volume that have been backed up)
Store range list: backup storage address range list (disk data blocks used by the backup storage itself)
Original offset: original offset (original offset of the backed-up data block on the disk volume)
Relative store data offset: relative offset (storage offset of the backed-up data block within the backup storage)
GUID: global identifier (a data structure identifier)
Current volume: current volume (the disk volume currently in use)
Flag: flag bit (flags how a data block is backed up; its value determines the block descriptor type)
Bitmap: bitmap (identifies which blocks are backed up in the backup storage)
Allocation bitmap: allocation bitmap (identifies, in 512-byte units, which regions of a data block are backed up to the backup storage)
The volume shadow backup technique is based on disk volumes, not on files on disk. One shadow backup therefore corresponds to one disk volume, and one disk volume corresponds to one shadow backup.
The volume shadow only supports disk volumes with the NTFS file system.
The volume shadow manages data in 16KB blocks, as does the data management method of the disk volume.
The data structure of the volume shadow is contained in the data structure of the disk volume.
The data structure of the volume shadow comprises three main parts:
1. header
2. catalog
3. Stores
These three data structures are contained in the data structure of the disk volume; their layout across the disk volume is shown in FIG. 2:
The header is located at offset 0x1e00 of the disk volume; the volume shadow header contains a GUID identifier and the offset of the catalog.
The catalog structure is composed of the following parts:
GUID identifier
Creation time of the Store structure
Offset of the Store structure in the volume
A Store is where the backup data of a disk volume is actually stored; it is in effect a snapshot of the disk volume. A Store does not hold all data of the disk volume. Instead it tracks the disk volume in 16KB blocks, and a block of the disk volume is backed up to the Store only when that block is modified.
The Store is composed of the following parts:
Store information
Store current bitmap
Bitmap offset of previous Store
Store block list
Store range list
Store information contains:
Store identifier (ID)
Host name and service provider name
Store current bitmap:
Each Store has a current bitmap that indicates which 16KB blocks on the disk volume are being used (i.e., backed up) by that Store. If the bit of the corresponding block is set, the block is not used (backed up) by the Store.
The bitmap of the previous Store indicates which 16KB blocks on the disk volume are being used (backed up) by the previous Store. If the bit of the corresponding block is set, the block is not used (backed up) by the previous Store. Not every Store has a bitmap of the previous Store; the first Store created does not have this value.
When reading the backup data in a Store, these two bitmaps can in practice be ignored and the data in the Store block list read directly.
Store range list denotes the blocks on the disk volume used by the Store itself.
Store block list represents the blocks of the disk volume that were backed up. The Store block list uses block descriptors to describe how blocks on the disk volume are backed up.
Block descriptors contain the following data parts:
Original offset (the original location of the backed-up block on the disk volume)
Relative store data offset (the storage location of the backed-up block in the Store)
Flag (identification bit; identifies how the block is backed up)
Allocation bitmap (used when the Flags indicate an overlay)
Disk snapshot stack:
One disk volume may have multiple shadow copies, i.e., multiple disk snapshots. Each snapshot corresponds to one Store, so there are multiple Stores, kept in a stack: the most recent Store is at the top of the stack and the oldest Store is at the bottom, as shown in FIG. 3:
Current volume is the disk volume in use, Store2 is the most recent snapshot, and Store1 is the oldest snapshot. As shown in FIG. 3, all data changed on the Current volume is backed up in the front-most Store. Block descriptors describe how the data is backed up; only by knowing how the data is backed up can an algorithm be designed to read it. FIG. 3 also shows that to obtain the oldest snapshot, Store1, we must first apply Store2's snapshot to the Current volume and then apply Store1's snapshot to the Current volume.
Using the Original offset and Relative store data offset of the block descriptors, we can restore the backed-up data back onto the disk volume.
If the Flags in a block descriptor are set to 2, it is an overlay block descriptor. An overlay describes a changed region smaller than a 16KB block, typically a 512-byte block. The allocation bitmap in the block descriptor indicates which 512-byte regions in the 16KB block are changed. These 512-byte blocks are stored at the Relative store data offset of the overlay block descriptor. When reading Store data, overlay block descriptors need to be applied to the 16KB blocks first.
Reverse mapping: if the Flags in a block descriptor are set to 1, it is a forwarder block descriptor, i.e., the Relative store data offset in the data domain is equivalent to an Original offset. Since the Original offset maps to the Relative store data offset, the reverse mapping from Relative store data offset to Original offset also exists.
The method provided by the invention comprises the following steps:
S000, judging whether all data blocks of the current disk volume have been read; if yes, executing step S011, otherwise executing step S001;
S001, searching the backup storage data block list, according to the original offset of the current data block in the current disk volume, for a data block descriptor corresponding to the current data block; if one exists, executing step S002, otherwise executing step S006;
S002, judging whether the current data block is an overlay and whether the current backup storage is the top of the snapshot stack; if yes, executing step S003, otherwise executing step S004;
S003, reading the data block according to the overlay data block descriptor, filling the data block addressed by the original offset with the 512-byte data blocks addressed and read by the relative offset, according to the marks of the allocation bitmap, and executing step S010;
S004, judging whether the current data block is a forwarder data block and whether a next backup storage exists; if yes, executing step S010, otherwise executing step S005;
S005, reading the current data block from the current disk volume according to the original offset, and executing step S010;
S006, judging whether a next backup storage exists; if so, executing step S010, otherwise executing step S007;
S007, judging whether a reverse-mapped forwarder data block descriptor exists; if so, executing step S005, otherwise executing step S008;
S008, judging whether the current backup storage is at the top of the snapshot stack and whether the current data block is marked by the bitmap; if so, executing step S005; otherwise the current data block is in the backup storage and not used, and step S009 is executed;
S009, filling the current data block with zeros, and executing step S010;
S010, reading the data block of the next backup storage, and executing step S000;
S011, outputting the read volume shadow backup data.
Preferably, in step S002, judging whether the current data block is an overlay includes judging whether the identification bit of the data block descriptor is 2; if so, the block is an overlay, otherwise it is not.
Preferably, in step S003, reading the data block according to the overlay data block descriptor includes addressing and reading the data block using the original offset in the backup storage.
Preferably, in step S003, an allocation bitmap mark of 1 indicates that the corresponding 512 bytes of data are backed up in the backup storage, and a mark of 0 indicates that the corresponding 512 bytes of data are not backed up in the backup storage.
Preferably, in step S004, judging whether the current data block is a forwarder data block includes judging whether the identification bit of the data block descriptor is 1; if so, the block is a forwarder data block, otherwise it is not.
The beneficial effect of the invention is that it solves the technical problem in the prior art that the functional interface provided by the Windows operating system cannot be used to read volume shadow backup data inside a disk image.
Drawings
FIG. 1 is a flow chart of a method provided by the present invention;
FIG. 2 is a diagram illustrating a data structure of header, catalog and Stores in a shadow volume according to the present invention;
FIG. 3 is a schematic diagram of a data structure of a disk snapshot stack according to the present invention.
Detailed Description
Fig. 1 shows a flow chart of the method provided by the invention. As shown in fig. 1, the method of the present invention comprises the steps of:
S000, judging whether all data blocks (Blocks) of the current disk volume have been read; if yes, executing step S011, otherwise executing step S001;
S001, searching the backup storage data block list (Store block list), according to the original offset (Original offset) of the current data block (Block) in the current disk volume, for a data block descriptor (Block descriptors) corresponding to the current data block (Block); if one exists, executing step S002, otherwise executing step S006;
S002, judging whether the current data block (Block) is an overlay and whether the current backup storage (Store) is the top of the snapshot stack; if yes, executing step S003, otherwise executing step S004;
Specifically, judging whether the current data block (Block) is an overlay includes judging whether the identification bit (flags) of the data block descriptor (Block descriptors) is 2; if so, the block is an overlay, otherwise it is not.
S003, reading the data block (Block) according to the overlay data block descriptor (Overlay block descriptors), filling the data block (Block) addressed by the original offset (Original offset) with the 512-byte data blocks (Blocks) addressed and read by the relative offset (Relative store data offset), according to the marks of the allocation bitmap (Allocation bitmap), and executing step S010;
Specifically, reading the data block (Block) according to the overlay data block descriptor (Overlay block descriptors) includes addressing and reading the data block (Block) using the original offset (Original offset) in the backup storage (Store).
In addition, an allocation bitmap (Allocation bitmap) mark of 1 indicates that the corresponding 512 bytes of data are backed up in the backup storage (Store), and a mark of 0 indicates that the corresponding 512 bytes of data are not backed up in the backup storage (Store).
S004, judging whether the current data block (Block) is a forwarder data block (Forwarder block) and whether a next backup storage (Store) exists; if so, executing step S010, otherwise executing step S005;
Specifically, judging whether the current data block (Block) is a forwarder data block (Forwarder block) includes judging whether the identification bit (flags) of the data block descriptor (Block descriptors) is 1; if so, the block is a forwarder data block (Forwarder block), otherwise it is not.
S005, reading the current data block (Block) from the current disk volume according to the original offset (Original offset), and executing step S010;
S006, judging whether a next backup storage (Store) exists; if so, executing step S010, otherwise executing step S007;
S007, judging whether a reverse-mapped forwarder data block descriptor (Forwarder block descriptors) exists; if yes, executing step S005, otherwise executing step S008;
S008, judging whether the current backup storage (Store) is at the top of the snapshot stack and whether the current data block (Block) is marked by the bitmap; if so, executing step S005; otherwise the current data block (Block) is in the backup storage (Store) and not used, and step S009 is executed;
S009, filling the current data block (Block) with zeros, and executing step S010;
S010, reading the data block (Block) of the next backup storage (Store), and executing step S000;
S011, outputting the read volume shadow backup data.
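The per-block decisions of steps S001 to S009 and the overlay merge of step S003, as an added Python example that is not code from the patent. It assumes that both offsets are byte offsets into a single volume image, that bit i of the allocation bitmap (least significant bit first) covers the i-th 512-byte region, and that overlay regions sit at the same position inside the 16KB block found at the relative offset; the names `BlockDescriptor`, `next_action`, `apply_overlay` and `read_block` are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

BLOCK_SIZE = 16 * 1024                         # the volume shadow manages data in 16KB blocks
SECTOR_SIZE = 512                              # granularity of the allocation bitmap
SECTORS_PER_BLOCK = BLOCK_SIZE // SECTOR_SIZE  # 32 regions per block
FLAG_FORWARDER = 1                             # identification bit value for a forwarder block
FLAG_OVERLAY = 2                               # identification bit value for an overlay block


@dataclass
class BlockDescriptor:                         # hypothetical in-memory form of a block descriptor
    original_offset: int
    relative_offset: int
    flags: int
    allocation_bitmap: int = 0


def next_action(desc: Optional[BlockDescriptor], is_stack_top: bool, has_next_store: bool,
                reverse_forwarder: bool = False, bitmap_marked: bool = False) -> str:
    """Return what to do with the current block, following S001 to S009."""
    if desc is not None:                                       # S001: descriptor found
        if desc.flags == FLAG_OVERLAY and is_stack_top:        # S002
            return "overlay"                                   # S003
        if desc.flags == FLAG_FORWARDER and has_next_store:    # S004
            return "next_store"                                # S010
        return "read_volume"                                   # S005
    if has_next_store:                                         # S006
        return "next_store"                                    # S010
    if reverse_forwarder:                                      # S007
        return "read_volume"                                   # S005
    if is_stack_top and bitmap_marked:                         # S008
        return "read_volume"                                   # S005
    return "zero_fill"                                         # S009


def _block(image: bytes, offset: int) -> bytes:
    """Slice one 16KB block, refusing reads past the end of a truncated image."""
    if offset < 0 or offset + BLOCK_SIZE > len(image):
        raise ValueError(f"block at offset {offset:#x} lies outside the image")
    return image[offset:offset + BLOCK_SIZE]


def apply_overlay(base: bytes, overlay: bytes, allocation_bitmap: int) -> bytes:
    """S003: copy every 512-byte region whose bitmap mark is 1 from overlay into base."""
    if len(base) != BLOCK_SIZE or len(overlay) != BLOCK_SIZE:
        raise ValueError("overlay merge needs two full 16KB blocks")
    if allocation_bitmap < 0 or allocation_bitmap >> SECTORS_PER_BLOCK:
        raise ValueError("allocation bitmap has marks beyond the 32 regions of a block")
    out = bytearray(base)
    for sector in range(SECTORS_PER_BLOCK):
        if (allocation_bitmap >> sector) & 1:                  # mark 1: region is backed up
            start = sector * SECTOR_SIZE
            out[start:start + SECTOR_SIZE] = overlay[start:start + SECTOR_SIZE]
    return bytes(out)


def read_block(image: bytes, original_offset: int, desc: Optional[BlockDescriptor],
               **state) -> Optional[bytes]:
    """Resolve one block; None means the caller must continue with the next store (S010)."""
    action = next_action(desc, **state)
    if action == "overlay":
        return apply_overlay(_block(image, original_offset),
                             _block(image, desc.relative_offset), desc.allocation_bitmap)
    if action == "read_volume":
        return _block(image, original_offset)
    if action == "zero_fill":
        return bytes(BLOCK_SIZE)
    return None


# Constructed sample: three volume blocks ("A", "B", "C") followed by one store block
# whose first and last 512-byte regions hold backed-up data ("Z"); "?" is unmarked filler.
_store_block = bytearray(b"?" * BLOCK_SIZE)
_store_block[:SECTOR_SIZE] = b"Z" * SECTOR_SIZE
_store_block[-SECTOR_SIZE:] = b"Z" * SECTOR_SIZE
SAMPLE_IMAGE = b"A" * BLOCK_SIZE + b"B" * BLOCK_SIZE + b"C" * BLOCK_SIZE + bytes(_store_block)
SAMPLE_OVERLAY = BlockDescriptor(0, 3 * BLOCK_SIZE, FLAG_OVERLAY, (1 << 0) | (1 << 31))

if __name__ == "__main__":
    merged = read_block(SAMPLE_IMAGE, 0, SAMPLE_OVERLAY, is_stack_top=True, has_next_store=False)
    print(merged[:4], merged[SECTOR_SIZE:SECTOR_SIZE + 4], merged[-4:])
```

Only the two regions marked in the allocation bitmap are taken from the store; the unmarked filler never reaches the output block.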
The method provided by the invention solves the technical problem that a method for reading the shadow backup data does not exist in the prior art.
It is to be understood that the invention is not limited to the examples described above, and that modifications and variations may be effected in light of the above teachings by those skilled in the art, all of which are intended to be within the scope of the invention as defined in the appended claims.

Claims (5)

1. A method of reading volume shadow backup data, comprising the steps of:
S000, judging whether all data blocks of the current disk volume have been read; if yes, executing step S011, otherwise executing step S001;
S001, searching the backup storage data block list, according to the original offset of the current data block in the current disk volume, for a data block descriptor corresponding to the current data block; if one exists, executing step S002, otherwise executing step S006;
S002, judging whether the current data block is an overlay and whether the current backup storage is the top of the snapshot stack; if yes, executing step S003, otherwise executing step S004;
S003, reading the data block according to the overlay data block descriptor, filling the data block addressed by the original offset with the 512-byte data blocks addressed and read by the relative offset, according to the marks of the allocation bitmap, and executing step S010;
S004, judging whether the current data block is a forwarder data block and whether a next backup storage exists; if yes, executing step S010, otherwise executing step S005;
S005, reading the current data block from the current disk volume according to the original offset, and executing step S010;
S006, judging whether a next backup storage exists; if so, executing step S010, otherwise executing step S007;
S007, judging whether a reverse-mapped forwarder data block descriptor exists; if so, executing step S005, otherwise executing step S008;
S008, judging whether the current backup storage is at the top of the snapshot stack and whether the current data block is marked by the bitmap; if so, executing step S005; otherwise the current data block is in the backup storage and not used, and step S009 is executed;
S009, filling the current data block with zeros, and executing step S010;
S010, reading the data block of the next backup storage, and executing step S000;
S011, outputting the read volume shadow backup data.
2. The method according to claim 1, wherein in step S002, judging whether the current data block is an overlay includes judging whether the identification bit of the data block descriptor is 2; if so, the block is an overlay, otherwise it is not.
3. The method according to claim 1, wherein in step S003, reading the data block according to the overlay data block descriptor includes addressing and reading the data block using the original offset in the backup storage.
4. The method according to claim 1, wherein in step S003, an allocation bitmap mark of 1 indicates that the corresponding 512 bytes of data are backed up in the backup storage, and a mark of 0 indicates that the corresponding 512 bytes of data are not backed up in the backup storage.
5. The method according to claim 1, wherein in step S004, judging whether the current data block is a forwarder data block includes judging whether the identification bit of the data block descriptor is 1; if so, the block is a forwarder data block, otherwise it is not.
CN202210735162.4A 2022-06-27 2022-06-27 A method for reading volume shadow backup data Active CN115373897B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210735162.4A CN115373897B (en) 2022-06-27 2022-06-27 A method for reading volume shadow backup data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210735162.4A CN115373897B (en) 2022-06-27 2022-06-27 A method for reading volume shadow backup data

Publications (2)

Publication Number Publication Date
CN115373897A (en) 2022-11-22
CN115373897B (en) 2025-05-23

Family

ID=84062632

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210735162.4A Active CN115373897B (en) 2022-06-27 2022-06-27 A method for reading volume shadow backup data

Country Status (1)

Country Link
CN (1) CN115373897B (en)

Also Published As

Publication number Publication date
CN115373897A (en) 2022-11-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant