1. Technical Field
The present invention relates generally to a method and apparatus for recovering a partition based on file system metadata and, more particularly, to a method and apparatus for recovering a partition using metadata in which the principal information of a file system is stored, in a situation in which the partition configuration information of a disk is not present.
2. Description of the Related Art
The partitions of a computer storage device are managed via a Master Boot Record (MBR) or a Globally Unique Identifier (GUID) Partition Table (GPT).
When an MBR or a GPT is analyzed, the location of a boot record for managing information about a volume can be found. By means of information about the boot record, the basic information of each partition and the starting location of metadata information in a file can be found.
The malicious codes, used in the 3.20 and 6.25 cyber terror attacks in South Korea in 2013 to destroy hard disks, may destroy core information for the partition configuration of a disk, such as an MBR, a GPT, and a boot record. Due thereto, even if actual contents of a file are not completely deleted, the effect of destroying data and a disk may be exhibited. That is, as shown in FIG. 1, the Master File Table (MFT) entries of $MFT, in which actual data information is stored, remain complete or are only partially damaged, but it is impossible to know the layout of a partition. Even if the address of a data cluster recorded in MFT data entries is obtained, a boot record, which is a reference point for the start of a volume, was already deleted. Therefore, exact data access is impossible with the address of a data cluster.
As shown in FIG. 1, when all of an MBR, a BR, and a Backup Boot Record (BBR) are deleted in a disk structure shown in an upper portion of FIG. 1, the disk structure is converted into and present as that shown in a lower portion of FIG. 1. In this case, when the data cluster number of a file having an MFT Identifier number of 100 is 15,000, a precise data location may be detected if the starting location of a volume is known. However, when a partition layout is not present, a reference point cannot be known, and thus a completely different location may be indicated, as in the disk structure shown in the lower portion.
As related preceding technology, Korean Patent Application Publication No. 2011-0021125 discloses technology for recovering a deleted partition using information found by searching for an existing undeleted boot record.
As another related preceding technology, Korean Patent Application Publication No. 2014-0026821 discloses technology for recovering deleted partition information by searching for a backup boot record that is backed up in a file system.