
Research On Forensics Technology Based On Android

Posted on: 2018-10-04
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Zhao
Full Text: PDF
GTID: 2336330512971510
Subject: Engineering
Abstract/Summary:
With the continued development and widespread use of electronic information technology based on computers and the internet, various "electronic" cases have begun to emerge in the field of justice. The various forms of electronic data that appear in a case may become potential electronic evidence. The development of smartphones has greatly enriched people's lives. At the same time, the spread of smartphones has increased illegal activity carried out with mobile phones. Quickly extracting sensitive information from the system is therefore important for the prevention and supervision of mobile phone security. Among smartphones, Android is the most widely used platform. This paper studies Android forensics. First, we analyze the current state of research on Android forensics systems and describe file and application data storage in detail, based on the features of the Android system. For files stored on the phone, hash values are usually used to determine whether a file is malicious. When two files have different hash values but similar contents, the hash value cannot determine whether the file is malicious. This paper proposes a method for judging the similarity of files according to their content characteristics. The method obtains a characteristic value of the file content and matches similar files according to that characteristic value instead of the hash value. Test results show that the method has great value for identifying tampered files and file fragments. In this paper, a file eigenvalue database is established from file hash values, file content eigenvalues and network characteristics. In addition to local data, the method can also analyze network data flows in real time. The libpcap library is compiled to capture packets from the network and match them against the eigenvalues, capturing the packets that contain illegal feature information, so that the network information of the system can be monitored. A forensics platform was built by combining a server with a mobile application: the server aggregates the forensic results and the eigenvalue database, and the mobile application gets data from the local side and the network side and uploads the collected data to the server.
Keywords/Search Tags:Android forensics, Information Extraction, Content Characteristics, Network Monitoring, Pattern Matching
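
The gap between hash matching and content-feature matching that the abstract describes can be seen in a short added example; it is not code from the thesis. The abstract does not say how the content characteristic value is computed, so hashed byte shingles with a containment score, the width `K`, the 0.8 threshold and all sample data are assumptions.

```python
import hashlib

K = 8  # shingle width in bytes (assumed; the abstract gives no parameters)

def features(data: bytes, k: int = K) -> set:
    """Hashed k-byte shingles: a stand-in 'content characteristic value'."""
    if len(data) < k:
        return {hashlib.blake2b(data, digest_size=8).digest()} if data else set()
    return {hashlib.blake2b(data[i:i + k], digest_size=8).digest()
            for i in range(len(data) - k + 1)}

def containment(sample: bytes, reference: bytes) -> float:
    """Share of the sample's features that also occur in the reference file."""
    fs = features(sample)
    return len(fs & features(reference)) / len(fs) if fs else 0.0

def classify(sample: bytes, reference: bytes, threshold: float = 0.8) -> str:
    """'exact' on hash match, else 'similar' or 'unrelated' by content features."""
    if hashlib.sha256(sample).digest() == hashlib.sha256(reference).digest():
        return "exact"
    return "similar" if containment(sample, reference) >= threshold else "unrelated"

# Constructed sample data (not from the thesis): a known file and three variants.
REFERENCE = b"".join(f"record {i:04d}: payload {i * 7919 % 1000:03d}\n".encode()
                     for i in range(200))
TAMPERED = REFERENCE[:1000] + b"XXXX" + REFERENCE[1004:]   # four bytes overwritten
FRAGMENT = REFERENCE[1500:2500]                            # carved partial file
UNRELATED = b"".join(f"GET /index/{i} HTTP/1.1\n".encode() for i in range(200))

if __name__ == "__main__":
    for name, blob in [("reference", REFERENCE), ("tampered", TAMPERED),
                       ("fragment", FRAGMENT), ("unrelated", UNRELATED)]:
        print(f"{name:9} sha256={hashlib.sha256(blob).hexdigest()[:12]} "
              f"containment={containment(blob, REFERENCE):.3f} "
              f"-> {classify(blob, REFERENCE)}")
```

Containment is measured against the sample's own feature set, so a carved fragment scores as high as a lightly tampered full copy, while the SHA-256 digests of both differ from the reference.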