
Research Of Mobile Terminal Forensics Based On Android Malware Behavior Analysis

Posted on: 2018-08-02
Degree: Master
Type: Thesis
Country: China
Candidate: Y X Lv
Full Text: PDF
GTID: 2348330542972245
Subject: Computer Science and Technology

Abstract/Summary:
In recent years, with the rapid development of the mobile Internet, huge economic benefits have led to many information security crises and mobile Internet crimes, and criminal organizations and malware constantly attack users. Forensics and analysis of mobile Internet crime by technical and legal means has become a problem that the judicial institutions of every country urgently need to solve. Therefore, research on mobile terminal forensics based on Android malware behavior analysis has become an important branch of mobile terminal forensics. This paper summarizes the status and technical level of mobile terminal forensics and presents the limitations of the traditional mobile terminal forensics model. In accordance with the legal norms for electronic evidence, it preprocesses the Android application permissions of the Android application package (APK) file through reverse engineering, calculates the weight of a permission in a given category from the difference in the frequency with which the permission is used, establishes a model of mobile terminal forensics based on association analysis, and finds the correlations among items of electronic evidence.

In the evidence collection stage, this paper establishes the WAFP-Max mining model to extract Android malicious behavior sequences; the model determines the density of the transaction data set automatically, takes into account both the frequency and the weight of permissions in the Android OS, and avoids missing rare data. In the evidence identification stage, this paper matches Android malicious behavior sequences by cosine distance, analyzes the relationships among Android malware families, and explains how to calculate the code similarity of an experimental sample from unknown applications against a hierarchical code database of Android malware. In the evidence generation stage, this paper injects a custom dynamic shared library into the Linux kernel layer, has the experimental sample tested automatically by a Monkey script, dynamically monitors calls to sensitive APIs according to possible malicious behavior, and observes the results on the mobile terminal.

The experiments show that the WAFP-Max mining model is better than Frequent-pattern Growth at matching the set constituted by permissions related to malicious behavior. The Mobile Terminal Forensics Platform (PC & Android) performs well in mobile terminal forensics based on Android malware behavior analysis: it identifies whether suspicious code causes Android malicious behavior, and analyzes and records execution and resource calls on the mobile terminal device.
Keywords/Search Tags: Android, Malicious behavior, Mobile terminal forensics, Association analysis, WAFP-Max mining model