Research On Key Technologies Of Smart Phone Forensics Based On Android Platform

Posted on: 2019-01-31
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Zhang
GTID: 2428330566970913
Subject: Computer technology

Abstract/Summary:
With the rapid development of mobile communication technology and the fast-growing popularity of smart phones, criminal activities that use smart phones, such as fraud, network rumors, and drug trafficking, have become increasingly rampant, and have had a serious impact on people's daily lives and on the harmonious development of our society. Mobile phone forensics can effectively combat these illegal and criminal activities. As an important means of digital forensics, it has become a research hotspot in the area of electronic forensics. However, smart phone forensics still has many deficiencies in areas such as evidence extraction, data recovery, and visual analysis of user data. For this reason, this thesis conducts in-depth research on several key issues of Android smartphone data forensics. The main work and contributions are as follows:

1. To address the complex implementation process and low versatility of current methods for extracting an image of mobile phone user data, a user data image extraction method based on Recovery mode is proposed. First, by analyzing the characteristics, advantages and disadvantages of the existing Android smart phone data mirroring methods, the basis for improving the extraction method is established. Then, starting from the structure of Android built-in memory and the file system, the characteristics of the file system partitions and of partitioning are analyzed; the relevant characteristics of the load and the read and write modes of the memory in Recovery mode are discussed, as is the method of user privilege elevation. Based on this, a method for acquiring the user data image is designed and implemented. This method ensures that the extraction process does not destroy the integrity of the user data partition. Finally, experiments were conducted for both logical extraction and physical extraction. The results show that, with this extraction method, the integrity of the data partition is better than with the existing methods, and that the method has good versatility.

2. To address the large recovery granularity and low recovery rate of the existing methods for recovering deleted records, a deleted record recovery method based on the internal structure of SQLite is proposed. First, the file header, B-tree page and cell content area of the SQLite database file are studied. Based on this, the structure of SQLite data records (using QQ chat records as an example) is analyzed in depth from both the logical and the physical aspects; from the changes in cell structure, the storage principle after a SQLite record is deleted is identified. Afterwards, a hierarchical recursive algorithm is used to traverse the free areas composed of free blocks, and fine-grained recovery is performed based on whether or not the data records have been covered. The method has been tested. The results show that it can recover uncovered free blocks, partially covered free blocks, and deleted data records that remain in the unused space. Compared with the existing recovery methods, the recovery range is more extensive and the recovery performance is better.

3. To address the simple means and poor performance of the existing methods for visualized association analysis of evidence, a visual user data analysis and forensics method is proposed. First, a basic analysis of Android mobile phone user data is conducted to filter out useful table fields and key information. Then, by defining a unified data structure, this information is preprocessed, redundant fields and invalid information are removed, and a comprehensive information database is designed and created. Afterwards, using the constructed time series graph and social network relation topology graph, the data in the comprehensive information database is visually correlated. Finally, the two visual analysis methods are implemented and tested with actual case data. The results show that the effect is good.
Keywords/Search Tags:Android, Mobile Phone Forensics, Data Mirroring, SQLite, Deleted Record Recovery, Visual Analysis
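
The second contribution relies on the fact that SQLite, unless secure delete is enabled, leaves a deleted cell's bytes on the B-tree page and links the space into the page's freeblock chain. The following Python sketch is an added illustration, not the thesis's code or its recursive algorithm: it builds a constructed sample database (the table `msg` and its rows are made up here), deletes one row, and walks the freeblock chain of the table's leaf page to show the residue left behind.

```python
import os, sqlite3, struct, tempfile

def build_sample_db(path):
    """Constructed sample: three rows, the middle one deleted."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")  # keep deleted bytes on disk
    con.execute("CREATE TABLE msg(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO msg VALUES (?, ?)", [
        (1, "hello from alice"),
        (2, "meet at the usual place"),
        (3, "ok see you then"),
    ])
    con.commit()
    con.execute("DELETE FROM msg WHERE id = 2")
    con.commit()
    root = con.execute(
        "SELECT rootpage FROM sqlite_master WHERE name = 'msg'").fetchone()[0]
    con.close()
    return root

def freeblocks(path, page_no):
    """Return (offset, size, residue) for each freeblock on a table leaf page."""
    with open(path, "rb") as f:
        page_size = struct.unpack(">H", f.read(100)[16:18])[0]
        page_size = 65536 if page_size == 1 else page_size
        f.seek((page_no - 1) * page_size)
        page = f.read(page_size)
    hdr = 100 if page_no == 1 else 0      # page 1 starts with the file header
    if page[hdr] != 0x0D:
        raise ValueError("not a table B-tree leaf page")
    found, seen = [], set()
    off = struct.unpack(">H", page[hdr + 1:hdr + 3])[0]  # first freeblock
    while off and off not in seen and off + 4 <= len(page):
        seen.add(off)                     # guard against a looping chain
        nxt, size = struct.unpack(">HH", page[off:off + 4])
        # The freeblock header overwrites the first 4 bytes of the old cell
        found.append((off, size, page[off + 4:off + size]))
        off = nxt
    return found

def demo():
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        return freeblocks(path, build_sample_db(path))
    finally:
        os.remove(path)

if __name__ == "__main__":
    for off, size, residue in demo():
        print(f"freeblock @{off} size={size} residue={residue!r}")
```

Because the 4-byte freeblock header replaces the start of the deleted cell (payload length, rowid and the beginning of the record header), a recovery tool has to reconstruct those fields from the bytes that remain.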