
Research On Android Behavior Forensics Method Based On Memory Recovery And Association Analysis

Posted on: 2021-07-16
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Li
Full Text: PDF
GTID: 2506306572969399
Subject: Computer Science and Technology
Abstract/Summary:
The popularity of smart phones has brought tremendous changes to people's lives. Because of their powerful processing ability, they have become an indispensable tool. While people enjoy this convenience, crimes committed with smart phones threaten their lives and property. Mobile forensics technology came into being to address this social problem. Since suspects use all kinds of mobile apps throughout the course of a crime, their operations on the phone have become a concern of law enforcement departments. Based on the Android operating system, which is widely used in the market, this paper analyzes the system's operating mechanism, recovers memory objects from an extracted memory image, reasons over the characteristics of the memory allocator together with association analysis, restores the user behavior sequence, and thereby realizes Android user behavior forensics.

Firstly, this paper designs a 64-bit Android memory image acquisition technique. Since the Android system is based on the Linux kernel, a memory acquisition technique based on the ptrace mechanism is used to control a running process and prevent its memory from changing dynamically. To obtain memory data from special address spaces, shellcode injection is used, injecting the corresponding ARM64 machine code through the program counter to extract that data indirectly. By integrating the two techniques and combining them with the characteristics of each memory area, a memory extraction tool is designed that lays the data foundation for the research.

After that, this paper studies the memory recovery method for Android in the ART virtual machine environment. Starting from the Android startup mechanism, it analyzes and tracks the most basic Runtime class in the runtime environment and uses it as the entry point to obtain the tool classes Thread and Heap and their related class instances; finally, it goes down to acquiring Java-layer data. The recovery and reconstruction of memory object instances provides a method for filtering out the appropriate data.

Based on the above methods, this paper studies the method for restoring the user behavior sequence. Taking the system_server process as the target, the mechanism of its Activity Manager Service (AMS) is studied to obtain the class objects in AMS that deserve attention. Based on the coupling relationships between these objects, effective data is collected from the memory image; combined with the characteristics of the memory allocator, relation vectors between activities are created, and the user behavior sequence diagram is constructed with the help of an association analysis algorithm that selects eligible objects as guidance. Finally, the validity of the user behavior sequence method is verified by experiments, which proves the feasibility of the user behavior forensics method.
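Added example (not code from the thesis or its tool): the acquisition step described above, written in Python for a Linux/Android host, freezing a process with ptrace, selecting ART heap regions from /proc/<pid>/maps and copying them out of /proc/<pid>/mem. It assumes a ptrace-capable caller (root or CAP_SYS_PTRACE) and that Android names its ART heap mappings with the "[anon:dalvik-" prefix; SAMPLE_MAPS is a constructed maps excerpt, and the thesis's shellcode-injection step is not reproduced.

```python
import ctypes, os, re
from collections import namedtuple
libc = ctypes.CDLL(None, use_errno=True)  # dlopen(NULL) exposes libc's ptrace()
PTRACE_ATTACH, PTRACE_DETACH = 16, 17     # Linux request numbers
Region = namedtuple("Region", "start end perms name")
# /proc/<pid>/maps line: "start-end perms offset dev inode [name]"
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")
# Assumption: Android labels anonymous mappings via prctl(PR_SET_VMA), so ART heap
# spaces show as "[anon:dalvik-...]" and native arenas as "[anon:libc_malloc]".
ART_PREFIXES = ("[anon:dalvik-", "[anon:libc_malloc")
def parse_maps(text):
    matches = (MAPS_RE.match(line) for line in text.splitlines())
    return [Region(int(m[1], 16), int(m[2], 16), m[3], m[4]) for m in matches if m]
def select_regions(regions, prefixes=ART_PREFIXES):
    # keep readable heap regions; skip PROT_NONE reservations (perms "---p")
    return [r for r in regions if r.perms[0] == "r" and r.name.startswith(prefixes)]
def dump_regions(pid, regions, out_dir):  # one file per address range
    written = []
    with open(f"/proc/{pid}/mem", "rb", 0) as mem:
        for r in regions:
            mem.seek(r.start)
            try:
                data = mem.read(r.end - r.start)
            except OSError:  # region vanished or is unreadable; skip it
                continue
            path = os.path.join(out_dir, f"{r.start:016x}-{r.end:016x}.bin")
            with open(path, "wb") as f:
                f.write(data)
            written.append((path, len(data)))
    return written

def acquire(pid, out_dir):
    """Freeze the target with PTRACE_ATTACH so its heap cannot change, dump, detach."""
    if libc.ptrace(PTRACE_ATTACH, pid, None, None) != 0:
        raise OSError(ctypes.get_errno(), "PTRACE_ATTACH failed (no ptrace permission?)")
    os.waitpid(pid, 0)  # returns once the tracee is in ptrace-stop
    try:
        with open(f"/proc/{pid}/maps") as f:
            regions = select_regions(parse_maps(f.read()))
        return dump_regions(pid, regions, out_dir)
    finally:
        libc.ptrace(PTRACE_DETACH, pid, None, None)

# Constructed maps excerpt (not from a real device) for an offline check of the parser.
SAMPLE_MAPS = """\
12c00000-13000000 rw-p 00000000 00:00 0    [anon:dalvik-main space (region space)]
13000000-14000000 ---p 00000000 00:00 0    [anon:dalvik-main space (region space)]
7b4a000000-7b4a021000 rw-p 00000000 00:00 0    [anon:libc_malloc]
7b4c000000-7b4c200000 r-xp 00000000 fd:00 1234    /system/lib64/libart.so
"""
```

Run `acquire(pid, "/sdcard/dump")` from a root shell on the device against the system_server pid; the dumped `.bin` files are the per-region input for object recovery.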
Keywords/Search Tags: Android forensics, user behavior, object recovery, association analysis