With the rapid development of mobile Internet technology and the widespread adoption of smartphones, criminal activities such as drug dealing conducted over smartphones, the spread of online rumors, and telecommunications fraud are rampant. Digital forensics for smartphones can effectively help the judiciary collect criminal evidence. Among all smartphone platforms, Android dominates the market thanks to its open-source nature and functional diversity, so research on forensic techniques for Android smartphones has great practical significance. Because of the openness of the Android ecosystem, the hardware architectures and operating system builds of Android devices differ widely and are extremely diverse. At the same time, Android's security mechanisms require Root privileges to obtain its data, or else the device must be unlocked and USB debugging must be enabled. Current mainstream acquisition techniques for mobile devices include logical acquisition, physical acquisition, and chip-off. This thesis focuses on physical image acquisition of Android devices. The main work and contributions are as follows:

(1) To address the limitations of existing data extraction methods, namely the need to obtain Root privileges, unlock the screen, and enable USB debugging, a memory data extraction method based on the phone's firmware update protocol is proposed. First, the firmware update protocol of the phone is analyzed to recover the format of its protocol commands; then, guided by that analysis, fuzzing is used to find hidden memory dump commands, and these dump commands are reused to dump the NAND flash and main memory (RAM) of the device. Experimental results show that the proposed method outperforms existing forensic methods in integrity assurance, acquisition speed, and physical dumping of screen-locked smartphones (with USB debugging disabled).

(2) For Android devices with Qualcomm chips, a physical acquisition method based on Qualcomm EDL (Emergency Download) mode is proposed: ABOOT modification is achieved by driving the Firehose protocol in EDL mode, and device partitions are read through XML commands to obtain a physical acquisition of the target device.

(3) To address the poor readability of memory data obtained by physical extraction and the difficulty of collecting evidence from it, it is proposed to extract user account information from the physical image using the Sunday string-matching algorithm, and to convert the main memory dump into LiME format so that information can be extracted with the Volatility tool.

(4) A forensic analysis system for Android devices is designed and implemented. The system provides both physical dump and logical acquisition functions; physical dumps are based on the firmware update protocol dump and the Qualcomm EDL mode dump. The Android forensic analysis system effectively implements data dumping and information extraction for Android devices; for some models, the system achieves a higher extraction success rate, extraction speed, and integrity.
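The partition read described in contribution (2), shown as an added example of the host side of a Firehose exchange in EDL mode. This is illustrative code, not the thesis's tool: the XML command and response shapes follow the publicly documented Firehose `<read>` command, the device is a constructed in-memory stand-in (`FakeFirehoseDevice`), and the real device would additionally need the Firehose programmer loaded over Sahara and a `<configure>` exchange before any read, which are omitted here.

```python
# Added example: host side of a Firehose <read> in Qualcomm EDL mode, run
# against a constructed stand-in for the device so both sides of the
# exchange are visible. Not the thesis's own code; the XML shapes are
# assumed from the public Firehose command format.
import xml.etree.ElementTree as ET

SECTOR_SIZE = 512
XML_PROLOG = b'<?xml version="1.0" ?>'


def build_read_cmd(start_sector: int, num_sectors: int, lun: int = 0) -> bytes:
    """Host -> device: read num_sectors sectors from start_sector on LUN lun."""
    return XML_PROLOG + (b'<data><read SECTOR_SIZE_IN_BYTES="%d" '
                         b'num_partition_sectors="%d" physical_partition_number="%d" '
                         b'start_sector="%d"/></data>'
                         % (SECTOR_SIZE, num_sectors, lun, start_sector))


def parse_response(packet: bytes):
    """Device -> host: (value, rawmode) from a <response/> packet, or
    (None, False) for other XML such as <log/> lines."""
    resp = ET.fromstring(packet.decode()).find("response")
    if resp is None:
        return None, False
    return resp.get("value"), resp.get("rawmode") == "true"


class FakeFirehoseDevice:
    """Constructed stand-in for the programmer running in EDL mode; it serves
    reads from a byte string that plays the role of the flash chip."""

    def __init__(self, flash: bytes):
        self.flash = flash

    def handle(self, cmd: bytes) -> list:
        rd = ET.fromstring(cmd.decode()).find("read")
        start = int(rd.get("start_sector"))
        count = int(rd.get("num_partition_sectors"))
        size = int(rd.get("SECTOR_SIZE_IN_BYTES"))
        off, end = start * size, (start + count) * size
        if end > len(self.flash):
            return [XML_PROLOG + b'<data><log value="ERROR: sector range out of bounds"/></data>',
                    XML_PROLOG + b'<data><response value="NAK" rawmode="false"/></data>']
        # ACK with rawmode="true" announces the raw payload that follows;
        # a final ACK closes the transfer.
        return [XML_PROLOG + b'<data><response value="ACK" rawmode="true"/></data>',
                self.flash[off:end],
                XML_PROLOG + b'<data><response value="ACK" rawmode="false"/></data>']


def next_response(packets):
    """Skip <log/> packets, which the programmer emits freely, and return the
    first <response/>."""
    for pkt in packets:
        value, rawmode = parse_response(pkt)
        if value is not None:
            return value, rawmode
    raise RuntimeError("device closed the exchange without a <response/>")


def dump_partition(dev, start_sector: int, num_sectors: int, lun: int = 0,
                   max_sectors_per_read: int = 8) -> bytes:
    """Read a partition in bounded chunks, checking every ACK and payload length."""
    out = bytearray()
    sector, remaining = start_sector, num_sectors
    while remaining:
        count = min(remaining, max_sectors_per_read)
        packets = iter(dev.handle(build_read_cmd(sector, count, lun)))
        value, rawmode = next_response(packets)
        if value != "ACK" or not rawmode:
            raise RuntimeError(f"read of sector {sector} rejected: {value}")
        payload = next(packets)
        if len(payload) != count * SECTOR_SIZE:
            raise RuntimeError(f"short read at sector {sector}")
        value, _ = next_response(packets)
        if value != "ACK":
            raise RuntimeError(f"device reported {value} after raw transfer")
        out += payload
        sector += count
        remaining -= count
    return bytes(out)


# Constructed 64-sector flash image standing in for the device's storage.
SAMPLE_FLASH = bytes((i * 7) % 256 for i in range(64 * SECTOR_SIZE))

if __name__ == "__main__":
    dev = FakeFirehoseDevice(SAMPLE_FLASH)
    data = dump_partition(dev, start_sector=10, num_sectors=20)
    print(len(data), data == SAMPLE_FLASH[10 * SECTOR_SIZE:30 * SECTOR_SIZE])
```

The host checks the `rawmode` ACK before consuming the payload and the closing ACK after it, and refuses a short payload; on a real acquisition the dumped bytes should additionally be hashed per chunk so integrity can be shown in court.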
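The account-information extraction in contribution (3), shown as an added example of the Sunday string-matching algorithm run over a raw image. This is illustrative code, not the thesis's implementation; the image bytes and the `"account":"` key pattern are constructed for the example.

```python
# Added example: Sunday substring search applied to a physical image to pull
# account-like strings out of otherwise unreadable raw NAND/RAM data.
# Illustrative code, not the thesis's own; SAMPLE_IMAGE is constructed.

def sunday_search(haystack: bytes, needle: bytes) -> list:
    """Return every offset of needle in haystack using the Sunday algorithm.

    After each window comparison the algorithm inspects the byte just past
    the window and shifts so that byte lines up with its last occurrence in
    needle, or skips the whole window plus one if it never occurs in needle.
    """
    n, m = len(haystack), len(needle)
    if m == 0 or m > n:
        return []
    shift = [m + 1] * 256                 # byte absent from needle: skip m+1
    for i, b in enumerate(needle):
        shift[b] = m - i                  # later occurrences overwrite earlier
    hits = []
    i = 0
    while i + m <= n:
        if haystack[i:i + m] == needle:
            hits.append(i)
        if i + m == n:                    # no byte past the window: done
            break
        i += shift[haystack[i + m]]
    return hits


def extract_account_fields(image: bytes, key: bytes, max_len: int = 64) -> list:
    """Find each occurrence of key (e.g. b'"account":"') in a raw image and
    return the quoted value that follows it. Values with no closing quote
    within max_len bytes (e.g. cut off at a page boundary) are skipped."""
    values = []
    for off in sunday_search(image, key):
        start = off + len(key)
        end = image.find(b'"', start, start + max_len)
        if end != -1:
            values.append(image[start:end].decode("utf-8", "replace"))
    return values


# Constructed stand-in for a physical image: filler bytes with a few JSON
# fragments, as an app's leftover JSON/XML records might appear in a dump.
SAMPLE_IMAGE = (
    bytes(range(256)) * 2
    + b'{"account":"alice@example.com","token":"deadbeef"}'
    + b"\xff" * 300
    + b'{"account":"bob","pin":"1234"}'
    + b"\x00" * 100
    + b'{"account":"trunc'             # cut off: no closing quote
)

if __name__ == "__main__":
    print(extract_account_fields(SAMPLE_IMAGE, b'"account":"'))
    # → ['alice@example.com', 'bob']
```

Keys to search for come from knowing the target app's storage format (its SQLite column names, XML preference keys or JSON field names); one Sunday pass per key over a multi-gigabyte image is fast because the shift table lets most windows be skipped in a single comparison.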
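The LiME conversion in contribution (3), shown as an added example of wrapping a flat main-memory dump in LiME's per-range headers so that Volatility's LiME layer can parse it. This is illustrative code, not the thesis's tool; the raw dump and the two physical address ranges are constructed, and the header layout is LiME's published one (magic, version, start, end, 8 reserved bytes, end address inclusive).

```python
# Added example: converting a raw main-memory dump into LiME format for
# Volatility. Illustrative code, not the thesis's own; SAMPLE_RAW and
# SAMPLE_RANGES are constructed.
import struct

LIME_MAGIC = 0x4C694D45          # appears as ASCII "EMiL" on little-endian
LIME_VERSION = 1
# One header precedes every memory range: magic, version, start, end, reserved.
LIME_HEADER = struct.Struct("<IIQQ8s")


def raw_to_lime(raw: bytes, ranges) -> bytes:
    """Build a LiME image from a flat raw dump.

    ranges is a list of (phys_start, phys_end, raw_offset): the physical
    address range (end inclusive, as LiME and Volatility treat it) and where
    its bytes sit in the flat dump. Holes between ranges (device memory,
    reserved regions) are simply not emitted.
    """
    out = bytearray()
    for start, end, raw_off in ranges:
        length = end - start + 1
        chunk = raw[raw_off:raw_off + length]
        if len(chunk) != length:
            raise ValueError(f"raw dump too short for range {start:#x}-{end:#x}")
        out += LIME_HEADER.pack(LIME_MAGIC, LIME_VERSION, start, end, b"\0" * 8)
        out += chunk
    return bytes(out)


def parse_lime(data: bytes) -> list:
    """Walk a LiME image and return [(phys_start, phys_end, payload), ...],
    rejecting a bad magic/version or a truncated range instead of misreading it."""
    ranges = []
    pos = 0
    while pos < len(data):
        magic, version, start, end, _ = LIME_HEADER.unpack_from(data, pos)
        if magic != LIME_MAGIC or version != LIME_VERSION:
            raise ValueError(f"bad LiME header at offset {pos:#x}")
        pos += LIME_HEADER.size
        length = end - start + 1
        if pos + length > len(data):
            raise ValueError("truncated LiME range")
        ranges.append((start, end, data[pos:pos + length]))
        pos += length
    return ranges


# Constructed 1 KiB "dump" and a constructed memory map with two System RAM
# ranges separated by a hole, as /proc/iomem on the device might report.
SAMPLE_RAW = bytes(range(256)) * 4
SAMPLE_RANGES = [
    (0x80000000, 0x800001FF, 0x000),   # 512 bytes of RAM
    (0x80010000, 0x800100FF, 0x200),   # 256 bytes of RAM after a hole
]

if __name__ == "__main__":
    image = raw_to_lime(SAMPLE_RAW, SAMPLE_RANGES)
    for start, end, payload in parse_lime(image):
        print(f"{start:#x}-{end:#x}: {len(payload)} bytes")
```

The physical ranges must come from the device itself (its memory map as reported by the kernel or the firmware), because Volatility uses the header addresses to place each payload; a dump declared at the wrong physical base will not match the kernel symbol addresses in the profile.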