With the popularization of the Android system, smart terminals are increasingly used in real-world criminal activities, and data recovery techniques for Android applications have therefore received widespread attention in electronic forensics research. However, most existing studies analyze non-volatile memory from one specific viewpoint, so they are not universal and the information they can recover is limited. On the one hand, traditional analysis methods based on the file system cannot be applied to all types of Android non-volatile memory image. On the other hand, most existing data recovery research focuses on database files: when metadata is lost or the database file is damaged, the data in the SQLite database cannot be recovered. In response to these problems, this paper studies non-volatile memory analysis and data recovery methods that do not depend on a specific file system and can still recover valuable data efficiently even when the file system metadata is damaged. The main work and contributions are as follows:

(1) In view of the shortcomings of current Android data analysis methods that rely on the file system, this paper proposes a non-volatile memory analysis and data recovery plan for Android applications, based on an in-depth analysis of the Android data storage mechanism. The plan takes the Android non-volatile memory image as its data source and combines data flow analysis with flash memory page reconstruction, which effectively realizes data recovery for Android forensics.

(2) This paper proposes a method for identifying target data files based on data flow analysis. Software analysis is performed on the applications residing in the Android system, and function call graphs, data flow graphs and data dependency graphs are constructed. Reverse traversal of the data dependency graph effectively identifies the target data file in non-volatile memory, and then locates the storage area of the data to be restored in the image. Experimental results show that this method can solve the problems of string propagation between components and string operations, and successfully identifies the target data file in non-volatile memory.

(3) This paper proposes a data recovery method based on flash memory page scanning. The method uses the characteristics of Android flash memory and the SQLite page structure, together with the out-of-place-write mechanism of flash memory and the principle of spatial locality, to recover the data in flash memory pages. The recovered objects cover undeleted data, deleted data and data in junk pages. Pattern matching is used to determine which target application the recovered data belongs to. Experimental results show that the method is effective in real scenes and is suitable for a variety of file systems.

(4) Based on the above methods, a data recovery system for Android forensics is designed and implemented. It provides application analysis, target file identification, data recovery and timeline analysis, and demonstrates the effectiveness of the non-volatile memory analysis and data recovery method from a practical point of view.
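The page scanning idea in contribution (3) can be illustrated with a short carver that finds SQLite table-leaf pages in a raw image by their page structure alone, with no file system metadata and no database header. This is an added example, not the paper's implementation: the names `carve`, `decode_cell` and `constructed_image`, the 4096-byte page size and the sample rows are assumptions, and it covers live cells only, not freeblock (deleted record) or overflow-page recovery.

```python
import contextlib, pathlib, sqlite3, struct, tempfile

PAGE = 4096  # assumed SQLite page size with no reserved bytes; a real scan tries each size
WIDTH = {1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 6: 8, 7: 8}  # byte widths of fixed-size serial types

def varint(b, i):  # SQLite varint at b[i]: 7 bits per byte, 8 in a ninth -> (value, next index)
    v = 0
    for n in range(8):
        v = (v << 7) | (b[i + n] & 0x7F)
        if b[i + n] < 0x80:
            return v, i + n + 1
    return (v << 8) | b[i + 8], i + 9

def decode_cell(page, off):  # table-leaf cell: payload size, rowid, serial types, values
    size, i = varint(page, off)
    rowid, i = varint(page, i)
    hdr, j = varint(page, i)
    if size > PAGE - 35 or i + size > PAGE or hdr > size:
        raise ValueError("payload spills to overflow pages or record is implausible")
    body, vals = i + hdr, []
    while j < i + hdr:
        t, j = varint(page, j)
        n = WIDTH.get(t, max(t - 12, 0) // 2)
        raw, body = page[body:body + n], body + n
        if t >= 12:  # odd serial types are TEXT, even ones are BLOB
            vals.append(raw.decode("utf-8", "replace") if t % 2 else raw)
        elif t == 7:
            vals.append(struct.unpack(">d", raw)[0])
        else:  # 0 is NULL, 1-6 are integers, 8 and 9 are the constants 0 and 1
            vals.append(int.from_bytes(raw, "big", signed=True) if n else {8: 0, 9: 1}.get(t))
    return rowid, vals

def carve(image):  # yields (page offset, rowid, values) for each cell of each valid leaf page
    for base in range(0, len(image) - PAGE + 1, PAGE):
        page = image[base:base + PAGE]
        ncell, start = struct.unpack(">HH", page[3:7])
        if page[0] != 0x0D or not 8 + 2 * ncell <= start <= PAGE:
            continue  # header is not a plausible table-leaf b-tree page
        for (ptr,) in struct.iter_unpack(">H", page[8:8 + 2 * ncell]):
            with contextlib.suppress(IndexError, ValueError, struct.error):
                if ptr >= start:
                    yield (base, *decode_cell(page, ptr))

def constructed_image():  # constructed sample: junk pages + a SQLite file with page 1 removed
    with tempfile.TemporaryDirectory() as d, contextlib.closing(sqlite3.connect(f"{d}/s.db")) as con:
        con.executescript(f"PRAGMA page_size={PAGE}; CREATE TABLE msg(id INTEGER PRIMARY KEY, "
                          "peer, body); INSERT INTO msg VALUES (1,'alice','hello'),(2,'bob','meet at 9');")
        junk = b"\xff" * PAGE + b"\x0d" + b"\xff" * (PAGE - 1)  # second page only looks like a leaf
        return junk + pathlib.Path(d, "s.db").read_bytes()[PAGE:]
```

The `id` column decodes as `None` because SQLite stores an `INTEGER PRIMARY KEY` value only as the cell's rowid, not in the record body.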