| As a product of science and technology, mobile phone has become a necessity ofour lives, and it indeed facilitates our lives and improved our efficiency of works.Become of the enormous profit, there are exists hundreds kinds of shanzhai mobilephones in the market. The emergences of shanzhai mobile phone really make a greatimpact on the mobile phone industry and society. Low price and convenient saleschannels lead to more and more criminals prefer to use this kind of mobile phone forcrime (eg. Steal other people‘s privacy, Fraud). With the improvement of laws, manyreal-life legal issues have been gradually introduced to digital world, thus promoting thedeveloping the digital forensic. However, the emergence of shanzhai mobile phoneproduced a new challenge to digital forensic due to the absence of system manuals andknowledge of the memory layout. This paper mainly analyze the MTK based shanzhaimobile phone, because most of shanzhai mobile phone adopt the turn-key solutionprovided by MediaTek(MTK).This paper firstly analyzes the basic characters of two kinds of Flash (NOR Flashand NAND Flash). Understanding the basic characters of Flash helps to understand thebasic structure and principles of shanzhai mobile phone. Besides, it also can explainsome phenomenon in experiments. then three methods are introduced to acquire imagedata together with the method of how to separate user area data. Since the image datacontain user area data and system area data, however, these two logically separated dataare mixed in physical layer and evidence does not stays in user area, separate theuser area data can reduce the complexity and improve the efficiency.Then two most popular shanzhai mobile phone are analyzed to extract evidenceand the two shanzhai mobile phone are individually adopted NAND Flash and NORFlash as storage medium. The evidence extracted contain basic information (phonebook,call log, sms, mms) and advanced information (website, Internet search record,web based email). We take the method of reverse engineering to resolve these evidenceand Hamilton path is applied to analyze the timeline of phonebook and email.Experimental results show that the acquisition, analysis and recovery methods designedin this paper could be helpful to investigator to understand the working mechanism ofshanzhai mobile phone and analyze the problem encounter during forensic work, morevaluable evidence could be contracted and may affect the final result of a trial. Theresearch methods, technical routes, as well as the analysis method presented in thispaper is also applicable to other solutions based shanzhai phone digital forensics analysis.In conclusion, MTK based shanzhai mobile phone is studied in this paper. Throughinvestigating the characteristics of Flash and mobile phone’s internal memorymanagement mechanism explore the method of extract and reconstruct evidence. Inaddition the technique presented in this paper has been verified by two most popularshanzhai mobile phones that adopt NOR Flash and Nand Flash as storage mediumrespectively, the experiments shows that the research can effectively solve the problemof shanzhai mobile phone forensic. |
PDF Full Text Request