The Research On Technologies Of User Behavior Reconstructing And Analyzing Based On Android

With the widespread popularization of Android smartphones, Android smartphones become one of the most important sources of new evidence on user behaviorwhile they are affecting people’s life. How to effectively reconstruct user behaviorfrom the data stored in the Andriod smartphone is a hot and difficult problem in thefield of digital forensics. Based on the characteristics of NAND flash memory,YAFFS2file system and SQLite databases, this article studied the reconstructtechnologies of user behavior in Android smartphone.Firstly, this paper proposed a user behavior reconstruction method based onYAFFS2filesystem. Based on file storage and updated features of YAFFS2inAndroid smartphone, SQLite records associated with the user behavior can berecoverde by using YAFFS2file system’s meta-data which is stored in each page’sfree area in the NAND flash memory; then, the reconstruction of user behavior can beachieved by using the SQL event-user behavior recognition technology.Experimental results based on real phones and DFRWS public data sets show that,this method can effectively achieve reconstruct Andriod user behavior from theYAFFS2file system.Secondly, this paper proposed a user behavior reconstruction method based onSQLite database. Different Android smartphones vendors may use different versions’file system, so behavior reconstruction method based on file system has a limitation.The method based on SQLite database, which does’t relies on file system’s meta-data,recovers SQLite records by using SQLite’s storage characteristics. Then, thereconstruction of user behavior can be achieved by using the SQL event-userbehavior recognition technology. The experimental results in real mobile phone showthat the proposed method can effectively achieve reconstruct Andriod user behaviorfrom different file system versions of Andriod phone.Finally, we implemented a smartphone forensic system–ATCL. Based on twoproposed method described above, ATCL can reconstruct the Android user behavior,bring a concise and friendly visual interface and a user behavior analysis platform.This system can help related persons complete their forensic works more effectivelyand smoothly. In this paper, the reconstruction user behavior methods have been studied basedon YAFFS2and SQLite. Besides we implemented an ATCL forensics system. Theresearch provides a new avenue for Android smartphone data recovery and forensicwork.