
Research On Application Data Forensics Of Intelligent Mobile Terminal

Posted on: 2016-03-23
Degree: Master
Type: Thesis
Country: China
Candidate: F Chen
Full Text: PDF
GTID: 2308330503477505
Subject: Information and Communication Engineering
Abstract/Summary:
With the rise of the mobile Internet and the wide use of intelligent mobile terminals, more criminals are using these devices to commit fraud, steal private personal information and carry out malicious attacks. Obtaining clues efficiently from intelligent mobile terminal applications by forensic methods has therefore become critical to preventing such crimes. In this paper, we mainly study application data forensics for intelligent mobile terminals, focusing on the recovery of deleted data from SQLite databases. Based on the results of that research, an automatic forensic system is designed for the application data of Android and iOS. The main work of the thesis is as follows:

(1) The way intelligent mobile terminal applications store data in SQLite databases is studied. The research focuses on how SQLite handles deleted data, including the structure of deleted data, the way deleted data is stored and various complex scenarios. The recovery methods for deleted data in SQLite databases are also studied, and on this basis a method named STME (Similary Type Matching Estimation) is proposed.

(2) Existing application data recovery methods work well in simple scenarios but are not ideal for deleted areas that contain many discontinuous records. The STME recovery method is used to solve this problem. Free blocks and free pages are the two main kinds of deleted area in a SQLite database. The method extracts data directly from a free block. For a free page, a brute-force estimation method is first used to recover data from the page, and the STME recovery method then associates the recovered data with the corresponding table. Test results show that the STME recovery method raises the recovery rate to more than eighty percent, which is better than the existing methods.

(3) Present forensic systems suffer from two problems: lack of good organization of the evidence and an insufficient degree of automation. Based on research into the user data stored by applications, this paper divides the organization of application data into two types: IM type and Non-IM type. In addition, automatic forensics is implemented by matching the characteristics of the user data files.

(4) An automatic forensic system for intelligent mobile terminal application data is designed and implemented. The system mainly targets application data stored on Android and iOS, and different application types use different forensic data structures. The system parses SQLite databases, XML and Plist files automatically and displays the forensic results visually. So far, the forensic system supports more than thirty kinds of applications, including browser, instant messaging, cloud client and mobile payment applications.
Keywords/Search Tags:Intelligent mobile terminal, Mobile forensics, Data recovery, SQLite database
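The two deleted areas named in item (2), free blocks and free pages, can be located directly from the SQLite file format. The following is an added example, not code from the thesis, and it does not implement STME; the function names, the sample tables and the marker strings are assumptions, and it assumes `secure_delete` is off and the database uses the default rollback journal.

```python
import pathlib, sqlite3, struct, tempfile

def build_sample_db(path):
    """Constructed sample (hypothetical tables): a deleted row and a dropped table."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")  # assumption: deleted bytes are not zeroed
    con.executescript("CREATE TABLE msg(id INTEGER PRIMARY KEY, body TEXT);"
                      "CREATE TABLE log(id INTEGER PRIMARY KEY, body TEXT);")
    con.executemany("INSERT INTO msg(body) VALUES (?)",
                    [("kept-row-1",), ("DELETED-ROW-MARKER",), ("kept-row-3",)])
    con.executemany("INSERT INTO log(body) VALUES (?)", [("DROPPED-TABLE-MARKER" * 10,)] * 200)
    con.commit()  # rows must reach the file before they are deleted
    root = con.execute("SELECT rootpage FROM sqlite_master WHERE name='msg'").fetchone()[0]
    con.executescript("DELETE FROM msg WHERE id = 2; DROP TABLE log;")  # each autocommits
    con.close()
    return root

def page_size(db):
    return db[16] << 8 | db[17] << 16  # u16 at file offset 16; stored value 1 means 65536

def free_blocks(db, page_no):
    """Leftover bytes of each free block on one b-tree page."""
    base = (page_no - 1) * page_size(db)
    hdr = base + (100 if page_no == 1 else 0)  # page 1 begins with the file header
    off, = struct.unpack(">H", db[hdr + 1:hdr + 3])  # page header: first free block
    found = []
    while off:
        nxt, size = struct.unpack(">HH", db[base + off:base + off + 4])
        found.append(db[base + off + 4:base + off + size])  # first 4 bytes were overwritten
        off = nxt if nxt > off else 0  # chain ascends; anything else ends the walk
    return found

def free_pages(db):
    """Map of page number to raw bytes for every freelist trunk and leaf page."""
    ps, pages = page_size(db), {}
    trunk, = struct.unpack(">I", db[32:36])  # file offset 32: first freelist trunk page
    while trunk and trunk not in pages:
        base = (trunk - 1) * ps
        nxt, count = struct.unpack(">II", db[base:base + 8])
        for p in (trunk, *struct.unpack(f">{count}I", db[base + 8:base + 8 + 4 * count])):
            pages[p] = db[(p - 1) * ps:p * ps]
        trunk = nxt
    return pages

def demo():
    with tempfile.TemporaryDirectory() as d:
        root = build_sample_db(pathlib.Path(d, "sample.db"))
        db = pathlib.Path(d, "sample.db").read_bytes()
    return free_blocks(db, root), free_pages(db)
```

A free block stays on the page of the table it belonged to, so its owner is known, while a free page carries no table reference, which is the association problem the abstract assigns to STME.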