
Forensic Research And Analyses Of Android Applications

Posted on: 2017-06-11    Degree: Master    Type: Thesis
Country: China    Candidate: Z Du    Full Text: PDF
GTID: 2348330491964335    Subject: Electronic and communication engineering
Abstract/Summary:
With the popularity of Android phones, the data held by Android applications has increasingly become important evidence in criminal, economic, political and high-tech crime cases. Existing research on Android application data forensics focuses mainly on the analysis of the device's internal storage (referred to in this thesis as internal memory). But as the data protection of applications on Android keeps improving and the system now provides full data encryption at the storage layer, traditional digital forensic methods can no longer obtain usable evidence. Building on an analysis of existing techniques for Android application internal-memory forensics, this thesis further studies methods for Android RAM forensics. An Android Application Data Forensic System is then designed and implemented that can perform both internal-memory forensic analysis and RAM forensic analysis of Android applications. The main work of this thesis is as follows:

1. Based on a survey of existing digital forensic techniques, an analysis method and process for Android application data forensics is proposed in accordance with international and domestic digital forensics standards. Mobile digital forensics is divided into internal-memory forensics and volatile-memory forensics according to how Android application data is stored. According to the storage locations and formats of Android application data, internal-memory forensics is further divided into XML file forensics, SQLite database file forensics and binary file forensics, and a general acquisition method for internal memory is proposed. In parallel, a method for physical-memory forensics is proposed based on the storage and memory-management mechanisms of the Linux kernel.

2. Research on internal-memory forensics of Android applications: application data is mainly stored as XML files, SQLite database files and binary files. First, known key information is entered into the application under examination, and the files that change are observed and compared to determine exactly where, and in what format, the application stores its data. For XML files, the XML tree is traversed and attribute values are checked to acquire and analyse the data; for SQLite database files, SQL queries are issued against the relevant databases; for binary files, the file is traversed and searched for feature values or a fixed structure. In addition, the application is reverse-engineered and code is injected into its smali files to acquire and analyse binary file data.

3. Research on physical-memory forensics of Android applications: the structure of the Linux kernel and its memory-mapping mechanism are analysed. Taking advantage of the kernel's runtime extensibility, a loadable kernel module (LKM) driver is loaded into the kernel to acquire memory data directly in real time. The iomem_resource structure is analysed to obtain the physical address ranges actually registered as System RAM; the page frame number is then derived from the address offset, high-memory mapping is used to obtain the linear address in virtual memory, and the data belonging to the target application process is read from the corresponding address. Finally, a user-mode program communicates with the driver over a TCP connection to retrieve the application's physical memory, and feature values in the extracted memory are analysed to complete the RAM forensics.

4. A method for analysing the physical memory extracted from an Android application based on a Hidden Markov Model (HMM) is proposed: because the structure of the extracted physical memory is unknown and variable, it is difficult to acquire useful information from it. This thesis proposes parsing the memory data with a probabilistic finite state machine based on an HMM. The physical memory of the application is extracted several times and pre-processed, an HMM structure for normal information is built from it, and the Viterbi algorithm is used to extract the matching information sequence of maximum probability, thereby automating the extraction of useful data from physical memory.

5. An Android application digital forensic system is designed and implemented in accordance with international and domestic digital forensics standards. It consists of an Android application data acquisition module, a data identification and analysis module and an evidence result generation module: the data acquisition module extracts the target data; the data identification and analysis module parses the acquired application data according to the various types of forensic target to obtain the final target evidence; and the evidence result generation module produces and displays the forensic result. Three of the most common Android applications, Ctrip Travel (location class), Sina Weibo (microblog social class) and QQ (instant messaging class), were chosen for functional testing of the system. The test results show that the system performs effective forensics on both the internal-memory and the physical-memory data of Android applications, has strong practical value, and supports forensics for many kinds of application, including instant messaging, geolocation, microblog social networking, browser, e-mail, cloud client and electronic payment applications.
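The internal-memory acquisition described in item 2, as an added Python example that is not the thesis author's code: it walks a constructed application data directory, types SharedPreferences entries from the XML tree, issues a read-only parameterised query against a constructed SQLite message table, and carves a binary cache by feature value while validating each header's length field before trusting it. The directory layout, file names, table schema and the "RC" record format are assumptions made for illustration.

```python
"""Acquire Android application data from the three on-device storage
formats named in the thesis: SharedPreferences XML, SQLite and binary
files. All sample files are constructed here; this is an added example,
not the thesis author's code."""
import sqlite3
import struct
import tempfile
import xml.etree.ElementTree as ET
from contextlib import closing
from pathlib import Path

# Constructed SharedPreferences file in the layout Android writes under
# /data/data/<package>/shared_prefs/.
SHARED_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="account">alice@example.com</string>
    <boolean name="remember_login" value="true" />
    <int name="login_count" value="17" />
    <long name="last_login_ms" value="1496131200000" />
    <string name="session_token">deadbeef</string>
</map>
"""


def parse_shared_prefs(xml_text: str) -> dict:
    """Traverse the <map> tree and type each entry from its tag. Strings keep
    the value as element text; the scalar tags keep it in the 'value'
    attribute, which is why a flat key/value grep misses them."""
    out = {}
    for node in ET.fromstring(xml_text.encode("utf-8")):
        name = node.get("name")
        if node.tag == "string":
            out[name] = node.text or ""
        elif node.tag == "boolean":
            out[name] = node.get("value") == "true"
        elif node.tag in ("int", "long"):
            out[name] = int(node.get("value"))
        elif node.tag == "float":
            out[name] = float(node.get("value"))
        elif node.tag == "set":  # string sets nest <string> children
            out[name] = {child.text or "" for child in node}
    return out


def build_sample_db(path: Path) -> None:
    """Create a constructed message table in the shape an IM app might use."""
    with closing(sqlite3.connect(path)) as con, con:
        con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY,"
                    " sender TEXT, body TEXT, ts INTEGER)")
        con.executemany("INSERT INTO message (sender, body, ts) VALUES (?, ?, ?)",
                        [("bob", "meet at 9", 1496131200),
                         ("alice", "ok, bring the drive", 1496131260),
                         ("bob", "done", 1496134800)])


def query_messages(db_path: Path, sender: str) -> list:
    """Acquire rows over a read-only URI connection so the evidence file is
    never modified, with a parameterised query and a stable timeline order."""
    uri = db_path.resolve().as_uri() + "?mode=ro"
    with closing(sqlite3.connect(uri, uri=True)) as con:
        return con.execute("SELECT sender, body, ts FROM message"
                           " WHERE sender = ? ORDER BY ts", (sender,)).fetchall()


def make_record(rtype: int, payload: bytes) -> bytes:
    """Constructed record format: magic 'RC', u8 type, u16 LE length, payload."""
    return b"RC" + struct.pack("<BH", rtype, len(payload)) + payload


# Constructed binary cache: valid records, padding, and one truncated header.
BINARY_CACHE = (b"\x00" * 7 + make_record(1, b"uid=10001") + b"\xff\xfe"
                + make_record(2, b"lat=31.2304,lon=121.4737")
                + b"RC\x03\xff\xff" + b"junk")


def carve_records(blob: bytes, magic: bytes = b"RC") -> list:
    """Search for the feature value, then validate the fixed header before
    trusting its length: a header whose payload would run past the end of
    the file is skipped instead of raising or returning garbage."""
    records, pos = [], blob.find(magic)
    while pos != -1:
        hdr_end = pos + len(magic) + 3
        if hdr_end <= len(blob):
            rtype, length = struct.unpack_from("<BH", blob, pos + len(magic))
            if hdr_end + length <= len(blob):
                records.append((rtype, blob[hdr_end:hdr_end + length]))
                pos = blob.find(magic, hdr_end + length)
                continue
        pos = blob.find(magic, pos + 1)
    return records


def acquire_app_data(app_dir: Path) -> dict:
    """Walk one application's data directory as the acquisition module would."""
    return {
        "prefs": parse_shared_prefs((app_dir / "shared_prefs" / "settings.xml").read_text()),
        "messages": query_messages(app_dir / "databases" / "msg.db", "bob"),
        "records": carve_records((app_dir / "cache" / "loc.bin").read_bytes()),
    }


def demo() -> dict:
    """Build the constructed app directory in a temp dir and acquire from it."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "com.example.app"
        for sub in ("shared_prefs", "databases", "cache"):
            (app / sub).mkdir(parents=True)
        (app / "shared_prefs" / "settings.xml").write_text(SHARED_PREFS_XML)
        build_sample_db(app / "databases" / "msg.db")
        (app / "cache" / "loc.bin").write_bytes(BINARY_CACHE)
        return acquire_app_data(app)


if __name__ == "__main__":
    print(demo())
```

On a real device the same functions would be pointed at a copy of /data/data/<package>/ taken from a rooted device or a backup; the read-only SQLite URI and the length check in the carver are the two details that keep the acquisition from altering or misreading the evidence.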
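Items 3 and 4 in one added Python example that is not part of the thesis: a parser for a constructed /proc/iomem listing that yields the System RAM page-frame ranges a kernel module would walk, followed by a two-state HMM decoded with the Viterbi algorithm that labels every byte of a constructed memory dump as noise or text so that evidence runs can be carved automatically. The emission and transition probabilities are hand-set assumptions standing in for parameters the thesis learns from pre-processed dumps; the kernel-side high-memory mapping and the TCP channel are not reproduced.

```python
"""Locate the System RAM ranges a memory-acquisition module walks, then
segment an acquired dump with a two-state HMM decoded by Viterbi. This is
an added example, not the thesis author's code; the iomem listing, the
dump and the model parameters are all constructed or hand-set."""
import math

PAGE_SHIFT = 12  # 4 KiB pages, the common Android/ARM configuration

# Constructed top-level /proc/iomem listing (the in-kernel view is
# iomem_resource; unprivileged reads of /proc/iomem show zeroed addresses).
IOMEM_SAMPLE = """00000000-000fffff : reserved
00100000-2fffffff : System RAM
  00200000-00a3ffff : Kernel code
  00a40000-00bfffff : Kernel data
30000000-30ffffff : pcie-controller
40000000-7fffffff : System RAM
"""


def system_ram_pfns(iomem_text: str) -> list:
    """Return (start_pfn, end_pfn_exclusive) for each top-level System RAM
    bank; child resources are skipped because they lie inside a bank."""
    ranges = []
    for line in iomem_text.splitlines():
        if line.startswith(" "):
            continue
        span, _, name = line.partition(" : ")
        if name.strip() != "System RAM":
            continue
        lo, hi = (int(x, 16) for x in span.split("-"))
        ranges.append((lo >> PAGE_SHIFT, (hi + 1) >> PAGE_SHIFT))
    return ranges


# HMM over byte classes: states NOISE/TEXT, observations printable / NUL /
# other. Parameters are hand-set assumptions; the thesis builds its model
# from repeatedly pre-processed dumps instead.
NOISE, TEXT = 0, 1
PRINTABLE = frozenset(range(0x20, 0x7F))
EMIT = [[0.30, 0.12, 0.58],   # P(class | NOISE)
        [0.85, 0.11, 0.04]]   # P(class | TEXT): tolerates UTF-16 NUL padding
TRANS = [[0.98, 0.02],        # sticky states: a switch costs ln(0.02/0.98),
         [0.02, 0.98]]        # so about 8 printable bytes are needed to enter TEXT
START = [0.90, 0.10]


def byte_class(b: int) -> int:
    return 0 if b in PRINTABLE else 1 if b == 0 else 2


def viterbi(data: bytes) -> list:
    """Most probable state per byte, computed in log space with backpointers."""
    if not data:
        return []
    le = [[math.log(p) for p in row] for row in EMIT]
    lt = [[math.log(p) for p in row] for row in TRANS]
    classes = [byte_class(b) for b in data]
    score = [math.log(START[s]) + le[s][classes[0]] for s in (NOISE, TEXT)]
    back = []
    for c in classes[1:]:
        prev = [max((NOISE, TEXT), key=lambda p, s=s: score[p] + lt[p][s])
                for s in (NOISE, TEXT)]
        score = [score[prev[s]] + lt[prev[s]][s] + le[s][c] for s in (NOISE, TEXT)]
        back.append(prev)
    state = max((NOISE, TEXT), key=lambda s: score[s])
    path = [state]
    for prev in reversed(back):
        state = prev[state]
        path.append(state)
    path.reverse()
    return path


def carve_text_runs(data: bytes, min_printable: int = 8) -> list:
    """Group TEXT-labelled bytes into (offset, bytes) runs and keep those with
    enough printable bytes, so a zero-filled page never becomes evidence."""
    runs, start = [], None
    for i, s in enumerate(viterbi(data) + [NOISE]):
        if s == TEXT and start is None:
            start = i
        elif s != TEXT and start is not None:
            chunk = data[start:i]
            if sum(b in PRINTABLE for b in chunk) >= min_printable:
                runs.append((start, chunk))
            start = None
    return runs


def decode_run(chunk: bytes) -> str:
    """Drop UTF-16LE NUL interleaving and render the rest as ASCII."""
    return bytes(b for b in chunk if b).decode("ascii", errors="replace")


NOISE_BYTES = b"\x8f\xe2\x01\x9a\xff\x10\x7f\xc3"   # no printable, no NUL
# Constructed dump: a 2-byte printable fragment that must not be carved, an
# ASCII credential pair split by a control byte, and a UTF-16LE token.
DUMP = (NOISE_BYTES + b"ab" + NOISE_BYTES
        + b"user=alice\x07password=hunter2" + NOISE_BYTES
        + "token=9f3a2c71".encode("utf-16-le") + NOISE_BYTES * 2)


def carve_dump(data: bytes = DUMP) -> list:
    return [(off, decode_run(chunk)) for off, chunk in carve_text_runs(data)]


if __name__ == "__main__":
    print(system_ram_pfns(IOMEM_SAMPLE))
    print(carve_dump())
```

The point of decoding with Viterbi rather than a plain printable-byte scan is visible in the constructed dump: the control byte inside the credential pair and the NUL padding of the UTF-16LE token are absorbed into one run each because two state switches cost more than a single off-class byte, while the two-byte fragment and long zero pages stay labelled as noise.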
Keywords/Search Tags: Android Application, digital forensic, internal memory forensics, RAM forensic