| With the expansion of smartphone features, smartphones have gradually become a part of people's lives and work. At the same time, smartphones have brought a lot of convenience to criminals, many of whom use them as tools for high-tech crime. As of Q3 2016, Android's share of the mobile phone market was as high as 87.5%, so Android phone forensics has become a hot spot in the field of forensics. Current Android forensics research mainly targets local evidence acquisition, as with Oxygen Forensics, which requires the Android phone to be sent to a specialized forensic institution where professionals obtain the evidence. This incurs human and material costs and, most importantly, consumes time; because some electronic evidence is volatile, the delay can easily lead to the loss of important evidence, contrary to the principle of timeliness. In addition, because the "fragmentation" of Android terminals is serious, no forensic tool meets the requirement of a unified standard for Android data acquisition, especially for some third-party application data. In view of these problems, this paper presents a method for remote data extraction from Android phones. An agent program is installed on the Android device and extracts data whether or not the device is rooted. The paper designs the NormalForensic model to formalize each step of the forensic process and its operations. After each file is extracted, a hash check is performed to ensure that the evidence is consistent before and after transmission. For the transmission itself, a secure network channel is designed that provides data validation, encryption, identity authentication and other functions. To make the electronic evidence more convincing in court, an evidence chain is designed: the file's timestamp and the Android device's unique device identification number (IMEI) are extracted as the eigenvalue for a second hash check, so that when the data changes, the change can be traced back to a time and place. Furthermore, to address the problem that forensic analysis methods cannot be unified, this paper designs an Android mobile data acquisition system that analyzes the specific data files one by one and shows the analysis results more intuitively on a website. For WeChat's encrypted file in particular, the paper uses the PBKDF2 key derivation function (KDF), combining the password and salt to derive the decryption key, and decrypts the database. The extracted electronic data and a generated CSV file can then be used directly as evidence in court, thereby enhancing the efficiency of evidence collection. |
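
The two-stage hash check described in the abstract, sketched as an added example that is not code from the paper. SHA-256, the JSON record layout, the function names and the sample timestamp and IMEI are all assumptions made for illustration.

```python
import hashlib
import json

def file_digest(data: bytes) -> str:
    """First check: digest of the extracted file's bytes (SHA-256 assumed)."""
    return hashlib.sha256(data).hexdigest()

def chain_digest(content_hash: str, mtime: int, imei: str) -> str:
    """Second check: bind the content digest to the file timestamp and IMEI."""
    # Canonical JSON keeps field boundaries unambiguous, so distinct
    # (hash, mtime, imei) triples can never serialize to the same bytes.
    record = json.dumps(
        {"imei": imei, "mtime": mtime, "sha256": content_hash},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(record.encode("utf-8")).hexdigest()

def seal(data: bytes, mtime: int, imei: str) -> dict:
    """Agent side: build the evidence record sent alongside the file."""
    h = file_digest(data)
    return {"sha256": h, "mtime": mtime, "imei": imei,
            "chain": chain_digest(h, mtime, imei)}

def verify(data: bytes, record: dict) -> list:
    """Server side: return the names of failed checks (empty list = intact)."""
    failed = []
    if file_digest(data) != record["sha256"]:
        failed.append("content")
    expected = chain_digest(record["sha256"], record["mtime"], record["imei"])
    if expected != record["chain"]:
        failed.append("metadata")
    return failed

# Constructed sample values, not taken from the paper.
SAMPLE_FILE = b"constructed sample database bytes"
SAMPLE_MTIME = 1475280000          # file modification time, Unix seconds
SAMPLE_IMEI = "000000000000000"    # placeholder IMEI

if __name__ == "__main__":
    rec = seal(SAMPLE_FILE, SAMPLE_MTIME, SAMPLE_IMEI)
    print(verify(SAMPLE_FILE, rec))                        # intact
    print(verify(SAMPLE_FILE + b"x", rec))                 # content altered
    print(verify(SAMPLE_FILE, dict(rec, mtime=SAMPLE_MTIME + 60)))  # metadata altered
```

Unkeyed digests detect a change only if the record itself arrives over the authenticated channel the abstract describes; anyone able to rewrite both the file and its record can recompute both hashes.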