Research And Application Of Data Recovery In Mobile Phone Based On Ext4

As the result of the popularity of smart mobile devices and application,the smart phones have become important sources of digital forensics.Ext4 which loaded by smart phone after Android 2.3 is different from YAFFS.The traditional data recovery and timeline construction algorithms are no longer applicable.The SQLite's cells have multiple layouts because of various types of keys.It has special free space collection mechanism.Those features make it difficult to recovery deleted records.After Android 4.1.1 released,emptying SQLite rollback journal header replaces the journal deletion.The lack of information makes it hard to build timeline.How to deal with the above changes,restore deleted data and build operating timeline has become an urgent problem in digital forensics to be solved.Starting from file structures of Ext4 and SQLite,this thesis analyzes their working mechanisms and designs data recovery and timeline building algorithms.The main contents and innovations of this thesis are as follows:1.An Ext4 recovery algorithm of deleted file based on searching log area conversely is realized.This thesis searches log's meta data conversely,determines the latest effective inode which corresponding the deleted one,rebuilds extent tree and restores deleted files.The algorithm is applicable to the situation of losing original extent tree key data.Experiments based on artificial datasets and SMS database file show that the algorithm is effective and feasible.2.A SQLite record recovery algorithm is designed base on estimating,splitting and reading.Based on SQLite's layout in byte level,this thesis restores deleted records using determining the value of covered columns precisely,analyzing and splitting free blocks dynamically and extracting leaf page's data stored in free page list.The experimental results indicate that the relative recovery rate is 90.403% and 89.321% in the situations of the integer key and no-integer key.The average absolute recovery rate is 45.53%.3.A timeline building algorithm suits for Ext4 and SQLite is designed.In the Ext4 level,using difference method to compare log area conversely,this thesis distinguishes the file type,extracts ns grade timestamp and determines file information.Meanwhile,SQLite journal is grouped by calculating the original checksum in header conversely and records are extracted.After it,two timelines in different levels are combined conversely.Not only recent operations,but also last modified time of some records can be showed.To sum up,this thesis researches the binary layout and free space collection mechanism of Ext4 and SQLite,realizes data recovery algorithms which are suitable for Ext4 and SQLite.Several deleted files and records can be recovered and timeline building algorithms are designed.