| Mobile phone forensics is an effective means for crime fighting in the new period.Android smartphones is an important source of digital forensics due to its widespread usage.The browser is an essential tool for people to browse the web.The related data of the browser application is the main source of evidence for mobile phone forensics.Therefore,it is of great significance to study the forensics technology of mobile browser for the detection of cases and the maintenance of social stability.The parsing and recovery of visit history records are two key technologies for the browser forensics.Different browsers have different ways of storing data,and Chrome is the mainstream browser today.This paper studies the acquisition method of the website address in google chrome incognito mode and the recovery technology of the deleted records in normal browsing mode.The main works are as follows:1)Web address string matching is a key technique for the extraction of the URL information in incognito mode of google chrome.An improved algorithm based on BM string matching is proposed.Compared with the BM algorithm,another matching point is found in the suffix processing stages to meet the right slide of the pattern,to increase the pattern string right steps slippery and speed up the string matching.The experiment is conducted to compare the time performance and efficiency of three string matching algorithms.2)In view of the problem of privacy browsing mode in Chrome browser forensics,an acquisition method of the website address in google chrome incognito mode is proposed.Firstly,the full memory image data are obtained from Android moble phone's volatile dynamic memory using Lime tools.Then,the regular matching technique is used to extract the URL information after data filtering.Finally,on the basis of the muti-threaded processing mechanism,the website addresses in incognito mode are matched with the normal website address using improved algorithm based on BM string matching,so that the website addresses in incognito mode are obtained.The experimental result shows that the proposed method can effectively acquire the website address in google chrome incognito mode from Android volatile memory.3)Aiming at the recovery problem of deleted records in normal browsing mode,a recovery method of the deleted records is presented based on free block byte code and web address structure in leaf page.Firstly,SQLite record deletion mechanism and the data table structure on Chrome are analyzed in this paper,then,data area on the leaves page of the free block are obtained by studing record delete features and free blocks bytecode markers,finally,deleted website addrees are recovered by further researching url storage structure in the leaf pages.The experimental results shows that the recovered website address are complete and accurate,which fully verify the feasibility and validity of the proposed method in real Android mobile phone. |
PDF Full Text Request