
Research On The Method Of Extracting And Analyzing The Memory Of Android Application Process

Posted on: 2019-01-26
Degree: Master
Type: Thesis
Country: China
Candidate: R Y Lv
Full Text: PDF
GTID: 2428330548980146
Subject: Information security
Abstract/Summary:
As a new type of electronic product, smartphones have become part of our lives, and most information exchange now takes place on them. At the same time, the Android operating system holds the main market share among mobile platforms. Forensic analysis of Android phones therefore plays an important role in the remediation of illegal activities involving electronic tools. In particular, memory forensics on Android phones can yield more valuable electronic clues than traditional Android forensics on static files.

However, current Android memory forensics has many shortcomings. The extraction process affects the memory content, and there is no estimation of its consistency. The memory image is logically discrete and requires additional address translation. Moreover, traditional memory analysis is insufficient: it lacks a way to analyze application data, and it cannot analyze the correlations between application data, which is needed to go deeper in memory analysis.

To overcome these shortcomings in extraction and analysis, we study in depth the extraction of Android application process memory and estimate the time consistency of the memory content. We also propose a bottom-up method, targeting heap objects, for analyzing Android application process memory, and implement an analysis system for Android application process memory based on it. The main work of this dissertation is as follows:

1. We introduce the research background of Android forensics and list domestic and foreign models of electronic forensics. After introducing the current state of research in the extraction and analysis sub-phases, we point out the shortcomings of the current ways of acquiring and analyzing Android phone memory. First, current research on extracting Android phone memory lacks an estimation of the time consistency of the memory content, which is affected by the extraction process. Second, the extracted memory contents are logically discrete, which increases the difficulty of recovering process memory. Moreover, the depth and breadth of memory analysis are insufficient.

2. We introduce the related technologies involved in extracting and analyzing the memory of Android applications. These include the relationship between the Linux operating system and Linux processes, the transition model of Linux process states, memory management of Linux application processes, the memory of Linux processes, the level of Android application processes, the layout of Android application process memory, and so on.

3. To address the problem that extracting Android memory affects the content of the memory image, we study an extraction method for Android application processes that takes the process memory as its target. We describe the flow of the extraction method in detail and study how the process memory changes during this flow. The time consistency of the extracted memory is also estimated. The results show that the extraction method based on application process memory does not affect the extracted content, and that the method is more practical and has higher time consistency.

4. To meet the demands on the depth and breadth of Android memory analysis, we study the garbage collection mechanism of the Android virtual machine. We analyze in depth the memory layout of various underlying data structures and the correlations between them. As a result, we propose a bottom-up method, targeting heap objects, for analyzing Android application process memory. During the research, we found three kinds of basic relevance in application data. This related information can help restore a variety of application data and enhance the depth of memory analysis.

5. Finally, we implement a system for analyzing Android application process memory and carry out memory forensics on a variety of application data, covering more than twenty applications in five major categories. The results show that the extraction method aimed at Android application process memory and the bottom-up analysis method targeting heap objects are widely applicable.
Keywords/Search Tags: Memory forensics, Application process's memory, Heap object analysis, Application data recovery