Research On A Screen Recovery Memory Forensics Technique For Android Application

With the rapid development of networks and information technologies,smart phones have now become an inaccessible communication tool and device in people's lives.The role of smart terminals such as mobile phones and tablet computers in people's daily life is becoming more and more important.The widespread adoption of smart phones has also led people into a new er a of mobile Internet.As the most popular smart terminal operating system in the world,the Android operating system occupies slightly higher market share.The number of applications and usage frequency under the Android platform have been consistently hitting new heights.As cyber crimes against Android systems are increasingly rampant,Android systems-especially for those with high security APPs-are urgently needed.The differences between the views and data lifecycles in the Android MVC architecture are used in this thesis to implement Android application screen recovery.The research content is as follows:First of all,the progress and methods of the internal access and analysis of the Android system at home and abroad are studied in this thesis.Co mparing the advantages and disadvantages of various methods,a program that uses the memory analysis as a goal to restore the history screen of the APP as a manifestation is proposed.This program is not limited by the kind of APP and displays the results of the internal access certificate in the form of screen recovery.The purpose is to be able to collect relevant information in the target mobile phone through the internal access verification form.On this basis,an Android APP history screen forensics architecture is designed,including: memory extraction module,symbiotic APP module,memory injection module,view markup module,APP history screen recovery module,and data recovery module.Second,PROC virtual file system and PTRACE function interfaces are used in this thesis for the purpose of screen recovery.We have designed a comprehensive set of solutions for extracting the memory space of a specific Process.The program has the following characteristics: 1.Extracted for the Android application Process rather than the entire memory image;2.Not only extracted the memory image file,but also extracted the memory mapped file for later memory analysis;3.Memory space extraction is relatively complete,In the memory space,whether it is a Stack segment,a Heap segment,a data segment,or a code segment,the program extracts it as much as possible.Experiments show that the memory extraction method proposed in this thesis is more effective in terms of universality and compatibility.Finally,the thesis designs and implements the detailed design of the history screen recovery mechanism in APP.Compared with the mainstream internal memory access technology,the system completed by the project has the following characteristics: 1.The screen recovery as a form of expression,compared to the traditional internal memory card system is more intuitive,it can also show some hidden data in memory;2.Different kinds of applications including current popular instant messaging software can be used by this system.The experimental results show that the screen restoration can be successfully implemented by this project for the factory application of Android mobile phones with various systems and the current popular instant messaging software.