| The prerequisite for We Chat data forensics is to decrypt We Chat data files and restore deleted We Chat data.Since a We Chat user may also use We Chat on different platforms such as mobile phones,tablets and computers.Therefore,it is necessary to integrate data under different platforms in the process of data forensics.From the perspective of commonly used operating systems for mobile phones,tablets,and microcomputers,research on multi-platform We Chat data recovery and analysis technology.The following are the main work and contributions:1.In view of the shortcomings that the existing decryption method is only applicable to the We Chat En Micro Msg.db of the Android platform and the database file of the Windows platform.Based on the dynamic and static reverse analysis of the SQLite database encryption mechanism,a multi-platform migratable decryption method based on the CBC mode of the AES algorithm is designed.Experimental tests show that the proposed decryption method can successfully decrypt the Android platform We Chat En Micro Msg.db,FTS5 Index Micro Msg?encrypt.db,En Micro Msg.-db-journal,FTS5 Index Micro Msg?encrypt.db-wal,and Windows platform We Chat database files.2.In view of the generally low recovery rate of the existing Android We Chat data recovery technology and the existing We Chat data recovery on the Windows platform,the research only focuses on the issue of the recovery of withdrawn messages that does not involve the recovery of deleted data.Data recovery based on dual analysis of database files and log files is proposed method.The experimental results show that the proposed recovery method expands the range of We Chat data recovery and improves the recovery rate of We Chat data compared with the existing technology.The average recovery rate of We Chat data in the Android platform test reached 58.3%,and the average recovery rate of We Chat data in the Windows platform test was 11.2%.3.In view of the possible crossover and redundancy in the We Chat data of the same user on the Android platform and Windows platform,after completing the recovery of the We Chat data on the two platforms,a multi-platform We Chat data integration processing method based on the KMP algorithm is proposed.It can realize the integration processing of We Chat record data merging,grouping,and de-redundancy of the same user under multiple platforms.The final application effect shows that while ensuring the integrity and availability of evidence in the electronic forensics process,it effectively reduces the amount of repetitive work and improves the efficiency of forensics.The above methods have been applied to an actual forensics system,providing powerful technical support for clue investigation and evidence fixation in many real cases. |
PDF Full Text Request