Research On Forensic Analysis Technology For Android Devices

Posted on: 2022-07-21
Degree: Master
Type: Thesis
Country: China
Candidate: W H Chen
GTID: 2518306752997579
Subject: Software engineering

Abstract/Summary:
With the widespread use of mobile smart terminals, forensic analysis of Android devices has become an important part of digital forensics. However, because Android devices are so diverse, there is no universal forensic method for them. Logical acquisition of non-volatile memory requires root permission, which greatly restricts the scenarios in which it can be applied. Physical forensics methods are therefore becoming the focus of forensic research on Android devices. Among current physical forensics methods, techniques such as JTAG and chip acquisition also have limitations: they are complex to perform and can easily damage the device. In response to these problems, this work studies fast physical forensics methods for non-volatile memory that suit different application scenarios, together with data analysis of the acquired non-volatile memory image files. The main work and contributions are as follows:

(1) The access mechanism of the non-volatile memory of Android devices is studied, along with the principles, methods and related protocols of digital forensics. For Android devices using Qualcomm processors, the underlying implementation of EDL mode, its instruction set format, and the Sahara and Firehose communication protocols are studied. For Android devices with non-Qualcomm processors, the principle, protocol format and instruction set of the firmware update protocol are studied. This lays a foundation for further research on physical acquisition of memory image files.

(2) Two physical acquisition methods are proposed: one for memory image files based on Qualcomm EDL mode, and one for non-volatile memory image files based on the firmware update protocol. For Android devices using Qualcomm processors, the memory image files are obtained by issuing the corresponding instructions over EDL mode and the Firehose communication protocol. For Android devices with non-Qualcomm processors, the non-volatile memory image file is obtained by issuing the corresponding instruction over the firmware update protocol.

(3) A method for analyzing the memory image files of Android devices is proposed. To address problems such as the difficulty of parsing physically acquired memory image files, the method performs partition analysis, file system restoration and deleted data recovery on the non-volatile memory image files of Android devices. The basic idea is to restore the memory image file based on the partition table and the file system structure, and to restore some deleted data according to the file system's log area.

(4) A forensic analysis system for Android devices is designed and implemented. The system provides data acquisition and data analysis functions for Android devices. Data acquisition uses the physical acquisition methods for non-volatile memory image files based on the firmware update protocol and on Qualcomm EDL mode. Data analysis operates on the non-volatile memory image files of Android devices and implements partition analysis, file system restoration and recovery of deleted data. Tests show that the system achieves a high data acquisition success rate and high data analysis accuracy.
Keywords/Search Tags:Memory image files, Firmware Updates, EDL mode, File system restore, Data recovery