摘要： 随着移动通信技术的发展和应用的推广,手机犯罪成为新的犯罪趋势,手机取证是打击该类犯罪的一个有效手段。直接调用API 方法不能恢复Android 手机数据,现有方法存在无法恢复删除数据部分被覆盖的问题。为此,通过分析Android 系统SQLite 数据库的文件结构和数据记录的寻址方式,提出一种Android 系统删除数据恢复方法,即探测估算预提取数据所在表的每个Type 字段,提取恢复删除数据,结合尽最大努力恢复方法,针对删除数据部分被覆盖的情况,讨论其恢复的可能性并进行获取。在Android 手机模拟器上进行验证,结果表明,该方法能成功恢复删除数据,与传统方法相比,在不影响信息提取精确度的前提下,提高了删除数据的恢复率。

关键词: 手机取证, Android 系统, SQLite 数据库, 数据删除, 逻辑提取, 物理提取

Abstract: With the development and the wide application of mobile communication technology,mobile phone crimes become a new trend,and mobile phone forensics is an effective means to crack down on mobile phone crimes. In view of the problems that the traditional method calling API directly cannot restore the data of Android mobile phone and existing methods cannot restore the deleted data that section covered,through deep analysis of Android SQLite database file structure and the addressing mode of data record,the method that detects and estimates each Type field in the table is proposed. This method uses extraction recovery to process deleted data,combines “restore method with best effort” to discuss the recovery possibility of the deleted data that part covered,and obtains the deleted data. This method is carried out on the Android emulator. Experimental result shows that this method can restore deleted data successfully,and compared with traditional algorithm,it improves the recovery rate of deleted data with no affection of the information extraction accuracy.

Key words: mobile phone forensics, Android system, SQLite database, data deletion, logical extraction, physical extraction

中图分类号: 

• TP309