Design and Implementation of Android Live SD Data Recovery System

 

陳聖文

Graduate Institute of Information and Computer Education, National Kaohsiung Normal University

No. 116, Heping 1st Rd.

Lingya District, Kaohsiung City 802

c.s.w.wendy@gmail.com

 

楊中皇

Graduate Institute of Information and Computer Education, National Kaohsiung Normal University

No. 116, Heping 1st Rd.

Lingya District, Kaohsiung City 802

chyang@nknucc.nknu.edu.tw

 

陳世仁

Cybersecurity Technology Institute, Institute for Information Industry

Heping E. Rd. Sec. 2, 10611

Da'an District, Taipei City

sjchen@iii.org.tw

 

Abstract (translated from the Chinese original)

Mobile forensics is the use of legally compliant methods to collect, preserve and analyze data from a mobile phone and to recover locked, hidden or deleted call records, SMS messages, contacts, e-mail, photos, audio files and similar items, so that they can serve as evidence for legal proof or rebuttal. According to the mobile forensics guidelines of the U.S. National Institute of Standards and Technology (NIST), the mobile forensic process is divided into four phases: preservation, acquisition, examination and analysis, and reporting [12]. Data acquisition is a critical step in this process: under reasonable forensic conditions, acceptable methods are used to obtain the electronic evidence held inside the phone [12]. Mobile data acquisition methods fall into two categories, physical acquisition and logical acquisition [11]. Most current mobile forensics software uses logical acquisition. The data obtained this way can be interpreted directly, but all such tools face the same problems: deleted data cannot be recovered, and the acquisition agent must be installed inside the phone, where it performs the acquisition by calling the platform's built-in functions. This kind of acquisition raises the question of whether it violates the forensic-science principle of preserving the scene.

This study proposes the concept of a Live SD, the counterpart of the Live CD/DVD/USB in computer forensics, and uses the Android Recovery mechanism to perform physical evidence acquisition and data recovery on Android smartphones. This acquisition method differs from the one used by most current mobile forensics software, and makes it possible to analyze and recover deleted data.

 

Keywords: Android, Recovery, Live SD, mobile forensics, acquisition methods.

Abstract

Mobile forensics is defined as the legally sound collection, storage, analysis and recovery of call records, SMS messages, contact lists, e-mails, photos and audio files that are locked, hidden or deleted on mobile phones. Through mobile forensics, such data can become evidence for legal proof or rebuttal. According to the National Institute of Standards and Technology (NIST), the mobile forensic process consists of four phases: Preservation, Acquisition, Examination & Analysis, and Reporting. Data acquisition is the key phase, in which the electronic evidence held inside a mobile device is acquired under reasonable forensic conditions. There are two main mobile data acquisition methods, physical acquisition and logical acquisition. Presently, most mobile forensics tools implement logical acquisition. With that method, however, the forensics tool must first be installed on the mobile device before acquisition can be performed, which raises the concern that it violates the principle of scene preservation.

Our research proposes the concept of a Live SD for mobile phones, analogous to the Live CD/DVD/USB in computer forensics. The Android Recovery mechanism is then used to realize physical acquisition and data recovery on Android smartphones. This method differs from those embedded in most present mobile forensic software and improves the ability to recover deleted data.
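Both abstracts rest on one observation: an on-device agent that acquires data by calling platform functions (logical acquisition) only sees what the database engine reports, while a raw image of the storage (physical acquisition) still contains the cells of deleted records. The following script is an added illustration of that gap and is not code from the paper; it does not implement the Live SD or the recovery-mode image, it only shows at the file level why the physical route can recover what the logical route cannot. Android stores SMS, call logs and contacts in SQLite databases; the `sms` table schema, the message texts and the file name `sms.db` here are constructed for the example, not Android's own.

```python
"""Constructed demonstration of why logical acquisition misses deleted records
while a physical (raw) image still holds them.

A constructed SMS table (the schema is an assumption, not Android's) is created,
one message is deleted the way an app would delete it, and then two views are
compared:
  * logical acquisition: querying the live database through its API, which
    is all an on-device agent calling platform functions can do;
  * physical acquisition: reading the raw bytes of the file, as a partition
    image taken from recovery would contain them.
"""
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

# Constructed sample messages; the last one is deleted before acquisition.
SAMPLE_SMS = [
    ("+886912000001", "meet at the station at nine"),
    ("+886912000002", "invoice 4471 has been paid"),
    ("+886912000003", "delete this thread after reading"),
]
DELETED_ROWID = 3


def build_constructed_sms_db(path):
    """Create the constructed SMS store and delete one row (DELETE, no VACUUM)."""
    con = sqlite3.connect(path)
    # secure_delete OFF is the common default; pinned here so the demo is
    # deterministic on builds that enable it (which would zero freed cells).
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("PRAGMA journal_mode = DELETE")
    con.execute(
        "CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT)"
    )
    con.executemany("INSERT INTO sms (address, body) VALUES (?, ?)", SAMPLE_SMS)
    con.commit()
    con.execute("DELETE FROM sms WHERE _id = ?", (DELETED_ROWID,))
    con.commit()
    con.close()


def logical_acquisition(path):
    """Live rows only: what the database engine is willing to report."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT address, body FROM sms ORDER BY _id").fetchall()
    con.close()
    return rows


def physical_acquisition(path):
    """Raw bytes of the file, deleted cells included."""
    with open(path, "rb") as f:
        return f.read()


def is_sqlite_image(image):
    """Sanity check before carving: confirm the blob is an SQLite 3 file."""
    return image[:16] == SQLITE_MAGIC


def carve_text(image, needle):
    """Offsets of every occurrence of a UTF-8 string in the raw image,
    allocated or not. SQLite overwrites only the first bytes of a freed cell
    with its freeblock header, so the message text itself survives."""
    pattern = needle.encode("utf-8")
    offsets, start = [], 0
    while True:
        idx = image.find(pattern, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def run_demo():
    """Build the constructed store, run both acquisitions, report what each saw."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "sms.db")  # constructed name, not Android's
        build_constructed_sms_db(db)
        live_bodies = [body for _, body in logical_acquisition(db)]
        image = physical_acquisition(db)
    deleted_body = SAMPLE_SMS[DELETED_ROWID - 1][1]
    return {
        "is_sqlite": is_sqlite_image(image),
        "logical_rows": len(live_bodies),
        "logical_sees_deleted": deleted_body in live_bodies,
        "physical_offsets": carve_text(image, deleted_body),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run as a script, it reports two live rows from the logical view, `logical_sees_deleted: False`, and at least one offset in the raw image where the deleted message text still sits. The caveat a practitioner should carry over to real devices is the pragma pinned in the example: if the database was written with `secure_delete` enabled, or the app has since run `VACUUM`, the freed cells are zeroed or repacked and carving the image finds nothing, so a physical image raises the chance of recovery but does not guarantee it.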

 

Keywords: Android, Recovery, Live SD, Mobile Forensics, Acquisition