Volatile Memory Acquisition from Android Phones Based on the LiME Tool  

Volatile Memory Acquisition from Android Devices with LiME Forensics


Authors: 刘亚[1], 康艳荣[2], 赵露[2], 于文浩[3], 张国臣[2]

Affiliations: [1] People's Public Security University of China, Beijing 100038; [2] Institute of Forensic Science, Ministry of Public Security, Beijing 100038; [3] China University of Political Science and Law, Beijing 100088

Source: Forensic Science and Technology (刑事技术), 2015, No. 6, pp. 431-434 (4 pages)

Funding: Ministry of Public Security Applied Innovation Program (2014YYCXGAES050-JB)

Abstract: Taking the phone kernel source code as its object of study, this paper uses the LiME tool to acquire volatile memory from phones running different Android kernel versions. It analyses the kernel's module verification mechanism in detail, explains how to build a usable memory acquisition module by modifying the kernel configuration and kernel source, and establishes a method for acquiring volatile memory from phones, offering a new approach to Android phone volatile memory forensics in China. Experiments show that the method successfully acquires volatile memory from phones of multiple brands and models and can solve the general problem of Android phone volatile memory acquisition.

English abstract: Volatile memory acquisition from cell phones has gained popularity in recent years, because its analysis yields a wealth of information not available in non-volatile storage. Such artifacts as running and terminated processes, application data, network connections, and some user names and passwords, which reside in volatile memory, are important for an investigation. In this paper, we introduce a novel idea for cell phone forensics by analyzing a set of Android phone kernel sources and establishing an acquisition method that can extract volatile memory from phones with different kernel versions. On Linux, kernel modules must be compiled against the relevant version of the kernel headers and configuration so that they can be loaded on the target system. During module installation, the kernel examines two special sections of the module, .modinfo and __versions, and refuses to load a module whose version magic is incompatible. Addressing the different Android kernel versions found on different mobile phones, we analyzed the kernel verification mechanism and explained how to modify the kernel configuration and kernel source code to compile a usable memory extraction module. The results show that this method can successfully extract volatile memory from multiple brands and models of Android mobile phones.

Keywords: digital evidence; Android phone; volatile memory; kernel module

Classification: TP333.1 [Automation and Computer Technology: Computer System Architecture]
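The vermagic check described in the abstract is the usual reason a LiME module built for one phone is refused by another. The following is an added example (not code from the paper) that parses a module's .modinfo section and reports whether the release string or the configuration flags disagree with the target kernel, so the analyst knows whether to adjust the version string or the kernel config before rebuilding. It assumes the .modinfo bytes were dumped with objcopy and that the target kernel's vermagic string is known; the sample values are constructed. The __versions CRC check that applies under CONFIG_MODVERSIONS is not covered.

```python
# Added example, not the paper's code. Assumes .modinfo was dumped to raw
# bytes, e.g.  objcopy -O binary --only-section=.modinfo lime.ko modinfo.bin
# and that the target kernel's vermagic is known (it is the "should be ..."
# string in the kernel's "version magic" refusal message).

def parse_modinfo(data: bytes) -> dict:
    """Parse a .modinfo section: NUL-separated "key=value" records."""
    info = {}
    for rec in data.split(b"\0"):
        if not rec:
            continue
        key, _, value = rec.decode("utf-8", "replace").partition("=")
        info.setdefault(key, []).append(value)  # keys such as alias/parm repeat
    return info


def compare_vermagic(module_magic: str, kernel_magic: str) -> dict:
    """Explain a vermagic mismatch.

    The kernel compares the two strings as a whole, so any difference refuses
    the load; splitting them shows whether the release string or the config
    flags (SMP, preempt, mod_unload, modversions, ARMv7, ...) must be fixed.
    """
    mod, kern = module_magic.split(), kernel_magic.split()
    mod_rel, kern_rel = (mod[0] if mod else ""), (kern[0] if kern else "")
    mod_flags, kern_flags = set(mod[1:]), set(kern[1:])
    return {
        "match": module_magic == kernel_magic,
        "release": (mod_rel, kern_rel),
        "release_ok": mod_rel == kern_rel,
        "missing_flags": sorted(kern_flags - mod_flags),  # kernel has, module lacks
        "extra_flags": sorted(mod_flags - kern_flags),    # module has, kernel lacks
    }


def check_module(modinfo: bytes, kernel_magic: str) -> dict:
    """Combine both steps: parse .modinfo, then compare its vermagic."""
    return compare_vermagic(parse_modinfo(modinfo).get("vermagic", [""])[0], kernel_magic)


# Constructed sample: a module built for a "-perf" kernel without modversions,
# checked against a target kernel built with CONFIG_MODVERSIONS.
MODINFO = (b"vermagic=3.4.0-perf-gXXXXXXX SMP preempt mod_unload ARMv7 \0"
           b"license=GPL\0description=constructed sample\0depends=\0")
TARGET_MAGIC = "3.4.0-gYYYYYYY SMP preempt mod_unload modversions ARMv7 "

if __name__ == "__main__":
    for k, v in check_module(MODINFO, TARGET_MAGIC).items():
        print(f"{k}: {v}")
```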
