Authors: KANG Yanrong [1]; FAN Wei [2]; ZHAO Lu [1]; LIU Ya (Institute of Forensic Science, Ministry of Public Security, Beijing 100038, China; Institute of Forensic Science, Tianjin Public Security Bureau, Tianjin 300384, China; Shenzhen Public Security Bureau, Shenzhen 518001, Guangdong, China)
Affiliations: [1] Institute of Forensic Science, Ministry of Public Security, Beijing 100038; [2] Institute of Forensic Science, Tianjin Public Security Bureau, Tianjin 300384; [3] Shenzhen Public Security Bureau, Shenzhen 518001, Guangdong
Source: Forensic Science and Technology (刑事技术), 2018, No. 2, pp. 92-96 (5 pages)
Funding: "13th Five-Year" National Key Research and Development Program project (No. 2017YFC08033805); Ministry of Public Security Applied Innovation Program project (No. 2014YYCXGAES050)
Abstract (translated from the Chinese): Current research on live memory acquisition from Android phones builds on the LiME tool and performs the acquisition by compiling the phone's source kernel. Because the open-source code for Android phones is incomplete, in practical forensic work it is very difficult to obtain kernel source that matches the target phone. This paper therefore proposes a method for acquiring live memory from an Android phone using a similar kernel, achieved by resolving the "unknown symbol" error. The method analyses the ELF format and the kernel symbol mechanism under Linux, locates the definitions of the unknown-symbol functions in the kernel source and disables their configuration in the kernel, so that the module produced when the kernel is compiled carries no references to those symbols; the similar kernel is then successfully loaded onto the target phone and live memory data is acquired.
Abstract (authors' English version): Live memory can be extracted from an Android phone when the phone's source kernel can be successfully compiled with the LiME tool. However, most source kernels cannot be obtained during actual electronic forensics, because not all of the open-source code for Android phones is offered publicly, and much of it is difficult to find. In this paper, a method is proposed to use a similar kernel to extract live memory from an Android phone by resolving the unknown symbol error. First, an analysis is conducted of the Linux ELF format and the kernel symbol mechanism so as to find the function definitions of the unknown symbols in the relevant source code, and thereby cancel the corresponding configuration. Second, a similar kernel is compiled accordingly so as to exclude those unknown symbol references. Finally, the similar kernel is successfully loaded onto Android phones, allowing live memory to be acquired from most of the tested phones.
Keywords: Android phone forensics; live memory; similar kernel; source kernel