Android智能手机动态内存取证技术综述  被引量：13

作　　者：丁丽萍[1,2] 刘雪花 陈光宣[1,4] 李引 DING Liping;LIU Xuehua;CHEN Guangxuan;LI Yin(Institute of Software, Chinese Academy of Sciences, Beijing 100190, China;Institute of Software Application Technology, Guangzhou & Chinese Academy of Sciences, Guangzhou Guangdong 511458, China;University of Chinese Academy of Sciences, Beijing 100049, China;Zhejiang Police College, Hangzhou Zhejiang 310053, China)

机构地区：[1]中国科学院软件研究所,北京100190 [2]广州中国科学院软件应用技术研究所,广东广州511458 [3]中国科学院大学,北京100049 [4]浙江警察学院,浙江杭州310053

出　　处：《信息网络安全》2019年第2期10-17,共8页Netinfo Security

基　　金：国家自然科学基金[11502275];江西省经济犯罪侦查与防控技术协同创新中心开放基金资助课题[JXJZXTCX-009;JXJZXTCX-007];广东省省级科技计划项目[2017B050506002];广州市科技计划项目[201802020015;201610010092];羊城创新创业领军人才支持计划[2016008];NSFC-浙江两化融合联合基金[U1509219]

摘　　要：不同于静态内存中敏感数据被加密存储,Android动态内存中一些敏感信息以明文的形式存在,如应用程序账户、密码、加密密钥以及一些缓存的应用数据等,这些数据具有极大的取证价值。而且随着智能手机动态内存容量的不断增大,越来越多的应用数据被缓存至动态内存中,针对Android智能手机动态内存的电子数据取证研究具有重要意义。文章分析对比了LiME及其改进方法、FROST、MEMGRAB及其改进方法、硬件提取方法等主要的Android智能手机动态内存提取技术,分析了进程分析、系统信息分析、密钥分析、账号密码和应用缓存数据分析等主流的Android智能手机动态内存分析技术。文章通过分析得出了这些方法存在的问题和不足并提出未来研究方向的建议,以帮助取证人员更好地开展Android智能手机的取证工作。Different from the sensitive data in static memory being encrypted and stored, some sensitive data in Android dynamic memory exists in the form of plaintext, such as application account, password, encryption key and some cached application data, which have great forensics value. In addition, with the increasing capacity of dynamic memory of smart phones, more and more application data are cached in the dynamic memory, the forensics research on the dynamic memory of Android smart phones is of great significance. This article analyzed and compared several Android smartphones dynamic memory extraction technologies, such as LiME, improved LiME, FROST, MEMGRAB, improved MEMGRAB and hardware extraction method, and several Android smartphone dynamic memory analysis technologies, such as process analysis, system information analysis, encryption key analysis, application account and password analysis. It is concluded that these methods have deficiencies in applicability, efficiency or operability. Through analyzing the weakness of these digital forensics technologies, this article gave some improvement advices and future research directions. The work of this article is able to benefit digital forensics practice of Android devices.

关 键 词：ANDROID 智能手机 动态内存 电子数据取证 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]