Authors: 漏燕娣 (LOU Yandi); 郑青庚 (ZHENG Qinggeng); 计超豪 (JI Chaohao); 宋瑞坤 (SONG Ruikun)
Affiliations: [1] Criminal Investigation Brigade of Zhejiang Provincial Public Security Department, Hangzhou 310000, China; [2] Institute of Criminal Science and Technology, Wenzhou Public Security Bureau, Wenzhou 325000, Zhejiang, China; [3] Hangzhou Pinghang Technology Co. Ltd, Hangzhou 310051, China
Source: Forensic Science and Technology (《刑事技术》), 2024, Issue 4, pp. 422-426 (5 pages)
Abstract: In investigating telecommunication network fraud cases, especially click-farming, fake investment and wealth-management, and nude-chat cases, forensic analysis of apps and URLs is the focus of network-side investigation and evidence collection. Because the apps involved need to implement chat, image upload, voice and similar functions, apps built by secondary development on an IM framework have become mainstream, and NetEase Yunxin IM is currently the most common third-party IM framework in click-farming fraud cases. However, as criminals continue to conceal their methods, for example by encrypting the app or applying end-to-end encryption to chat content, direct analysis cannot obtain the IM interface key value, or yields only encrypted, garbled text, so the chat content cannot be viewed. For cases of this kind, this paper introduces the principles of the IM framework, the techniques used to encrypt apps and chat content, and the corresponding decryption methods. In-depth reverse analysis of such apps and analysis of their encryption algorithms can substantially improve the efficiency of lead mining and evidence collection in click-farming fraud cases and provide strong support for solving related cases.