Design and Implementation of an Android Live SD Data Recovery System
陳聖文
Graduate Institute of Information and Computer Education, National Kaohsiung Normal University
No. 116, Heping 1st Road
Lingya District, Kaohsiung City 802
c.s.w.wendy@gmail.com
楊中皇
Graduate Institute of Information and Computer Education, National Kaohsiung Normal University
No. 116, Heping 1st Road
Lingya District, Kaohsiung City 802
chyang@nknucc.nknu.edu.tw
陳世仁
Cybersecurity Technology Institute, Institute for Information Industry
11F, No. 106, Sec. 2, Heping E. Road
Da'an District, Taipei City
sjchen@iii.org.tw
Abstract
Mobile phone forensics is the collection, storage and analysis of data from a mobile phone by legally acceptable means, and the recovery of locked, hidden or deleted call records, SMS messages, contacts, e-mail, photos, audio files and the like, so that they can serve as evidence for proof or rebuttal in court. According to the mobile forensics guidelines of the U.S. National Institute of Standards and Technology (NIST), the mobile forensics process consists of four phases: Preservation, Acquisition, Examination and Analysis, and Reporting [12]. Data acquisition is a critical step in that process: it obtains the electronic evidence inside the phone by accepted methods under sound forensic conditions [12]. Acquisition methods fall into two classes, physical acquisition and logical acquisition [11]. Most current mobile forensics tools use logical acquisition. The data it yields can be interpreted directly, but these tools all share the same problems: deleted data cannot be recovered, and the acquisition agent must be installed on the phone itself and collect data by calling the built-in APIs. Such an approach raises doubts about whether it violates the forensic-science principle of preserving the scene.
This study proposes the concept of a Live SD, the counterpart of the Live CD/DVD/USB used in computer forensics, and uses the Android Recovery mechanism to perform physical acquisition and data recovery on Android smartphones. This acquisition method differs from the one used by most current mobile forensics tools, and the acquired image is then analyzed to recover deleted data.
Keywords: Android, Recovery, Live SD, mobile forensics, acquisition methods.
Mobile forensics is defined as legally collecting, storing, analyzing and recovering call records, SMS messages, contact lists, e-mails, photos and audio that are locked, hidden or deleted on a mobile phone, so that the data can become evidence for legal proof or rebuttal. According to the National Institute of Standards and Technology (NIST), the mobile forensics process consists of four phases: Preservation, Acquisition, Examination and Analysis, and Reporting. Data acquisition is the key phase, in which internal electronic evidence is acquired from the mobile device under reasonable forensic conditions. There are two main acquisition methods, physical acquisition and logical acquisition. Presently, most mobile forensics tools are implemented with logical acquisition. However, with this method the forensics tool must first be installed on the mobile device before acquisition can be performed. This often raises the concern that it violates the concept of scene preservation.
Our research proposes the concept of
Keywords: Android, Recovery, Live SD,
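The abstract's contrast between logical acquisition (querying the phone's own APIs, which return only live records) and physical acquisition (a raw image from which deleted data can still be carved) can be reproduced on a desktop with SQLite, the database format Android uses for SMS and contact stores. The following Python program is an added example written for this page, not code from the paper or from its Live SD system: it builds a constructed SMS-style SQLite database, deletes one message, and then compares the logical view (a SQL query) with a strings-style carve of the raw file bytes. The table and column names, the sample messages and the `mmssms.db` file name are assumptions for illustration; `PRAGMA secure_delete=OFF` is set explicitly and is likewise an assumption about the database being examined.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample records (not from the paper): an SMS-style table with
# three messages, one of which the user "deletes" before acquisition.
SAMPLE_MESSAGES = [
    ("+886912000111", "see you at the lab tomorrow morning"),
    ("+886912000222", "meet me at the old pier at midnight"),
    ("+886912000333", "payment received, thanks a lot"),
]
DELETED_ROWID = 2  # the second message is deleted before acquisition


def build_message_store(db_path):
    """Create the store, insert the sample messages, then delete one row."""
    conn = sqlite3.connect(db_path)
    # Assumption: the database does not zero freed cells. Setting the pragma
    # explicitly makes the demo independent of the SQLite build's compile-time
    # default; with secure_delete=ON the deleted bytes would be overwritten.
    conn.execute("PRAGMA secure_delete=OFF")
    conn.execute("PRAGMA journal_mode=DELETE")
    conn.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    conn.executemany("INSERT INTO sms (address, body) VALUES (?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM sms WHERE id = ?", (DELETED_ROWID,))
    conn.commit()
    conn.close()


def logical_acquisition(db_path):
    """What an API/SQL based tool sees: only rows still linked in the B-tree."""
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT address, body FROM sms ORDER BY id").fetchall()
    finally:
        conn.close()


def physical_acquisition(db_path):
    """Bit-for-bit copy of the file, as a raw partition image would hold it."""
    with open(db_path, "rb") as fh:
        return fh.read()


def carve_printable_runs(raw, min_len=8):
    """strings(1)-style carving: ASCII runs of at least min_len bytes.

    SQLite stores record fields back to back with no separator, so one run
    may span several columns of the same cell (address followed by body).
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(raw)]


def unexplained_runs(db_path):
    """Carved runs that no live row accounts for: deleted-record candidates
    plus benign noise (file header, schema SQL) the examiner filters by hand."""
    live_bodies = [body for _, body in logical_acquisition(db_path)]
    runs = carve_printable_runs(physical_acquisition(db_path))
    return [run for run in runs if not any(body in run for body in live_bodies)]


def run_demo():
    """Build a store in a temporary directory and return both views of it."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "mmssms.db")  # file name is illustrative only
        build_message_store(db_path)
        return {
            "logical": logical_acquisition(db_path),
            "remnants": unexplained_runs(db_path),
        }


if __name__ == "__main__":
    result = run_demo()
    print("logical acquisition:", result["logical"])
    print("unexplained runs in physical image:", result["remnants"])
```

Running it prints two live rows for the logical view, while the unexplained runs from the physical image include a run containing the deleted body (preceded by its sender address, because the freed cell's data bytes survive intact). The same list also contains benign noise such as the `SQLite format 3` file header and the `CREATE TABLE` text from `sqlite_master`, which an examiner filters out; on a database with `secure_delete` enabled, or after a `VACUUM`, the freed cell is overwritten and nothing is carved, which is the caveat that bounds what any physical image can recover.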