CN105005514A - Data forensic method of device based on Android system - Google Patents
- Publication number: CN105005514A
- Application number: CN201510381759.3A
- Authority: CN (China)
- Prior art keywords: recovery, file, data, pattern, android system
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Landscapes: Stored Programmes (AREA)
Abstract
The present invention discloses a data forensics method for devices based on the Android system and belongs to the field of data forensics. The method comprises the following steps: S1, building a recovery file with root privileges; S2, entering fastboot or download mode and flashing the recovery file; and S3, entering the flashed recovery mode and performing the screen-unlock operation directly. The beneficial effects of the invention are as follows: the method mainly solves the problem that data forensics or data recovery cannot be performed on an Android smartphone because a phone with a screen lock cannot be connected to a computer, cannot have USB debugging enabled, and cannot be rooted. By flashing a recovery package modified from the official recovery, USB debugging is enabled and root privileges are available in that recovery mode, so the screen lock can be removed, a physical image can be taken, and data can be extracted and recovered.
Description
Technical field
The invention belongs to the field of data forensics and relates in particular to a data forensics method for devices based on the Android system.
Background
In recent years, smartphones have developed very rapidly thanks to features such as wireless Internet access, PDA functionality, an open operating system, user-friendliness, powerful capabilities, and fast operation. According to the "2013-2017 China Smartphone Industry Market Demand Forecast and Investment Strategy Planning Analysis Report", in the first three quarters of 2012 the total number of smartphone users worldwide passed the 1 billion mark, whereas in the first three quarters of 2011 there were only about 700 million users. The potential of the smartphone market is therefore enormous. Within it, Android, the smart operating system released by Google, stands out: according to CNET, a report by the research firm Strategy Analytics for the third quarter of 2014 shows Android leading the mobile operating system market with a share of 83.6%. This shows the importance of smartphone forensics, and of Android phone forensics in particular, to the forensics field.
Traditional mobile phone forensics software connects to the computer through the adb debugging tool. For Android 4.0 and later, Developer options must be opened in the phone's settings and USB debugging ticked, and when the phone is connected to a computer for the first time it pops up the option "Always allow debugging from this computer", which must be accepted. Once the phone is connected, operations such as data extraction and imaging additionally require root privileges (the highest privilege level of the phone's system).
The mainstream Android screen-unlock methods currently on the market all presuppose that USB debugging is enabled and that the phone has first been rooted to obtain the highest privileges. After the phone is connected to the computer, adb shell rm -r /data/system/gesture.key (or password.key) deletes the corresponding pattern lock or password lock. The restrictions are considerable, especially for forensics on a suspect's phone: when the phone is connected to the forensic equipment for the first time, the option "Always allow debugging from this computer" cannot be selected, which is a major obstacle to forensics that the traditional unlock methods cannot overcome.
Overview of the Android recovery mode: recovery mode is a restore mode of Android phones that mainly provides functions such as wiping user data and restoring factory settings. The traditional official recovery has limited functionality and does not allow debugging over adb, whereas a recovery modified and compiled from the official source code can enable USB debugging, obtain root privileges, and so on.
Overview of the Android fastboot/download mode: this is a flashing mode at a lower level than recovery mode, in which a recovery file can be flashed. On Samsung phones it is the download mode (colloquially "coal-mining mode").
Summary of the invention
To address the deficiencies of the prior art, the present invention provides a data forensics method for devices based on the Android system that effectively solves the prior-art problem that data cannot be obtained while the screen is locked.
To solve the above problem, the technical solution adopted by the invention is as follows: a data forensics method for devices based on the Android system, comprising the following steps:
S1: build a recovery file with root privileges;
S2: enter fastboot or download mode and flash the recovery file;
S3: enter the flashed recovery mode and perform the screen-unlock operation directly.
Preferably, S1 is carried out as follows:
S11: obtain the official recovery file for the device model to be adapted;
S12: unpack the recovery file to obtain the kernel file and the ramdisk file;
S13: modify the parameters of the core files in the ramdisk to turn off protection and enable USB debugging;
S14: compile the source code to produce the new recovery file with root privileges.
Preferably, S13 is carried out as follows:
In the default configuration file default.prop, the parameter ro.secure is changed to 0, which turns off protection, and the parameter ro.debuggable is changed to 1, which enables USB debugging in recovery mode.
Preferably, S2 is carried out as follows: the phone enters fastboot/download mode, and the newly generated recovery file with root privileges is flashed using the fastboot.exe tool.
The beneficial effects of the invention are as follows: the invention mainly solves the problem that data forensics or data recovery cannot be performed on an Android smartphone that has a screen lock and therefore cannot be connected to a computer, cannot have USB debugging enabled, and cannot be rooted. By flashing a recovery package modified from the official recovery, USB debugging is enabled and root privileges are available in that recovery mode, so the screen lock can be removed and a physical image taken to extract and recover data. Besides Android phones, the invention also applies to devices such as Android tablets, whose use is growing.
Description of the drawings
Fig. 1 is the main flow chart of the present invention.
Embodiment
To make the object, technical solution, and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawing and an embodiment.
Embodiment: a data forensics method for devices based on the Android system. This embodiment takes an Android phone as an example, as shown in Fig. 1:
S1: build a recovery file with root privileges;
S2: enter fastboot or download mode and flash the recovery file;
S3: enter the flashed recovery mode and perform the screen-unlock operation directly.
Further, S1 is carried out as follows:
S11: obtain the official recovery file for the device model to be adapted;
S12: use the unpacking script unpack.sh to unpack the recovery file and obtain the kernel file and the ramdisk file;
S13: modify the parameters of the core files in the ramdisk to turn off protection and enable USB debugging; modify the partition table file etc/recovery.fstab to add a mount directory for the built-in SD card; modify the initialization file init.rc to initialize and enable USB debugging and to mount partitions such as data and system;
S14: compile the source code to produce the new recovery file with root privileges.
The recovery build environment is configured as follows: install a 64-bit Ubuntu operating system, install the Java build environment JDK 1.6.0, and download the recovery source code.
Further, S13 is carried out as follows:
In the default configuration file default.prop, the parameter ro.secure is changed to 0, which turns off protection, and the parameter ro.debuggable is changed to 1, which enables USB debugging in recovery mode.
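The two default.prop changes named in S13 are also what a reviewer looks for when checking whether a recovery ramdisk has been altered from a production build. The following is an added example, not part of the patent: a small audit of default.prop text for those two properties. The function names and the sample file contents are constructed for illustration, and treating an absent property as a finding is a choice made for this example.

```python
import re

# Values that step S13 writes into the recovery ramdisk's default.prop.
# Production (user) builds normally carry ro.secure=1 and ro.debuggable=0.
INSECURE_VALUES = {"ro.secure": "0", "ro.debuggable": "1"}

# key=value, tolerating whitespace around the key, the '=' and the value
ASSIGNMENT = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")

# Constructed sample: default.prop after the S13 edit.
MODIFIED_SAMPLE = """\
# constructed sample: values after the S13 edit
ro.secure=0
ro.debuggable = 1
persist.sys.usb.config=mtp,adb
"""

# Constructed sample: default.prop with production values.
STOCK_SAMPLE = """\
# constructed sample: production values
ro.secure=1
ro.debuggable=0
persist.sys.usb.config=mtp
"""


def parse_default_prop(text):
    """Return (line_no, key, value) for every assignment in default.prop text."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):
            continue  # comment line
        match = ASSIGNMENT.match(raw)
        if match:
            entries.append((line_no, match.group(1), match.group(2)))
    return entries


def audit_default_prop(text):
    """List S13-style findings: insecure values, and audited keys that are absent."""
    findings = []
    seen = set()
    for line_no, key, value in parse_default_prop(text):
        if key not in INSECURE_VALUES:
            continue
        seen.add(key)
        # Every assignment is checked, so a duplicate insecure line is not missed.
        if value == INSECURE_VALUES[key]:
            findings.append({"line": line_no, "key": key,
                             "value": value, "issue": "insecure"})
    for key in sorted(set(INSECURE_VALUES) - seen):
        # An absent property leaves the effective value unknown: flag for review.
        findings.append({"line": None, "key": key,
                         "value": None, "issue": "missing"})
    return findings


if __name__ == "__main__":
    for name, sample in (("stock", STOCK_SAMPLE), ("modified", MODIFIED_SAMPLE)):
        print(name, audit_default_prop(sample))
```
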
Further, S2 is carried out as follows: the phone enters fastboot/download mode, and the newly generated recovery file with root privileges is flashed using the fastboot.exe tool.
Further, once the flashed recovery mode is entered in S3, the following operations can be carried out:
A. Connect the USB cable. The phone does not need to pop up "Always allow debugging from this computer"; USB debugging is enabled by default.
B. The phone does not have root privileges in normal mode but does have them in this mode, so other file-system-level data extraction and recovery can be performed.
C. When debugging cannot be enabled or root privileges are unavailable, the screen lock cannot be removed. In this mode root privileges are available and USB debugging can be enabled, so the pattern lock and the password lock are removed by deleting the gesture.key and password.key files, respectively, under the /data/system/ directory.
D. In this recovery mode, an imaging tool can be used to take a physical image; forensic recovery software is then used to load the image and to extract and recover all application data, photos, video, audio, and other data files on the phone.
Those of ordinary skill in the art will appreciate that the embodiment described here is intended to help the reader understand how the invention is implemented, and that the scope of protection of the invention is not limited to this particular statement and embodiment. Based on the technical teaching disclosed by the invention, those of ordinary skill in the art can make various other specific variations and combinations that do not depart from the essence of the invention, and these variations and combinations remain within the scope of protection of the invention.
Claims (4)
1. A data forensics method for devices based on the Android system, characterized in that it comprises the following steps:
S1: build a recovery file with root privileges;
S2: enter fastboot or download mode and flash the recovery file;
S3: enter the flashed recovery mode and perform the screen-lock clearing operation directly.
2. The data forensics method for devices based on the Android system according to claim 1, characterized in that S1 is carried out as follows:
S11: obtain the official recovery file for the device model to be adapted;
S12: unpack the recovery file to obtain the kernel file and the ramdisk file;
S13: modify the parameters of the core files in the ramdisk to turn off protection and enable USB debugging;
S14: compile the source code to produce the new recovery file with root privileges.
3. The data forensics method for devices based on the Android system according to claim 2, characterized in that S13 is carried out as follows:
In the default configuration file default.prop, the parameter ro.secure is changed to 0, which turns off protection, and the parameter ro.debuggable is changed to 1, which enables USB debugging in recovery mode.
4. The data forensics method for devices based on the Android system according to claim 2 or 3, characterized in that S2 is carried out as follows: the phone enters fastboot/download mode, and the newly generated recovery file with root privileges is flashed using the fastboot.exe tool.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510381759.3A CN105005514A (en) | 2015-07-02 | 2015-07-02 | Data forensic method of device based on Android system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510381759.3A CN105005514A (en) | 2015-07-02 | 2015-07-02 | Data forensic method of device based on Android system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105005514A | 2015-10-28 |
Family
ID=54378193
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510381759.3A (Pending) | Data forensic method of device based on Android system | 2015-07-02 | 2015-07-02 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105005514A (en) |
Application events
- 2015-07-02: CN application CN201510381759.3A filed (patent/CN105005514A/en), active, Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | Address after: 641000 Sichuan province Neijiang City Songshan Road No. 183. Applicant after: SICHUAN XLY INFORMATION SAFETY TECHNOLOGY CO., LTD. Address before: 641000 Sichuan province Neijiang City Songshan Road No. 183. Applicant before: Sichuan SalvationData Information Safety Technology Co., Ltd. |
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20151028 |