In digital forensic, the technology of Android forensic becomes hot spot of research currently. And there are some research interests such as data extraction, data recovery for Android forensic. Among these research interests, data recovery is one of the most important step. YAFFS2 is a new lfash ifle system. It is designed for mobile devices which use NAND lfash and is widely used in Android devices. Thus, this paper proposes a method that recover different versions of YAFFS2 ifle based on Hash. Through extracting and storing the same object header information into Hash linked list, it can recover different versions of ifle. The experiment is executed under Linux system with YAFFS2 ifle system environment. And the experiment results show that the method can recover different types of ifle especially SQLite3 ifle and recover different versions of different types of ifle effectively. And this method lays the foundation for the follow-up research of Android forensic.%Android取证过程中,包含了数据提取、数据恢复等方向,其中数据恢复是Android取证研究中非常重要的一个环节,只有更好、更多地恢复终端中的数据,特别是一些被修改或者删除的数据,才能更好地开展对后续数据的分析和研究。YAFFS2文件系统是一种新型的快速闪存文件系统,该文件系统被设计用在使用NAND闪存技术的移动终端中,也是目前广泛应用于Android移动终端中的新型文件系统。文章选择YAFFS2文件系统作为研究对象,提出了一种基于Hash的YAFFS2文件各版本恢复算法。首先通过反向扫描获得该文件系统中的数据信息;然后将具有相同对象头信息的数据提取,并将其中的信息存入Hash链表中;最后重构文件以实现对多个版本的文件恢复。文章通过在Linux系统下搭建YAFFS2文件系统环境,并进行实验,证明了该算法可有效地对各类型数据文件进行恢复,特别是可恢复SQLite3数据库文件,并且可恢复各类型文件的多个版本,实现并达到了设计算法的预期目标,也为后续对Android取证中其他方面的研究打下了一定的基础。
展开▼
