CN102254032A - Method for recombining mobile phone memory chip image files into standard file system - Google Patents
Method for recombining mobile phone memory chip image files into standard file system Download PDFInfo
- Publication number
- CN102254032A CN102254032A CN201110223031XA CN201110223031A CN102254032A CN 102254032 A CN102254032 A CN 102254032A CN 201110223031X A CN201110223031X A CN 201110223031XA CN 201110223031 A CN201110223031 A CN 201110223031A CN 102254032 A CN102254032 A CN 102254032A
- Authority
- CN
- China
- Prior art keywords
- file system
- mobile phone
- storage
- memory chip
- chip
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses a method for recombining mobile phone memory chip image files into a standard file system. Different mobile phone memory image mapping tables are generated according to features of different chips; the mapping tables reflect bias information of blocks and sectors of the file system in a storage area of the mobile phone chip; and a standard file system structure is restored again according to mapping information provided in the mapping table. The method specifically comprises the following steps of: 1) confirming a storage format, a storage type and features of the mobile phone memory chip; 2) separating a code area and a storage area according to the storage format and the features of the memory chip; 3) dividing the storage area into a management area and a data area again according to the storage type and the features of the memory chip; 4) generating a mapping table from the data area to the actual file system structure according to the features of the management area; and 5) restoring a standard file system format by recombining the data area according to the mapping table.
Description
Technical field
The present invention relates to the judicial evidence collection field, particularly mobile phone judicial evidence collection field is specifically related to a kind of method that reassembles into standard file system at mobile phone EMS memory chip image file.
Background technology
Along with the improving constantly and expand of service level that mobile communication technology provides and type service, mobile phone becomes people's indispensable contact instrument in the life of working day by day.Yet meanwhile, utilize mobile phone swindle, calumniate and criminal activity such as forgery also of common occurrence.The effective means that this class crime is hit in the mobile phone evidence obtaining just.Mobile phone evidence obtaining is exactly to collect, save from damage and analyze relevant electronic evidence from SIM cards of mobile phones, mobile phone EMS memory, mobile telephone external storage card and Mobile Network Operator database, and final therefrom obtain acquire full legal force, can be by the process of the evidence that court accepted.The criminal offence that involves mobile phone at present roughly has three kinds; The one, in the implementation process of criminal offence, use mobile phone to serve as the liaison instrument; The 2nd, mobile phone is used as a kind of storage media of evidence of crime; Last a kind of mode is the implementation tool that mobile phone is taken as novel mobile phone criminal activities such as note swindle, note harassing and wrecking and bogusware propagation.These fully show that all the correlative study of carrying out the mobile phone forensic technologies is for keeping social stability, ensureing that people's rights and interests and the behavior of fighting crime have sufficient necessity and urgent greatly.
Memory chip generally adopts the storage chip of NAND and NOR form in the mobile phone, and different according to chip manufacturer and model specification are stored as privately owned data layout.At present generally adopt the mode of signature search to analyze to the personal data in the mobile phone EMS memory, this mode is not owing to reassemble into the file system of standard, is not easy to check yet and uses third party's disk analysis instrument to analyze once more.Normal record or the record of having deleted can not be distinguished by the data that searching analysis goes out, the file content in the file system can not be distinguished.
In sum, at the defective of prior art, need especially a kind ofly to reassemble into the method for standard file system, to solve the deficiencies in the prior art at mobile phone EMS memory chip image file.
Summary of the invention
The purpose of this invention is to provide the method that a kind of mobile phone EMS memory chip image file reassembles into standard file system, produce different mobile phone EMS memory Mirroring Mapping tables according to different chip feature, mapping table has reflected piece and the sector offset information in the chip for cell phone memory block in the file system, again be reduced into the file system structure of a standard by the map information that provides in the mapping table, thereby realize purpose of the present invention.
Technical matters solved by the invention can realize by the following technical solutions:
A kind of mobile phone EMS memory chip image file reassembles into the method for standard file system, it is characterized in that, described method comprises the steps:
1) storage format, storage class and the feature of affirmation mobile phone EMS memory storage chip;
2) isolate code area and memory block according to the storage format and the feature of storage chip;
3) according to the storage class and the feature of storage chip, the memory block is separated into directorial area and data field again;
4), produce the mapping table of a data field to the actual file system structure according to the feature of directorial area;
5) by mapping table the data field is reconfigured, be reduced into the file system format of a standard.
In one embodiment of the invention, the storage format in the described storage chip is made up of in NAND form or the NOR form one or more.
In one embodiment of the invention, described method is analyzed the structure of image file earlier, reassembles into standard file system again.
Beneficial effect of the present invention is: can be by reconfiguring, mobile phone memory chip mirror image is reduced into the file system of standard, and be easier to carry out further data mining.Can better extract the canned data in the mobile phone EMS memory, and better distinguish the record that existing record has still been deleted.
Embodiment
For technological means, creation characteristic that the present invention is realized, reach purpose and effect is easy to understand, below in conjunction with concrete diagram, further set forth the present invention.
A kind of mobile phone EMS memory chip image file reassembles into the method for standard file system, produce different mobile phone EMS memory Mirroring Mapping tables according to different chip feature, mapping table has reflected piece and the sector offset information in the chip for cell phone memory block in the file system, again be reduced into the file system structure of a standard by the map information that provides in the mapping table, specifically comprise the steps:
1) storage format, storage class and the feature of affirmation mobile phone EMS memory storage chip;
2) isolate code area and memory block according to the storage format and the feature of storage chip;
3) according to the storage class and the feature of storage chip, the memory block is separated into directorial area and data field again;
4), produce the mapping table of a data field to the actual file system structure according to the feature of directorial area;
5) by mapping table the data field is reconfigured, be reduced into the file system format of a standard.
Be example with the i908 of association below, specify:
1. analyze the NAND chip
" typical case " NAND mirror image, doing analyzing prism picture size with the i908 of association mirror image herein is 66M.
The composition of NAND and NOR chip all is divided into directorial area and data field.The data field is actual data, and unit is 512 bytes/sector usually.Mobile phone adopts the FAT32 file system of standard basically.
Therefore, directorial area just management how with the data map in the sector to file system.
Each directorial area of general NAND chip is 16 bytes, manages a sector, the i.e. real data of 512 bytes.Comparatively common and general arrangement mode is the directorial area of sector heel 16 bytes of each 512 byte.Whether effective, check bit, and the actual position that is mapped in the FAT file system if describing this sector in the directorial area.Before not recombinating, the order of sector and document layout system all are chaotic.
Before carrying out concrete analysis, at first to find the position of data field and directorial area in the mirror image.Generally speaking the data field of NAND chip and directorial area are put together, and major part is all at the latter half of mirror image, and first half then is some code areas.A more common method of searching the data field is arranged, be exactly at first to find first " .BIN " mark in the mirror image first half, first 01 mark so after searching the .BIN mark subsequently, 4 bytes of the position of skew 0x0A behind the mark of ' 01 ', be exactly the deviation post of data field at whole mirror image, and then 4 sizes that byte is exactly the data field, these 4 bytes adopt the storage of small end syllable sequences.
Here be noted that: side-play amount and size are only represented the position in clear data district, because the existence of directorial area is arranged, therefore, per 512 bytes have 16 byte directorial areas, the position of 0x02000000 through calculating, real offset should be 0x02100000, and size has also comprised staggered directorial area, should be 0x02100000.(be half of whole mirror image size, 32M+1M) see the directorial area of last 16 bytes earlier.Wherein, side-play amount is that 4 0x88 represents that this sector is effective sector, and last 4 byte 0x00000000 represent that the position of this sector in the FAT file system is first position.Can verify that roughly it is the data head of a FAT from top 512 bytes end 0x55AA, the practical function of all the other bytes is to be verified.
Then and the like, 512+16,512+16... can reassemble into a FAT file system like this.
2. reassemble into standard file system
Because what MTK adopted is NAND or NOR chip (perhaps NOR of a NAND), they are when reassembling into the FAT file system, and minimal data unit is the data sector of 512 bytes.Therefore, there are specific data sector in the original mirror image and the man-to-man relation of certain data sector in the FAT system, and can make a mapping table.
Owing to be man-to-man relation, for conserve space, taked the mode of sequential storage, promptly omitted the index of purpose FAT mirror image sector number, change acquiescence into since 0, increase progressively, the mode of similar array is arranged.
64 bytes of beginning are structures that defines, and are defined as follows:
The start of text (STX) address is 0x00000040, from here on, and the position of sector in original mirror image of the manipulative indexing of per 8 new FAT file system of byte representation.
Such as address in original mirror image, the 0th sector of 8 byte representations of 0x00000040-0x00000047 is 0x00000000E3FE00, (Little Endian)
Address in original mirror image, the 1st sector of 8 byte representations of 0x0x00000048-0x0000004F is 0x00000000E3FC00.By that analogy.
In follow-up processing, can handle like this, by the file system of the sector position standard of recombinating out this mapping table.
More than show and described ultimate principle of the present invention and principal character and advantage of the present invention.The technician of the industry should understand; the present invention is not restricted to the described embodiments; that describes in the foregoing description and the instructions just illustrates principle of the present invention; without departing from the spirit and scope of the present invention; the present invention also has various changes and modifications; all in the claimed scope of the invention, the claimed scope of the present invention is defined by appending claims and equivalent thereof these changes and improvements.
Claims (3)
1. a mobile phone EMS memory chip image file reassembles into the method for standard file system, it is characterized in that described method comprises the steps:
1) storage format, storage class and the feature of affirmation mobile phone EMS memory storage chip;
2) isolate code area and memory block according to the storage format and the feature of storage chip;
3) according to the storage class and the feature of storage chip, the memory block is separated into directorial area and data field again;
4), produce the mapping table of a data field to the actual file system structure according to the feature of directorial area;
5) by mapping table the data field is reconfigured, be reduced into the file system format of a standard.
2. a kind of mobile phone EMS memory chip image file as claimed in claim 1 reassembles into the method for standard file system, it is characterized in that, the storage format in the described storage chip is made up of in NAND form or the NOR form one or more.
3. a kind of mobile phone EMS memory chip image file as claimed in claim 1 reassembles into the method for standard file system, it is characterized in that, described method is analyzed the structure of image file earlier, reassembles into standard file system again.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110223031XA CN102254032A (en) | 2011-08-04 | 2011-08-04 | Method for recombining mobile phone memory chip image files into standard file system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110223031XA CN102254032A (en) | 2011-08-04 | 2011-08-04 | Method for recombining mobile phone memory chip image files into standard file system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102254032A true CN102254032A (en) | 2011-11-23 |
Family
ID=44981296
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110223031XA Pending CN102254032A (en) | 2011-08-04 | 2011-08-04 | Method for recombining mobile phone memory chip image files into standard file system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102254032A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105183383A (en) * | 2015-09-10 | 2015-12-23 | 厦门市美亚柏科信息股份有限公司 | Recombination method for irrelevant mirror images of file system |
| CN106339280A (en) * | 2016-08-31 | 2017-01-18 | 四川效率源信息安全技术股份有限公司 | Method for recombining data of spreadtrum system |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101183337A (en) * | 2007-12-12 | 2008-05-21 | 中兴通讯股份有限公司 | Space management techniques based on NAND FLASH mobile terminal storage medium |
| CN201898554U (en) * | 2010-11-15 | 2011-07-13 | 上海华勤通讯技术有限公司 | Self-copying and data-recovering mobile phone |
-
2011
- 2011-08-04 CN CN201110223031XA patent/CN102254032A/en active Pending
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101183337A (en) * | 2007-12-12 | 2008-05-21 | 中兴通讯股份有限公司 | Space management techniques based on NAND FLASH mobile terminal storage medium |
| CN201898554U (en) * | 2010-11-15 | 2011-07-13 | 上海华勤通讯技术有限公司 | Self-copying and data-recovering mobile phone |
Non-Patent Citations (1)
| Title |
|---|
| 张志伟: "MTK手机Flash芯片文件系统恢复研究", 《信息网络安全》 * |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105183383A (en) * | 2015-09-10 | 2015-12-23 | 厦门市美亚柏科信息股份有限公司 | Recombination method for irrelevant mirror images of file system |
| CN105183383B (en) * | 2015-09-10 | 2018-05-15 | 厦门市美亚柏科信息股份有限公司 | A kind of unrelated mirror image recombination method of file system |
| CN106339280A (en) * | 2016-08-31 | 2017-01-18 | 四川效率源信息安全技术股份有限公司 | Method for recombining data of spreadtrum system |
| CN106339280B (en) * | 2016-08-31 | 2019-05-24 | 四川效率源信息安全技术股份有限公司 | A method of recombination spreadtrum system data |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101853287B (en) | Data compression quick retrieval file system and method thereof | |
| CN108022583A (en) | Meeting summary generation method, application server and computer-readable recording medium | |
| CN104951515B (en) | A method of it extracts and analyzes Android phone whereabouts trace information | |
| CN103064764A (en) | Evidence obtaining method capable of rapidly recovering messages deleted by Android mobile phone | |
| CN103200293A (en) | Method of automatically combining tautonomy contacts in process of guiding contacts into contact list | |
| CN102609462A (en) | Method for compressed storage of massive SQL (structured query language) by means of extracting SQL models | |
| CN105678174A (en) | Method for decrypting WeChat encrypted data based on binary system | |
| CN113495903A (en) | Electric power time sequence database caching method, system, equipment and readable storage medium | |
| CN112182004A (en) | Method and device for viewing data in real time, computer equipment and storage medium | |
| CN103679477A (en) | Enterprise credit assessment system and method | |
| CN111008183A (en) | Storage method and system for business wind control log data | |
| CN102254032A (en) | Method for recombining mobile phone memory chip image files into standard file system | |
| CN103455479A (en) | Method and terminal for creating contacts | |
| CN106802958A (en) | Conversion method and system of the CAD data to GIS data | |
| CN114006743A (en) | Method for extracting and querying land use state in real time based on big data | |
| CN104636677A (en) | Data safety storage method based on privacy protection | |
| CN110659162B (en) | Data recovery method, device and system of TPSFS file system and storage medium | |
| CN102737082A (en) | Method and system for dynamically updating file data indexes | |
| CN104866535A (en) | Compression method and device of number segment records | |
| CN202110582U (en) | Court attendance and law enforcement performance management system | |
| CN104637496A (en) | Computer system and audio comparison method | |
| CN107545332A (en) | Prospect's information combined analysis method and server | |
| CN106850924A (en) | Address book data processing method and processing terminal | |
| CN102665201A (en) | Mobile terminal and user information encryption method for same | |
| CN102567209B (en) | Flash memory chip data analyzing method and flash memory chip data analyzing device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C12 | Rejection of a patent application after its publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20111123 |