CN103064764A - Evidence obtaining method capable of rapidly recovering messages deleted by Android mobile phone - Google Patents

Info

Publication number
CN103064764A
Authority
CN
Grant status
Application
Patent type
Prior art keywords
data
information
record
android
deleted
Prior art date
Application number
CN 201210585940
Other languages
Chinese (zh)
Inventor
李建新
李毅
Original Assignee
盘石软件(上海)有限公司
Priority date
Filing date
Publication date

Abstract

The invention discloses a forensic method for rapidly recovering information deleted from an Android mobile phone. The method first extracts the directly viewable information from the user data files on the phone, obtains the storage characteristics of the database table structure from that information, and then separates the unused space in the database. It attempts to match the features of normal records in the unused space, verifies the matched data to obtain deleted records, splits the subsequent data according to the record's field-length definitions, restores the content of the main fields, compares the restored data with the normal records, and adds it to the record list after a logical judgment. Matching continues until all unused space has been processed. The method has the advantages of fast recovery, convenient use and strong reliability.

Description

A forensic method for rapidly recovering deleted information from Android phones

Technical Field

[0001] The present invention relates to the field of mobile-device information processing and recovery of deleted information, and in particular to a forensic method for rapidly recovering deleted information from Android phones.

Background

[0002] Mobile phone forensics methods are constantly being updated and improved. Initially they only performed simple extraction and preservation of the basic information on the phone (such as contacts, call records and short messages). Later, with the emergence of smartphones, phone forensics came to include the extraction, preservation and correlation analysis of application data (such as instant messaging tools, social networking tools, and positioning and navigation tools).

[0003] During an investigation or evidence collection, judicial personnel not only need to extract the information currently present on the phone, but also pay particular attention to information the suspect has already deleted. In the prior art there are mainly the following two methods for recovering deleted data from an Android phone:

[0004] 1) The first method is to create an image file of the phone's storage medium.

[0005] If a simple dd command or other imaging software is used, then because of the structural limitations of the file system used by the phone's storage layer, complete file-system information cannot be obtained, and the resulting image file cannot be reassembled and restored to the original file system. When the file system cannot be reassembled, it becomes harder to locate specific deleted information, harder to identify and verify deleted information, and harder to distinguish deleted information from undeleted information.

[0006] If complex external tools are used, a complete image file can be obtained; but if the image file is incomplete or large, and given the complexity of data storage on phones, the recovered information is often messy or mixed with a great deal of completely irrelevant information, and the recovery result is mediocre or poor.

[0007] 2) The second method is to locate the information storage files and then process them in a generic way.

[0008] Personal information on a smartphone is generally stored in database files. A database viewer can show the stored table structure and field information, but this information is optimized for storage, so when it is viewed directly the forensic examiner has to guess and verify the relationships between fields. Field information recovered on the basis of the database storage structure likewise has to be correlated by the examiner, which demands considerable database expertise; and when there are many database tables or the table structure is complex, accuracy and reliability are very poor.

[0009] In summary, in view of the defects of the prior art, a forensic method for rapidly recovering deleted information from Android phones is particularly needed to address the shortcomings mentioned above.

Summary of the Invention

[0010] The object of the present invention is to provide a forensic method for rapidly recovering deleted information from Android phones

[0011] that overcomes the deficiencies of the conventional art, thereby achieving the object of the present invention.

[0012] The technical problem addressed by the present invention can be solved by the following technical solution:

[0013] A forensic method for rapidly recovering deleted information from Android phones, the method comprising the following steps:

[0014] 1) first, use the pull command of the Android Debug Bridge debugging tool provided in the Android SDK to extract the user data files from the phone, and analyse them further to obtain the directly viewable information in the user data files;

[0015] 2) read the data content of the directly viewable information through the API, then determine the specific meaning of each field in the data content by comparison and verification; after recombination, the visible data on the phone is obtained, together with the storage characteristics of the database table structure;

[0016] 3) separate the unused space in the database using the storage characteristics of the database table structure;

[0017] 4) extract the features of normal records by analysing the storage structure of normal records on the Android phone, then attempt to match these features in the unused space using regular expressions, and verify the matched data; if its structure conforms to that of a normal record, it is considered to be a deleted record; then, using the record's field-length definitions, split the data that follows in order to restore the content of each of its main fields;

[0018] 5) compare the restored data with the normal records parsed through the API; if the key information is identical, it is considered redundant data that already exists logically or for which an identical record has already been recovered, and it is not added to the record list; if the key information is not identical, it is added to the record list;

[0019] 6) continue matching in the unused space until all unused space has been processed.

[0020] In one embodiment of the present invention, step 1) further comprises a method of obtaining root privileges: elevate to root externally directly via adb root; if adb root reports that it cannot elevate to root, use a temporary-root script to elevate to the privileges of the root user.

[0021] In one embodiment of the present invention, in step 5), when the restored data is added to the record list it is also marked as deleted, indicating that it is a recovered record.

[0022] In one embodiment of the present invention, the user data file is in SQLite3 database format, and its data content can be read normally through the API.

[0023] In one embodiment of the present invention, the Android Debug Bridge debugging tool connects to the phone through the application debugging interface.

[0024] The beneficial effects of the present invention are as follows:

[0025] 1) Fast recovery: because the table structure and storage structure of the user database are studied and their features extracted beforehand, recovery of deleted information is very fast.

[0026] 2) Easy to use: recovery of deleted data runs automatically after the normal records have been parsed, without any manual operation or analysis by the user.

[0027] 3) High reliability: the scan targets specific features and is highly focused, so recently deleted data can generally be recovered.

Brief Description of the Drawings

[0028] Fig. 1 is a flow diagram of the forensic method for rapidly recovering deleted information from Android phones according to the present invention.

Detailed Description

[0029] To make the technical means, creative features, purpose and effects of the present invention easy to understand, the invention is further described below with reference to specific embodiments.

[0030] As shown in Fig. 1, the forensic method for rapidly recovering deleted information from Android phones according to the present invention works in the following steps:

[0031] 1) First determine whether USB debugging (the application debugging interface) is enabled on the target phone. Since most third-party phone management software needs this feature, most phones already have it enabled. If it is not enabled, turn it on under Settings -> Applications.

[0032] 2) Extract files directly. Use the pull command of the Android Debug Bridge (adb) debugging tool provided in the Android SDK to try to extract the user data files from the phone (such as the contacts file /data/data/com.android.providers.contacts/databases/contacts.db). Because user data files are private, if an error such as access denied or insufficient permissions is reported, root privileges are needed for access. Try to elevate to root externally with adb root, then try again to extract the user data file using the method above.

[0033] 3) Temporarily elevate to root privileges. If adb root reports that it cannot elevate to root, a temporary-root script (which works by way of a system vulnerability) can be used to elevate to the privileges of the root user; once external root privileges have been obtained, files can usually be extracted normally.

[0034] 4) Extract user data. After the required user data file has been extracted, first extract the user's existing data (the data that can be viewed on the phone). The file is generally in SQLite3 database format, and its data content can be read normally through the API that SQLite3 provides. As no original design documents are available, the specific meaning of each field has to be determined by comparison and verification; after recombination, the visible data on the phone can be restored, and the storage characteristics of the database table structure are obtained at the same time.

[0035] 5) Separate unused space. Because SQLite is a file-based database, its delete operation merely marks the region as no longer in use, so most deleted data remains in the file; it is no longer visible through database queries, but can still be accessed in binary form. All unused space can be separated out by studying the storage characteristics of the database table structure.

[0036] 6) Recover deleted data. Extract the features of a record by analysing the storage structure of normal records, then attempt to match these features in the unused space using regular expressions and verify the matched data. If its structure conforms to that of a normal record, it is considered to be a deleted record; then, using the record's field-length definitions, split the data that follows in order to restore the content of each of its main fields.

[0037] 7) Filter duplicate data. Compare the recovered data with the normal records parsed through the API. If the key information (such as time, content and number) is identical, it is considered redundant data (it already exists logically, or an identical record has already been recovered). If it is not redundant data, add it to the record list and mark it as deleted, indicating that it is a recovered record.

[0038] 8) Continue matching the content of the unused space until all unused space has been processed.
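Steps 5) to 8) above, as an added example that is not code from the patent or its applicant: it separates the unused space inside SQLite table leaf pages, matches a record feature with a regular expression, verifies and splits each match by field length, and filters duplicates against the live rows. The `sms` schema, the phone numbers and the messages are constructed sample data; freelist pages, overflow pages and multi-byte varints are left out.

```python
import os, re, sqlite3, struct, tempfile

INT_SIZE = {1: 1, 2: 2, 3: 3, 4: 4, 5: 6, 6: 8}    # serial type -> integer width
MIN_DATE, MAX_DATE = 946684800000, 4102444800000   # 2000..2100 in ms (plausibility)
PHONE = re.compile(r"\+?\d{3,15}")
# Record feature: serial types of (address TEXT, date INTEGER, body TEXT).
# Assumes text fields of at most 57 bytes, so each serial type is one byte.
SIGNATURE = re.compile(rb"(?=([\x0d-\x7f])([\x01-\x06])([\x0d-\x7f]))")

def build_sample_db(path):
    """Constructed sample data: four messages, one of which is then deleted."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")  # when ON, SQLite zeroes freed bytes
    con.execute("CREATE TABLE sms(_id INTEGER PRIMARY KEY, address TEXT,"
                " date INTEGER, body TEXT)")
    con.executemany("INSERT INTO sms(address, date, body) VALUES (?, ?, ?)", [
        ("+15555550101", 1356652800000, "meet at the station at nine"),
        ("+15555550102", 1356652860000, "bring the blue folder"),
        ("+15555550101", 1356652920000, "ok, see you there"),
        ("+15555550103", 1356652980000, "call me back")])
    con.commit()
    con.execute("DELETE FROM sms WHERE _id = 2")
    con.commit()
    con.close()

def unused_regions(path):
    """Separate unused space: free areas inside every table b-tree leaf page."""
    with open(path, "rb") as f:
        raw = f.read()
    page_size = struct.unpack(">H", raw[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    for base in range(0, len(raw), page_size):
        page = raw[base:base + page_size]
        hdr = 100 if base == 0 else 0           # page 1 follows the 100-byte file header
        if page[hdr] != 0x0D:                   # 0x0D marks a table leaf page
            continue
        free, ncells, content = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
        yield page[hdr + 8 + 2 * ncells:content or 65536]   # gap before cell content
        visited = set()
        while free and free not in visited and free + 4 <= len(page):
            visited.add(free)
            nxt, size = struct.unpack(">HH", page[free:free + 4])
            yield page[free + 4:free + size]    # freeblock minus its 4-byte header
            free = nxt

def carve(region):
    """Recover deleted data: match the feature, verify, split by field length."""
    found = []
    for m in SIGNATURE.finditer(region):
        t_addr, t_date, t_body = (g[0] for g in m.groups())
        if not (t_addr % 2 and t_body % 2):     # odd serial types >= 13 are TEXT
            continue
        la, ld, lb = (t_addr - 13) // 2, INT_SIZE[t_date], (t_body - 13) // 2
        p = m.start() + 3                       # field data follows the serial types
        if p + la + ld + lb > len(region):
            continue
        try:
            addr = region[p:p + la].decode("utf-8")
            body = region[p + la + ld:p + la + ld + lb].decode("utf-8")
        except UnicodeDecodeError:
            continue
        date = int.from_bytes(region[p + la:p + la + ld], "big", signed=True)
        if PHONE.fullmatch(addr) and body.isprintable() and MIN_DATE <= date <= MAX_DATE:
            found.append({"address": addr, "date": date, "body": body,
                          "deleted": True})
    return found

def recover(path):
    """Filter duplicates: drop carved records whose key fields are already known."""
    con = sqlite3.connect(path)
    live = con.execute("SELECT address, date, body FROM sms").fetchall()
    con.close()
    seen, records = set(live), []
    for region in unused_regions(path):         # loop until all unused space is done
        for rec in carve(region):
            key = (rec["address"], rec["date"], rec["body"])
            if key not in seen:
                seen.add(key)
                records.append(rec)
    return records

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.db")
        build_sample_db(path)
        return recover(path)

if __name__ == "__main__":
    print(demo())
```

The recovered record carries no rowid: when SQLite turns the freed cell into a freeblock, the 4-byte freeblock header overwrites the start of the cell, which is why the signature anchors on the remaining serial types.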

[0039] The above shows and describes the basic principles, main features and advantages of the present invention. Those skilled in the art should understand that the present invention is not limited by the above embodiments; the embodiments and the description merely illustrate the principles of the invention. Various changes and improvements may be made without departing from the spirit and scope of the invention, and all such changes and improvements fall within the scope of the claimed invention. The scope of protection claimed is defined by the appended claims and their equivalents.

Claims (5)

  1. A forensic method for rapidly recovering deleted information from Android phones, characterized in that the method comprises the following steps: 1) first, use the pull command of the Android Debug Bridge debugging tool provided in the Android SDK to extract the user data files from the phone, and analyse them further to obtain the directly viewable information in the user data files; 2) read the data content of the directly viewable information through the API, then determine the specific meaning of each field in the data content by comparison and verification; after recombination, the visible data on the phone is obtained, together with the storage characteristics of the database table structure; 3) separate the unused space in the database using the storage characteristics of the database table structure; 4) extract the features of normal records by analysing the storage structure of normal records on the Android phone, then attempt to match these features in the unused space using regular expressions, and verify the matched data; if its structure conforms to that of a normal record, it is considered to be a deleted record; then, using the record's field-length definitions, split the data that follows in order to restore the content of each of its main fields; 5) compare the restored data with the normal records parsed through the API; if the key information is identical, it is considered redundant data that already exists logically or for which an identical record has already been recovered, and it is not added to the record list; if the key information is not identical, it is added to the record list; 6) continue matching in the unused space until all unused space has been processed.
  2. The forensic method for rapidly recovering deleted information from Android phones according to claim 1, characterized in that step 1) further comprises a method of obtaining root privileges: elevate to root externally directly via adb root; if adb root reports that it cannot elevate to root, use a temporary-root script to elevate to the privileges of the root user.
  3. The forensic method for rapidly recovering deleted information from Android phones according to claim 1, characterized in that, in step 5), when the restored data is added to the record list it is also marked as deleted, indicating that it is a recovered record.
  4. The forensic method for rapidly recovering deleted information from Android phones according to claim 1, characterized in that the user data file is in SQLite3 database format, and its data content can be read normally through the API.
  5. The forensic method for rapidly recovering deleted information from Android phones according to claim 1, characterized in that the Android Debug Bridge debugging tool connects to the phone through the application debugging interface.
CN 201210585940 2012-12-28 2012-12-28 Evidence obtaining method capable of rapidly recovering messages deleted by Android mobile phone CN103064764A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201210585940 CN103064764A (en) 2012-12-28 2012-12-28 Evidence obtaining method capable of rapidly recovering messages deleted by Android mobile phone

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201210585940 CN103064764A (en) 2012-12-28 2012-12-28 Evidence obtaining method capable of rapidly recovering messages deleted by Android mobile phone

Publications (1)

Publication Number Publication Date
CN103064764A (en) 2013-04-24

Family

ID=48107397

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201210585940 CN103064764A (en) 2012-12-28 2012-12-28 Evidence obtaining method capable of rapidly recovering messages deleted by Android mobile phone

Country Status (1)

Country Link
CN (1) CN103064764A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060069540A1 (en) * 2004-09-28 2006-03-30 Krutz Ronald L Methodology for assessing the maturity and capability of an organization's computer forensics processes
CN101582076A (en) * 2009-06-24 2009-11-18 浪潮电子信息产业股份有限公司 Data de-duplication method based on data base
CN102298634A (en) * 2011-09-09 2011-12-28 厦门市美亚柏科信息股份有限公司 One kind of restructuring method Sqlite delete records
CN102750204A (en) * 2012-06-07 2012-10-24 深圳市万兴软件有限公司 Data recovery method and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
姚伟 et al.: "Forensics of Android smartphones", 《中国司法鉴定》, 15 January 2012 (2012-01-15), pages 45 - 49 *
王随刚 et al.: "Research on SQLite3-based data recovery techniques for Android phones", 《警察技术》, 7 September 2012 (2012-09-07), pages 4 - 7 *

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103324482A (en) * 2013-06-27 2013-09-25 苏州创智宏云信息科技有限公司 Android one-key root permission software
CN103561176A (en) * 2013-11-07 2014-02-05 腾讯科技(深圳)有限公司 Method and device for acquiring call records of terminal device and terminal device
US9742901B2 (en) 2013-11-07 2017-08-22 Tencent Technology (Shenzhen) Company Limited Method, apparatus and terminal device for obtaining call log
CN103561176B (en) * 2013-11-07 2015-08-19 腾讯科技(深圳)有限公司 A terminal device of the call log acquisition method, device and terminal equipment
CN103747028A (en) * 2013-11-27 2014-04-23 上海斐讯数据通信技术有限公司 Method for granting user temporary root authority
CN103747028B (en) * 2013-11-27 2018-05-25 上海斐讯数据通信技术有限公司 Ways to grant temporary root user privileges
CN103793298A (en) * 2014-03-03 2014-05-14 公安部第三研究所 Method for reading Android mobile phone information
CN103942054A (en) * 2014-04-25 2014-07-23 北京邮电大学 Data evidence obtaining system based on Android
CN104035839B (en) * 2014-06-12 2017-07-18 上海交通大学 Android privacy data recovery system implementation
CN104035839A (en) * 2014-06-12 2014-09-10 上海交通大学 Method for implementation of recovery of Android system private data
CN104142830B (en) * 2014-08-11 2017-06-06 四川效率源信息安全技术股份有限公司 Method and apparatus for extracting data through a smartphone application scripting plug-in technology
CN104142830A (en) * 2014-08-11 2014-11-12 四川效率源信息安全技术有限责任公司 Method and device for extracting application data of smart phone by script plug-in technology
CN104156430A (en) * 2014-08-11 2014-11-19 四川效率源信息安全技术有限责任公司 Device and method for fast extracting Android mobile phone data
CN104182541A (en) * 2014-09-05 2014-12-03 四川效率源信息安全技术有限责任公司 Method for showing smart phone data information
CN104850470A (en) * 2015-05-12 2015-08-19 浪潮电子信息产业股份有限公司 Method for fast recovering mis-deleted data under linux system
CN104932838A (en) * 2015-06-09 2015-09-23 南京邮电大学 Digital forensic method and system based on Android memory dump technology
CN105022949A (en) * 2015-07-02 2015-11-04 盘石软件(上海)有限公司 Handheld device for evidence fixing of Android phones and fixing method
CN105353665A (en) * 2015-12-08 2016-02-24 武汉虹旭信息技术有限责任公司 Mobile phone deleted information recovery system based on Android system and method thereof
CN105912423A (en) * 2016-04-07 2016-08-31 上海互盾信息科技有限公司 Data recovery and forensic method

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)