CN105141784A - Mobile phone evidence obtaining method based on recovery - Google Patents


Publication number
CN105141784A
Authority
CN
China
Prior art keywords
mobile phone
computer
recovery
pattern
fastboot
Prior art date
Legal status
Pending
Application number
CN201510662883.7A
Other languages
Chinese (zh)
Inventor
吴松洋
刘善军
金波
王旭鹏
熊雄
杜琳
郭波
张勇
Current Assignee
Third Research Institute of the Ministry of Public Security
Original Assignee
Third Research Institute of the Ministry of Public Security
Priority date
Filing date
Publication date
Application filed by Third Research Institute of the Ministry of Public Security
Priority to CN201510662883.7A
Publication of CN105141784A
Legal status: Pending

Abstract

The invention relates to a mobile phone forensics method based on recovery. The method comprises the following steps: (1) the computer determines whether a mobile phone is connected to the computer in fastboot mode; (2) if the mobile phone is connected to the computer in fastboot mode, a third-party recovery is flashed; (3) the partitions of the mobile phone are mounted; (4) the files on the mobile phone are exported to the computer; (5) if no mobile phone is connected to the computer in fastboot mode, step (1) is continued. Using this recovery-based method to read information from Android phones greatly improves the efficiency of reading Android phone information, the data read is complete and valid, and the method effectively assists judicial forensics and practical work, so it is suitable for large-scale adoption.

Description

Mobile phone forensics method based on recovery
Technical field
The present invention relates to the field of information technology, in particular to information security, and specifically to a mobile phone forensics method based on recovery.
Background art
At present there are mainly two approaches to forensics on Android smartphones. The first uses the phone's debugging interface, or chip-level techniques in which the storage chip is removed, to obtain a physical image of the phone's underlying storage; the file system of the physical image is then parsed to obtain the corresponding data files for forensic examination. The second is a software approach: using adb.exe, the Android debugging tool provided by Google, the examiner connects to the phone and exports the files to be parsed with adb commands. Both methods have shortcomings. The first places very strict requirements on the phone's hardware: the phone must expose a debugging interface, and most phones do not, so the phone has to be disassembled. Disassembly obviously damages the original evidence phone, is very difficult, and needs laboratory-level support. The second method also has relatively strict preconditions: it needs the power-on password, ROOT access, and USB debugging enabled. If any one of these conditions is not met, forensics on the phone will very likely be impossible. These restrictions can, however, be bypassed by carrying out the forensic work on the phone through Recovery.
Summary of the invention
The object of the invention is to overcome the above shortcomings of the prior art and to provide a recovery-based mobile phone forensics method that improves the efficiency of reading information from Android phones, reads data completely and effectively, and directly and effectively assists judicial forensics and practical work.
To achieve this object, the recovery-based mobile phone forensics method of the present invention is constituted as follows:
The main feature of this recovery-based mobile phone forensics method is that it comprises the following steps:
(1) the computer determines whether the mobile phone is connected to the computer in fastboot mode;
(2) if the mobile phone is connected to the computer in fastboot mode, a third-party recovery is flashed;
(3) the partitions of the mobile phone are mounted;
(4) the files on the mobile phone are exported to the computer;
(5) if no mobile phone is connected to the computer in fastboot mode, step (1) is continued.
Further, step (1) specifically comprises the following steps:
(1.1) the mobile phone enters fastboot mode;
(1.2) the mobile phone is connected to the computer;
(1.3) the computer determines whether the mobile phone is connected to the computer in fastboot mode.
Further, step (1.2) is specifically:
(1.2) the computer installs the driver corresponding to the mobile phone;
(1.3) the mobile phone is connected to the computer.
Further, step (1.3) is specifically:
The computer uses the fastboot devices command provided by Google to check whether a mobile phone is connected to the computer in fastboot mode.
Further, flashing the third-party recovery specifically comprises the following steps:
(2.1) the computer determines whether multiple mobile phones are connected to the computer;
(2.2) if multiple mobile phones are connected to the computer, the recovery is flashed to the specified mobile phone with the fastboot-s.img command, where s is the phone's serial number;
(1.3) if only one mobile phone is connected to the computer, the recovery is flashed to the specified mobile phone with the fastboots.img command, where s is the phone's serial number.
Further, mounting the partitions of the mobile phone is specifically:
Selecting the USB disk mode under recovery mode, which mounts all partitions of the phone directly under the corresponding directories;
Or
Mounting a specific partition by selecting the specific option under recovery mode.
With the recovery-based mobile phone forensics method of this invention, information can be read from Android phones. The efficiency of reading Android phone information is greatly improved, the data read is complete and valid, and the method directly and effectively assists judicial forensics and practical work, so it is suitable for large-scale adoption.
Brief description of the drawings
Fig. 1 is the overall flow chart of the recovery-based mobile phone forensics method of the present invention.
Detailed description
To describe the technical content of the present invention more clearly, it is further described below with reference to specific embodiments.
Forensics on an Android phone mainly means reading the specific stored data files under the /data/data directory. Reading these files requires ROOT permission and then a connection to the computer, but the phone cannot be connected to the computer when there is a power-on password or USB debugging is not enabled, so simply rooting the phone is impractical.
Android phones provide a fastboot mode. On Android phones, fastboot is a flashing mode at a lower level than recovery. It is a flashing mode in which the phone is connected with a USB data cable. Compared with flashing from a card, flashing over a cable is more reliable and safer. If recovery mode is called the restore mode, then fastboot is the real flashing mode, because many of the flashing packages provided by the manufacturer and Phoenix are all completed under fastboot mode.
Recovery mode is a mode (similar to Windows PE or DOS) in which the data or system inside an Android device can be modified. In this mode one can flash a new Android system, back up or upgrade the existing system, restore factory settings, or mount the corresponding partitions.
The official Recovery does not provide mount permission or USB debugging mode, so it cannot connect to the computer and the phone's information cannot be obtained through ADB.EXE; a third-party recovery therefore needs to be flashed.
Referring to Fig. 1, the specific forensic steps are:
(1) The phone enters fastboot mode. Different phones enter fastboot mode in different ways; for example, a Xiaomi phone enters fastboot mode when the power key and the volume-down key are pressed at the same time. On Samsung phones the fastboot mode, that is, the flashing mode, has a special name: "coal-mining mode".
(2) Connect the phone to the computer and let the computer recognize it. The corresponding phone driver must be downloaded from the phone manufacturer's website or a third-party website; without the driver the computer cannot recognize the phone and the connection fails.
(3) Determine whether the phone is correctly connected to the computer in fastboot mode. Using the fastboot.exe provided by Google, run the fastboot devices command to check whether a phone is connected in fastboot mode. If the phone's serial number and the word fastboot are displayed, separated by a tab character (\t), the connection has succeeded.
(4) Flash the third-party recovery. Obtain the third-party recovery.img file for the phone in question; the official recovery generally does not open an adb debugging interface and is therefore unsuitable. After a suitable IMG file has been found, flash the recovery to the phone with fastboot ***.img. If several phones are connected to the computer at the same time, run fastboot -s (phone serial number) ***.img to flash the recovery to the specified phone. If the file matches, the phone automatically enters recovery mode after the recovery has been flashed.
(5) Mount the corresponding phone partitions. The first method is to select the USB disk mode under recovery mode, which mounts all partitions of the phone directly under the corresponding directories. The second method is to mount a specific partition through the specific option under recovery mode; for example, "mount data" mounts the partition corresponding to /data under that directory. The third method is to call the adb shell command and use mount (mount directory) (partition to mount) to mount the partition to a particular directory.
(6) Export the files on the phone to the local computer for parsing. The phone's files are exported with adb.exe pull (source directory) (destination directory).
With the recovery-based mobile phone forensics method of this invention, information can be read from Android phones. The efficiency of reading Android phone information is greatly improved, the data read is complete and valid, and the method directly and effectively assists judicial forensics and practical work, so it is suitable for large-scale adoption.
In this specification, the invention has been described with reference to its specific embodiments. It is nevertheless evident that various modifications and changes can still be made without departing from the spirit and scope of the invention. Accordingly, the specification and drawings are to be regarded as illustrative rather than restrictive.

Claims (6)

1. A mobile phone forensics method based on recovery, characterized in that the method comprises the following steps:
(1) the computer determines whether the mobile phone is connected to the computer in fastboot mode;
(2) if the mobile phone is connected to the computer in fastboot mode, a third-party recovery is flashed;
(3) the partitions of the mobile phone are mounted;
(4) the files on the mobile phone are exported to the computer;
(5) if no mobile phone is connected to the computer in fastboot mode, step (1) is continued.
2. The mobile phone forensics method based on recovery according to claim 1, characterized in that step (1) specifically comprises the following steps:
(1.1) the mobile phone enters fastboot mode;
(1.2) the mobile phone is connected to the computer;
(1.3) the computer determines whether the mobile phone is connected to the computer in fastboot mode.
3. The mobile phone forensics method based on recovery according to claim 2, characterized in that step (1.2) is specifically:
(1.2) the computer installs the driver corresponding to the mobile phone;
(1.3) the mobile phone is connected to the computer.
4. The mobile phone forensics method based on recovery according to claim 2, characterized in that step (1.3) is specifically:
The computer uses the fastboot devices command provided by Google to check whether a mobile phone is connected to the computer in fastboot mode.
5. The mobile phone forensics method based on recovery according to claim 1, characterized in that flashing the third-party recovery specifically comprises the following steps:
(2.1) the computer determines whether multiple mobile phones are connected to the computer;
(2.2) if multiple mobile phones are connected to the computer, the recovery is flashed to the specified mobile phone with the fastboot-s.img command, where s is the phone's serial number;
(1.3) if only one mobile phone is connected to the computer, the recovery is flashed to the specified mobile phone with the fastboots.img command, where s is the phone's serial number.
6. The mobile phone forensics method based on recovery according to claim 1, characterized in that mounting the partitions of the mobile phone is specifically:
Selecting the USB disk mode under recovery mode, which mounts all partitions of the phone directly under the corresponding directories;
Or
Mounting a specific partition by selecting the specific option under recovery mode.
CN201510662883.7A 2015-10-14 2015-10-14 Mobile phone evidence obtaining method based on recovery Pending CN105141784A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510662883.7A CN105141784A (en) 2015-10-14 2015-10-14 Mobile phone evidence obtaining method based on recovery

Publications (1)

Publication Number Publication Date
CN105141784A true CN105141784A (en) 2015-12-09

Family

ID=54726983

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510662883.7A Pending CN105141784A (en) 2015-10-14 2015-10-14 Mobile phone evidence obtaining method based on recovery

Country Status (1)

Country Link
CN (1) CN105141784A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20151209