CN111596926A - Data forensics analysis method and apparatus, and electronic device - Google Patents

Data forensics analysis method and apparatus, and electronic device

Info

Publication number
CN111596926A
Authority
CN
China
Prior art keywords
component
flow graph
data
inter
program
Prior art date
Legal status
Granted
Application number
CN202010291071.7A
Other languages
Chinese (zh)
Other versions
CN111596926B (en)
Inventor
李炳龙
张宇
孙怡峰
常朝稳
王清贤
Current Assignee
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Priority date
Filing date
Publication date
Application filed by Information Engineering University of PLA Strategic Support Force
Priority to CN202010291071.7A
Publication of CN111596926A
Application granted
Publication of CN111596926B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/40 Transformation of program code
    • G06F 8/53 Decompilation; Disassembly
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/90 Details of database functions independent of the retrieved data types
    • G06F 16/901 Indexing; Data structures therefor; Storage structures
    • G06F 16/9024 Graphs; Linked lists

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Storage Device Security (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application discloses a data forensics analysis method and apparatus, and an electronic device, and relates to the field of network security. The data forensics analysis method comprises the following steps: decompiling an application program to obtain each component contained in it; constructing a data flow graph and a control flow graph for each component; predicting the communication fields used for inter-component communication in each component, and ordering the components according to those communication fields; constructing an inter-program data flow graph and an inter-program control flow graph for the application program according to the ordering of the components and the per-component data flow graphs and control flow graphs; and generating a data forensics analysis report, to be used for database decryption, based on the inter-program data flow graph and the inter-program control flow graph.

Description

Data forensics analysis method and apparatus, and electronic device
Technical Field
The application relates to the technical field of computers, and in particular to a data forensics analysis method and apparatus, and to an electronic device.
Background
At present, Android smartphones hold the largest share of the global smartphone market, and the number of digital crimes, such as economic fraud and smuggling, carried out by means of smartphone applications is rising year by year.
Since a large amount of the user's personal information processed by an application installed on a smartphone is stored in a local database, forensics based on that local database has become a crucial step in smartphone forensic analysis.
However, when the local database is encrypted, the forensic analyst must first work out the encryption mechanism of the encrypted database. The related art addresses this problem mainly with two methods: manual reverse engineering and dynamic analysis. Manual reverse engineering decompiles the application to source code, searches that source manually for the database encryption key, and finally analyses the key generation mechanism; its limitation is that evidence collection and analysis take a long time and require considerable technical expertise. Dynamic analysis installs the application to be analysed on a test phone or in an emulated phone environment and then traces and records how the application operates on the encrypted database at run time; its limitation is that it is difficult to trigger every program path involved in operating the database, so not all of the encryption modes used to encrypt the database can be found.
Disclosure of Invention
In view of the above problems, embodiments of the present application provide a data forensics analysis method, an apparatus and an electronic device that search for all encryption paths of an encrypted database as completely as possible, in a short time.
In a first aspect, an embodiment of the present application provides a data forensics analysis method, including: decompiling an application program to obtain each component contained in it; constructing a data flow graph and a control flow graph for each component; predicting the communication fields used for inter-component communication in each component, and ordering the components according to those communication fields; constructing an inter-program data flow graph and an inter-program control flow graph for the application program according to the ordering of the components and the per-component data flow graphs and control flow graphs; and generating a data forensics analysis report based on the inter-program data flow graph and the inter-program control flow graph.
Further, in an embodiment of the present application, the step of ordering the components according to the communication fields includes: determining a component intent and an intent filter from the communication fields; for each component, calculating the matching probability between that component's intent and the intent filter of each of the other components; and ordering the components according to the matching probability.
Further, in an embodiment of the present application, the matching probability is given by the formula of Figure BDA0002450407940000021 (the formula image is not reproduced on this page), in which the symbol of Figure BDA0002450407940000022 denotes the component intent of the i-th component and the symbol of Figure BDA0002450407940000023 denotes the intent filter of the f-th component.
Further, in an embodiment of the present application, after the step of generating a data forensics analysis report based on the inter-program data flow graph, the method further includes: where each data flow node in the data flow graph carries a node number, searching the inter-program data flow graph by node number for the database encryption instruction; tracing the data flow graph of each component backwards from the database encryption instruction to obtain the key source; and generating the data forensics analysis report based on the inter-program data flow graph and the key source.
Further, in an embodiment of the present application, when the key source is an invariant, tracing of the data flow graph of each component is stopped and the step of generating the data forensics analysis report based on the inter-program data flow graph and the key source is performed.
Further, in an embodiment of the application, when the key source is a variable, the step of tracing the data flow graph of each component from the database encryption instruction to obtain the key source is performed again, until the traced key source is a non-variable, whereupon the step of generating the data forensics analysis report based on the inter-program data flow graph and the key source is performed.
In a second aspect, an embodiment of the present application further provides a data forensics analysis apparatus, including: a decompilation module for decompiling the application program to obtain each component contained in it; a first construction module for constructing a data flow graph and a control flow graph for each component; a prediction module for predicting the communication fields used for inter-component communication in each component and ordering the components according to those communication fields; a second construction module for constructing an inter-program data flow graph and an inter-program control flow graph for the application program according to the ordering of the components and the per-component data flow graphs and control flow graphs; and a report generation module for generating a data forensics analysis report based on the inter-program data flow graph and the inter-program control flow graph.
Further, in an embodiment of the present application, the prediction module is specifically configured to determine a component intent and an intent filter from the communication fields; for each component, to calculate the matching probability between that component's intent and the intent filter of each of the other components; and to order the components according to the matching probability.
In a third aspect, an embodiment of the present application further provides an electronic device, including: at least one processor; and at least one memory coupled to the processor; wherein the memory stores program instructions executable by the processor, and the processor invokes the program instructions to perform the method described above.
In a fourth aspect, the present application further provides a computer-readable storage medium storing computer instructions which, when executed, cause the computer to perform the method described above.
At least one of the technical solutions adopted by the embodiments of the application achieves the following beneficial effects:
According to the data forensics analysis method, apparatus and electronic device, the components of the application program are obtained by decompiling it; several possible inter-program data flow graphs and inter-program control flow graphs are then constructed by predicting the communication fields in each component and combining them with the per-component data flow graphs and control flow graphs; and finally a data forensics analysis report is derived from the inter-program data flow graphs and inter-program control flow graphs. All possible encryption paths are thereby searched as completely as possible, and the time needed for data forensics analysis is shortened.
Drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present invention and should therefore not be considered as limiting its scope; those skilled in the art can obtain other related drawings from these drawings without inventive effort.
Fig. 1 is a schematic flow chart of a data forensics analysis method according to an exemplary embodiment of the present application.
Fig. 2 is a schematic diagram of a component call relationship of an application according to an exemplary embodiment of the present application.
Fig. 3 is a block diagram of a data forensics analysis apparatus according to an exemplary embodiment of the present application.
Fig. 4 is a block diagram of an electronic device provided in an exemplary embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention as claimed, but is merely representative of selected embodiments of the invention. All other embodiments which a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
It should be noted that like reference numbers and letters refer to like items in the following figures; once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
Fig. 1 is a schematic flow chart of a data forensics analysis method provided in an embodiment of the present application. The method may be executed by, but is not limited to, an electronic device running the Android system, and specifically by software or hardware in that electronic device; in this embodiment the electronic device may be a mobile phone, an iPad, a notebook, a wearable device, or the like. Referring again to Fig. 1, the data forensics method presented in this example may include the following steps.
S110, decompiling the application program to obtain each component contained in it.
The application program (APK) is the application involved in the forensic analysis of the encrypted data, such as WeChat, QQ, a parking control application, and the like; this embodiment places no limitation on it.
It should be noted that Android applications encrypt their databases by means of string operations, and at present two encryption schemes are mainly involved: a key-based database encryption mechanism and a ciphertext-based database encryption mechanism. The key-based mechanism generates a database encryption key and then encrypts the database by passing that key to a specific command; the ciphertext-based mechanism encrypts the data before writing it into the database, and then calls the SQL (Structured Query Language) insert command to write the already encrypted data into the database.
Based on this, in order to search for all possible encryption paths of the encrypted database generated by an application in the Android system, this embodiment decompiles the Android application to obtain all the components that make it up, and then performs forensic analysis of the encryption paths on the basis of those components.
S120, constructing a data flow graph and a control flow graph for each component.
As with the decompilation of the components, the construction of the Data Flow Graph (DFG) and Control Flow Graph (CFG) described in S120 may be implemented on, but is not limited to, the Amandroid platform.
S130, predicting the communication fields used for inter-component communication in each component, and ordering the components according to those communication fields.
The Android system uses inter-component communication (ICC): for example, one component may send an intent to another component on the basis of preset communication fields, and the target of the intent may be specified explicitly in the intent or implicitly. In this embodiment, therefore, the flow of control and data from one component to another is captured by predicting the communication fields in each component; that is, a high-probability calling order of the application's components can be obtained from the communication fields of each component.
In practice the IC3 tool may be used, but is not limited to being used, to predict the communication fields, which in this embodiment are character strings composed of letters, digits and the like. Optionally, the predictions obtained with the IC3 tool fall into two types: communication field values that can be determined, and communication field values that IC3 cannot predict accurately; the two types can be marked with different symbols, for example an uncertain value can be marked with the symbol "x".
S140, constructing an inter-program data flow graph and an inter-program control flow graph for the application program according to the ordering of the components and the per-component data flow graphs and control flow graphs.
The ordering represents a high-probability calling sequence of the components contained in the application program. From that ordering and the data flow graph and control flow graph predicted for each component, several possible inter-program data flow graphs and inter-program control flow graphs can be obtained, so that the encryption paths of the application program can be searched for in the graphs derived from it, and all possible encryption paths can be found as completely as possible.
S150, generating a data forensics analysis report based on the inter-program data flow graph (IDFG) and the inter-program control flow graph (ICFG).
The data forensics analysis report contains information about the program paths the application program may use to encrypt the database, so that when the database is later decrypted, the Android database key generation method can be recovered from the program paths in the report and the database decrypted on that basis.
It should be noted that when the data forensics analysis report given in this embodiment is used to determine the database encryption method and the corresponding decryption scheme, the decryption method differs with the encryption method. Where the database is encrypted with a key, the key can be regenerated from its data source and the generation method given in the report, and the regenerated key can then be used to access the encrypted database. Where the data are encrypted before being written into the database, the encrypted records are retrieved from the database in turn and decrypted with the key determined from the application's encryption method.
In this data forensics analysis method, the components of the application program are obtained by decompiling it; several possible inter-program data flow graphs and inter-program control flow graphs are then constructed by predicting the communication fields in each component and combining them with the per-component data flow graphs and control flow graphs; and the data forensics analysis report, the reverse-engineering report, is obtained from the inter-program data flow graphs and inter-program control flow graphs. All possible encryption paths are thus searched as completely as possible, and a reliable basis is provided for database decryption.
In one embodiment of the present application, it is taken into account that the Amandroid platform performs only constant propagation on string values and uses a conservative model for string operations, which may lead to incorrect parsing of (intent) fields and in turn to an incorrect or incomplete IDFG or ICFG (for example, possible communication between components may be lost). ICC matching is essentially the matching of the fields used for communication against the fields of the target component's intent filter; to predict ICC, therefore, the field values on the intent and on the intent filter have to be predicted, for example with the IC3 tool, which predicts the component intent and the intent filter field values of each component.
However, since the IC3 tool cannot predict every field value on the intents and intent filters accurately, this embodiment further uses a probability model, built on the IC3 prediction results, to calculate the probability that the predicted fields of an intent and an intent filter match. The more fields the intent to be matched and the intent filter have in common, the greater the matching probability.
Thus, as one implementation, ordering the components according to the communication fields in S130 may include: determining a component intent and an intent filter from the communication fields; for each component, calculating the matching probability between that component's intent and the intent filter of each of the other components; and ordering the components according to the matching probability.
Let the symbol of Figure BDA0002450407940000061 denote a communication field value predicted by the IC3 tool and the symbol of Figure BDA0002450407940000062 denote the actual field value of the intent filter of the predicted component; the matching probability may then be expressed as in Figure BDA0002450407940000063 (the formula image is not reproduced on this page), in which the symbol of Figure BDA0002450407940000064 denotes the component intent of the k-th component and the symbol of Figure BDA0002450407940000065 denotes the intent filter of the k-th component.
For example, referring to Fig. 2, which is taken to be an abstract representation of an Android-based parking lot search application, the application can be decompiled into four components: List Activity, Map Activity, Dial Activity and Desc Activity.
First, the communication fields (intent) of each component and its filter fields are predicted with the IC3 tool. For example, the fields "action", "categories" and "data" shown in Fig. 2 are the communication fields of the List Activity component, and their predicted values are "view", "default" and "geo" respectively.
Then the matching probability between the intent of each component and the intent filters of the other components is calculated with the matching probability formula above. Taking the List Activity component as the example, the matching probabilities between its component intent and the intent filters of the other three components are calculated as follows.
Figure BDA0002450407940000071
Figure BDA0002450407940000072
Figure BDA0002450407940000073
From P_{1,1}, P_{1,2} and P_{1,3} it can be seen that the List Activity component and the Desc Activity component have the highest matching probability. Therefore, when the ICFG and IDFG of the parking lot search application are constructed, the DFG and CFG of the pair of components with the highest matching probability are considered first, and the ICFG and IDFG are computed from them.
Finally, all the components are ordered by the calculated matching probabilities, the calling sequence of the Android application's components is generated from that ordering, and it replaces the result of the Amandroid platform's own ICC analysis. The Amandroid platform is then used to combine the derived DFGs and CFGs of the components into the IDFG and the ICFG.
As can be seen, by considering the IC3 tool's prediction together with the matching probability, this embodiment effectively avoids an incorrect or incomplete IDFG or ICFG and ensures the completeness of the encryption paths obtained in the subsequent analysis.
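The ordering step described above can be made concrete with a small matching-probability model. The Python below is an added example written for this page, not code from the patent, Amandroid or IC3. Because the page does not reproduce the patent's probability formula, the per-field scoring (1 for an exact match, 0.5 for a field IC3 could not predict, marked "x" as in the text, 0 for a mismatch, averaged over action, categories and data) is an assumption that keeps the stated property that more matching fields give a higher probability. Only the List Activity values (view, default, geo) come from the page; the other components' filters and the explicit intent from Map Activity are constructed so that Desc Activity ranks highest, as the text states.

```python
"""Intent / intent-filter matching probability and component ordering (S130).

Added example, not code from the patent, Amandroid or IC3. The scoring rule is an
assumption (the page does not reproduce its formula); only the List Activity field
values come from the page, the other filters are constructed for this example.
"""
from dataclasses import dataclass, field

UNKNOWN = "x"          # marker for a value IC3 could not predict (the page's notation)
UNKNOWN_SCORE = 0.5    # ASSUMPTION: partial credit for a field whose value is unknown
FIELDS = ("action", "categories", "data")


@dataclass
class Component:
    name: str
    intent_filter: dict                          # field -> set of accepted values
    intents: list = field(default_factory=list)  # outgoing intents: field -> predicted value


def field_score(value, accepted):
    """Score one field: 1.0 exact match, UNKNOWN_SCORE if either side is unpredicted, else 0.0."""
    if value == UNKNOWN or UNKNOWN in accepted:
        return UNKNOWN_SCORE
    return 1.0 if value in accepted else 0.0


def match_probability(intent, target):
    """P(intent is delivered to `target`).

    An explicit intent names its target class and bypasses filters; an implicit
    intent is scored by averaging the per-field match scores against the filter."""
    if "target" in intent:
        return 1.0 if intent["target"] == target.name else 0.0
    scores = [field_score(intent.get(f, UNKNOWN), target.intent_filter.get(f, set()))
              for f in FIELDS]
    return sum(scores) / len(scores)


def rank_targets(sender, components):
    """Return (target name, probability) pairs for every other component, best first.

    This order is the high-probability ICC calling sequence that S140 consumes
    in place of Amandroid's own ICC result."""
    ranked = []
    for target in components:
        if target is sender:
            continue
        p = max((match_probability(i, target) for i in sender.intents), default=0.0)
        ranked.append((target.name, round(p, 4)))
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked


def icc_edges(components, threshold=0.0):
    """All sender -> target edges above `threshold`, the input for IDFG/ICFG construction."""
    return [(s.name, t, p) for s in components
            for t, p in rank_targets(s, components) if p > threshold]


# Constructed abstraction of the Fig. 2 parking-lot search application.
PARKING_APP = [
    Component("ListActivity", {"action": {"view"}, "categories": {"default"}, "data": {UNKNOWN}},
              intents=[{"action": "view", "categories": "default", "data": "geo"}]),
    Component("MapActivity", {"action": {"view"}, "categories": {"default"}, "data": {UNKNOWN}},
              intents=[{"target": "DialActivity"}]),  # constructed explicit intent
    Component("DialActivity", {"action": {"dial"}, "categories": {"default"}, "data": {"tel"}}),
    Component("DescActivity", {"action": {"view"}, "categories": {"default"}, "data": {"geo"}}),
]

if __name__ == "__main__":
    for sender in PARKING_APP:
        print(sender.name, "->", rank_targets(sender, PARKING_APP))
```

rank_targets(sender, components) gives the per-sender calling order; icc_edges() collects every non-zero edge for graph construction. An explicit intent short-circuits the scoring, since a named target class is delivered regardless of its filter, which is why the constructed Map Activity edge scores 1.0 with no field comparison at all.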
Further, in an embodiment of the present application, the step of generating a data forensics analysis report based on the inter-program data flow graph includes: where each data flow node in the data flow graph carries a node number, searching the inter-program data flow graph by node number for the database encryption instruction (such as openOrCreateDatabase); tracing each data flow graph within the inter-program data flow graph backwards from the database encryption instruction to obtain the key source; and writing the key source into the data forensics analysis report.
As one implementation, when the key source is an invariant, such as a constant or a function without parameters, tracing of the data flow graphs is stopped and the step of generating the data forensics analysis report based on the inter-program data flow graph and the key source is performed.
As another implementation, when the key source is a variable or a function with parameters, the step of tracing each data flow graph within the inter-program data flow graph from the database encryption instruction to obtain the key source is performed again, until the traced key source is a non-variable, whereupon the step of generating the data forensics analysis report based on the inter-program data flow graph and the key source is performed.
Example 1. Assume a key-based database encryption mechanism; the goal of the forensic analysis is to find the method by which the key used to encrypt the database is generated. The application may encrypt the database by passing a key to the command openOrCreateDatabase. Here null is the reserved value indicating that a pointer or reference does not refer to a valid object, and a hook is a mechanism, originating in the Windows message-handling system, that allows an application to intercept the handling of messages or specific events.
In this embodiment, taking the IDFG as the example, the encryption path analysis requires the application's DFG, IDFG and IR (intermediate representation). Specifically, the database encryption instruction, such as openOrCreateDatabase, is first located in the IDFG by node number; the function that invokes openOrCreateDatabase is then obtained; and finally the key is traced in the DFG to find its source. Suppose the key source is dd. If dd is a constant, tracing stops and dd is written to the data forensics analysis report. If dd is a variable, tracing continues in the DFG to find its source. If dd is a function with parameters, the function is written to the report and the sources of its parameters are traced further in the DFG. If dd is a function without parameters, the function is written to the report and tracing stops. If dd comes from a parameter of the enclosing function, that parameter is traced in the IDFG to find the caller of the function, and tracing continues in the caller's DFG. In this way the source of the key and the way it is generated are found, and a data forensics analysis report is generated to provide a reference for the subsequent data decryption.
Example 2. Consider the simplified WeChat application shown in pseudo code 1 below, and assume that the database is encrypted at line 597. The call to openDatabase() is the starting point for searching the IDFG for the source of barr; barr is seen to come from the argument str2 of e.q, so the caller of e.q, the function b, is found next in the IDFG, and the argument passed to e.q is traced in the DFG of b. That argument derives from two variables, device_id and j (see pseudo code 2), which are traced separately: device_id comes from p.getDeviceId() at line 134 and j from hey.uf() at line 135. p.getDeviceId() is a function that obtains the IMEI and hey.uf() is a function that obtains the uin (user identifier); the key used to encrypt the database in the simplified WeChat application, and the way it is generated, are thus found and written to the data forensics analysis report.
Pseudo code 1:
550 public static e q(String str, String str2, boolean z)
551 {
    ......
594 sqlpool v0 = new sqlpool(sqldatabase, sqlconfiguration, i);
595 e evar = new e();
596 barr = str2.getBytes();
597 evar.tjr = v0.opendatabase(str3, barr, v1, null, 268435712, evar);
    ......
604 }
Pseudo code 2:
132 public boolean b(String str, long j, String str2)
133 {
134 device_id = p.getDeviceId();
135 j = hey.uf();
136 String substring = g.n((device_id + j).getBytes()).substring(0, 7);
137 this.tja = e.q(str, substring, false);
    ......
185 }
It should be noted that the numbers at the start of each line in pseudo code 1 and pseudo code 2 are the node numbers used to search for the database encryption instruction and other nodes; in practice the node numbering can be designed flexibly according to the situation.
The method for finding the generation of the key used to encrypt a database under the ciphertext-based database encryption mechanism, and the ICFG-based data forensics analysis process, can be carried out by reference to the descriptions in Examples 1 and 2 and are not repeated here. It should be noted, however, that in the ciphertext-based database encryption mechanism the Android application essentially uses the SQL insert() command to write already encrypted data (ciphertext) into the database, so the key to this part of the forensic analysis is to analyse how the application produces the ciphertext before it is written to the database, that is, the application's encryption mechanism.
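The tracing rules of Example 1 and the walk through pseudo code 1 and 2 can be run end to end over a toy data flow graph. The Python below is an added example, not code from the patent or from Amandroid: the two pseudo code listings are hand-encoded as per-function DFGs keyed by the line numbers the text cites, with one IDFG edge (b calls e.q at line 137). The tracer starts at the key argument of opendatabase at node 597, follows variables to their defining nodes, steps from the formal parameter str2 to the caller's actual argument, records functions with parameters and stops at constants and parameterless calls, producing the derivation the report would carry. The final re-evaluation uses assumed leaf implementations: a constructed IMEI and uin, and MD5 standing in for g.n(), whose real behaviour the page does not name.

```python
"""Backward key-source tracing over a DFG/IDFG (Examples 1 and 2). Added example, not code
from the patent or Amandroid: pseudo code 1 and 2 are hand-encoded as per-function data flow
graphs keyed by the node (line) numbers the text cites. The leaf implementations used to
re-evaluate the recovered derivation are assumptions (constructed IMEI and uin; MD5 stands
in for g.n(), whose real behaviour the page does not name)."""
import hashlib
from collections import namedtuple

Const = namedtuple("Const", "value")                     # literal: tracing stops here
Var = namedtuple("Var", "name")                          # local: follow its defining node
Param = namedtuple("Param", "index")                     # formal parameter: follow callers (IDFG)
Call = namedtuple("Call", "callee args", defaults=[()])  # call: stop if no args, else trace them

# Per-function DFG: variable -> (node number, defining expression).
DFG = {
    "e.q": {  # public static e q(String str, String str2, boolean z)  (pseudo code 1)
        "barr": (596, Call("getBytes", (Param(1),))),
        "evar.tjr": (597, Call("opendatabase", (Var("str3"), Var("barr"), Var("v1"),
                                                Const(None), Const(268435712), Var("evar")))),
    },
    "b": {  # public boolean b(String str, long j, String str2)  (pseudo code 2)
        "device_id": (134, Call("p.getDeviceId")),
        "j": (135, Call("hey.uf")),
        "substring": (136, Call("substring", (
            Call("g.n", (Call("getBytes", (Call("concat", (Var("device_id"), Var("j"))),)),)),
            Const(0), Const(7)))),
        "this.tja": (137, Call("e.q", (Param(0), Var("substring"), Const(False)))),
    },
}
CALLERS = {"e.q": [("b", "this.tja")]}  # IDFG edges: callee -> [(caller, variable holding the call)]
ENCRYPT_CALLS = {"opendatabase": 1}     # database-encryption call -> index of its key argument


def find_encrypt_instruction():
    # S150: locate the database-encryption call by node; return (function, node, key argument)
    for func, defs in DFG.items():
        for num, expr in defs.values():
            if isinstance(expr, Call) and expr.callee in ENCRYPT_CALLS:
                return func, num, expr.args[ENCRYPT_CALLS[expr.callee]]
    raise LookupError("no database encryption instruction in the IDFG")


def trace(expr, func, report):
    """Resolve `expr` in `func` to its leaf sources, appending one line per step to `report`."""
    if isinstance(expr, Const):
        report.append(f"{func}: constant {expr.value!r}, stop")
        return expr
    if isinstance(expr, Call):
        if not expr.args:
            report.append(f"{func}: {expr.callee}() has no parameters, stop")
            return expr
        report.append(f"{func}: {expr.callee}(...) has parameters, tracing them")
        return Call(expr.callee, tuple(trace(a, func, report) for a in expr.args))
    if isinstance(expr, Var):
        num, definition = DFG[func][expr.name]
        report.append(f"{func}: node {num} defines {expr.name}")
        return trace(definition, func, report)
    # Param: move to each caller through the IDFG and trace the actual argument there
    sources = []
    for caller, var in CALLERS.get(func, []):
        num, call = DFG[caller][var]
        report.append(f"{func}: parameter {expr.index} comes from caller {caller}, node {num}")
        sources.append(trace(call.args[expr.index], caller, report))
    if not sources:
        report.append(f"{func}: parameter {expr.index} has no known caller, stop")
        return expr
    return sources[0] if len(sources) == 1 else Call("one_of", tuple(sources))


def render(expr):
    # Format a resolved derivation as it would appear in the forensics report
    if isinstance(expr, Const):
        return repr(expr.value)
    if isinstance(expr, Param):
        return f"<param {expr.index}>"
    return f"{expr.callee}({', '.join(render(a) for a in expr.args)})"


def evaluate(expr, impls):
    # Re-run the recovered derivation with concrete leaf implementations
    if isinstance(expr, Const):
        return expr.value
    return impls[expr.callee](*(evaluate(a, impls) for a in expr.args))


def analyse():
    """Return (derivation string, step log, derivation tree) for the key of the encryption call."""
    func, num, key_arg = find_encrypt_instruction()
    report = [f"encryption instruction at node {num} in {func}"]
    tree = trace(key_arg, func, report)
    return render(tree), report, tree


# ASSUMPTIONS for re-evaluation: constructed IMEI and uin; MD5 stands in for g.n().
ASSUMED_IMPLS = {
    "p.getDeviceId": lambda: "357240051111110",
    "hey.uf": lambda: 1234567890,
    "concat": lambda a, b: f"{a}{b}",  # Java String + long
    "getBytes": lambda s: s.encode() if isinstance(s, str) else s,
    "g.n": lambda data: hashlib.md5(data).hexdigest(),
    "substring": lambda s, start, end: s[start:end],
}


def regenerate_key(impls=ASSUMED_IMPLS):
    """Rebuild the database key from the recovered derivation, as the report is meant to allow."""
    return evaluate(analyse()[2], impls)
```

analyse() returns the rendered derivation and the step log; regenerate_key() re-runs the derivation with the assumed leaves, which is the report's purpose under the key-based mechanism (the key is rebuilt from its data sources and generation method). Replacing ASSUMED_IMPLS with the real functions recovered from the decompiled code yields the actual key.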
As can be seen from the data forensics analysis method provided above, the application has at least the following technical effects:
The data forensics analysis method is a static analysis method for Android applications. It computes points-to information for all objects in each component and then analyses the flow of that information through the application, thereby revealing how the application handles the key material, ciphertext and other information to be recovered, and solving the problems of inaccurate inter-component relation prediction and excessive analysis time in existing data forensics methods. In addition, the inter-program data flow graph and inter-program control flow graph built by the application have higher precision.
Fig. 3 is a block diagram of a data forensics analysis apparatus 300 according to an exemplary embodiment; the data forensics analysis apparatus 300 is applicable to a terminal device. Referring to fig. 3, the data forensics analysis apparatus 300 includes a decompilation module 310, a first construction module 320, a prediction module 330, a second construction module 340, and a report generation module 350.
The decompilation module 310 is configured to decompile an application program to obtain the components included in the application program; the first construction module 320 is configured to construct a data flow graph and a control flow graph corresponding to each of the components; the prediction module 330 is configured to predict the communication field included in each component for inter-component communication and to rank each component according to the communication field; the second construction module 340 is configured to construct an inter-program data flow graph and an inter-program control flow graph corresponding to the application program according to the sorting result of each component and the data flow graph and control flow graph corresponding to each component; the report generation module 350 is configured to generate a data forensics analysis report based on the inter-program data flow graph and the inter-program control flow graph.
Further, as a possible implementation, the prediction module 330 is specifically configured to determine a component intent and an intent filter according to the communication field; and for each of the components, calculating a matching probability between the component intention of the component and the intention filters respectively corresponding to other components; and sorting the components according to the matching probability.
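The matching step of the prediction module 330, as an added Python example that is not part of the patent's own code. It shows how a predicted component intent is scored against the intent filters of the other components and how the resulting candidate inter-component edges are ranked. The formula of claim 3 survives on this page only as an image, so the per-field scoring below (a definite mismatch gives 0, a field the static analysis could not resolve contributes an assumed factor of 0.5, an explicit intent resolves only to its named target) is a stand-in, not the patent's formula; the five components and their communication fields are constructed for the example.

```python
"""Component intent vs. intent-filter matching and ICC candidate ranking.

Added example, not the patent's own code. The matching-probability formula
of claim 3 is only available as an image here, so the scoring below is an
assumed stand-in that follows Android's intent-resolution rules.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

UNRESOLVED_FACTOR = 0.5  # assumed weight for a field static analysis could not determine
DEFAULT = "android.intent.category.DEFAULT"


@dataclass
class ComponentIntent:
    """Communication fields predicted for one Intent a component sends."""
    action: Optional[str] = None
    categories: FrozenSet[str] = frozenset()
    scheme: Optional[str] = None
    target: Optional[str] = None   # explicit Intent: the receiving component's name


@dataclass
class IntentFilter:
    """Communication fields declared by a receiving component's <intent-filter>."""
    actions: FrozenSet[str] = frozenset()
    categories: FrozenSet[str] = frozenset()
    schemes: FrozenSet[str] = frozenset()


@dataclass
class Component:
    name: str
    intents: List[ComponentIntent] = field(default_factory=list)
    filters: List[IntentFilter] = field(default_factory=list)


def match_probability(intent: ComponentIntent, flt: IntentFilter) -> float:
    """Assumed score of an implicit Intent against one filter (0.0 .. 1.0)."""
    p = 1.0
    # Action test: the filter must list the Intent's action.
    if intent.action is None:
        p *= UNRESOLVED_FACTOR
    elif intent.action not in flt.actions:
        return 0.0
    # Category test: every category on the Intent must appear in the filter.
    if not intent.categories <= flt.categories:
        return 0.0
    # Data test: a URI scheme on the Intent must be accepted by the filter.
    if intent.scheme is not None and intent.scheme not in flt.schemes:
        return 0.0
    return p


def rank_components(components: List[Component]) -> List[Tuple[str, str, float]]:
    """Candidate inter-component edges (sender, receiver, probability),
    highest probability first; this ordering drives ICFG/IDFG assembly."""
    edges: List[Tuple[str, str, float]] = []
    for src in components:
        for intent in src.intents:
            for dst in components:
                if dst is src:
                    continue
                if intent.target is not None:
                    # Explicit Intents bypass filters and reach only the named component.
                    p = 1.0 if intent.target == dst.name else 0.0
                else:
                    p = max((match_probability(intent, f) for f in dst.filters), default=0.0)
                if p > 0.0:
                    edges.append((src.name, dst.name, p))
    edges.sort(key=lambda e: -e[2])   # stable sort: ties keep discovery order
    return edges


# Constructed sample application: five components, three of them reachable.
SAMPLE_COMPONENTS = [
    Component("LoginActivity", intents=[
        ComponentIntent(action="com.example.SYNC", categories=frozenset({DEFAULT})),
        # action could not be resolved statically, only the URI scheme is known
        ComponentIntent(action=None, categories=frozenset({DEFAULT}), scheme="https"),
    ]),
    Component("SyncService",
              filters=[IntentFilter(actions=frozenset({"com.example.SYNC"}), categories=frozenset({DEFAULT}))],
              intents=[ComponentIntent(target="DbWriterReceiver")]),
    Component("DbWriterReceiver", filters=[IntentFilter(actions=frozenset({"com.example.WRITE"}))]),
    Component("ShareActivity",
              filters=[IntentFilter(actions=frozenset({"android.intent.action.SEND"}), categories=frozenset({DEFAULT}))]),
    Component("WebViewActivity",
              filters=[IntentFilter(actions=frozenset({"android.intent.action.VIEW"}),
                                    categories=frozenset({DEFAULT, "android.intent.category.BROWSABLE"}),
                                    schemes=frozenset({"https"}))]),
]

if __name__ == "__main__":
    for sender, receiver, prob in rank_components(SAMPLE_COMPONENTS):
        print(f"{sender} -> {receiver}: {prob:.2f}")
```

Only edges with non-zero probability are kept, so a component whose filters cannot accept any predicted intent never enters the inter-program graphs; the 0.5 edge from the unresolved action is retained so that a possible encryption path is not lost, which matches the stated aim of searching all possible paths.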
The specific manner in which the respective modules of the apparatus 300 perform their operations has been described in detail in the method embodiment and will not be elaborated here.
The data forensics analysis device 300 provided by the embodiment of the application has at least the following technical effects.
The apparatus obtains each component of an application program by decompiling it, constructs the candidate inter-program data flow graphs and control flow graphs from the predicted communication fields of each component together with each component's own data flow graph and control flow graph, and generates the data forensics analysis report from the inter-program data flow graph and inter-program control flow graph, so that all possible encryption paths are searched as far as possible and a reliable basis for database decryption is provided.
Referring to fig. 4, a block diagram of an electronic device 400 according to an example embodiment is provided, where the electronic device 400 may include at least a processor 410 and a memory 420 for storing instructions executable by the processor 410. Wherein processor 410 is configured to execute instructions to implement all or a portion of the steps of the data forensics analysis method as in the embodiments described above.
The processor 410 and the memory 420 are electrically connected directly or indirectly to enable data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines.
The processor 410 reads and writes data or programs stored in the memory 420 and performs the corresponding functions.
The memory 420 is used for storing programs or data, such as instructions executable by the processor 410. The memory 420 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
Further, as a possible implementation, the electronic device 400 may also include power components, multimedia components, audio components, input/output (I/O) interfaces, sensor components, and communication components, among others.
The power supply components provide power to the various components of the electronic device 400. The power components may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for electronic device 400.
The multimedia components include a screen that provides an output interface between the electronic device 400 and the user. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component includes a front facing camera and/or a rear facing camera. The front camera and/or the rear camera may receive external multimedia data when the electronic device 400 is in an operating mode, such as a shooting mode or a video mode. Each front camera and rear camera may be a fixed optical lens system or have a focal length and optical zoom capability.
The audio component is configured to output and/or input an audio signal. For example, the audio component includes a Microphone (MIC) configured to receive an external audio signal when the electronic device 400 is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signal may further be stored in the memory 420 or transmitted via the communication component. In some embodiments, the audio assembly further comprises a speaker for outputting audio signals.
The I/O interface provides an interface between the processing component and a peripheral interface module, which may be a keyboard, click wheel, button, etc. These buttons may include, but are not limited to: a home button, a volume button, a start button, and a lock button.
The sensor assembly includes one or more sensors for providing various aspects of status assessment for the electronic device 400. For example, the sensor component may detect an open/closed state of the electronic device 400, the relative positioning of components, such as a display and keypad of the electronic device 400, the sensor component may also detect a change in position of the electronic device 400 or a component of the electronic device 400, the presence or absence of user contact with the electronic device 400, orientation or acceleration/deceleration of the electronic device 400, and a change in temperature of the electronic device 400. The sensor assembly may include a proximity sensor configured to detect the presence of a nearby object in the absence of any physical contact. The sensor assembly may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly may further include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication components are configured to facilitate wired or wireless communication between the electronic device 400 and other devices. The electronic device 400 may access a wireless network based on a communication standard, such as WiFi, a carrier network (such as 2G, 3G, 4G, or 5G), or a combination thereof. In an exemplary embodiment, the communication component receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, infrared data association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the electronic device 400 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, micro-controllers, microprocessors or other electronic components for performing the above-described methods.
It should be understood that the configuration shown in fig. 4 is merely a schematic diagram of the configuration of the electronic device 400, and that the electronic device 400 may also include more or fewer components than shown in fig. 4, or have a different configuration than shown in fig. 4. The components shown in fig. 4 may be implemented in hardware, software, or a combination thereof.
In an exemplary embodiment, a non-transitory computer-readable storage medium is also provided that includes instructions, such as a memory, that are executable by a processor of an electronic device to perform the data forensics analysis method described above. For example, the non-transitory computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (10)

1. A data forensics analysis method, comprising:
decompiling an application program to obtain each component contained in the application program;
constructing a data flow graph and a control flow graph corresponding to each component;
predicting a communication field for inter-component communication included in each component, and sequencing each component according to the communication field;
constructing an inter-program data flow graph and an inter-program control flow graph corresponding to the application program according to the sequencing result of each component and the data flow graph and the control flow graph corresponding to each component;
and generating a data forensics analysis report based on the inter-program data flow graph and the inter-program control flow graph.
2. The data forensics analysis method of claim 1, wherein the step of ordering each of the components according to the communication field comprises:
determining a component intent and an intent filter from the communication field;
for each component, calculating the matching probability between the component intention of the component and the intention filter respectively corresponding to other components;
and sorting the components according to the matching probability.
3. The method of claim 2, wherein the match probability is given by the formula [image FDA0002450407930000011, not reproduced in text], wherein the symbol [image FDA0002450407930000012] represents the component intent of the kth said component and the symbol [image FDA0002450407930000013] represents the intent filter of the kth said component.
4. The data forensics analysis method of claim 1, wherein the step of generating a data forensics analysis report based on the inter-procedural dataflow graph includes:
under the condition that each data flow node in the data flow graph between programs carries a node number, searching a database encryption instruction in the data flow graph between programs according to the node number;
tracking a data flow graph corresponding to each component through the database encryption instruction to obtain a secret key source;
generating the data forensics analysis report based on the inter-procedural dataflow graph and the key source.
5. The method of claim 4, wherein, in a case where the key source is a non-variable, tracking of the data flow graph corresponding to each component is stopped and the step of generating the data forensics analysis report based on the inter-program data flow graph and the key source is performed.
6. The data forensics analysis method according to claim 4, wherein, in a case where the key source is a variable, the step of tracking the data flow graph corresponding to each component through the database encryption instruction to obtain the key source continues to be executed until the tracked key source is a non-variable, and then the step of generating the data forensics analysis report based on the inter-program data flow graph and the key source is executed.
7. A data forensics analysis apparatus, comprising:
the decompiling module is used for decompiling the application program to obtain each component contained in the application program;
the first construction module is used for constructing a data flow graph and a control flow graph corresponding to each component;
the prediction module is used for predicting communication fields used for communication among the components and included in the components, and sequencing the components according to the communication fields;
a second construction module, configured to construct an inter-program data flow graph and an inter-program control flow graph corresponding to the application program according to the sorting result of each component, and the data flow graph and the control flow graph corresponding to each component;
and the report generation module is used for generating a data forensics analysis report based on the inter-program data flow graph and the inter-program control flow graph.
8. The data forensics analysis device of claim 7, wherein the prediction module is specifically configured to determine a component intent and an intent filter from the communication field; and for each of the components, calculating a matching probability between the component intention of the component and the intention filters respectively corresponding to other components; and sorting the components according to the matching probability.
9. An electronic device, comprising:
at least one processor;
at least one memory coupled to the processor;
wherein the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any of claims 1 to 6.
10. A computer-readable storage medium, wherein the storage medium stores computer instructions that cause the computer to perform the method of any of claims 1-6.
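The key-source tracking of claims 4 to 6 over a numbered inter-program data flow graph, as an added Python example that is not the patent's own code. Every data flow node carries a node number, the database write that stores ciphertext is located in the inter-program graph, and the key operand of the encryption it depends on is tracked backwards, across the component boundary, until a non-variable (a constant) is reached; a variable with no static definition is reported as an unresolved run-time input rather than silently dropped. The graph is constructed for this example and mirrors the shape of the page's pseudo code (a key derived from device_id plus another value); g.n is the obfuscated helper name from that pseudo code and is assumed here to be a digest function, and the write-pattern list is an assumption.

```python
"""Key-source tracking over a numbered inter-program data flow graph.

Added example, not the patent's own code; follows claims 4 to 6. The graph is
constructed, g.n is assumed to be a digest, DB_WRITE_PATTERNS is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Node:
    num: int                         # node number, used to look instructions up
    component: str                   # component whose DFG contains this node
    kind: str                        # "const" (non-variable), "var", "call" or "icc"
    text: str                        # decompiled statement
    uses: Tuple[int, ...] = ()       # nodes whose values flow into this one
    key_uses: Tuple[int, ...] = ()   # subset of `uses` that is a key operand


# Assumed patterns for a "database encryption instruction": the SQL write that
# stores the ciphertext (the ciphertext-based mechanism described on the page).
DB_WRITE_PATTERNS = ("db.insert(", "db.insertOrThrow(", "db.replace(")


class InterProgramDFG:
    def __init__(self, nodes: List[Node]) -> None:
        self.nodes: Dict[int, Node] = {n.num: n for n in nodes}

    def backward_slice(self, start: int) -> List[int]:
        """Node numbers that transitively flow into `start`, in visit order."""
        seen, order, stack = set(), [], [start]
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            order.append(n)
            stack.extend(self.nodes[n].uses)
        return order

    def find_encryption_instructions(self) -> List[int]:
        """Database writes whose stored value depends on a key-bearing node,
        i.e. writes of ciphertext; plaintext writes are not reported."""
        found = []
        for num in sorted(self.nodes):
            if not any(p in self.nodes[num].text for p in DB_WRITE_PATTERNS):
                continue
            if any(self.nodes[m].key_uses for m in self.backward_slice(num)):
                found.append(num)
        return found

    def trace_key_source(self, enc_num: int) -> dict:
        """Find the key-bearing node behind `enc_num`, then follow its key
        operand backwards: a constant stops the search (claim 5); a variable
        with definitions is tracked further (claim 6); a variable without any
        static definition is reported as unresolved."""
        key_nodes = [m for m in self.backward_slice(enc_num) if self.nodes[m].key_uses]
        constants: List[Tuple[int, List[int]]] = []
        unresolved: List[Tuple[int, List[int]]] = []
        for k in key_nodes:
            seen = set()
            stack = [(u, [k, u]) for u in self.nodes[k].key_uses]
            while stack:
                n, path = stack.pop()
                if n in seen:
                    continue
                seen.add(n)
                node = self.nodes[n]
                if node.kind == "const":
                    constants.append((n, path))
                elif not node.uses:
                    unresolved.append((n, path))
                else:
                    stack.extend((u, path + [u]) for u in node.uses)
        return {"encryption_instruction": enc_num, "key_nodes": key_nodes,
                "constants": constants, "unresolved": unresolved}


def forensics_report(dfg: InterProgramDFG, trace: dict) -> List[str]:
    """Lines for the data forensics analysis report: where the ciphertext is
    written, which constants the key derives from and which inputs remain."""
    enc = dfg.nodes[trace["encryption_instruction"]]
    lines = [f"encryption instruction: node {enc.num} in {enc.component}: {enc.text}"]
    for n, path in trace["constants"]:
        comps = " <- ".join(dict.fromkeys(dfg.nodes[p].component for p in path))
        lines.append(f"key source: node {n} constant {dfg.nodes[n].text} via nodes {path} ({comps})")
    for n, path in trace["unresolved"]:
        lines.append(f"key input: node {n} run-time value, not statically recoverable: {dfg.nodes[n].text}")
    return lines


# Constructed two-component graph; the ICC edge 3 -> 4 comes from intent matching.
SAMPLE_NODES = [
    Node(1, "LoginActivity", "const", '"app-secret-1"'),
    Node(2, "LoginActivity", "var", 'String seed = "app-secret-1";', uses=(1,)),
    Node(3, "LoginActivity", "icc", 'intent.putExtra("seed", seed); startService(intent);', uses=(2,)),
    Node(4, "DbWriterService", "icc", 'String seed = intent.getStringExtra("seed");', uses=(3,)),
    Node(12, "DbWriterService", "var", 'String device_id = Settings.Secure.getString(cr, Settings.Secure.ANDROID_ID);'),
    Node(5, "DbWriterService", "call", 'byte[] kb = g.n((device_id + seed).getBytes());', uses=(4, 12)),
    Node(6, "DbWriterService", "call", 'SecretKeySpec key = new SecretKeySpec(kb, "AES");', uses=(5,)),
    Node(7, "DbWriterService", "call", 'cipher.init(Cipher.ENCRYPT_MODE, key);', uses=(6,), key_uses=(6,)),
    Node(8, "DbWriterService", "var", 'String pwd = intent.getStringExtra("pwd");'),
    Node(9, "DbWriterService", "call", 'byte[] ct = cipher.doFinal(pwd.getBytes());', uses=(7, 8)),
    Node(10, "DbWriterService", "call", 'db.insert("users", null, row(ct));', uses=(9,)),
    Node(11, "DbWriterService", "call", 'db.insert("log", null, row(pwd));', uses=(8,)),   # plaintext write
]

if __name__ == "__main__":
    dfg = InterProgramDFG(SAMPLE_NODES)
    for enc in dfg.find_encryption_instructions():
        print("\n".join(forensics_report(dfg, dfg.trace_key_source(enc))))
```

The plaintext write at node 11 is deliberately not reported, because its backward slice contains no key-bearing node; and the report separates the constant half of the key material (recoverable from the decompiled code alone) from the device-bound half, which is exactly the information an examiner needs before attempting database decryption.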
CN202010291071.7A 2020-04-14 2020-04-14 Data evidence obtaining analysis method and device and electronic equipment Active CN111596926B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010291071.7A CN111596926B (en) 2020-04-14 2020-04-14 Data evidence obtaining analysis method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN111596926A true CN111596926A (en) 2020-08-28
CN111596926B CN111596926B (en) 2023-02-07

Family

ID=72190690

Country Status (1)

Country Link
CN (1) CN111596926B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101359352A (en) * 2008-09-25 2009-02-04 中国人民解放军信息工程大学 API use action discovering and malice deciding method after confusion of multi-tier synergism
US20140130153A1 (en) * 2012-11-08 2014-05-08 International Business Machines Corporation Sound and effective data-flow analysis in the presence of aliasing
WO2016101005A1 (en) * 2014-12-23 2016-06-30 University Of South Australia Remote programmatic forensic data collection method and system
CN106933642A (en) * 2015-12-29 2017-07-07 阿里巴巴集团控股有限公司 The processing method and processing unit of application program
WO2017180666A1 (en) * 2016-04-15 2017-10-19 Sophos Limited Forensic analysis of computing activity and malware detection using an event graph
CN107832619A (en) * 2017-10-10 2018-03-23 电子科技大学 Vulnerability of application program automatic excavating system and method under Android platform
US20180211046A1 (en) * 2017-01-26 2018-07-26 Intel Corporation Analysis and control of code flow and data flow
CN109145603A (en) * 2018-07-09 2019-01-04 四川大学 A kind of Android privacy leakage behavioral value methods and techniques based on information flow
US20190121979A1 (en) * 2017-10-19 2019-04-25 International Business Machines Corporation Policy-based detection of anomalous control and data flow paths in an application program
CN110008662A (en) * 2019-04-11 2019-07-12 北京字节跳动网络技术有限公司 Operation method, device, electronic equipment and the readable storage medium storing program for executing of application program

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
李炳龙: "跨即时通信平台的社交网络取证研究", 《信息工程大学学报》 *
杨龙等: "Android系统恶意程序检测技术在电子取证中的应用", 《中国司法鉴定》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112580101A (en) * 2020-12-29 2021-03-30 厦门市美亚柏科信息股份有限公司 Data decryption method and terminal
CN112580101B (en) * 2020-12-29 2023-08-08 厦门市美亚柏科信息股份有限公司 Data decryption method and terminal
CN113885882A (en) * 2021-10-29 2022-01-04 四川效率源信息安全技术股份有限公司 Method for restoring iOS type character string
CN113885882B (en) * 2021-10-29 2023-03-07 四川效率源信息安全技术股份有限公司 Method for restoring iOS type character string
CN114390012A (en) * 2021-12-15 2022-04-22 中国电子科技集团公司第三十研究所 West trust application data evidence obtaining method based on reverse analysis

Also Published As

Publication number Publication date
CN111596926B (en) 2023-02-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant