CN112083970A - Mobile terminal digital evidence obtaining method and equipment based on dynamic loading technology - Google Patents
- Publication number: CN112083970A
- Authority: CN (China)
- Prior art keywords: application program; mobile terminal; loaded; evidence obtaining; dynamic loading
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44521—Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
- G06F9/44526—Plug-ins; Add-ons
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/60—Software deployment
- G06F8/61—Installation
- G06F8/62—Uninstallation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
Abstract
The invention provides a mobile terminal digital evidence obtaining method and equipment based on a dynamic loading technology. The method comprises the following steps: the digital evidence obtaining software installed on a mobile terminal is divided into a first application program and a second application program; after digital evidence obtaining is started, the first application program is first installed in the mobile terminal; the second application program is installed through the first application program and loaded based on a dynamic loading technology; the second application program is deleted after it is loaded; and finally the loaded second application program is called through the first application program to carry out digital evidence obtaining on the mobile terminal. The invention can thus dynamically load an application program inside an installed, running application and run that application program's core code, ensuring that the core code is used without persisting on the terminal's storage and thereby protecting the core code of the application program.
Description
Technical Field
The invention relates to the technical field of digital forensics, in particular to a mobile terminal digital forensics method based on a dynamic loading technology and mobile terminal digital forensics equipment based on the dynamic loading technology.
Background
With the continuous updating and iteration of Android versions on mobile phones, security is increasingly valued by all sectors of society. In particular, in the field of judicial forensic evidence collection, rooting a suspect's mobile phone in order to collect its data is increasingly difficult, and the cost of obtaining evidence by rooting is increasingly high. In addition, existing evidence collection technology generally needs to install an APP collection client on the target mobile phone to collect its data, but an APP installed in this way is easily reverse-analyzed, so that its source code is leaked.
Disclosure of Invention
The present invention is directed to solving, at least to some extent, one of the technical problems in the art described above. Therefore, an object of the present invention is to provide a mobile terminal digital evidence obtaining method based on a dynamic loading technology, which can dynamically load an application program inside an installed, running application and run that application program's core code, thereby ensuring that the core code is used without persisting on the terminal's storage and achieving the purpose of protecting the core code of the application program.
The second purpose of the invention is to provide a mobile terminal digital evidence obtaining device based on the dynamic loading technology.
In order to achieve the above object, an embodiment of a first aspect of the present invention provides a mobile terminal digital forensics method based on a dynamic loading technology, including the following steps: sending a first application program to the mobile terminal, wherein the first application program is installed on the mobile terminal and is started after installation is completed; after the first application program is started, establishing communication connection with the first application program; after establishing communication connection with the first application program, sending a second application program to the mobile terminal through the first application program; after the second application program is sent, acquiring equipment information of the mobile terminal; judging whether the mobile terminal meets a set requirement or not according to the equipment information, wherein if the mobile terminal meets the set requirement, a dynamic loading technology is adopted to load the second application program; after the second application program is loaded, deleting the second application program through the first application program; and after the second application program is loaded, calling the loaded second application program through the first application program to perform digital evidence obtaining on the mobile terminal.
According to the mobile terminal digital evidence obtaining method based on the dynamic loading technology provided by the embodiment of the invention, the digital evidence obtaining software installed in the mobile terminal is divided into a first application program and a second application program. After digital evidence collection is started, the first application program is first installed in the mobile terminal, the second application program is installed through the first application program and loaded based on a dynamic loading technology, the second application program is deleted after it is loaded, and finally the loaded second application program is called through the first application program to carry out digital evidence obtaining on the mobile terminal. An application program can therefore be dynamically loaded inside an installed, running application and its core code run, so that the core code is used without persisting on the terminal's storage, which achieves the purpose of protecting the core code of the application program.
In addition, the mobile terminal digital forensics method based on the dynamic loading technology proposed by the above embodiment of the present invention may also have the following additional technical features:
Further, after the second application program is loaded and the loaded second application program is called by the first application program to perform digital forensics on the mobile terminal, the method further comprises the following step: after the digital evidence obtaining is finished, detecting whether related files of the second application program are left in the mobile terminal, and if so, deleting the files through the first application program.
Further, if abnormal operation occurs in the digital evidence obtaining process, the loaded second application program and the relevant files are deleted through the first application program.
According to one embodiment of the invention, the first application and the second application are both code obfuscated and code hardened.
According to one embodiment of the invention, the first application is a host apk and the second application is a plug-in apk, wherein the first application comprises relevant codes for downloading and deleting the second application, and the second application comprises work codes for digital evidence obtaining.
According to one embodiment of the present invention, the device information includes operating system version information of the mobile terminal.
According to one embodiment of the invention, the mobile terminal is an Android mobile phone.
In order to achieve the above object, a second embodiment of the present invention provides a mobile terminal digital evidence obtaining device based on a dynamic loading technology, including: the first sending module is used for sending a first application program to the mobile terminal, wherein the first application program is installed on the mobile terminal and is started after installation is completed; the communication module is used for establishing communication connection with the first application program after the first application program is started; the second sending module is used for sending a second application program to the mobile terminal through the first application program after establishing communication connection with the first application program; the acquisition module is used for acquiring the equipment information of the mobile terminal after the second application program is sent; the loading module is used for judging whether the mobile terminal meets a set requirement or not according to the equipment information, wherein if the mobile terminal meets the set requirement, the second application program is loaded by adopting a dynamic loading technology; the deleting module is used for deleting the second application program through the first application program after the second application program is loaded; and the digital evidence obtaining module is used for calling the loaded second application program through the first application program to carry out digital evidence obtaining on the mobile terminal after the second application program is loaded.
According to the mobile terminal digital evidence obtaining device based on the dynamic loading technology provided by the embodiment of the invention, the first sending module sends the first application program to the mobile terminal; the communication module establishes communication connection with the first application program after the first application program is started; the second sending module sends the second application program to the mobile terminal after the communication connection with the first application program is established; the acquisition module acquires the device information of the mobile terminal after the transmission of the second application program is finished; the loading module judges whether the mobile terminal reaches the set requirement according to the device information, wherein if the mobile terminal reaches the set requirement, the second application program is loaded by adopting the dynamic loading technology; the deletion module deletes the second application program after the second application program is loaded; and the digital evidence obtaining module, after the second application program is loaded, calls the loaded second application program through the first application program to carry out digital evidence obtaining on the mobile terminal. An application program can therefore be dynamically loaded inside an installed, running application and its core code run, so that the core code is used without persisting on the terminal's storage, which achieves the purpose of protecting the core code of the application program.
In addition, the mobile terminal digital forensics device based on the dynamic loading technology proposed by the above embodiment of the present invention may also have the following additional technical features:
Further, the mobile terminal further comprises a detection module, wherein the detection module is used for detecting whether the related files of the second application program are left in the mobile terminal after the digital evidence obtaining is finished, and if so, deleting the related files.
Further, if abnormal operation occurs in the digital evidence obtaining process, the loaded second application program and the relevant files are deleted through the first application program.
Drawings
Fig. 1 is a flowchart of a mobile terminal digital forensics method based on a dynamic loading technique according to an embodiment of the present invention;
Fig. 2 is a flowchart of a mobile terminal digital forensics method based on dynamic loading technology according to an embodiment of the present invention;
Fig. 3 is a flowchart of a mobile terminal digital forensics method based on dynamic loading technology according to an embodiment of the present invention;
Fig. 4 is a diagram of a class loader ClassLoader and its subclasses relationship according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a class loader ClassLoader loading plug-in apk according to an embodiment of the present invention;
Fig. 6 is a schematic block diagram of a mobile terminal digital forensics device based on a dynamic loading technique according to an embodiment of the present invention;
Fig. 7 is a block diagram of a mobile terminal digital forensics device based on dynamic loading technology according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a flowchart of a mobile terminal digital forensics method based on a dynamic loading technique according to an embodiment of the present invention.
As shown in fig. 1, the mobile terminal digital forensics method based on the dynamic loading technology according to the embodiment of the present invention includes the following steps:
S1, sending a first application program to the mobile terminal, wherein the first application program is installed on the mobile terminal and is started after the installation is finished;
S2, after the first application program is started, establishing communication connection with the first application program;
S3, after establishing communication connection with the first application program, sending a second application program to the mobile terminal through the first application program;
S4, after the second application program is sent, acquiring the equipment information of the mobile terminal;
S5, judging whether the mobile terminal meets the setting requirement or not according to the equipment information, wherein if the mobile terminal meets the setting requirement, a second application program is loaded by adopting a dynamic loading technology;
S6, after the second application program is loaded, deleting the second application program through the first application program;
S7, after the second application program is loaded, calling the loaded second application program through the first application program to perform digital evidence obtaining on the mobile terminal.
Further, as shown in fig. 2, the mobile terminal digital forensics method based on the dynamic loading technology according to the embodiment of the present invention further includes the following steps:
S8, after the digital evidence obtaining is completed, detecting whether related files of the second application program are left in the mobile terminal, and if so, deleting the files through the first application program.
It should be further noted that, if an abnormal operation occurs during the digital forensics process, the loaded second application program and the related file are deleted by the first application program.
In an embodiment of the present invention, a digital forensics device may be used to perform digital forensics on a mobile terminal, specifically, the digital forensics device may be directly connected to the mobile terminal to push and install a first application program to the mobile terminal, and meanwhile, the digital forensics device may further open a communication port, such as a Socket port.
Further, after the first application is started, the first application may initiate a communication request, for example, may initiate a Socket communication request, to establish a communication connection with a communication port of the digital forensic device, for example, a Socket port.
Further, after the communication connection is established with the first application program through the digital evidence obtaining device, namely through the Socket port, the second application program can be sent to the mobile terminal. The first application program and the second application program can both be subjected to code obfuscation and code reinforcement, so that the programs are protected against reverse analysis, memory interception, secondary compilation, dynamic debugging and dynamic injection, and so that the second application program, once sent to the mobile terminal, cannot be saved by terminating the running code.
Further, after the second application is sent, the device information of the mobile terminal, for example, the version information of the operating system of the mobile terminal, may be obtained, and it may be determined whether the mobile terminal meets the setting requirement according to the device information of the mobile terminal, that is, it may be determined whether the version of the operating system of the mobile terminal meets the setting version according to the version information of the operating system of the mobile terminal. If the version of the operating system of the mobile terminal reaches the set version, the second application program is loaded by adopting a dynamic loading technology, specifically, the second application program can be loaded by a class loader ClassLoader, and if the version of the operating system of the mobile terminal does not reach the set version, the second application program can be loaded in a reflection mode.
Further, after the second application program is loaded, that is, files such as dex files and resources in the second application program are loaded into the virtual machine, the second application program can be directly deleted through the first application program. By directly deleting the second application program, the core code of the second application program can be directly destroyed, so that the core code is difficult to remain in the mobile terminal no matter whether the subsequent step of deleting the relevant file of the second application program, namely S8, can be normally carried out, thereby preventing the program from being decompiled and achieving the purpose of program protection.
Furthermore, after the second application program is loaded, the loaded second application program can be called by the first application program to perform digital evidence obtaining on the mobile terminal, the obtained data can be sent to the digital evidence obtaining equipment through communication connection, and whether the related files of the second application program are left in the mobile terminal or not can be further detected after the digital evidence obtaining is completed.
It should also be noted that, during the digital evidence obtaining process, the interface state between the mobile terminal and the digital evidence obtaining equipment can be detected through the first application program, so that when an abnormal operation occurs during the process, namely an abnormal plugging or unplugging between the mobile terminal and the digital evidence obtaining equipment, the second application program is deleted directly. This ensures that, whether or not the process is abnormal, the core code is difficult to retain in the mobile terminal, which guarantees the security of the program.
The implementation process of the mobile terminal digital evidence obtaining method based on the dynamic loading technology will be further described below by taking an Android mobile phone as an example.
In one embodiment of the present invention, the first application may be a host apk and the second application may be a plug-in apk, wherein the first application includes code associated with downloading and deleting the second application, and the second application includes digitally forensic work code.
Specifically, as shown in fig. 3, the method includes the following steps:
S100, connecting the Android mobile phone end with the digital evidence obtaining equipment end;
S200, the acquisition function of the digital evidence obtaining equipment end lights up;
S300, clicking to start acquisition;
S400, judging whether the acquisition is normal or not; if so, executing step S500, and if not, executing step S600;
S500, deleting the plug-in apk;
S600, selecting whether to click to uninstall the plug-in apk; if so, executing step S500; otherwise, the interface between the Android mobile phone and the digital evidence obtaining equipment is directly and abnormally plugged or unplugged, and step S500 is executed.
As can be seen from fig. 3, after a normal acquisition process, the plug-in apk is clicked to unload the plug-in apk, or the interface between the Android mobile phone and the digital evidence obtaining device is directly plugged and unplugged abnormally, the plug-in apk and related files thereof, such as data, application package name, files, and cache address of the Android mobile phone end, that is, the storage address of the plug-in apk and common.
More specifically, the Android mobile phone can be connected to the digital forensics device through the USB interface, so that the host apk can be pushed and installed to the Android mobile phone through the digital forensics device, and meanwhile, the digital forensics device can also open a communication port, such as a Socket port.
Further, after the host apk is started, the host apk may initiate a communication request, for example, may initiate a Socket communication request, to establish a communication connection with a communication port, for example, a Socket port, of the digital forensic device.
Further, after a communication connection is established with the host apk through the digital evidence obtaining device, namely through the Socket port, the plug-in apk can be sent to the Android mobile phone. The host apk and the plug-in apk can both be subjected to code obfuscation and code reinforcement, so that the programs are protected against reverse analysis, memory interception, secondary compilation, dynamic debugging and dynamic injection, and so that the plug-in apk, once sent to the Android mobile phone, cannot be saved by terminating the running code.
Further, after the plug-in apk is sent, the device information of the Android mobile phone, such as its operating system version information, can be obtained, and whether the Android mobile phone meets the set requirement can be judged according to that device information, that is, whether the operating system version of the Android mobile phone reaches the set version, such as the 5.0 version. If the operating system version reaches the set version, namely the 5.0 version, the plug-in apk is loaded by adopting a dynamic loading technology; specifically, the plug-in apk can be loaded by a class loader ClassLoader. If the operating system version does not reach the set version, namely the 5.0 version, the plug-in apk can be loaded in a reflection mode. It should be noted that, in the Android operating system after the 5.0 version, ART comprehensively replaces Dalvik as the Android virtual machine operating environment and supports a single apk containing multiple dex files, which is the basis for implementing dynamic loading of the plug-in apk by ClassLoader. The class loader ClassLoader and its subclass relationship are shown in fig. 4. Specifically, the subclasses of ClassLoader include BootClassLoader, BaseDexClassLoader and SecureClassLoader, where BootClassLoader may be used to load the bytecode of the Android Framework layer, BaseDexClassLoader may be used to load the bytecode files in a specified directory, and BaseDexClassLoader further includes the subclasses PathClassLoader, DexClassLoader and InMemoryDexClassLoader.
Further, after the plug-in apk is loaded, that is, after the dex file, the resources and other files in the plug-in apk are loaded into the virtual machine, the plug-in apk can be directly deleted through the host apk. By directly deleting the plug-in apk, the core code of the plug-in apk can be directly destroyed, so that the core code is difficult to retain in the Android mobile phone no matter whether the subsequent step of deleting the relevant files of the plug-in apk, namely S8, can be normally carried out; the program can therefore be prevented from being decompiled, and the purpose of protecting the program is achieved. The process of loading the plug-in apk by the class loader ClassLoader is shown in fig. 5. Specifically, the dex file (dex File) and the resource file (Resource & Native Code) contained in the plug-in apk may be loaded into a virtual machine, that is, Dalvik or ART. Dalvik adopts a JIT technology: the dex File is first converted into an ODex File, and the ODex File is then loaded into Dalvik. Bytecode is converted to machine code in real time at runtime by the JIT technique. ART replaces the traditional Dalvik virtual machine as the formal runtime in Android 5.0 and subsequent Android versions. Its working principle is that the dex File is first converted into an ELF File, and the ELF File is then loaded into ART. AOT is an optimization mechanism of the ART virtual machine for App operation, in which the work of translating bytecode into machine code is done in advance when the application is installed.
Furthermore, after the plug-in apk is loaded, the loaded plug-in apk can be called by the host apk to carry out digital evidence obtaining on the Android mobile phone, the obtained data can be sent to digital evidence obtaining equipment through communication connection, and whether relevant files of the plug-in apk are left in the Android mobile phone or not can be further detected after the digital evidence obtaining is finished.
It should be further noted that, during the digital evidence obtaining process, the interface state between the Android mobile phone and the digital evidence obtaining device can be detected through the host apk, so that when an abnormal operation occurs during the process, that is, an abnormal plugging or unplugging between the Android mobile phone and the digital evidence obtaining device, the plug-in apk is deleted directly. This ensures that, whether or not the process is abnormal, the core code is difficult to retain in the Android mobile phone, which ensures the safety of the program.
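The residual-file detection of step S8 can be checked independently of file names, because the description above notes that a loaded dex file is converted into an ODex or ELF file. The following is an added example, not code from the patent: it scans a pulled copy of the host application's storage by file signature, and the directory layout, file names and allowlist are constructed assumptions.

```python
"""Residual-artifact scan over a pulled copy of the host app's storage (constructed example)."""
import os
import tempfile
import zipfile

# Leading magic bytes of the code-bearing formats named in the description.
MAGICS = [
    (b"dex\n", "dex"),     # dex file
    (b"dey\n", "odex"),    # Dalvik-optimized dex (ODex file)
    (b"vdex", "vdex"),     # ART verified-dex container
    (b"\x7fELF", "elf"),   # ELF file: ART-compiled output or native code
]


def classify(path):
    """Return the kind of code artifact stored at path, or None if it is not one."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return None
    for magic, kind in MAGICS:
        if head.startswith(magic):
            return kind
    # An apk is a ZIP archive; it carries code only if it holds classes*.dex.
    if head == b"PK\x03\x04" and zipfile.is_zipfile(path):
        try:
            with zipfile.ZipFile(path) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return None
        if any(n.startswith("classes") and n.endswith(".dex") for n in names):
            return "apk/jar with dex"
    return None


def find_residue(root, allowlist=()):
    """List (relative path, kind) for every code artifact under root.

    allowlist holds relative paths that are expected to stay, such as the
    host apk itself (assumed name: base.apk).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in allowlist:
                continue
            kind = classify(full)
            if kind:
                findings.append((rel, kind))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed directory tree standing in for the pulled storage."""
    def write(rel, data):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    for rel in ("base.apk", "files/plugin.apk"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as zf:
            zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    write("files/renamed.tmp", b"dex\n035\x00" + b"\x00" * 32)   # extension hides nothing
    write("oat/arm64/plugin.odex", b"\x7fELF" + b"\x00" * 60)    # compiled output
    write("oat/arm64/plugin.vdex", b"vdex" + b"\x00" * 60)
    write("cache/report.json", b'{"ok": true}')                  # plain data, ignored


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        print("before deletion:", find_residue(root, {"base.apk"}))
        os.remove(os.path.join(root, "files", "plugin.apk"))
        print("after deleting plugin.apk only:", find_residue(root, {"base.apk"}))
```

In the constructed tree, deleting only the plug-in apk still leaves three code-bearing files, which is the situation the S8 check exists to catch.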
According to the mobile terminal digital evidence obtaining method based on the dynamic loading technology provided by the embodiment of the invention, the digital evidence obtaining software installed in the mobile terminal is divided into a first application program and a second application program. After digital evidence collection is started, the first application program is first installed in the mobile terminal, the second application program is installed through the first application program and loaded based on a dynamic loading technology, the second application program is deleted after it is loaded, and finally the loaded second application program is called through the first application program to carry out digital evidence obtaining on the mobile terminal. An application program can therefore be dynamically loaded inside an installed, running application and its core code run, so that the core code is used without persisting on the terminal's storage, which achieves the purpose of protecting the core code of the application program.
Corresponding to the mobile terminal digital evidence obtaining method based on the dynamic loading technology provided in the above embodiment, a second aspect of the present invention provides a mobile terminal digital evidence obtaining device based on the dynamic loading technology.
As shown in fig. 6, an embodiment of the present invention provides a mobile terminal digital forensics device based on a dynamic loading technology, which includes a first sending module 10, a communication module 20, a second sending module 30, an obtaining module 40, a loading module 50, a deleting module 60, and a digital forensics module 70. The first sending module 10 is configured to send a first application program to the mobile terminal 100, where the first application program is installed in the mobile terminal 100 and is started after the installation is completed; the communication module 20 is configured to establish a communication connection with the first application program after the first application program is started; the second sending module 30 is configured to send the second application program to the mobile terminal through the first application program after establishing a communication connection with the first application program; the obtaining module 40 is configured to obtain device information of the mobile terminal after the second application is sent; the loading module 50 is configured to determine whether the mobile terminal 100 meets a set requirement according to the device information, wherein if the mobile terminal 100 meets the set requirement, a dynamic loading technology is used to load a second application program; the deleting module 60 is configured to delete the second application program through the first application program after the second application program is loaded; the digital forensics module 70 is configured to call the loaded second application program through the first application program to perform digital forensics on the mobile terminal 100 after the second application program is loaded.
Further, as shown in fig. 7, the mobile terminal digital forensic device based on the dynamic loading technology according to the embodiment of the present invention further includes a detection module 80, where the detection module 80 may be configured to detect whether a relevant file of the second application program remains in the mobile terminal 100 after the digital forensic is completed, and if so, delete the relevant file. In addition, if abnormal operation occurs in the digital evidence obtaining process, the loaded second application program and the relevant files are deleted through the first application program.
The mobile terminal digital forensics device based on the dynamic loading technology provided by the embodiment of the invention can implement the mobile terminal digital forensics method based on the dynamic loading technology provided by the above embodiment; for the specific implementation, refer to that embodiment.
According to the mobile terminal digital forensics device based on the dynamic loading technology provided by the embodiment of the invention, the first sending module sends the first application program to the mobile terminal; the communication module establishes a communication connection with the first application program after the first application program is started; the second sending module sends the second application program to the mobile terminal after the communication connection with the first application program is established; the obtaining module obtains the device information of the mobile terminal after the second application program has been sent; the loading module judges, according to the device information, whether the mobile terminal meets the set requirement and, if it does, loads the second application program using the dynamic loading technology; the deleting module deletes the second application program after the second application program is loaded; and the digital forensics module, after the second application program is loaded, calls the loaded second application program through the first application program to perform digital forensics on the mobile terminal. In this way an application program can be dynamically loaded inside an application that is already installed and running, and its core code can be run, so that the core code of the application program is used without persisting on the mobile terminal, which achieves the purpose of protecting the core code of the application program.
In the description of the present invention, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implying any number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. The meaning of "plurality" is two or more unless specifically limited otherwise.
In the present invention, unless otherwise expressly stated or limited, the terms "mounted," "connected," "secured," and the like are to be construed broadly and can, for example, be fixedly connected, detachably connected, or integrally formed; can be mechanically or electrically connected; either directly or indirectly through intervening media, either internally or in any other relationship. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
In the present invention, unless otherwise expressly stated or limited, the first feature "on" or "under" the second feature may be directly contacting the first and second features or indirectly contacting the first and second features through an intermediate. Also, a first feature "on," "over," and "above" a second feature may be directly or diagonally above the second feature, or may simply indicate that the first feature is at a higher level than the second feature. A first feature being "under," "below," and "beneath" a second feature may be directly under or obliquely under the second feature, or may simply mean that the first feature is at a lesser elevation than the second feature.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined by one skilled in the art without contradiction.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc. Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.
Claims (10)
1. A mobile terminal digital evidence obtaining method based on a dynamic loading technology is characterized by comprising the following steps:
sending a first application program to the mobile terminal, wherein the first application program is installed on the mobile terminal and is started after installation is completed;
after the first application program is started, establishing communication connection with the first application program;
after establishing communication connection with the first application program, sending a second application program to the mobile terminal through the first application program;
after the second application program is sent, acquiring equipment information of the mobile terminal;
judging whether the mobile terminal meets a set requirement or not according to the equipment information, wherein if the mobile terminal meets the set requirement, a dynamic loading technology is adopted to load the second application program;
after the second application program is loaded, deleting the second application program through the first application program;
and after the second application program is loaded, calling the loaded second application program through the first application program to perform digital evidence obtaining on the mobile terminal.
2. The method for digital forensics of a mobile terminal based on dynamic loading technology according to claim 1, wherein, after the loaded second application program is called through the first application program to perform digital forensics on the mobile terminal, the method further comprises:
and after the digital evidence obtaining is finished, detecting whether the related files of the second application program are left in the mobile terminal, and if so, deleting the files through the first application program.
3. The method for mobile terminal digital forensics based on dynamic loading technology according to claim 2, wherein if abnormal operation occurs in the process of digital forensics, the loaded second application program and related files are deleted through the first application program.
4. The dynamic loading technology-based mobile terminal digital evidence obtaining method of claim 3, wherein the first application program and the second application program are both subjected to code obfuscation and code reinforcement (hardening).
5. The method for mobile terminal digital forensics based on dynamic loading technology according to claim 4, wherein the first application program is a host apk, and the second application program is a plug-in apk, wherein the first application program comprises relevant codes for downloading and deleting the second application program, and the second application program comprises work codes for digital forensics.
6. The method for mobile terminal digital forensics based on dynamic loading technology according to claim 5, wherein the device information includes operating system version information of the mobile terminal.
7. The mobile terminal digital forensics method based on the dynamic loading technology as claimed in claim 6, characterized in that the mobile terminal is an Android mobile phone.
8. A mobile terminal digital evidence obtaining device based on dynamic loading technology is characterized by comprising:
the first sending module is used for sending a first application program to the mobile terminal, wherein the first application program is installed on the mobile terminal and is started after installation is completed;
the communication module is used for establishing communication connection with the first application program after the first application program is started;
the second sending module is used for sending a second application program to the mobile terminal through the first application program after establishing communication connection with the first application program;
the acquisition module is used for acquiring the equipment information of the mobile terminal after the second application program is sent;
the loading module is used for judging whether the mobile terminal meets a set requirement or not according to the equipment information, wherein if the mobile terminal meets the set requirement, the second application program is loaded by adopting a dynamic loading technology;
the deleting module is used for deleting the second application program through the first application program after the second application program is loaded;
and the digital evidence obtaining module is used for calling the loaded second application program through the first application program to carry out digital evidence obtaining on the mobile terminal after the second application program is loaded.
9. The mobile terminal digital evidence obtaining device based on the dynamic loading technology according to claim 8, further comprising a detection module, wherein the detection module is configured to detect whether the mobile terminal has the relevant file of the second application program left therein after the digital evidence obtaining is completed, and if so, delete the relevant file.
10. The device for mobile terminal digital forensics based on dynamic loading technology according to claim 9, wherein if abnormal operation occurs in the process of digital forensics, the loaded second application program and related files are deleted through the first application program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010946200.1A CN112083970A (en) | 2020-09-10 | 2020-09-10 | Mobile terminal digital evidence obtaining method and equipment based on dynamic loading technology |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112083970A (en) | 2020-12-15 |
Family
ID=73733182
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010946200.1A Pending CN112083970A (en) | 2020-09-10 | 2020-09-10 | Mobile terminal digital evidence obtaining method and equipment based on dynamic loading technology |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112083970A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103473488A (en) * | 2013-09-18 | 2013-12-25 | 浙江大学城市学院 | Anti-piracy method and system for android application |
WO2016078130A1 (en) * | 2014-11-18 | 2016-05-26 | 刘鹏 | Dynamic loading method for preventing reverse of apk file |
Non-Patent Citations (1)
Title |
---|
巫志文 et al.: "Design and Implementation of a Software Hardening Scheme Based on the Android Platform", 电信工程技术与标准化, no. 01, pages 33-37 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20201215 |