Forensic analysis techniques for fragmented flash memory pages in smartphones
- Authors
- Park, Jungheum; Chung, Hyunji; Lee, Sangjin
- Issue Date
- 11월-2012
- Publisher
- ELSEVIER SCI LTD
- Keywords
- Digital forensics; Smartphone forensics; Flash memory; Unallocated area; Fragmented data
- Citation
- DIGITAL INVESTIGATION, v.9, no.2, pp.109 - 118
- Indexed
- SCIE
SCOPUS
- Journal Title
- DIGITAL INVESTIGATION
- Volume
- 9
- Number
- 2
- Start Page
- 109
- End Page
- 118
- URI
- https://scholar.korea.ac.kr/handle/2021.sw.korea/107105
- DOI
- 10.1016/j.diin.2012.09.003
- ISSN
- 1742-2876
- Abstract
- A mobile phone contains important personal information, and therefore, it should be considered in digital forensic investigations. Recently, the number of smartphone owners has increased drastically. Unlike feature phones, smartphones have high-performance operating systems (e.g., Android, iOS), and users can install and utilize various mobile applications on smartphones. Smartphone forensics has been actively studied because of the importance of smartphone user data acquisition and analysis for digital forensic purposes. In general, there are two logical approaches to smartphone forensics. The first approach is to extract user data using the backup and debugging function of smartphones. The second approach is to get root permission through the rooting or the bootloader method with custom kernel, and acquire an image of the flash memory. In addition, the other way is to acquire an image on a more physical way by using e.g., JTAG or chipoff process. In some cases, it may be possible to reconstruct and analyze the file system. However, existing methods for file system analysis are not suitable for recovering and analyzing data deleted from smartphones depending on the manner in which the flash memory image has to be acquired. This paper proposes new analysis techniques for fragmented flash memory pages in smartphones. In particular, this paper demonstrates analysis techniques on the image that the reconstruction of file system is impossible because the spare area of flash memory pages does not exist or that it is created from the unallocated area of the undamaged file system. (c) 2012 Elsevier Ltd. All rights reserved.
- Files in This Item
- There are no files associated with this item.
- Appears in
Collections - School of Cyber Security > Department of Information Security > 1. Journal Articles
Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.