Forensic analysis techniques for fragmented flash memory pages in smartphones

Jungheum Park, Hyunji Chung, Sangjin Lee

Research output: Contribution to journalArticle

11 Citations (Scopus)

Abstract

A mobile phone contains important personal information, and therefore, it should be considered in digital forensic investigations. Recently, the number of smartphone owners has increased drastically. Unlike feature phones, smartphones have high-performance operating systems (e.g., Android, iOS), and users can install and utilize various mobile applications on smartphones. Smartphone forensics has been actively studied because of the importance of smartphone user data acquisition and analysis for digital forensic purposes. In general, there are two logical approaches to smartphone forensics. The first approach is to extract user data using the backup and debugging function of smartphones. The second approach is to get root permission through the rooting or the bootloader method with custom kernel, and acquire an image of the flash memory. In addition, the other way is to acquire an image on a more physical way by using e.g., JTAG or chipoff process. In some cases, it may be possible to reconstruct and analyze the file system. However, existing methods for file system analysis are not suitable for recovering and analyzing data deleted from smartphones depending on the manner in which the flash memory image has to be acquired. This paper proposes new analysis techniques for fragmented flash memory pages in smartphones. In particular, this paper demonstrates analysis techniques on the image that the reconstruction of file system is impossible because the spare area of flash memory pages does not exist or that it is created from the unallocated area of the undamaged file system.

Original languageEnglish
Pages (from-to)109-118
Number of pages10
JournalDigital Investigation
Volume9
Issue number2
DOIs
Publication statusPublished - 2012 Nov 1

Fingerprint

Flash memory
Smartphones
data acquisition
systems analysis
data analysis
reconstruction
Mobile Applications
Smartphone
Cell Phones
Computer-Assisted Image Processing
Systems Analysis
performance
Mobile phones
Data acquisition
Systems analysis

Keywords

  • Digital forensics
  • Flash memory
  • Fragmented data
  • Smartphone forensics
  • Unallocated area

ASJC Scopus subject areas

  • Law
  • Computer Science Applications
  • Medical Laboratory Technology

Cite this

Forensic analysis techniques for fragmented flash memory pages in smartphones. / Park, Jungheum; Chung, Hyunji; Lee, Sangjin.

In: Digital Investigation, Vol. 9, No. 2, 01.11.2012, p. 109-118.

Research output: Contribution to journalArticle

Park, Jungheum ; Chung, Hyunji ; Lee, Sangjin. / Forensic analysis techniques for fragmented flash memory pages in smartphones. In: Digital Investigation. 2012 ; Vol. 9, No. 2. pp. 109-118.
@article{5f1c596f3b944735b4ffd9ab83411e24,
title = "Forensic analysis techniques for fragmented flash memory pages in smartphones",
abstract = "A mobile phone contains important personal information, and therefore, it should be considered in digital forensic investigations. Recently, the number of smartphone owners has increased drastically. Unlike feature phones, smartphones have high-performance operating systems (e.g., Android, iOS), and users can install and utilize various mobile applications on smartphones. Smartphone forensics has been actively studied because of the importance of smartphone user data acquisition and analysis for digital forensic purposes. In general, there are two logical approaches to smartphone forensics. The first approach is to extract user data using the backup and debugging function of smartphones. The second approach is to get root permission through the rooting or the bootloader method with custom kernel, and acquire an image of the flash memory. In addition, the other way is to acquire an image on a more physical way by using e.g., JTAG or chipoff process. In some cases, it may be possible to reconstruct and analyze the file system. However, existing methods for file system analysis are not suitable for recovering and analyzing data deleted from smartphones depending on the manner in which the flash memory image has to be acquired. This paper proposes new analysis techniques for fragmented flash memory pages in smartphones. In particular, this paper demonstrates analysis techniques on the image that the reconstruction of file system is impossible because the spare area of flash memory pages does not exist or that it is created from the unallocated area of the undamaged file system.",
keywords = "Digital forensics, Flash memory, Fragmented data, Smartphone forensics, Unallocated area",
author = "Jungheum Park and Hyunji Chung and Sangjin Lee",
year = "2012",
month = "11",
day = "1",
doi = "10.1016/j.diin.2012.09.003",
language = "English",
volume = "9",
pages = "109--118",
journal = "Digital Investigation",
issn = "1742-2876",
publisher = "Elsevier Limited",
number = "2",

}

TY - JOUR

T1 - Forensic analysis techniques for fragmented flash memory pages in smartphones

AU - Park, Jungheum

AU - Chung, Hyunji

AU - Lee, Sangjin

PY - 2012/11/1

Y1 - 2012/11/1

N2 - A mobile phone contains important personal information, and therefore, it should be considered in digital forensic investigations. Recently, the number of smartphone owners has increased drastically. Unlike feature phones, smartphones have high-performance operating systems (e.g., Android, iOS), and users can install and utilize various mobile applications on smartphones. Smartphone forensics has been actively studied because of the importance of smartphone user data acquisition and analysis for digital forensic purposes. In general, there are two logical approaches to smartphone forensics. The first approach is to extract user data using the backup and debugging function of smartphones. The second approach is to get root permission through the rooting or the bootloader method with custom kernel, and acquire an image of the flash memory. In addition, the other way is to acquire an image on a more physical way by using e.g., JTAG or chipoff process. In some cases, it may be possible to reconstruct and analyze the file system. However, existing methods for file system analysis are not suitable for recovering and analyzing data deleted from smartphones depending on the manner in which the flash memory image has to be acquired. This paper proposes new analysis techniques for fragmented flash memory pages in smartphones. In particular, this paper demonstrates analysis techniques on the image that the reconstruction of file system is impossible because the spare area of flash memory pages does not exist or that it is created from the unallocated area of the undamaged file system.

AB - A mobile phone contains important personal information, and therefore, it should be considered in digital forensic investigations. Recently, the number of smartphone owners has increased drastically. Unlike feature phones, smartphones have high-performance operating systems (e.g., Android, iOS), and users can install and utilize various mobile applications on smartphones. Smartphone forensics has been actively studied because of the importance of smartphone user data acquisition and analysis for digital forensic purposes. In general, there are two logical approaches to smartphone forensics. The first approach is to extract user data using the backup and debugging function of smartphones. The second approach is to get root permission through the rooting or the bootloader method with custom kernel, and acquire an image of the flash memory. In addition, the other way is to acquire an image on a more physical way by using e.g., JTAG or chipoff process. In some cases, it may be possible to reconstruct and analyze the file system. However, existing methods for file system analysis are not suitable for recovering and analyzing data deleted from smartphones depending on the manner in which the flash memory image has to be acquired. This paper proposes new analysis techniques for fragmented flash memory pages in smartphones. In particular, this paper demonstrates analysis techniques on the image that the reconstruction of file system is impossible because the spare area of flash memory pages does not exist or that it is created from the unallocated area of the undamaged file system.

KW - Digital forensics

KW - Flash memory

KW - Fragmented data

KW - Smartphone forensics

KW - Unallocated area

UR - http://www.scopus.com/inward/record.url?scp=84870255379&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84870255379&partnerID=8YFLogxK

U2 - 10.1016/j.diin.2012.09.003

DO - 10.1016/j.diin.2012.09.003

M3 - Article

AN - SCOPUS:84870255379

VL - 9

SP - 109

EP - 118

JO - Digital Investigation

JF - Digital Investigation

SN - 1742-2876

IS - 2

ER -