Research on Different Versions of YAFFS2 File Recovery Algorithm Based on Hash

doi:10.3969/j.issn.1671-1122.2016.05.008

Abstract

Abstract:

In digital forensic, the technology of Android forensic becomes hot spot of research currently. And there are some research interests such as data extraction, data recovery for Android forensic. Among these research interests, data recovery is one of the most important step. YAFFS2 is a new flash file system. It is designed for mobile devices which use NAND flash and is widely used in Android devices. Thus, this paper proposes a method that recover different versions of YAFFS2 file based on Hash. Through extracting and storing the same object header information into Hash linked list, it can recover different versions of file. The experiment is executed under Linux system with YAFFS2 file system environment. And the experiment results show that the method can recover different types of file especially SQLite3 file and recover different versions of different types of file effectively. And this method lays the foundation for the follow-up research of Android forensic.

Key words: digital forensics, file recovery, Android, YAFFS2, Hash

CLC Number:

TP309

Yameng LI, Jingsha HE. Research on Different Versions of YAFFS2 File Recovery Algorithm Based on Hash[J]. Netinfo Security, 2016, 16(5): 51-57.

Figures/Tables 11

References 15

[1]	The Statistics Portal. Market Share Worldwide Smartphone Shipments by Operating System from 2014 to 2020[EB/OL]..
[2]	VENEMA W.File Recovery Techniques Wietse Investigates the Topic of File Recovery by Reconstructing Past Behavior and Examining Deleted File Access Time Patterns and other Attributes[J]. DOCTOR DOBBS JOURNAL, 2000, 25(12): 74-81.
[3]	ZHANG N, WANG J.Research of File Recovery in Windows FAT32[C]//IEEE, 2015 International Conference on Intelligent Systems Research and Mechatronics Engineering, April 11-13, 2015, Zhengzhou, China. Pairs: Atlantis Press, 2015:33-36.
[4]	BURGHARDT A, FELDMAN A J.Using the HFS+ Journal for Deleted File Recovery[J]. Digital Investigation, 2008 (5): S76-S82.
[5]	LUCK J, STOKES M.An Integrated Approach to Recovering Deleted Files from NAND Flash Data[J]. Small Scale Digital Device Forensics Journal, 2008, 2(1):1-13.
[6]	LEE S, SHON T.Improved Deleted File Recovery Technique for Ext2/3 File System[J]. The Journal of Supercomputing, 2014, 70(1): 20-30.
[7]	LI Q, HU X, WU H.Database Management Strategy and Recovery Methods of Android[C]//IEEE. 2014 5th IEEE International Conference on Software Engineering and Service Science (ICSESS), June 27-29, 2014, Beijing, China.New York: IEEE, 2014: 727-730.
[8]	MANNING C. How YAFFS Works [EB/OL]. .
[9]	YANG X, XU M, ZHANG H. File Recovering from YAFFS2 Based on Object Headers and Metadata[C]// Proceedings of 4th International Conference on Graphic and Image Processing , October 5, 2012, Singapore.Bellingham: International Society for Optics and Photonics, 2013:876806-876806-8.
[10]	武贝贝. 面向NAND闪存的SQLite数据恢复技术研究与应用[D].杭州:杭州电子科技大学,2012.
[11]	王随刚,吴莎莎,李昂.智能手机取证技术研究——基于SQLite3的Android手机数据恢复技术的研究[J].警察技术,2012 (5):4-7.
[12]	方冬蓉,张秋余,董瑞洪,等. Android 系统删除数据恢复方法研究[J].计算机工程,2014,40(10):275-280.
[13]	ZIMMERMANN C, SPREITZENBARTH M, SCHMITTS, et al. Forensic Analysis of YAFFS2[J]. Sicherheit. 2012 (3) : 59-69.
[14]	POTTER I, ARENDS P, MOORREES S. YAFFS2 Object Headers [EB/OL]..
[15]	HOOG A 著. Android取证实战调查、分析与移动安全[M].何泾沙,等译.北京:机械工业出版社, 2013.