基于安卓内存的证据挖掘与关联分析

发布时间：2018-03-03 11:13

本文选题：Android取证　切入点：易失性内存　出处：《南京邮电大学》2016年硕士论文　论文类型：学位论文

【摘要】：随着移动终端市场的蓬勃发展,手机犯罪现象作为高科技犯罪的一种,智能手机的普及使对手机取证技术的研究迈向新的高度,对移动终端Android平台,取证专家大多是通过转储非易失的安卓物理内存和文件系统,这两种方法虽然可以提取大量隐私数据,但对于加密和删除的数据往往收效甚微。因此需要采取更加先进有效的取证技术来获取移动终端数据。与此同时,得益于数据分析技术的发展和研究,将数据挖掘,关联分析等经典理论应用到取证分析技术中,也慢慢成为趋势。本文通过对安卓内存的研究,介绍了如何转储安卓的物理内存,主要是易失性内存,并采用一些方法分析安卓物理内存,主要是罗列进程列表,搜索敏感信息,解析应用聊天记录等,并利用关联挖掘和聚类分析算法深入挖掘内存数据。最后通过实验分析表明,基于安卓物理内存分析技术结合数据挖掘算法,可以提取手机大部分重要机密信息并能够关联分析用户的行为。主要内容包括:(1)调研分析内存取证技术,总结现阶段安卓内存取证相关研究成果和方法。(2)对比安卓内存采集几种方法,采取对内存损失度最小的方法进行内存采集。(3)研究安卓内存分析技术,从底层进程信息,上层应用数据等不同角度挖掘数据内容从而挖掘用户打开的相关进程,端口,网络连接等底层信息,用户在应用程序中输入的账号口令等敏感信息,以及社交类应用程序中用户与好友间的聊天记录。(4)采用具体关联挖掘和聚类分析算法,对安卓内存数据进行深入的挖掘分析,包括对安卓手机用户在某个时间段的行为关联进行分析,并结合用户与好友的亲密度,对用户的微信好友进行聚类分析。在系统模块实现和实验分析阶段,内存分析各模块正确地获取用户敏感信息和微信聊天记录;同时,通过改进,关联规则挖掘和K-means聚类算法都能够有效对内存数据进行深入分析,从而挖掘出数据背后的信息。
[Abstract]:With the vigorous development of mobile terminal market, the phenomenon of mobile phone crime as a kind of high-tech crime, the popularity of smart phones make the research of mobile phone forensics technology to a new height, the mobile terminal Android platform, Forensic experts mostly dump nonvolatile Android physical memory and file systems, both of which can extract large amounts of private data. However, data encrypted and deleted often have little effect. Therefore, more advanced and effective forensics technology is needed to obtain mobile terminal data. At the same time, thanks to the development and research of data analysis technology, data mining, This paper introduces how to dump the physical memory of Android, which is mainly volatile memory, through the research of Android memory. Some methods are used to analyze Android physical memory, such as listing processes, searching sensitive information, analyzing chat records, and mining memory data by association mining and clustering analysis. Based on Android physical memory analysis technology and data mining algorithm, it can extract most of the important confidential information of mobile phone and analyze the behavior of users. The main contents include: 1) Research and analysis of memory forensics technology. Summarizing the current research results and methods of Android memory forensics. (2) comparing with several methods of Android memory acquisition, adopting the method of minimum memory loss to do memory acquisition. (3) studying Android memory analysis technology, from the bottom process information. The upper application data and other different angles mining data content in order to mining users open related processes, ports, network connections and other underlying information, user input in the application account password and other sensitive information, And the chat record between users and friends in social application. 4) using specific association mining and clustering analysis algorithms, the Android memory data mining in-depth analysis, Including the analysis of Android mobile phone users' behavior association in a certain period of time, and combined with the user and friends' affinity, the user's WeChat friends cluster analysis. In the system module implementation and experimental analysis stage, Each module of memory analysis correctly acquires user sensitive information and chat records of WeChat. At the same time, association rules mining and K-means clustering algorithm can effectively analyze the memory data, so that the information behind the data can be mined.
【学位授予单位】：南京邮电大学
【学位级别】：硕士
【学位授予年份】：2016
【分类号】：TP311.13;D918.2

【相似文献】