Nowadays, flash memory has drawn much attention of digital investigators, however most of them try to recover the content from logical aspect and few of them pay attention to how those files were created or modified. The deleted and edited contents of a file on the flash chips are commonly related to user behaviors which can be used as digital evidence. In this paper, a method using YAFFS2 metadata to recover files, reconstruct file system, and recover their previous history versions is proposed. The experimental results under Linux operating system show that the proposed method can correctly reconstruct file system, recover file and file traces from YAFFS2; and experiments conducted on physical images of Android phones show that our method can be applied to real scenarios.

• 出版日期2013-6
• 单位杭州电子科技大学