Title: Recovering multiple versions of YAFFS2 files based on Hash and timestamps
Authors: Yameng Li; Jingsha He; Na Huang; Gongzheng Liu
Addresses: Faculty of Information Technology and Beijing Engineering Research Center for IoT Software and Systems, Beijing University of Technology, Beijing 100124, China ' Faculty of Information Technology and Beijing Engineering Research Center for IoT Software and Systems, Beijing University of Technology, Beijing 100124, China ' Faculty of Information Technology and Beijing Engineering Research Center for IoT Software and Systems, Beijing University of Technology, Beijing 100124, China ' Faculty of Information Technology and Beijing Engineering Research Center for IoT Software and Systems, Beijing University of Technology, Beijing 100124, China
Abstract: With the popularity of digital devices, digital forensic research targeted at Android-based devices has drawn increasing attention. Among the many issues in digital forensics, data recovery has received a great deal of attention. In data recovery, deleted or updated data may contain important information about past activities of the user, making such information viable evidence as far as digital forensics is concerned. In this paper, according to special characteristics of YAFFS2, we propose a new method based on the notions of Hash and timestamp to recover multiple versions of YAFFS2 files during which the relationship between timestamps and file operations is analysed. To verify the effectiveness of our proposed method, we will simulate a NAND chip under Linux and perform some experiments to show that the proposed method is both effective and efficient in the recovery of multiple versions of different types of YAFFS2 files as well as Android images.
Keywords: security; digital forensics; data recovery; android; YAFFS2; Hash; timestamp.
International Journal of Embedded Systems, 2018 Vol.10 No.4, pp.313 - 322
Received: 20 May 2016
Accepted: 28 Nov 2016
Published online: 01 Aug 2018 *