Making sense of unstructured memory dumps from cell phones : cahier de recherche

Billard, David ; Hauri, Rolf

Summary

This paper presents an alternative to traditional file carving, targeted at cell phone forensics. The proposed algorithm processes the cell phone memory dump using prior partial knowledge of the content of the regular files present in the dump. The memory dump is decomposed into elementary parts, each part is classified according to the file type it is supposed to belong to, and the parts are finally ordered in a sequence representing the recovered file. The sequence is then transformed into a real file. This paper presents the first part of the algorithm (model and implementation) and covers neither the reordering of clusters nor the export of the recovered file. A reference to a basic open source software using this technology is provided.