ScholarWorks@성균관대학교

초록

Smartphone manufacturers' enhanced privacy and security measures, such as File-Based Encryption (FBE), have disrupted traditional data extraction techniques, necessitating the adoption of Full File System Extraction (FFS). FFS requires booting a smartphone, decrypting its UserData partition, and accessing files individually, a process that risks data modifications caused by postboot application activity and network connections. This study evaluates the impact of FFS on evidence integrity by analyzing hash value changes across repeated acquisitions from Android smartphones. Using mobile forensic tools and ADB (Android Debug Bridge) for validation, we assessed whether FFS complies with the principles of repeatability and reproducibility. Files were categorized into five potential forensic relevance classes to evaluate how hash value changes affect the reliability of digital evidence. Results highlight that system-generated files and logs are prone to changes during FFS, while user-generated content largely retains integrity. To address these challenges, we suggest two possible solutions. The first is a technical approach that uses an initial reference image to identify and restore altered files, effectively mitigating hash value discrepancies. The second is a procedural measure emphasizing detailed documentation and systematic management of acquisition changes, particularly for newly created files. These findings and proposed approaches aim to improve the reliability of FFS in digital forensics, ensuring evidence admissibility and supporting cross-validation across forensic tools. This research contributes to advancing standardized practices for smartphone evidence acquisition in forensic investigations.

키워드