Forensic analysis techniques for fragmented flash memory pages in smartphones

Jungheum Park, Hyunji Chung, Sangjin Lee

Research output: Contribution to journalArticlepeer-review

16 Citations (Scopus)


A mobile phone contains important personal information, and therefore, it should be considered in digital forensic investigations. Recently, the number of smartphone owners has increased drastically. Unlike feature phones, smartphones have high-performance operating systems (e.g., Android, iOS), and users can install and utilize various mobile applications on smartphones. Smartphone forensics has been actively studied because of the importance of smartphone user data acquisition and analysis for digital forensic purposes. In general, there are two logical approaches to smartphone forensics. The first approach is to extract user data using the backup and debugging function of smartphones. The second approach is to get root permission through the rooting or the bootloader method with custom kernel, and acquire an image of the flash memory. In addition, the other way is to acquire an image on a more physical way by using e.g., JTAG or chipoff process. In some cases, it may be possible to reconstruct and analyze the file system. However, existing methods for file system analysis are not suitable for recovering and analyzing data deleted from smartphones depending on the manner in which the flash memory image has to be acquired. This paper proposes new analysis techniques for fragmented flash memory pages in smartphones. In particular, this paper demonstrates analysis techniques on the image that the reconstruction of file system is impossible because the spare area of flash memory pages does not exist or that it is created from the unallocated area of the undamaged file system.

Original languageEnglish
Pages (from-to)109-118
Number of pages10
JournalDigital Investigation
Issue number2
Publication statusPublished - 2012 Nov

Bibliographical note

Funding Information:
This research was supported by the MKE (The Ministry of Knowledge Economy), Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2012-H0301-12-3007) supervised by the NIPA (National IT Industry Promotion Agency).

Copyright 2018 Elsevier B.V., All rights reserved.


  • Digital forensics
  • Flash memory
  • Fragmented data
  • Smartphone forensics
  • Unallocated area

ASJC Scopus subject areas

  • Pathology and Forensic Medicine
  • Information Systems
  • Computer Science Applications
  • Medical Laboratory Technology
  • Law


Dive into the research topics of 'Forensic analysis techniques for fragmented flash memory pages in smartphones'. Together they form a unique fingerprint.

Cite this