A metadata-based method for recovering files and file traces from YAFFS2

Nowadays, flash memory has drawn much attention of digital investigators, however most of them try to recover the content from logical aspect and few of them pay attention to how those files were created or modified. The deleted and edited contents of a file on the flash chips are commonly related to user behaviors which can be used as digital evidence. In this paper, a method using YAFFS2 metadata to recover files, reconstruct file system, and recover their previous history versions is proposed. The experimental results under Linux operating system show that the proposed method can correctly reconstruct file system, recover file and file traces from YAFFS2; and experiments conducted on physical images of Android phones show that our method can be applied to real scenarios.

► Recovering files and reconstructing file system from YAFFS2 image based on metadata.
► Recovering history versions of files from YAFFS2 image.
► Recovering files and traces based on a simulated NAND chips under Linux.