Hi all,

I have a case which has involved the removal of a multi-media system from an AUDI A5. The system is a Harman automotive MMI 3G. Which contains a sat-nav capability. Which is the element I am trying to investigate. The system contains a 2.5" HDD which has been imaged.

When viewed in encase the partitions can be read no problem but each logical partition is shown as unallocated clusters. i.e. encase cannot read the logical files. I am looking to locate sat-nav files such as KML files and the like.

From research I know that the system is a QNX based operating system and the volume are labelled as such.

Any ideas how I can get encase to view the logical files?

Thanks  

I would be surprised if EnCase could. QNX is pretty obscure in terms of forensics.

It looks like QNX supports a pretty wide variety of file systems, including at least a few QNX-specific systems. www.qnx.com/developers.../fsys.html

I have a few suggestions.

-Try a mobile forensic tool that support BlackBerry PlayBook and BlackBerry 10 devices. Both run a version of QNX. Cellebrite doesn't yet. XRY may, but they don't publish their list.

-Try this tool: www.openqnx.com/node/45 which claims to allow QNX file systems to be read in Windows

-Try Linux, such as SANS SIFT. I believe it is supported, although I do not have any sample evidence to try this on. There is also a kernel patch here: qnxfs.narod.ru/ which could help with increasing the capabilities of the Linux kernel interacting with QNX file systems.

-Contact QNX directly and ask for assistance.

Let us know what you find.  

Very interesting topic, please keep us posted with your findings.  

We're making some progress but no success yet.

The windows tool has not been updated for some time and does not support the version of QNX we are looking at.

SANS SIFT dosen't appear to support it. I've tried mounting the image and viewing in Autopsy but no joy. I Haven't tried installing the kernal patch yet though. The next plan is to restore the image onto a drive and connect it to Ubuntu with the patch in place.....

QNX forum is pretty good though. Another suggestion is to live boot a QNX OS with a copy of the suspect drive attached.

A learning curve to say the least......  

Looks like we cracked it using the following method:

Booted into a QNX OS (http://www.qnx.com/products/neutrino-rtos/neutrino-rtos.html) via a live boot CD.

Restored the original image from the Audi sat-nav onto another HDD and connected to the QNX OS.

Mounted the drive in the OS. Initially the OS couldn't read it as the sat-nav system used a QNX6 file system but the OS default is QNX4. A bit of Googling for the right terminal commands got round this.

Mounted a FAT32 formatted USB stick into the OS and carried out a logical copy of the file system from the sat-nav drive onto the stick.

The downside to this method is that the date/time stamps on the original filesystem are not preserved but it does mean we can at least view the data and assess the value. We've found many db files that appear to contain sat-nav data which we can present.

Extracting the file system to maintain metadata is another challenge......  

This is exactly the kind of Ftech work that keeps me coming back and interested.

Nice one.  

- Colin2030

Looks like we cracked it using the following method:

I wholeheartedly agree with Adam. Colin, thanks for demonstrating "best practices" by freely sharing what worked, so the entire community can learn. This is what makes participation in Forensic Focus both valuable and fulfilling. Wish that everyone would do the same.
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com