
QNX OS

8 Posts
6 Users
0 Likes
1,592 Views
Colin2030
(@colin2030)
Posts: 11
Active Member
Topic starter
 

Hi all,

I have a case which has involved the removal of a multi-media system from an AUDI A5. The system is a Harman automotive MMI 3G, which contains a sat-nav capability, which is the element I am trying to investigate. The system contains a 2.5" HDD which has been imaged.

When viewed in EnCase the partitions can be read no problem but each logical partition is shown as unallocated clusters, i.e. EnCase cannot read the logical files. I am looking to locate sat-nav files such as KML files and the like.

From research I know that the system is a QNX based operating system and the volumes are labelled as such.

Any ideas how I can get EnCase to view the logical files?

Thanks

 
Posted : 27/02/2013 5:13 pm
Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
 

I would be surprised if EnCase could. QNX is pretty obscure in terms of forensics.

It looks like QNX supports a pretty wide variety of file systems, including at least a few QNX-specific systems. http://www.qnx.com/developers/docs/6.4.0/neutrino/sys_arch/fsys.html

I have a few suggestions.

-Try a mobile forensic tool that supports BlackBerry PlayBook and BlackBerry 10 devices. Both run a version of QNX. Cellebrite doesn't yet. XRY may, but they don't publish their list.

-Try this tool http://www.openqnx.com/node/45 which claims to allow QNX file systems to be read in Windows.

-Try Linux, such as SANS SIFT. I believe it is supported, although I do not have any sample evidence to try this on. There is also a kernel patch here http://qnxfs.narod.ru/ which could help with increasing the capabilities of the Linux kernel interacting with QNX file systems.

-Contact QNX directly and ask for assistance.

Let us know what you find.

 
Posted : 27/02/2013 6:51 pm
(@thepm)
Posts: 253
Reputable Member
 

Very interesting topic, please keep us posted with your findings.

 
Posted : 27/02/2013 11:40 pm
Colin2030
(@colin2030)
Posts: 11
Active Member
Topic starter
 

We're making some progress but no success yet.

The windows tool has not been updated for some time and does not support the version of QNX we are looking at.

SANS SIFT doesn't appear to support it. I've tried mounting the image and viewing in Autopsy but no joy. I haven't tried installing the kernel patch yet though. The next plan is to restore the image onto a drive and connect it to Ubuntu with the patch in place…

QNX forum is pretty good though. Another suggestion is to live boot a QNX OS with a copy of the suspect drive attached.

A learning curve to say the least…

 
Posted : 28/02/2013 6:13 pm
Colin2030
(@colin2030)
Posts: 11
Active Member
Topic starter
 

Looks like we cracked it using the following method

Booted into a QNX OS (http://www.qnx.com/products/neutrino-rtos/neutrino-rtos.html) via a live boot CD.

Restored the original image from the Audi sat-nav onto another HDD and connected to the QNX OS.

Mounted the drive in the OS. Initially the OS couldn't read it as the sat-nav system used a QNX6 file system but the OS default is QNX4. A bit of Googling for the right terminal commands got round this.

Mounted a FAT32 formatted USB stick into the OS and carried out a logical copy of the file system from the sat-nav drive onto the stick.

The downside to this method is that the date/time stamps on the original filesystem are not preserved but it does mean we can at least view the data and assess the value. We've found many db files that appear to contain sat-nav data which we can present.

Extracting the file system to maintain metadata is another challenge…

 
Posted : 01/03/2013 2:07 pm
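The metadata problem described in the post above (a plain logical copy onto a FAT32 stick drops the original timestamps) is what the following added example addresses. It is not code from the thread, from Colin, or from QNX: it is a POSIX sh script that records a manifest of every file on the read-only mounted evidence volume and then archives the tree with tar, whose headers carry mode, owner and mtime independently of what the destination filesystem can store. The mount points /fs/evidence and /fs/usb0 are hypothetical; the QNX6 mount line is shown only as a comment and is not executed.

```shell
#!/bin/sh
# Added example (not from the thread): preserve file metadata when copying a
# read-only mounted QNX6 evidence volume to a FAT32 stick.
# Assumptions (hypothetical paths): the restored drive is mounted read-only
# at /fs/evidence and the stick at /fs/usb0. Only POSIX utilities are used
# (find, ls, cksum, tar, awk), so it runs in QNX's ksh and on Linux alike.
#
# In QNX Neutrino 6.4 and later the power-safe filesystem driver is
# fs-qnx6.so and the volume is mounted with a line such as
#   mount -t qnx6 -o ro /dev/hd1t179 /fs/evidence   # t179 = QNX6 partition type
# That line is documentation only; this script never mounts anything.

# 1. Manifest of every file BEFORE anything is copied: permissions, size and
#    mtime as printed by ls, plus a CRC. cksum is the only checksum utility
#    POSIX guarantees; a sha256sum column is filled in when that tool exists.
make_manifest() {   # make_manifest SRC_DIR MANIFEST_FILE
    src=$1; out=$2
    : > "$out"
    find "$src" -type f | LC_ALL=C sort | while IFS= read -r f; do
        crc=$(cksum < "$f" | awk '{print $1}')
        if command -v sha256sum >/dev/null 2>&1; then
            sha=$(sha256sum < "$f" | awk '{print $1}')
        else
            sha=n/a
        fi
        printf '%s|%s|%s\n' "$crc" "$sha" "$(ls -ld -- "$f")" >> "$out"
    done
}

# 2. Archive with tar instead of cp: each tar header stores mode, owner and
#    mtime, so the original timestamps survive inside the archive even though
#    FAT32 keeps only a 2-second mtime and no ownership. ARCHIVE must be an
#    absolute path because the function changes directory first.
archive_tree() {    # archive_tree SRC_DIR ARCHIVE
    (cd "$1" && tar -cf "$2" .)
}

# 3. Re-read the archive and count file entries (directory entries end in /)
#    so a truncated write to the stick is noticed before the drive is
#    disconnected.
archive_entries() { # archive_entries ARCHIVE -> number of file entries
    tar -tf "$1" | grep -vc '/$'
}
```

Typical use is `make_manifest /fs/evidence /fs/usb0/manifest.txt` followed by `archive_tree /fs/evidence /fs/usb0/evidence.tar`, then comparing `archive_entries` against the manifest line count. FAT32 cannot hold a single file above 4 GB, so for a large volume pipe the archive through `split -b 2000m` instead of writing one tar file. On a Linux workstation the same script works unchanged once the volume is mounted, and kernels from 3.4 onwards ship a read-only qnx6 driver (`mount -t qnx6 -o ro`), so the kernel patch mentioned earlier in the thread is not needed there.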
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

This is exactly the kind of Ftech work that keeps me coming back and interested.

Nice one.

 
Posted : 05/03/2013 8:56 am
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

Looks like we cracked it using the following method

I wholeheartedly agree with Adam. Colin, thanks for demonstrating "best practices" by freely sharing what worked, so the entire community can learn. This is what makes participation in Forensic Focus both valuable and fulfilling. Wish that everyone would do the same.

 
Posted : 05/03/2013 10:01 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

A bit of Googling for the right terminal commands got round this.

If you could add WHICH EXACTLY these terminal commands you found were, that would have been great.

I don't understand the reference to filesystem versions. 😯

The current evaluation of QNX is version 6.5
http://www.qnx.com/products/evaluation/

The filesystem is seemingly QNX4FS for both OS version QNX4 and QNX6
http://en.wikipedia.org/wiki/QNX4FS

jaclaz

 
Posted : 05/03/2013 6:27 pm