Posted: Wed Feb 27, 2013 12:13 pm

Hi all,

I have a case which has involved the removal of a multi-media system from an AUDI A5. The system is a Harman automotive MMI 3G, which contains a sat-nav capability, which is the element I am trying to investigate. The system contains a 2.5" HDD which has been imaged.

When viewed in EnCase the partitions can be read no problem, but each logical partition is shown as unallocated clusters, i.e. EnCase cannot read the logical files. I am looking to locate sat-nav files such as KML files and the like.

From research I know that the system is a QNX-based operating system and the volumes are labelled as such.

Any ideas how I can get EnCase to view the logical files?




Posted: Wed Feb 27, 2013 1:51 pm

I would be surprised if EnCase could. QNX is pretty obscure in terms of forensics.

It looks like QNX supports a pretty wide variety of file systems, including at least a few QNX-specific systems. www.qnx.com/developers.../fsys.html

I have a few suggestions.

- Try a mobile forensic tool that supports BlackBerry PlayBook and BlackBerry 10 devices. Both run a version of QNX. Cellebrite doesn't yet. XRY may, but they don't publish their list.

- Try this tool: www.openqnx.com/node/45 which claims to allow QNX file systems to be read in Windows.

- Try Linux, such as SANS SIFT. I believe it is supported, although I do not have any sample evidence to try this on. There is also a kernel patch here: qnxfs.narod.ru/ which could help with increasing the capabilities of the Linux kernel interacting with QNX file systems.

- Contact QNX directly and ask for assistance.

Let us know what you find.

Senior Member


Posted: Wed Feb 27, 2013 6:40 pm

Very interesting topic, please keep us posted with your findings.

Senior Member


Posted: Thu Feb 28, 2013 1:13 pm

We're making some progress but no success yet.

The Windows tool has not been updated for some time and does not support the version of QNX we are looking at.

SANS SIFT doesn't appear to support it. I've tried mounting the image and viewing in Autopsy but no joy. I haven't tried installing the kernel patch yet though. The next plan is to restore the image onto a drive and connect it to Ubuntu with the patch in place.....

QNX forum is pretty good though. Another suggestion is to live boot a QNX OS with a copy of the suspect drive attached.

A learning curve to say the least......



Posted: Fri Mar 01, 2013 9:07 am

Looks like we cracked it using the following method:

Booted into a QNX OS (http://www.qnx.com/products/neutrino-rtos/neutrino-rtos.html) via a live boot CD.

Restored the original image from the Audi sat-nav onto another HDD and connected to the QNX OS.

Mounted the drive in the OS. Initially the OS couldn't read it as the sat-nav system used a QNX6 file system but the OS default is QNX4. A bit of Googling for the right terminal commands got round this.

Mounted a FAT32 formatted USB stick into the OS and carried out a logical copy of the file system from the sat-nav drive onto the stick.

The downside to this method is that the date/time stamps on the original filesystem are not preserved but it does mean we can at least view the data and assess the value. We've found many db files that appear to contain sat-nav data which we can present.

Extracting the file system to maintain metadata is another challenge......  
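
Added example, not part of the original posts: the thread's stumbling block was identifying which QNX file system each partition holds, so this read-only Python scan walks the MBR of a raw image and looks for the QNX6 superblock magic in either byte order. The magic value and the 0x2000 offset follow the Linux kernel's qnx6 driver; the block-0 "mmi" offset, the function names and the sample image are assumptions or constructed values to verify against your own evidence copy.

```python
import struct

SECTOR = 512
QNX6_MAGIC = 0x68191122   # QNX6_SUPER_MAGIC as used by the Linux qnx6 driver
# Superblock offsets inside a partition. "mmi" (block 0) is an assumption to
# verify on your image; "standard" follows the 8 KiB boot block.
LAYOUTS = {"standard": 0x2000, "mmi": 0x0}

def mbr_partitions(image):
    """Yield (index, type byte, start offset in bytes) for primary MBR entries."""
    image.seek(0)
    mbr = image.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        return
    for i in range(4):
        ptype = mbr[446 + 16 * i + 4]
        lba, count = struct.unpack_from("<II", mbr, 446 + 16 * i + 8)
        if ptype and count:
            yield i, ptype, lba * SECTOR

def probe_qnx6(image, part_offset):
    """Return (layout, byte order) when the QNX6 magic is present, else None."""
    for layout, sb_offset in LAYOUTS.items():
        image.seek(part_offset + sb_offset)
        raw = image.read(4)
        for order, fmt in (("little", "<I"), ("big", ">I")):
            if len(raw) == 4 and struct.unpack(fmt, raw)[0] == QNX6_MAGIC:
                return layout, order
    return None

def scan_image(path):
    """Read-only scan: one (index, type, offset, hit) tuple per partition."""
    with open(path, "rb") as image:
        return [(i, hex(t), off, probe_qnx6(image, off))
                for i, t, off in mbr_partitions(image)]

def build_sample(path):
    """Constructed 64 KiB test image: one partition per layout."""
    img = bytearray(128 * SECTOR)
    img[510:512] = b"\x55\xaa"
    for i, lba in enumerate((8, 64)):   # constructed type byte and geometry
        struct.pack_into("<B3xII", img, 446 + 16 * i + 4, 0xB1, lba, 56)
    struct.pack_into("<I", img, 8 * SECTOR + 0x2000, QNX6_MAGIC)
    struct.pack_into(">I", img, 64 * SECTOR, QNX6_MAGIC)
    with open(path, "wb") as out:
        out.write(img)

if __name__ == "__main__":
    build_sample("sample_qnx6.img")
    for row in scan_image("sample_qnx6.img"):
        print(row)
```

A hit on the "mmi" layout suggests trying the Linux qnx6 driver's `mmi_fs` mount option on a read-only working copy, which keeps the original timestamps visible to standard tools.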



Posted: Tue Mar 05, 2013 3:56 am

This is exactly the kind of Ftech work that keeps me coming back and interested.

Nice one.  

Senior Member


Posted: Tue Mar 05, 2013 5:01 am

- Colin2030
Looks like we cracked it using the following method:

I wholeheartedly agree with Adam. Colin, thanks for demonstrating "best practices" by freely sharing what worked, so the entire community can learn. This is what makes participation in Forensic Focus both valuable and fulfilling. Wish that everyone would do the same.
Scott Tucker
Aptegra Consulting, LLC

Senior Member
