Is it a full physical image???

15 Posts
7 Users
0 Likes
2,442 Views
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

My friend asked me why she could not find some important files in a physical image acquired from an Android phone. She took the evidence tree of an Android 6.0 physical image as an example; she's used to seeing /data/data in a physical image.

You guys could take a look at my blog below to see what's going on.
http://www.cnblogs.com/pieces0310/p/7119033.html

 
Posted : 04/07/2017 8:17 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

What tool or device is the activity_log.txt from and where can it be found?

It appears that mmcblk0 has a hardware device protecting this memory block from being accessed??

What new or changed files and folders exist on the phone as a direct result of the Rooting process?

It is very interesting that, even after the phone has been rooted, data extraction tools cannot copy out all memory blocks.

 
Posted : 05/07/2017 12:14 am
(@mcman)
Posts: 189
Estimable Member
 

Are those screenshots from 2 different devices? Just trying to understand what I'm looking at here.

Looks like an acquisition done with Magnet ACQUIRE or AXIOM and your first screenshot (Android 6?) looks like it's showing the /data/data/ path normally as expected. The second screenshot is from a different device (Android 7?) and shows a different folder structure.

The log indicates that it can't access the mmcblk0 block, which is an info string, not an error, and should be expected since it's encrypted as you said, but it did find and access the dm-0 and dm-1 blocks correctly. This is normal for most newer Android phones running 6 or 7 that have full disk encryption turned on (which is on by default on most devices and cannot be turned off).

If you compare this to a computer hard drive running FDE, imaging the physical disk gives you an encrypted image of the physical disk, which isn't very useful for analysis, but if you look at the logical partitions and acquire those, you can get readable data without requiring decryption each time.

So in short, yes, it's a physical image, an encrypted physical image that also includes the decrypted blocks of data that you can actually analyze and make use of. DM-0 contains the decrypted content, whereas mmcblk0 is the encrypted data, in a nutshell.

Let me know some extra detail and I can see if I can help further.

Jamie McQuaid
Magnet Forensics

 
Posted : 05/07/2017 2:03 am
(@mcman)
Posts: 189
Estimable Member
 

It is very interesting that, even after the phone has been rooted, data extraction tools cannot copy out all memory blocks.

That's the way she goes with FDE, unfortunately: rooting doesn't remove encryption at the hardware level; it only allows access to protected areas of a mounted disk.

 
Posted : 05/07/2017 2:05 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Mcman, your explanation makes sense.

When I use Macquisition to image a FileVault encrypted MacBook hard drive, Macquisition will display a "new" decrypted drive to image in addition to the previously visible encrypted drive only after the FileVault password has been entered into Macquisition.

 
Posted : 05/07/2017 4:00 am
SamBrown
(@sambrown)
Posts: 97
Trusted Member
 

So in short, yes, it's a physical image, an encrypted physical image that also includes the decrypted blocks of data that you can actually analyze and make use of. DM-0 contains the decrypted content, whereas mmcblk0 is the encrypted data, in a nutshell.

Jamie McQuaid
Magnet Forensics

Just to clarify - mmcblk0 is the entire storage area, which contains all partitions like the boot loader, recovery, system, data and cache. If the phone has encryption, it means that the data partition is encrypted. Therefore an image of mmcblk0 is pretty much useless. It is always great to get a full physical dump, but actually the data partition is usually sufficient because that's where all the user data is stored.

dm-0 is the name of the mounted and decrypted data partition on a live system. This is the partition which needs to be imaged on an encrypted phone. The phone needs to be up and running, and you'll need to have root access to do this.

If the phone is already rooted, connect via adb to see a list of the partitions:

"adb shell cat /proc/partitions"

This should help you understand the problem better.

 
Posted : 05/07/2017 2:57 pm
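As an added illustration of SamBrown's point (not code from any post in this thread), here is a small parser that takes the output of `adb shell cat /proc/partitions` and `adb shell cat /proc/mounts`, tags the whole eMMC device (mmcblk0), the device-mapper targets (dm-N) and the raw partitions, and picks out the device mounted at /data as the one worth imaging on an FDE phone. The two sample outputs are constructed, not captured from the Mate 9 or LG G3 discussed above, and the size-matching hint for which raw partition backs dm-0 is a heuristic I added, not something the thread states.

```python
"""Classify block devices on a rooted, booted Android phone and find the
decrypted userdata target. Added example; sample outputs are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample of `adb shell cat /proc/partitions` (hypothetical values).
SAMPLE_PARTITIONS = """\
major minor  #blocks  name

 179        0   61071360 mmcblk0
 179        1      65536 mmcblk0p1
 179        2     524288 mmcblk0p2
 179       25    4194304 mmcblk0p25
 179       30   52428800 mmcblk0p30
 179       32       4096 mmcblk0rpmb
 253        0   52428800 dm-0
 253        1    4194304 dm-1
"""

# Constructed sample of `adb shell cat /proc/mounts` (hypothetical values).
SAMPLE_MOUNTS = """\
/dev/block/mmcblk0p25 /system ext4 ro,seclabel,relatime 0 0
/dev/block/dm-0 /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0
/dev/block/dm-1 /vendor ext4 ro,seclabel,relatime 0 0
"""


@dataclass
class BlockDevice:
    name: str
    blocks: int                      # size in 1 KiB blocks, as /proc/partitions reports
    mountpoint: Optional[str] = None
    role: str = ""


def parse_partitions(text: str) -> Dict[str, BlockDevice]:
    """Parse /proc/partitions: 'major minor #blocks name' rows, header skipped."""
    devices = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # header or blank line
        _major, _minor, blocks, name = parts
        devices[name] = BlockDevice(name=name, blocks=int(blocks))
    return devices


def parse_mounts(text: str) -> Dict[str, str]:
    """Map block device name -> mountpoint from /proc/mounts."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].startswith("/dev/block/"):
            continue
        mounts[parts[0].rsplit("/", 1)[1]] = parts[1]
    return mounts


def classify(partitions_text: str, mounts_text: str) -> Dict[str, BlockDevice]:
    devices = parse_partitions(partitions_text)
    mounts = parse_mounts(mounts_text)
    for name, dev in devices.items():
        dev.mountpoint = mounts.get(name)
        if re.fullmatch(r"mmcblk\d+", name):
            dev.role = "whole eMMC: every partition, userdata encrypted at rest"
        elif name.startswith("dm-"):
            dev.role = "device-mapper target: decrypted view on the live system"
        elif name.endswith("rpmb") or name.endswith("boot0") or name.endswith("boot1"):
            dev.role = "eMMC hardware area, not a user partition"
        else:
            dev.role = "raw partition: readable only if not encrypted"
    return devices


def userdata_target(devices: Dict[str, BlockDevice]) -> Optional[str]:
    """Name of the device mounted at /data: the one to image on an FDE phone."""
    for dev in devices.values():
        if dev.mountpoint == "/data":
            return dev.name
    return None


def likely_backing_partition(devices: Dict[str, BlockDevice], dm_name: str) -> Optional[str]:
    """Heuristic (my addition): a raw mmcblk partition with the same block count
    is probably what the dm target sits on. Only a hint, not authoritative."""
    target = devices[dm_name]
    for dev in devices.values():
        if dev.name != dm_name and dev.role.startswith("raw partition") and dev.blocks == target.blocks:
            return dev.name
    return None


def acquisition_command(devname: str, out_path: str = "userdata_dm0.img") -> str:
    """Build (do not run) a dd-over-adb line. Assumes adbd runs as root;
    otherwise the dd would need wrapping in `su -c`."""
    return f"adb exec-out 'dd if=/dev/block/{devname} bs=4M 2>/dev/null' > {out_path}"


if __name__ == "__main__":
    devs = classify(SAMPLE_PARTITIONS, SAMPLE_MOUNTS)
    for d in devs.values():
        print(f"{d.name:<12} {d.blocks:>10} KiB  {d.mountpoint or '-':<8} {d.role}")
    target = userdata_target(devs)
    print("image this:", target, "(backed by", likely_backing_partition(devs, target), ")")
    print(acquisition_command(target))
```

The point of the classification is the one made above: on a booted, rooted FDE phone the readable userdata is the dm-0 target, so that is the device to hash and image, while a dump of mmcblk0 gives you the same region as ciphertext.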
(@mcman)
Posts: 189
Estimable Member
 

SamBrown explained it much better than I did :)

Now one other thing to note: once you get the decrypted user partition, the paths may be different for Nougat; instead of seeing /data/data/ you may get something like user_de/0/, which helps cover support for multiple users on a device.

On another side note, one of our trainers, Chris Vance, is doing a webinar on the changes in Nougat including some of this stuff. If anyone is interested, it's next week:
https://www.magnetforensics.com/mobile-forensics/taking-a-bite-out-of-androids-tasty-new-versions-webinar/

Jamie

 
Posted : 05/07/2017 5:48 pm
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Thank you guys. The first screenshot is Android 6 (LG G3), and the second one is Android 7 (Huawei Mate 9). The difference shows that Nougat may become a barrier to mobile forensics, as its encryption is activated by default.

I've downloaded some files in /data/data or /data/system from the Huawei Mate 9 via SSH. Then I conducted a search on the image acquired from this phone. To my surprise, there were no matching search results. Those files disappeared in that image…

Yes, it looks like an encrypted partition. I used another forensic tool to do physical acquisition and analysis successfully, but the analysis result was the same as above. That means physical acquisition may not "see" all partitions in the phone due to encryption being activated by default.

 
Posted : 05/07/2017 8:18 pm
(@mcman)
Posts: 189
Estimable Member
 

Hey gorvq7222,

If the device was rooted and dm-0 was captured correctly, you should have the proper user data in there. From your screenshot (the second one, of the Mate 9), that looks like the system partition, not the user partition, which would explain why you're not seeing the /data/ folder.

I don't have a Mate 9, but any other image I create from a rooted Android 7 device still gives me the user data with everything you'd expect (both a /data/ folder and the /user_de/0/ folder). If dm-0 was unable to be read then I would say it didn't capture the user data, but from your log it appears it was captured.

Let me know how you're loading those partitions or pulling them from the raw image and maybe we can see why you can't see it.

Jamie

 
Posted : 06/07/2017 2:10 am
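A quick way to settle the question Jamie raises, whether the dm-0 dump you are mounting actually holds a decrypted filesystem or is still ciphertext, is to look at the first few KiB of the image. This is an added example, not code from any post or from Magnet or FTK Imager: it checks for an ext4 or f2fs superblock magic at offset 1024 (where both filesystems keep it) and otherwise measures byte entropy, since an encrypted partition looks like uniformly random data. The two sample images are constructed in the code; the assumption is that the dump starts at the partition boundary, as a dd of dm-0 would.

```python
"""Decide whether a dumped partition image is a plaintext filesystem or
ciphertext. Added example; the sample images below are constructed."""
import hashlib
import math
from collections import Counter

SUPERBLOCK_OFFSET = 1024          # ext4 and f2fs both place the superblock here
EXT4_MAGIC_OFFSET = 0x38          # s_magic inside the ext4 superblock
EXT4_MAGIC = b"\x53\xef"          # 0xEF53, little-endian
F2FS_MAGIC = b"\x10\x20\xf5\xf2"  # 0xF2F52010, little-endian, first field of the f2fs superblock
HIGH_ENTROPY_BITS = 7.8           # bits/byte; random data over 4 KiB measures ~7.95


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the given buffer (0.0 for all-same bytes, max 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def filesystem_magic(image: bytes) -> str:
    """Return 'ext4', 'f2fs' or '' based on the superblock magic."""
    ext4_at = SUPERBLOCK_OFFSET + EXT4_MAGIC_OFFSET
    if image[ext4_at:ext4_at + 2] == EXT4_MAGIC:
        return "ext4"
    if image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 4] == F2FS_MAGIC:
        return "f2fs"
    return ""


def classify_image(image: bytes, sample_size: int = 4096) -> str:
    """'plaintext-<fs>' when a superblock is recognised, 'likely-ciphertext'
    when the leading bytes are near-uniform, otherwise 'unknown' (could be a
    filesystem this check does not know, or a dump that misses the boundary)."""
    fs = filesystem_magic(image)
    if fs:
        return f"plaintext-{fs}"
    if shannon_entropy(image[:sample_size]) > HIGH_ENTROPY_BITS:
        return "likely-ciphertext"
    return "unknown"


def make_plaintext_sample() -> bytes:
    """Constructed: zero-filled block with an ext4 magic and a little text."""
    buf = bytearray(4096)
    at = SUPERBLOCK_OFFSET + EXT4_MAGIC_OFFSET
    buf[at:at + 2] = EXT4_MAGIC
    text = b"/data/data/com.example.app/databases/"   # hypothetical path
    buf[2048:2048 + len(text)] = text
    return bytes(buf)


def make_f2fs_sample() -> bytes:
    """Constructed: zero-filled block carrying only the f2fs magic."""
    buf = bytearray(4096)
    buf[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 4] = F2FS_MAGIC
    return bytes(buf)


def make_ciphertext_sample() -> bytes:
    """Constructed stand-in for encrypted data: deterministic SHA-256 stream,
    which is statistically indistinguishable from random for this purpose."""
    out = bytearray()
    counter = 0
    while len(out) < 4096:
        out += hashlib.sha256(b"constructed-sample-%d" % counter).digest()
        counter += 1
    return bytes(out[:4096])


if __name__ == "__main__":
    for label, img in (("dm-0 style dump", make_plaintext_sample()),
                       ("f2fs dump", make_f2fs_sample()),
                       ("mmcblk0 userdata region", make_ciphertext_sample())):
        print(f"{label:<26} entropy={shannon_entropy(img):.2f}  -> {classify_image(img)}")
```

On a real dump, run the check over a larger window than 4 KiB and on the partition's own offset inside a whole-disk image; a result of "unknown" usually means the dump did not start at the partition boundary or the phone uses a filesystem beyond the two magics checked here, not that the data is encrypted.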
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Jamie, thanks for your quick reply. As you can see, I used FTK Imager to mount this image acquired from that rooted Mate 9. Fortunately some tools could extract data from that rooted Mate 9 at the filesystem level. What if the evidence is an unrooted Mate 9? Maybe I will do some tests some other time and let you guys know what's going on.

 
Posted : 06/07/2017 7:50 pm
Page 1 / 2