Android userdata partition not recognised by FTK or Autopsy

engdan
(@engdan)
Posts: 12
Active Member
Topic starter
 

Hi,

I’ve got a rooted Moto G XT1039 on Android 5.1 and I’ve done a physical acquisition with Magnet ACQUIRE.

When I load the .raw image into FTK Imager I can see all the partitions but userdata can’t be ‘expanded’ to view the files and folders because it is an unrecognised file system. I can expand the system partition fine and FTK IDs it as ext4. I have also tried with Autopsy with the same results.

I have full access to the phone and pass codes. I searched before and it seems to be a similar problem as here but when I go into Settings app I have the option to enable encryption, suggesting it's not already on. I can also search manually through the 'unallocated space' in the partition and I can see bits and pieces of plaintext and strings. Autopsy's email address parser also pulls out addresses from there.

Does anyone have any ideas what's wrong here? Or how to get FTK/Autopsy to recognise userdata or other free tool I could try? I don't really have access to any paid software.

Thanks!

 
Posted : 17/08/2018 6:37 pm
(@mcman)
Posts: 189
Estimable Member
 

I'm pretty sure the original moto G used F2FS instead of EXT4 for the user partition… I'm not 100% certain but I think it was that device (very few used it). More info here:
https://en.wikipedia.org/wiki/F2FS

If you have AXIOM or IEF, we should be able to read it, not sure if FTK or Autopsy ever added support for it since it wasn't used very much. I don't know of any free options for F2FS.

Jamie
Magnet Forensics

 
Posted : 17/08/2018 7:09 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

If your budget can afford $100.00 then purchase the single phone licenses of MOBILedit Forensic Express to process your extraction.

If you are LE then PM me and I will process your phone extraction for you and send you back a UFED Reader report with all extracted data at no charge.

 
Posted : 17/08/2018 7:57 pm
(@athulin)
Posts: 1156
Noble Member
 

I'm pretty sure the original moto G used F2FS instead of EXT4 for the user partition… I'm not 100% certain but I think it was that device (very few used it).

More info can be found at

https://f2fs.wiki.kernel.org/

along with pointers to Linux kernels that support this file system … at least to some extent.

 
Posted : 18/08/2018 9:50 am
(@arcaine2)
Posts: 235
Estimable Member
 

I'm pretty sure the original moto G used F2FS instead of EXT4 for the user partition… I'm not 100% certain but I think it was that device (very few used it). More info here:
https://en.wikipedia.org/wiki/F2FS

Moto G used F2FS for userdata, and Motorola (or Lenovo devices with Moto branding) still uses this filesystem in their devices. This was one of the reasons why the phone worked so well, and this is most likely the case here. The filesystem can be easily mounted under a modern Linux distribution, so everything can be extracted manually if needed.

 
Posted : 18/08/2018 3:54 pm
(@athulin)
Posts: 1156
Noble Member
 

If anyone hoped to use disktype (Sourceforge project) for identifying f2fs file systems, you probably noted that they are not on the list of supported file systems.

I've just uploaded a patch to the project that at least identifies the filesystem as f2fs, with the file system version, volume name and volume uuid.

The patch has only been tested with standard Linux x64 mkfs-generated file systems – not with actual Android file systems, so … there might just possibly be byte-endian issues with ARM systems.

(Added: it also looks like the current file(1) magic database should support f2fs.)

 
Posted : 19/08/2018 12:23 pm
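An added example, not code from this thread or from the disktype project: it performs the same identification the patch and the file(1) magic entry do (F2FS magic 1 KiB into the partition, then version, volume name and UUID), written in Python so it can be run directly against the raw userdata partition carved from the Magnet ACQUIRE image. Function names and the embedded sample superblock are constructed for illustration; the field offsets come from the kernel's struct f2fs_super_block, whose integer fields are stored little-endian on disk regardless of the device CPU, so the ARM endianness worry does not apply to these fields.

```python
import struct
import sys
import uuid

F2FS_MAGIC = 0xF2F52010
SB_LOCATIONS = (1024, 4096 + 1024)  # primary superblock, then backup copy in block 1
SB_LEN = 124 + 1024                 # bytes read: fields up through the end of volume_name
# struct f2fs_super_block (packed, little-endian): 0 magic u32, 4 major u16, 6 minor u16,
# 16 log_blocksize u32, 36 block_count u64, 108 uuid[16], 124 volume_name[512] UTF-16LE

def parse_f2fs_superblock(blob: bytes, offset: int = SB_LOCATIONS[0]):
    sb = blob[offset:offset + SB_LEN]
    if len(sb) < SB_LEN:
        return None
    magic, major, minor = struct.unpack_from("<IHH", sb, 0)
    if magic != F2FS_MAGIC:
        return None
    (log_blocksize,) = struct.unpack_from("<I", sb, 16)
    (block_count,) = struct.unpack_from("<Q", sb, 36)
    name = sb[124:SB_LEN].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": f"{major}.{minor}",
        "block_size": 1 << log_blocksize,
        "size_bytes": block_count << log_blocksize,
        "uuid": str(uuid.UUID(bytes=sb[108:124])),
        "volume_name": name,
        "superblock_offset": offset,
    }

def identify_f2fs(blob: bytes):
    """Try the primary superblock first, then the backup copy in block 1."""
    for off in SB_LOCATIONS:
        info = parse_f2fs_superblock(blob, off)
        if info:
            return info
    return None

def make_sample_superblock() -> bytes:
    """Constructed test input: zeros plus a minimal F2FS superblock at offset 1024."""
    sb = bytearray(SB_LEN)
    struct.pack_into("<IHH", sb, 0, F2FS_MAGIC, 1, 10)   # magic, version 1.10
    struct.pack_into("<I", sb, 16, 12)                   # log2(4096)
    struct.pack_into("<Q", sb, 36, 3_000_000)            # user block count
    sb[108:124] = bytes(range(16))                       # fake volume UUID
    sb[124:140] = "userdata".encode("utf-16-le")         # volume name
    return bytes(1024) + bytes(sb) + bytes(4096)

if __name__ == "__main__":  # usage: python f2fs_id.py userdata.img ; no argument = self-test
    data = open(sys.argv[1], "rb").read(8192) if len(sys.argv) > 1 else make_sample_superblock()
    print(identify_f2fs(data) or "no F2FS superblock at offset 1024 or 5120")
```

If neither superblock location matches, the partition is not plain F2FS and the other explanations raised in the thread (encryption, or a different file system) are the next things to rule out.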