Android userdata partition not recognised by FTK or Autopsy

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)

Android userdata partition not recognised by FTK or Autopsy

Posted: Fri Aug 17, 2018 12:37 pm

Hi,

I’ve got a rooted Moto G XT1039 on Android 5.1 and I’ve done a physical acquisition with Magnet ACQUIRE.

When I load the .raw image into FTK Imager I can see all the partitions but userdata can’t be ‘expanded’ to view the files and folders because it is an unrecognised file system. I can expand the system partition fine and FTK IDs it as ext4. I have also tried with Autopsy with the same results.

I have full access to the phone and passcodes. I searched before and it seems to be a similar problem as here, but when I go into the Settings app I have the option to enable encryption, suggesting it's not already on. I can also search manually through the 'unallocated space' in the partition and I can see bits and pieces of plaintext and strings. Autopsy's email address parser also pulls out addresses from there.

Does anyone have any ideas what's wrong here? Or how to get FTK/Autopsy to recognise userdata, or another free tool I could try? I don't really have access to any paid software.

Thanks!  

engdan
Newbie

Re: Android userdata partition not recognised by FTK or Auto

Posted: Fri Aug 17, 2018 1:09 pm

I'm pretty sure the original moto G used F2FS instead of EXT4 for the user partition...I'm not 100% certain but I think it was that device (very few used it). More info here:
en.wikipedia.org/wiki/F2FS

If you have AXIOM or IEF, we should be able to read it, not sure if FTK or Autopsy ever added support for it since it wasn't used very much. I don't know of any free options for F2FS.

Jamie
Magnet Forensics  

mcman
Senior Member

Re: Android userdata partition not recognised by FTK or Auto

Posted: Fri Aug 17, 2018 1:57 pm

If your budget can afford $100.00, then purchase the single-phone licence of MOBILedit Forensic Express to process your extraction.

If you are LE then PM me and I will process your phone extraction for you and send you back a UFED Reader report with all extracted data at no charge.  

UnallocatedClusters
Senior Member

Re: Android userdata partition not recognised by FTK or Auto

Posted: Sat Aug 18, 2018 3:50 am

- mcman
I'm pretty sure the original moto G used F2FS instead of EXT4 for the user partition...I'm not 100% certain but I think it was that device (very few used it).


More info can be found at

f2fs.wiki.kernel.org/

along with pointers to Linux kernels that support this file system ... at least to some extent.  

athulin
Senior Member

Re: Android userdata partition not recognised by FTK or Auto

Posted: Sat Aug 18, 2018 9:54 am

- mcman
I'm pretty sure the original moto G used F2FS instead of EXT4 for the user partition...I'm not 100% certain but I think it was that device (very few used it). More info here:
en.wikipedia.org/wiki/F2FS


Moto G used F2FS for userdata, and Motorola (or Lenovo devices with Moto branding) still uses this filesystem in their devices. This was one of the reasons why the phone worked so well, and this is most likely the case here. The filesystem can be easily mounted under a modern Linux distribution, so everything can be extracted manually if needed.

arcaine2
Senior Member

Re: Android userdata partition not recognised by FTK or Auto

Posted: Sun Aug 19, 2018 6:23 am

If anyone hoped to use disktype (Sourceforge project) for identifying f2fs file systems, you probably noted that they are not on the list of supported file systems.

I've just uploaded a patch to the project that at least identifies the filesystem as f2fs, with the file system version, volume name and volume uuid.

The patch has only been tested with standard Linux x64 mkfs-generated file systems -- not with actual Android file systems, so ... there might just possibly be byte-endian issues with ARM systems.

(Added: it also looks like the current file(1) magic database should support f2fs.)  

athulin
Senior Member
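The check athulin describes for disktype (recognise the partition as F2FS and report version, volume name and UUID) is exactly what the original poster needed when FTK Imager and Autopsy showed userdata as an unrecognised file system. Below is an added, stand-alone Python version of that identification step; it is example code written for this thread, not athulin's patch and not part of disktype, Autopsy or FTK. Field offsets come from the kernel header include/linux/f2fs_fs.h: the magic 0xF2F52010 sits 1 KiB into the partition, followed by the major/minor version, with the 16-byte UUID at offset 108 and the UTF-16LE volume name at offset 124. The kernel declares every superblock field little-endian on every architecture, so an image taken from an ARM phone parses the same way as an x86 mkfs output. The script also scans a whole-device image at 4 KiB alignment, for the case where the tool in use will not parse the partition table. The sample image it builds is constructed for the demonstration and is not from a real device.

```python
"""Identify an F2FS superblock in a raw Android image and report version,
volume name and UUID.  On-disk constants come from the Linux kernel header
include/linux/f2fs_fs.h; the sample image built below is constructed for
this example and is not taken from a real device."""
import mmap
import struct
import sys
import uuid

F2FS_SUPER_OFFSET = 1024       # superblock starts 1 KiB into the partition
F2FS_SUPER_MAGIC = 0xF2F52010  # stored little-endian on every CPU, ARM included
SB_HEADER = "<IHH"             # magic (u32), major_ver (u16), minor_ver (u16)
UUID_OFFSET = 108              # 16 raw bytes
VOLUME_NAME_OFFSET = 124       # 512 UTF-16LE code units, NUL padded
VOLUME_NAME_BYTES = 512 * 2
SB_MIN_LEN = VOLUME_NAME_OFFSET + VOLUME_NAME_BYTES


def identify_f2fs(data, partition_offset=0):
    """Return {'version', 'volume_name', 'uuid'} if an F2FS superblock starts
    at partition_offset + 1024 in `data` (bytes or an mmap), otherwise None."""
    start = partition_offset + F2FS_SUPER_OFFSET
    sb = bytes(data[start:start + SB_MIN_LEN])
    if len(sb) < SB_MIN_LEN:           # image too short to hold a superblock here
        return None
    magic, major, minor = struct.unpack_from(SB_HEADER, sb, 0)
    if magic != F2FS_SUPER_MAGIC:
        return None
    raw_name = sb[VOLUME_NAME_OFFSET:VOLUME_NAME_OFFSET + VOLUME_NAME_BYTES]
    volume_name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": f"{major}.{minor}",
        "volume_name": volume_name,
        "uuid": str(uuid.UUID(bytes=sb[UUID_OFFSET:UUID_OFFSET + 16])),
    }


def scan_for_f2fs(data, step=4096):
    """Walk a whole-device image at `step` alignment and yield
    (partition_offset, info) for every F2FS superblock found.  Useful when the
    partition table is damaged or the tool in use will not parse it."""
    for part_off in range(0, len(data), step):
        info = identify_f2fs(data, part_off)
        if info is not None:
            yield part_off, info


def make_sample_image(volume_name="userdata", major=1, minor=10,
                      vol_uuid="0f2f5201-0000-4000-8000-00000000c0de",
                      partition_offset=0):
    """Constructed test image: zeros, then a minimal F2FS superblock at
    partition_offset + 1024.  Only the fields this script reads are filled in;
    the UUID and volume name are made-up sample values."""
    img = bytearray(partition_offset + F2FS_SUPER_OFFSET + 4096)
    sb = partition_offset + F2FS_SUPER_OFFSET
    struct.pack_into(SB_HEADER, img, sb, F2FS_SUPER_MAGIC, major, minor)
    img[sb + UUID_OFFSET:sb + UUID_OFFSET + 16] = uuid.UUID(vol_uuid).bytes
    name = volume_name.encode("utf-16-le")
    img[sb + VOLUME_NAME_OFFSET:sb + VOLUME_NAME_OFFSET + len(name)] = name
    return bytes(img)


def main(argv):
    if len(argv) < 2:
        # No image given: run against the constructed sample instead.
        sample = make_sample_image(partition_offset=8192)
        for off, info in scan_for_f2fs(sample):
            print(f"sample image: F2FS at offset {off}: {info}")
        return 0
    # usage: f2fs_id.py image.raw [partition_byte_offset]
    with open(argv[1], "rb") as fh, \
            mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        if len(argv) > 2:
            info = identify_f2fs(mm, int(argv[2], 0))
            print(info if info else "no F2FS superblock at that offset")
        else:
            for off, info in scan_for_f2fs(mm):
                print(f"F2FS at offset {off}: {info}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass the .raw image and, if known, the byte offset of the userdata partition (as printed by FTK Imager or a partition-table parser) to confirm the file system before trying a Linux mount or a tool with F2FS support; without an offset the script walks the whole image and reports every F2FS superblock it finds. It only reads the superblock header, so it tells you what the partition is, not whether its contents are encrypted.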