
Android imaging

5 Posts
4 Users
0 Likes
12.7 K Views
(@afsfr)
Posts: 37
Eminent Member
Topic starter
 

I tried to use FTK Imager downloaded from AccessData, but it can't do a physical image of an Android phone; there is no menu item. So how can FTK get an Android image without rooting, or do we have to use EnCase?

 
Posted : 12/12/2019 5:34 am
(@gorvq7222)
Posts: 229
Reputable Member
 

Frankly speaking you could not count on FTK or EnCase to do physical extraction from a smartphone. If the phone is rooted, that would be easier. If not, you could take professional mobile forensic tools into consideration, such as Oxygen, XRY, Cellebrite 4PC…etc.

 
Posted : 25/12/2019 12:05 am
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

I tried to use FTK Imager downloaded from AccessData, but it can't do a physical image of an Android phone; there is no menu item. So how can FTK get an Android image without rooting, or do we have to use EnCase?

 
Posted : 25/12/2019 5:40 am
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Try to use Belkasoft Acquisition Tool (https://belkasoft.com/get).

Belkasoft Acquisition Tool is a good free tool for creating images from Android and iOS devices.

 
Posted : 25/12/2019 5:43 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Please refer to page 66 of the DEFT Linux manual https://paper.bobylive.com/System/EN-deft7.pdf

Imaging a rooted Android phone can be accomplished using the Android Debugging Bridge (ADB) by basically opening a Terminal Window and using a DD equivalent copy command to a locally installed SD card.

You are correct that it is generally impossible to have a rooted Android phone's internal memory storage be recognized as a logical or physical drive connected to a Windows PC and thus directly imageable by a tool like FTK Imager.

I was able to get a rooted Windows phone recognized by FTK Imager and was successfully able to create an E01 image file using FTK Imager, I believe due to file formatting.

So basically the Android memory storage file format is not FAT/exFAT/NTFS and thus cannot be seen by FTK Imager.

The differences in file formatting between Android OS and Windows OS are why one has to basically open a terminal window on the Android phone connected to the Windows PC over the Android Debugging Bridge to create a data dump (DD) image of the Android phone's internal memory to an appropriately formatted SD card internal to the Android phone.

 
Posted : 25/12/2019 10:48 pm
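The dd-over-ADB procedure described in the post above, as an added example that is not part of the original thread: it images a block device with `dd`, records SHA-256 hashes, and checks that the copy pulled to the workstation matches the image written on the phone. Assumptions: the caller supplies the block device path and the SD card path, and the rooted phone provides `su -c` and `sha256sum`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: dd imaging with hash verification (not from the original thread).

# hash_of FILE: print the SHA-256 hex digest of FILE.
hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# image_and_verify SRC DST: copy SRC to DST with dd, write both hashes to
# DST.sha256, and succeed only if the image is bit-identical to the source.
# Meant for a source that does not change while it is read (a file, or an
# unmounted or read-only partition).
image_and_verify() {
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=4096 2>/dev/null || return 2
    src_hash=$(hash_of "$src")
    dst_hash=$(hash_of "$dst")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$dst_hash" "$dst" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# acquire_over_adb DEV SDPATH OUT: run dd as root on the phone, writing the
# image to the SD card (which needs enough free space), pull it to the
# workstation, and compare the hash taken on the phone with the local one.
# DEV and SDPATH are chosen by the examiner; `su -c` syntax and the presence
# of sha256sum on the phone are assumptions that vary by device.
acquire_over_adb() {
    dev=$1; sd=$2; out=$3
    adb shell "su -c 'dd if=$dev of=$sd bs=4096'" || return 2
    remote_hash=$(adb shell "su -c 'sha256sum $sd'" | cut -d' ' -f1)
    adb pull "$sd" "$out" || return 2
    local_hash=$(hash_of "$out")
    printf '%s  %s (on device)\n%s  %s\n' \
        "$remote_hash" "$sd" "$local_hash" "$out" > "$out.sha256"
    [ "$remote_hash" = "$local_hash" ]
}
```

A mounted data partition keeps changing while the phone runs, so `acquire_over_adb` compares the image file on the SD card with the pulled copy rather than re-hashing the live device.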