Android forensic analysis with Autopsy

7 Posts
6 Users
0 Reactions
2,568 Views
(@skulkin)
Eminent Member
Joined: 12 years ago
Posts: 38
Topic starter  

Hi!

Here is our new article

http://www.weare4n6.com/android-forensic-analysis-with-autopsy/

What open source tools do you use for mobile forensics?


   
Quote
Agent47
(@agent47)
Eminent Member
Joined: 11 years ago
Posts: 32
 

The tool Autopsy is real competition to commercial tools. It has been a member of my toolset for some time. May I ask which tool you use to make an Android physical image?


   
ReplyQuote
Igor_Michailov
(@igor_michailov)
Honorable Member
Joined: 20 years ago
Posts: 529
 

May I ask which tool you use to make an Android physical image?

You can do it manually

http://www.weare4n6.com/physical-acquisition-of-a-locked-android-device/


   
ReplyQuote
UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

First off, many thanks for sharing your expertise - it is greatly appreciated and in my opinion the sign of a true expert (meaning someone willing and able to share their techniques).

Would you be able to share any information (even by PM) about drive geometries (CHS) for Android and other smartphone devices please?

I have been able to create physical images of rooted Windows Phone devices using Chimera Tool / FTK Imager and then was able to extract folders and files from the FTK Imager-created physical image file using TestDisk (http://www.cgsecurity.org/wiki/TestDisk). Extraction of the folders and files allowed me to use Forensic Explorer to analyze the Windows Phone content.

The issue I am stuck on is trying to determine the correct geometry (CHS) for a physical image of Android phones.

Within TestDisk, there is no option (or I am missing the correct option) to choose for Android disk formatting.

Is this (the drive geometries of smartphone disks and partitions) a closely guarded secret?

Maybe Jaclaz has some insight as he seems to be one of this forum's disk experts.

Regards,

Larry


   
ReplyQuote
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

Larry

I can't answer your question directly, but I am surprised that CHS even comes into the equation. The concept of cylinders, heads and sectors started falling by the wayside with the advent of disks with variable geometry (first with more sectors on the longer outer tracks, and then adjusting the number of sectors based on how well it formatted).

Sectors on a disk have been addressed by Logical Block Address (LBA) for many years now, as this simplifies things massively. Using this method you no longer care how many heads are on a disk, or even whether the device (memory sticks etc.) needs a CHS addressing method at all.

I am not familiar with the tools you mention (except FTK) but, as you say, I wonder whether you are missing something…


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

If the (disk-like) device is partitioned (as I believe it is) then the CHS data should be in the partition entry (in the MBR and/or in the chain of EPBRs).

As PaulSanderson stated, most modern OSes simply do not care about CHS data in the partition table entries, though there is a small exception for HS data: the FAT32 and NTFS bootsector code NEEDS to have correct HS data (in the bootsector), BUT ONLY in order to boot.

More or less *anything* written in the last (say) 15 years uses only LBA addresses, though there are still a few dinosaurs (including myself) that insist that having valid CHS addresses - which costs nothing BTW - is advised to lessen possible issues with tools that may be "more royalist than the king" and with a number of BIOSes (but again that will be mostly about booting).

A Mass Storage device "exposes" a given geometry nonetheless, but that is "beyond and besides" any CHS value in the MBR or EPBR or bootsectors, and obviously this "characteristic" is lost when you make the image.

What is the actual problem you are having?
I mean, what do you need the CHS values for?

jaclaz


   
ReplyQuote
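The two posts above describe where CHS values actually live in a partitioned image (the 16-byte MBR partition entries, and the EPBR chain) and why tools have moved to LBA. The following Python is an added example, not code from the thread or from TestDisk: it builds a constructed 512-byte MBR in memory, decodes the packed CHS start/end fields and the 32-bit LBA fields of each entry, and checks whether the CHS fields agree with the LBA fields under an assumed geometry (16 heads, 63 sectors per track, a constructed value since an image file carries no geometry of its own). It goes one step beyond the posts by also flagging the 0xFE/0xFF/0xFF "beyond CHS" marker and the 0xEE protective entry that a GPT-partitioned disk presents, which is a case an MBR-only tool setting would not resolve.

```python
"""Decode MBR partition entries: CHS fields, LBA fields, and their consistency.

Added example (not from the thread). All sample data is constructed inline.
"""
import struct

SECTOR = 512
# Assumed geometry used only for the CHS <-> LBA conversion (constructed value).
HEADS, SECTORS_PER_TRACK = 16, 63
BEYOND_CHS = b"\xfe\xff\xff"   # C=1023, H=254, S=63: "address not representable in CHS"


def decode_chs(b):
    """Unpack the 3-byte packed CHS field of an MBR entry into (cylinder, head, sector)."""
    head = b[0]
    sector = b[1] & 0x3F                       # low 6 bits of byte 1
    cylinder = ((b[1] & 0xC0) << 2) | b[2]     # high 2 bits of byte 1 + byte 2
    return cylinder, head, sector


def encode_chs(c, h, s):
    """Inverse of decode_chs; cylinder is truncated to its 10-bit field."""
    return bytes([h & 0xFF, ((c >> 2) & 0xC0) | (s & 0x3F), c & 0xFF])


def chs_to_lba(c, h, s, heads=HEADS, spt=SECTORS_PER_TRACK):
    """Standard conversion; CHS sectors are 1-based, LBA is 0-based."""
    return (c * heads + h) * spt + (s - 1)


def lba_to_chs(lba, heads=HEADS, spt=SECTORS_PER_TRACK):
    c, rem = divmod(lba, heads * spt)
    h, s = divmod(rem, spt)
    return c, h, s + 1


def parse_mbr(mbr):
    """Return a list of dicts, one per non-empty primary partition entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature at offset 510: not an MBR")
    entries = []
    for i in range(4):
        e = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        if e[4] == 0:                          # type 0x00 = unused slot
            continue
        start_chs, end_chs = decode_chs(e[1:4]), decode_chs(e[5:8])
        lba_start, lba_count = struct.unpack_from("<II", e, 8)
        entries.append({
            "index": i,
            "bootable": e[0] == 0x80,
            "type": e[4],
            "start_chs": start_chs,
            "end_chs": end_chs,
            "lba_start": lba_start,
            "lba_count": lba_count,
            # Either CHS field saturated: the tool must fall back to LBA.
            "chs_saturated": e[1:4] == BEYOND_CHS or e[5:8] == BEYOND_CHS,
            # Does the CHS start, under the assumed geometry, land on the LBA start?
            "chs_matches_lba": chs_to_lba(*start_chs) == lba_start,
            # 0xEE = GPT protective entry: the real table is GPT, not this MBR.
            "gpt_protective": e[4] == 0xEE,
        })
    return entries


def make_entry(boot, ptype, lba_start, lba_count):
    """Build a 16-byte entry whose CHS fields are derived from the LBA fields."""
    start = encode_chs(*lba_to_chs(lba_start))
    end = encode_chs(*lba_to_chs(lba_start + lba_count - 1))
    return (bytes([0x80 if boot else 0x00]) + start + bytes([ptype]) + end
            + struct.pack("<II", lba_start, lba_count))


def build_sample_mbr():
    """Constructed MBR: a FAT32 (0x0C) entry with consistent CHS/LBA fields and a
    Linux (0x83) entry whose CHS fields carry the 'beyond CHS' marker."""
    e0 = make_entry(True, 0x0C, 63, 2016)
    e1 = bytes([0x00]) + BEYOND_CHS + bytes([0x83]) + BEYOND_CHS + struct.pack("<II", 2079, 10000)
    return bytes(446) + e0 + e1 + bytes(32) + b"\x55\xaa"


def build_protective_mbr():
    """Constructed GPT protective MBR: single 0xEE entry covering the whole disk."""
    e0 = bytes([0x00]) + b"\x00\x02\x00" + bytes([0xEE]) + BEYOND_CHS + struct.pack("<II", 1, 0xFFFFFFFF)
    return bytes(446) + e0 + bytes(48) + b"\x55\xaa"


def summarize(entries):
    """One-line verdict a practitioner would want before choosing a table type."""
    if any(e["gpt_protective"] for e in entries):
        return "GPT protective MBR: read the GPT header at LBA 1, not the MBR entries"
    if entries and all(e["chs_matches_lba"] or e["chs_saturated"] for e in entries):
        return "MBR with CHS fields consistent with LBA (or saturated); use LBA"
    return "MBR with CHS fields that disagree with LBA; trust the LBA fields"


if __name__ == "__main__":
    for name, img in (("sample", build_sample_mbr()), ("protective", build_protective_mbr())):
        ents = parse_mbr(img)
        for e in ents:
            print(name, e["index"], hex(e["type"]), e["start_chs"], e["lba_start"], e["lba_count"])
        print(name, "->", summarize(ents))
```

The geometry only matters for the `chs_matches_lba` column; the LBA fields are what any current tool (and the sample FAT32 entry here) actually resolve against, which is the point PaulSanderson makes above. When every entry is saturated or the first entry is type 0xEE, the MBR's CHS values cannot be "corrected" into anything useful and the partition layout has to be read from the GPT instead.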
UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

Jaclaz,

The problem I am encountering is that when I point TestDisk at a mounted forensic image of an Android phone, TestDisk asks me to choose what formatting the mounted disk image is (see the screenshot located at http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step under the Partition Table Type Selection).

I attempted each option listed but TestDisk could never identify any partitions in the mounted image.

When I encountered this same problem with the Windows phone physical image, by adjusting the CHS settings, TestDisk was able to see the partitions within the image and then allow me to export folders and files.

This is why (and it may simply be a case of me not knowing what I do not know) I thought that adjusting CHS settings is the key to allowing TestDisk to see partitions within a mounted image file.


   
ReplyQuote
Share: