Examining a logical extraction to know what file system

wilx (@wilx), Active Member, Joined: 17 years ago, Posts: 16, Topic starter

I hope this question hasn't been asked already as I have been combing the forums a bit and I still haven't gotten the answer I am looking for.

I want to know how to find out what file system (e.g. EXT4) a phone uses (it's an Android cellphone), as well as how to know if the device is rooted, and also what the device's API is, by examining a logical extraction or file system dump created by Cellebrite UFED.

Also, is there any way to find out if calendar entries have creation dates or other relevant metadata?

UnallocatedClusters (@unallocatedclusters), Honorable Member, Joined: 13 years ago, Posts: 576
Hello wilx -

I recommend that you, for example, purchase an Android phone like this one for $34.59 to experiment on (http://www.gearbest.com/cell-phones/pp_25171.html).

You could use the phone over WIFI, install Skype/Kik/Facebook Messenger/WhatsApp/etc. on the phone, and use each communication application to generate some known content. Then delete a few messages from each application, tracking which ones you deleted.

Then, perform an acquisition of the phone using your forensic tool of choice. If you do not own any forensic tools, then use DEFT and/or Santoku (each of these Linux tools provides step-by-step manuals for performing a logical extraction from Android devices; Andriller is $100.00 if your budget allows).

Create reports from the one or more tools you used on the phone so that you can compare results to later acquisitions of the same phone. Compare the messages and activities you know you created (and deleted) on the phone to what the tools are reporting.

Then root the phone using your favorite rooting application.

Using FTK Imager (free tool), create a physical image of the now rooted Android phone.

Mount the FTK Imager created image file and look at the visible partitions in FTK Imager. You may see partitions with folders and files, or partitions with no apparent content. This will give you your first clue about what formatting is being used (EXT4/NTFS/etc.) in your test phone's version of Android.

You may need to use TestDisk (built in to DEFT) to identify the file system format and extract out system folders and files from the FTK Imager created physical image.

Once you can see all of the partitions' folders and files, identify all of the folders and files that were created via the rooting process; for example, you may see a "Kingo" folder.

Use Autopsy to ingest the FTK Imager created forensic image file and then analyze the calendar content, text content etc.

Also, please compare what you are seeing in Autopsy to your known content you created and deleted plus the first stage logical acquisition.

Following the above steps will answer all of the questions you posed, PLUS give you the hands-on expertise of knowing where the answers lie to your excellent questions yourself.

Regards,

Larry

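The three things the original question asks for (file system type, whether the device is rooted, and the API level) can all be read directly from an unpacked file system dump once you know where to look, which is what Larry's hands-on exercise teaches. The following script is an added example written for this thread, not code from the original posts or from any of the tools named above. It assumes the extraction has been unpacked into a directory tree that mirrors the device (so `/system/build.prop` sits at `<dump>/system/build.prop`) and that any raw partition images are available as files. It reads `ro.build.version.sdk` from `build.prop` for the API level, checks well-known `su`/Superuser paths plus any folder whose name contains "Kingo" (the rooting artefact Larry mentions) for root indicators, and classifies a partition image by its on-disk signature: the ext2/3/4 superblock magic 0xEF53 at byte 0x438 (with the extents feature flag distinguishing ext4), the F2FS magic 0xF2F52010 at byte 0x400, and the FAT boot-sector strings. The sample dump it builds in a temporary directory is constructed for the demonstration and is not real device data.

```python
"""Triage an unpacked Android file-system dump (added example, not from the thread)."""
import os
import struct
import tempfile

# Common root artefacts, relative to the dump root (assumed layout, see lead-in).
ROOT_INDICATORS = [
    "system/bin/su",
    "system/xbin/su",
    "system/app/Superuser.apk",
    "system/app/SuperSU",
    "sbin/su",
]

EXT_MAGIC = 0xEF53              # ext2/3/4 superblock magic (LE u16 at 0x438)
EXT4_INCOMPAT_EXTENTS = 0x40    # s_feature_incompat bit set by ext4 (LE u32 at 0x460)
F2FS_MAGIC = 0xF2F52010         # f2fs superblock magic (LE u32 at 0x400)


def parse_build_prop(path):
    """Parse key=value lines of /system/build.prop into a dict; comments are skipped."""
    props = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def api_level(dump_root):
    """Return the API level from ro.build.version.sdk, or None if unavailable."""
    path = os.path.join(dump_root, "system", "build.prop")
    if not os.path.isfile(path):
        return None
    sdk = parse_build_prop(path).get("ro.build.version.sdk", "")
    return int(sdk) if sdk.isdigit() else None


def root_indicators(dump_root):
    """List known root paths that exist plus any directory named like 'Kingo'."""
    found = [p for p in ROOT_INDICATORS if os.path.exists(os.path.join(dump_root, p))]
    for dirpath, dirnames, _ in os.walk(dump_root):
        for d in dirnames:
            if "kingo" in d.lower():
                found.append(os.path.relpath(os.path.join(dirpath, d), dump_root))
    return sorted(set(found))


def identify_fs_bytes(head):
    """Classify the first bytes of a partition image by superblock/boot-sector signature."""
    if len(head) >= 0x464 and struct.unpack_from("<H", head, 0x438)[0] == EXT_MAGIC:
        incompat = struct.unpack_from("<I", head, 0x460)[0]
        return "ext4" if incompat & EXT4_INCOMPAT_EXTENTS else "ext2/ext3"
    if len(head) >= 0x404 and struct.unpack_from("<I", head, 0x400)[0] == F2FS_MAGIC:
        return "f2fs"
    if len(head) >= 512 and head[510:512] == b"\x55\xaa" and (
        b"FAT" in head[0x36:0x3E] or b"FAT" in head[0x52:0x5A]
    ):
        return "fat"
    return "unknown"


def identify_fs(image_path):
    """Read the first 4 KiB of a raw partition image and classify it."""
    with open(image_path, "rb") as fh:
        return identify_fs_bytes(fh.read(4096))


def triage(dump_root, partition_images=()):
    """Collect the answers to the thread's three questions in one dict."""
    return {
        "api_level": api_level(dump_root),
        "root_indicators": root_indicators(dump_root),
        "filesystems": {os.path.basename(p): identify_fs(p) for p in partition_images},
    }


def make_sample_dump():
    """Build a tiny constructed dump (not real device data) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="android_dump_")
    os.makedirs(os.path.join(root, "system", "xbin"))
    os.makedirs(os.path.join(root, "data", "KingoRoot"))   # mimics the 'Kingo' folder
    with open(os.path.join(root, "system", "build.prop"), "w") as fh:
        fh.write("# constructed sample\nro.build.version.sdk=23\nro.build.version.release=6.0.1\n")
    open(os.path.join(root, "system", "xbin", "su"), "wb").close()
    img = bytearray(4096)                                   # fake ext4 superblock
    struct.pack_into("<H", img, 0x438, EXT_MAGIC)
    struct.pack_into("<I", img, 0x460, EXT4_INCOMPAT_EXTENTS)
    image = os.path.join(root, "userdata.img")
    with open(image, "wb") as fh:
        fh.write(img)
    return root, image


if __name__ == "__main__":
    sample_root, sample_image = make_sample_dump()
    print(triage(sample_root, [sample_image]))
```

Point `triage()` at the real unpacked extraction and at any partition images the tool exported; a logical extraction that lacks `/system/build.prop` or raw partitions will simply report `None` and an empty `filesystems` map, which is itself a useful signal that a physical acquisition (the second half of Larry's exercise) is needed to answer the file system question.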
wilx (@wilx), Active Member, Joined: 17 years ago, Posts: 16, Topic starter

Hi UnallocatedClusters,

Thanks for your reply. I guess I was just avoiding what real digital forensic examiners do, which is to do your own tests, which helps you to speak more definitively.

Extremely grateful and I will be posting my findings,

Thanks again
