If you have root via jailbreaking, can you just directly copy bit by bit instead of using dd for unallocated deleted file analysis through hexdump? Also, if anyone knows how to best utilise hexdump for deleted files I would be glad to know.
I was thinking of experimenting by deleting files and viewing the before and after to indicate any change in the code.
Am I missing something? I thought DD was bit for bit copy.
A hex dump is a hex dump - it is up to the operator to understand what you are viewing, and hence to understand how the file system deletes files.
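To make the "before and after" experiment from the first post concrete, here is an added toy model (not code from anyone in this thread, and not any real file system): a tiny block device whose first block is an allocation map and whose "delete" only clears map entries. It shows why a sector-level image still carries deleted content and file slack, and why reading the hex dump means knowing how the file system marks deletion. Block size, layout and the sample file contents are all constructed for the example.

```python
"""
Toy block device for illustrating deleted-file and slack-space analysis.
Layout (an assumption of this example, not a real file system):
  - block 0 holds an allocation map, one byte per block (1 = allocated)
  - blocks 1.. hold data; a "file" is a contiguous run of blocks
  - deleting a file clears its map entries only; the data bytes stay put
"""

BLOCK_SIZE = 16   # constructed value, small so the hex dump stays readable
NUM_BLOCKS = 8    # constructed value; map fits in block 0 because 8 <= 16


def new_image():
    """Return an all-zero image with block 0 (the map itself) marked allocated."""
    img = bytearray(BLOCK_SIZE * NUM_BLOCKS)
    img[0] = 1
    return img


def write_file(img, first_block, data):
    """Write data starting at first_block, mark its blocks allocated, return block count."""
    nblocks = -(-len(data) // BLOCK_SIZE)          # ceiling division
    start = first_block * BLOCK_SIZE
    img[start:start + len(data)] = data
    for b in range(first_block, first_block + nblocks):
        img[b] = 1
    return nblocks


def delete_file(img, first_block, nblocks):
    """Simulate deletion: only the allocation map changes, no data is wiped."""
    for b in range(first_block, first_block + nblocks):
        img[b] = 0


def block(img, b):
    return bytes(img[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])


def changed_blocks(before, after):
    """Block numbers whose contents differ between two images (the OP's diff idea)."""
    return [b for b in range(NUM_BLOCKS) if block(before, b) != block(after, b)]


def unallocated_blocks(img):
    return [b for b in range(NUM_BLOCKS) if img[b] == 0]


def carve(img, needle):
    """Block numbers of unallocated blocks that still contain the byte pattern."""
    return [b for b in unallocated_blocks(img) if needle in block(img, b)]


def slack_bytes(img, first_block, length):
    """Bytes between the logical end of a file and the end of its last block."""
    end = first_block * BLOCK_SIZE + length
    last_block_end = (first_block + -(-length // BLOCK_SIZE)) * BLOCK_SIZE
    return bytes(img[end:last_block_end])


def hexdump(buf, width=16):
    """Minimal hexdump-style rendering: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(buf), width):
        chunk = buf[off:off + width]
        hexpart = " ".join(f"{x:02x}" for x in chunk)
        asc = "".join(chr(x) if 32 <= x < 127 else "." for x in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{asc}|")
    return "\n".join(lines)


def demo():
    """Write a file, image it, delete it, image again, then diff and carve."""
    img = new_image()
    n = write_file(img, 2, b"SECRET MESSAGE, DELETE ME!")  # 26 bytes -> 2 blocks
    before = bytes(img)
    delete_file(img, 2, n)
    after = bytes(img)
    # A later, shorter file reuses block 2; the tail of the old data survives as slack.
    write_file(img, 2, b"new")
    return {
        "changed": changed_blocks(before, after),   # only the map block differs
        "hits": carve(after, b"SECRET"),            # deleted data is still there
        "slack": slack_bytes(img, 2, 3),            # old bytes after the new file's end
        "dump": hexdump(img),
    }


if __name__ == "__main__":
    result = demo()
    print(result["dump"])
    print("changed blocks:", result["changed"])
    print("carved hits in unallocated blocks:", result["hits"])
    print("slack after new file:", result["slack"])
```

A file-level copy of this device would hand you only the three bytes of the new file; a sector-level copy (which is what dd gives you when it really is reading the block device) keeps both the carved remnant in block 3 and the slack tail in block 2, and the before/after diff shows that deletion touched nothing but the map.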
From some research I have done in this area, a DD will not give you the slack space with Android devices and therefore won't give you a bit for bit copy.
There are a number of papers in this area:
Hoog, J. (2011). Android Forensics: Investigation, Analysis, and Mobile Security for Google Android.
L. Simo, A. et al. (2011). Acquisition of Digital Evidence in Android Smartphones.
Lessard, J. and Kessler, G. (2010). Android Forensics: Simplifying Cell Phone Examinations.
I was confused by your initial post, as rooting typically refers to Android devices and jailbreaking to Apple devices.
I would be very wary of just believing other people's papers on tests they have done. I have seen far too many people produce results in controlled lab conditions and then consider the fact proven, when the reality is far more dynamic.
From some research I have done in this area, a DD will not give you the slack space with Android devices and therefore won't give you a bit for bit copy.
There must be some terminology misunderstanding?
If something does not give the "slack space" then it is not a dd copy. 😯
The whole idea of dd is direct access to physical sectors, if this access is granted, what is copied is bit-by-bit.
jaclaz
I "think", but I might be wrong, that he refers to the difference between a DD image and a flash dump.
Basically (that's what I understood by reading around), there are two ways of acquiring an Android internal flash: one with dd, where you get a filesystem physical dump with unallocated space, which in most cases should be enough.
The other is developed by viaForensics (?) and is a tool that can access the memory at an even lower level, providing you with an image that is more similar to what you get when you do a chip-off, so you also get the information about the flash layout. It might be useful, but reconstructing the filesystem from there is a pain, because you have to deal with information that is used by the memory chip for wear leveling etc.
[…]
The other is developed by viaForensics (?) and is a tool that can access the memory at an even lower level, providing you with an image that is more similar to what you get when you do a chip-off, so you also get the information about the flash layout. It might be useful, but reconstructing the filesystem from there is a pain, because you have to deal with information that is used by the memory chip for wear leveling etc.
I presume you are referring to chip-off (as you wrote), and less invasive JTAG methods. I do not think viaForensics provides tools for either. Even in their "AFPhysical Method" there is no such solution, as far as I know. They are an excellent source of information for YAFFS.
It was a binary included with the AFPhysical package which wasn't dd. I didn't try it myself, but I read about it in a paper; I'll try to find it again when I get back to the office.