This is what I've been thinking for the last months. I mean, most of the new Android devices (after Android 7) cannot be physically extracted unless you make the root process. But many of the devices cannot be rooted without losing everything because of the key (ciphered devices, I mean). So it is like a loop...
What do you think?
Most Android devices are running FBE nowadays, so no physical extraction, but a full filesystem will do; you will get close to what a physical gives.
The most important artifact is usually the WhatsApp database, and it is not always possible to extract it with a file system extraction.
Full filesystem or just a filesystem?
Personally I have had an easier time historically imaging Android OS devices using Compelson's MOBILedit Forensic Express. However, the vast majority of my clients require me to use Cellebrite for smartphone preservation.
If there is evidence on an Android OS smartphone which needs to be substantiated in a court of law, it is still preferable, in my opinion, to have collected such evidence using an industry-standard tool.
Encryption seems to be an evolving and ever-present challenge, but witness (pun intended) what the experts at Elcomsoft recently achieved: https://blog.elcomsoft.com/2020/08/behind-the-iphone-5-and-5c-passcode-cracking/
Is there an alternative to using an industry standard tool to extract Android OS smartphone evidence and then analyzing the evidence which the tool(s) are able to extract?