Hello everyone.Am new to this website and forum and also i don't know if am posting my question at the right place or not.If not,do correct me.
By the way am student i had to create a mobile phone memory card forensic software which is part of my final year project.I had been able to make an image of a memory card by disk dump. so now my task is to extract data from this image, that are deleted and undeleted data ( message,text,videos,pictures,mp3 and contact numbers).from what i heard is that if i mount this image,windows automatically update some data present in the image which no longer be admissible.so can you help me to prevnt this from happening? and am not able to decide on the programming language and its libraries to use for the extraction. Can Java be used?? and if so, what are the libraries to use? please help me. and if there any other way (expect from using available software) or you do have codes to achieve this, do pass on to me.Thank in advance.
Could you just mount the image as read only and then perform the data extraction?
What you ask can be accomplished in 1 of 2 methods
A) carving with a custom app
B) writing a filesystem reader to find deleted files
U could mount the image read-only BUT it only then shows existing files not deleted ones.
Pick your poison…I recommend carving as its less work wink and my specialty
Feel free to email me if you run into problems ryan.manley@wiseforensics.com
Ryan Manley
Wise forensics LLC
If I mount an image read-only, then it only "shows existing files[,] not deleted ones"? Can you elucidate on this?
What you ask can be accomplished in 1 of 2 methods
A) carving with a custom app
B) writing a filesystem reader to find deleted files
U could mount the image read-only BUT it only then shows existing files not deleted ones.Pick your poison…I recommend carving as its less work wink and my specialty
Feel free to email me if you run into problems ryan.manley@wiseforensics.com
Ryan Manley
Wise forensics LLC
If I mount an image read-only, then it only "shows existing files[,] not deleted ones"? Can you elucidate on this?
What you ask can be accomplished in 1 of 2 methods
A) carving with a custom app
B) writing a filesystem reader to find deleted files
U could mount the image read-only BUT it only then shows existing files not deleted ones.Pick your poison…I recommend carving as its less work wink and my specialty
Feel free to email me if you run into problems ryan.manley@wiseforensics.com
Ryan Manley
Wise forensics LLC
Hi. So what can i do so as to be able to get deleted data also since mounting it read only will show me existing file only!! Can anyone help me in any way in the programming part for creating the forensic tool i mention above for a memory card??
Files are written and organized on most memory cards using a
As such, larger capacity memory cards tend to use FAT32, exFAT (FAT64), or NTFS.
You may wish to research as to
There are several Open Source and free tools which allow viewing of
These tools are generally called
Thank you "jhup" for helping me. But the fact is that i don't have the right to use existed tools( disk editor ). i have to do the programming by myself -( that why am stuck.
You give up too easily.
By examining how other disk editors work, you may discover how to write software that would allow you to what you need.
What programming language are you planning to use?
-) , ya may be you are right. Java or visual basic or any which are more appropriate for doing the task. What do you advice me to use?
Assembly.
Research INT 13h.