Physical Acquisition of an Android Mobile Phone

General (Technical, Procedural, Software, Hardware etc.)

Last Post by forveux 11 years ago

2 Posts

2 Users

0 Reactions

883 Views

RSS

liguoroa

(@liguoroa)

Estimable Member

Joined: 16 years ago

Posts: 43

Topic starter 13/05/2014 2:14 pm

Dear All,
I'm new to mobile forensics and I'm trying some tecniques to get physical image of my android
mobile phone (Vodafone Smart Mini).
I performed the following steps
1) Enabled USB Debug
2) Connected the phone to an Ubuntu Desktop virtual machine where I have previously installed
adb (Android Debug Bridge)
3) Installed Framaroot-1.6.1.apk on the phone (to get root privilege on the mobile phone)
4) Restart the phone
5) Installed BusyBox_Pro_11.apk on the phone
6) Restart the phone
7) determine the physical partitions available using the commands
a) "cat /proc/mtd" to check yaffs2 file systems
(no yaffs2 partitions available on the phone)
b) mount to check the other partitions
the output of the command is below

rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
emmc@android /system ext4 ro,noatime,noauto_da_alloc,commit=1,data=ordered 0 0
emmc@custpack /custpack ext4 rw,relatime,noauto_da_alloc,commit=1,data=ordered 0 0
/dev/block/loop0 /mnt/cd-rom iso9660 ro,relatime 0 0
emmc@usrdata /data ext4 rw,nosuid,nodev,noatime,noauto_da_alloc,data=ordered 0 0
emmc@cache /cache ext4 rw,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
emmc@mobile_info /mobile_info ext4 rw,relatime,noauto_da_alloc,commit=1,data=ordered 0 0
/emmc@sec_ro /data/nvram/md/s ext4 ro,relatime,noauto_da_alloc,data=ordered 0 0
/dev/fuse /storage/sdcard0 fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0

8) I decided to acquire the partitions

/system
/custpack
/data
/cache
/mobile_info
/storage/sdcard0

9) Executed the acquisition of the partition listed above by using dd and netcat

Do you think that the procedure I followed is forensically correct?
Do you have any suggestion about it?

Best Regards,
Andrea Liguoro

Quote

forveux

(@forveux)

Eminent Member

Joined: 11 years ago

Posts: 20

23/05/2014 11:35 am

This one might be worth deleting as it is a duplicate )

ReplyQuote

8 Forums
15.7 K Topics
92.3 K Posts
230 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed