I have collected /data of an Android device as a raw image using the dd utility onto Ubuntu. I would like to view the file and directory structure using the raw image. For example, if we look at the file system level, we have /data/data/<application folders> etc.
Is it possible to view this structure using the collected raw image?
If yes, how can I do it?
I did Google it, but with no success.
Many thanks
Most forensic analysis programs and many data recovery programs will process DD image files. Maybe look at ones that concentrate on mobile devices/phones.
Thank you :)
But I would like to know the basics of doing so, if there are any Unix commands or a way of processing dd.
The FTK Imager tool mounts a raw image and shows the file and directory structures. I need guidance on how the tool does it. I would like to write my own piece of code to do this as academic work. Any open source scripts which I can use for this purpose are also welcome :)
Many thanks
Every file system is different, from a simple DOS V1.0 FAT12 up to file systems such as NTFS, HFS+, XFS and many Unix variations. I have not dealt much with mobile devices, but they have their own issues.
DD is just a sector by sector copy. It is a very good starting point, but from there on it is a long hard slog (I've been doing it for over 30 years).
Start looking with a good hex editor, e.g. WinHex, think in hex and sectors, and probably read Brian Carrier's book.
For analysis I think you need a programming environment that will handle raw data structures, bits of bytes. I use C/C++ and have no intention of changing.
Thank you for the answer and guidance. I would like to bring the following to your attention in order to get advice based on your experience.
My initial intention is this.
1. I have collected a dd image of the userdata of an Android phone.
2. Extract the file and directory structure.
This is the basis for my previous question: once I extract the file and directory structure, I have direct and easy access to files and folders inside /data (application data like database files).
3. Analyse SQLite db files taken from step 2 (for example contacts and SMS).
If I use hex then I am unable to take out db/other files at the application level. I can carve SQLite files, but they can be corrupted and I cannot get an idea of which application they belong to. My tool will carve files, but the tool cannot understand or classify them and therefore cannot properly present the data.
Hope my question is clear, and expecting your advice on the topic.
Again, this is academic work.
I have got ext4 data.img and system.img from an Android device. I mounted data.img read-only on a folder called data/ and I can see directories inside /data/. But some directories, such as com.android.mms, I am unable to open, list or cp. Their owner is shown as some other unknown user.
Will changing the owner change file system metadata and lead to a hash mismatch?
I want to use the .db files inside the database folder.
Thank you
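
As an added example (not part of any post in this thread, and not how FTK Imager is actually implemented): the first step a tool takes to show the directory tree of an ext4 dd image is to decode the superblock, which sits 1024 bytes into the partition and gives the block size and group layout that every later lookup depends on. The function names and the sample image below are constructed for illustration; the field offsets are those of the on-disk ext2/3/4 superblock.

```python
import struct

SB_OFFSET = 1024            # superblock starts 1024 bytes into an ext2/3/4 volume
EXT_MAGIC = 0xEF53          # s_magic, at offset 0x38 inside the superblock
COMPAT_HAS_JOURNAL = 0x0004
INCOMPAT_RECOVER = 0x0004   # journal holds transactions that were never replayed
INCOMPAT_EXTENTS = 0x0040   # files are mapped with extent trees (ext4)


def parse_ext_superblock(image: bytes) -> dict:
    """Decode the main superblock fields of a raw partition image (little-endian)."""
    sb = image[SB_OFFSET:SB_OFFSET + 1024]
    if len(sb) < 0x88:
        raise ValueError("image too short to hold a superblock")
    (magic,) = struct.unpack_from("<H", sb, 0x38)
    if magic != EXT_MAGIC:
        raise ValueError(f"not ext2/3/4: magic is {magic:#06x}")
    inodes, blocks = struct.unpack_from("<II", sb, 0x00)   # low 32 bits of block count
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 0x14)
    blocks_per_group, _, inodes_per_group = struct.unpack_from("<III", sb, 0x20)
    compat, incompat = struct.unpack_from("<II", sb, 0x5C)
    if blocks_per_group == 0:
        raise ValueError("corrupt superblock: blocks_per_group is 0")
    return {
        "block_size": 1024 << log_block_size,
        "inode_count": inodes,
        "block_count": blocks,
        "group_count": -(-(blocks - first_data_block) // blocks_per_group),
        "inodes_per_group": inodes_per_group,
        "volume_name": sb[0x78:0x88].split(b"\0", 1)[0].decode("ascii", "replace"),
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        "uses_extents": bool(incompat & INCOMPAT_EXTENTS),
        "needs_recovery": bool(incompat & INCOMPAT_RECOVER),
    }


def build_sample_image() -> bytes:
    """Constructed sample: a 4 KiB buffer with only these superblock fields set."""
    img = bytearray(4096)
    struct.pack_into("<II", img, SB_OFFSET + 0x00, 8192, 32768)
    struct.pack_into("<II", img, SB_OFFSET + 0x14, 0, 2)        # 1024 << 2 = 4096
    struct.pack_into("<III", img, SB_OFFSET + 0x20, 32768, 32768, 8192)
    struct.pack_into("<H", img, SB_OFFSET + 0x38, EXT_MAGIC)
    struct.pack_into("<II", img, SB_OFFSET + 0x5C, COMPAT_HAS_JOURNAL,
                     INCOMPAT_EXTENTS | INCOMPAT_RECOVER)
    img[SB_OFFSET + 0x78:SB_OFFSET + 0x80] = b"userdata"
    return bytes(img)
```

On a real image such as data.img, the first 2048 bytes of the file are enough input for `parse_ext_superblock`; reading the file this way does not modify it, so the image hash is unaffected.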