Hi guys,
I have been looking around in the forums but have not really found an answer.
I have got a whole AVD file including all files, which can also be started in the emulator. However, I have just started with Android forensics and haven't found any tool so far which is capable of mounting yaffs2 besides the loadable kernel module. Does anybody know another solution?
I found several things with text search which were within a sqlite3 database, but every time I exported or carved the databases they were corrupt.
Can someone give me a starting point for how to approach the analysis? I am really struggling at the moment.
Thanks in advance.
Although very fresh and tested on few yaffs2 phone dumps, you can use Cellebrite UFED PA 2.0 since it already includes a yaffs2 decoder.
Under the Plug-ins menu you can see "run plug-in" and you can locate yaffs2 there.
If you have a UFED PA 2.0 license, PM me and I will guide you on how to build a chain (you can check the Motorola iDen i1 chain as a reference) that will mount (inside PA 2.0) your yaffs2 dump.
Once it is mounted you can write your own plug-in to decode data out of your dump, or extract the entire file system onto your HDD and use other tools.
Ron
Hi Ron,
Thanks a lot for your quick reply. Unfortunately, I do not have Cellebrite UFED PA 2.0, as I am just a poor student working on this case by myself to gain practical experience.
But here is another question: I have started the Android copy in the emulator and found that as soon as I assign the sdcard.img file to the virtualised Android device, the appearance changes and different applications are not available. Has anybody come across this behaviour as well?
ahoog from here is your man when it comes to Android. He may be able to help.
http//