Join Us!

Android Binary in E...
 
Notifications
Clear all

Android Binary in EnCase v7  

  RSS
JWasley
(@jwasley)
Junior Member

Hi all,

I've got a binary dump of a Samsung Galaxy S4 i'm trying to import into EnCase v7.12. (Via Add Evidence > Add Raw Image> Disk).

The import of the binary is successful, however, for whatever reason EnCase is only parsing part of the file structure, leaving out partitions such as /data, placing the remaining files contained in 'Hard Links' and 'Lost Files'.

I've never had an issue with it up until now. The dump i'm examining has been put through EnCase on several occasions without issue.

The acquisition was conducted using the Cellebrite UFED Touch.

Any ideas?

Cheers,

J

Quote
Posted : 23/06/2016 2:56 pm
Igor_Michailov
(@igor_michailov)
Senior Member

Here is a dump of Samsung Galaxy S4. I did it with UFED.

May be, your phone has encrypted partitions.

ReplyQuote
Posted : 23/06/2016 3:18 pm
JWasley
(@jwasley)
Junior Member

Hello Igor,

That's what I was expecting (and that's what is usually presented).

The device isn't encrypted. We've had many successful extractions of this device - without issue.

Cheers

J

ReplyQuote
Posted : 23/06/2016 5:57 pm
athulin
(@athulin)
Community Legend

The dump i'm examining has been put through EnCase on several occasions without issue.

Does 'dump' mean the actual image file? If so, we can't help you. If it has worked, and doesn't work anymore, either it has changed, or the environment you use to examine it has changed since it last worked. Any recent updates to EnCase, for example? Or … perhaps you are mistaken, and it didn't work

I would want to validate that the file system is correct, and that there are no inconsistencies. I have no respect for EnCase identifying such problems. No idea how to do that offline, but I believe fsck works on Android.

ReplyQuote
Posted : 23/06/2016 6:38 pm
Share: