Android imaging  

afsfr
(@afsfr)
Junior Member

I try to use FTK Imager downloaded from AccessData, but it can't do a physical image for an Android phone; there is no menu item. So how can FTK get an Android image without rooting, or do we have to use EnCase?

Posted : 12/12/2019 5:34 am
gorvq7222
(@gorvq7222)
Active Member

Frankly speaking you could not count on FTK or EnCase to do physical extraction from a smartphone. If the phone is rooted, that would be easier. If not, you could take professional mobile forensic tools into consideration, such as Oxygen, XRY, Cellebrite 4PC…etc.

Posted : 25/12/2019 12:05 am
Igor_Michailov
(@igor_michailov)
Senior Member

Try to use Belkasoft Acquisition Tool (https://belkasoft.com/get).

Belkasoft Acquisition Tool is a good free tool for creating images from Android and iOS devices.

Posted : 25/12/2019 5:43 am
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Please refer to page 66 of the DEFT Linux manual https://paper.bobylive.com/System/EN-deft7.pdf

Imaging a rooted Android phone can be accomplished using the Android Debugging Bridge (ADB) by basically opening a Terminal Window and using a DD equivalent copy command to a locally installed SD card.

You are correct that it is generally impossible to have a rooted Android phone's internal memory storage be recognized as a logical or physical drive connected to a Windows PC and thus directly imageable by a tool like FTK Imager.

I was able to get a rooted Windows phone recognized by FTK Imager and was successfully able to create an E01 image file using FTK Imager I believe due to file formatting.

So basically Android memory storage file format is not FAT/ExFAT/NTFS format and thus cannot be seen by FTK Imager.

The differences in file formatting between Android OS and Windows OS are why one has to basically open a terminal window on the Android phone connected to the Windows PC over the Android Debugging Bridge to create a data dump DD image of the Android phone's internal memory to an appropriately formatted internal to the Android phone SD card.

Posted : 25/12/2019 10:48 pm
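
The dd-over-ADB procedure described in the post above, with a hash check added so the pulled copy can be shown to match what was written on the phone. This is an added example, not part of the original thread. The block device node, the SD card mount point and the presence of `su`, `dd` and `sha256sum` on the phone are assumptions that vary by device.

```shell
#!/usr/bin/env bash
# Added example: dd image of a rooted Android phone over ADB, verified by SHA-256.
# Assumptions (not from the thread): the defaults below are placeholders, and the
# phone provides su, dd and sha256sum (toybox or busybox).
BLOCK_DEV="${BLOCK_DEV:-/dev/block/mmcblk0}"  # placeholder: whole-disk node differs per device
SD_DIR="${SD_DIR:-/storage/XXXX-XXXX}"        # placeholder: mount point of the removable SD card

# Print the lowercase SHA-256 of a local file.
sha256_of() {
    sha256sum "$1" | awk '{print tolower($1)}'
}

# Run a command as root on the phone through ADB.
device_root() {
    adb shell "su -c '$*'"
}

# Image the block device to the SD card, then print the hash computed on the phone.
acquire_on_device() {
    device_root "dd if=$BLOCK_DEV of=$SD_DIR/$1 bs=4096" >&2 || return 1
    device_root "sha256sum $SD_DIR/$1" | awk '{print tolower($1)}'
}

# Compare a local copy against the hash taken on the phone.
# Returns 0 on match, 1 on mismatch, 2 if the local file is missing.
verify_image() {
    [ -f "$2" ] || return 2
    expected="$(printf '%s' "$1" | tr 'A-F' 'a-f')"
    actual="$(sha256_of "$2")"
    [ "$actual" = "$expected" ]
}

# Usage: ./acquire.sh acquire case001.dd
if [ "${1:-}" = "acquire" ]; then
    name="${2:?image name required}"
    device_hash="$(acquire_on_device "$name")" || exit 1
    adb pull "$SD_DIR/$name" "./$name" || exit 1
    if verify_image "$device_hash" "./$name"; then
        echo "OK  $name sha256=$device_hash"
    else
        echo "MISMATCH for $name (device hash $device_hash)" >&2
        exit 1
    fi
fi
```

Record the reported hash in the case notes alongside the device and partition details.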