Physical Extraction Format

(@dra52091)
Posts: 5
Active Member
Topic starter
 

Hello all,
I am very new to Mobile Forensics so forgive me for any mistakes. I am looking to gain some insight from those of you with experience. I am currently developing an exercise in mobile forensics for my company. The exercise will consist of a physical extraction being done on an iPhone 4 (which is populated with common user activity). We have not selected a software suite to perform the physical extraction yet. I would like to know what is the common format that the physical extraction is saved as? .dd, .raw, .img, etc.? My aim is to find a format that will be accepted by most, if not all, of the leading mobile forensic software (Cellebrite, XRY, Device Seizure, etc.). Any input is much appreciated.
Thanks,
Dan

 
Posted : 22/02/2014 12:08 am
(@dcs1094)
Posts: 146
Estimable Member
 

iOS devices use the HFS+ case-sensitive file system. Therefore, when extracting a physical image from an iPhone 4 or below, the data must be stored within an HFS+ case-sensitive image file, such as a .DMG file. This is common with Cellebrite etc.

 
Posted : 22/02/2014 7:26 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

iOS devices use the HFS+ case-sensitive file system. Therefore, when extracting a physical image from an iPhone 4 or below, the data must be stored within an HFS+ case-sensitive image file, such as a .DMG file. This is common with Cellebrite etc.

I would have thought that case-sensitivity of names in a file system depends on the file system, and RAW and .dd (which are the same, as well as, normally, .img) are pretty much file system independent (being RAW formats).

jaclaz

 
Posted : 22/02/2014 7:48 pm
(@dcs1094)
Posts: 146
Estimable Member
 

Yes, agreed, it does. So to expand, there are a lot of RAW image file extensions that are used by the majority, the most common being .img, .dd, .dmg etc. (.dmg being the same as a raw .dd file).

Edit: meant to say extensions, not format; there is only one format.

 
Posted : 22/02/2014 10:45 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

So to further belabor this, there is really only one RAW file format. The file extensions used are of no relevance to the content encoding, or lack thereof.

Yes, agreed, it does. So to expand, there are a lot of RAW image file formats that are used by the majority, the most common being .img, .dd, .dmg etc. (.dmg being the same as a raw .dd file).

 
Posted : 23/02/2014 10:05 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

So to further belabor this, there is really only one RAW file format. The file extensions used are of no relevance to the content encoding, or lack thereof.

Yep, and to be really picky (as I am), the concept of "file format" implies that some parts of the contents have a "special" meaning, like (examples) a file header, a file tail, a signature at a given offset, a prepended or appended "descriptive" sector, etc., etc.

I would say that the secret file format of RAW files is (pssst, please come closer) that there is no file format at all.
http://www.imdb.com/title/tt0441773/quotes?item=qt0448742
Just plain old byte soup.

jaclaz

 
Posted : 23/02/2014 8:14 pm
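The point made in the last few posts (a RAW image has no header or trailer of its own; only the structures it holds, at fixed offsets, tell a tool what it is; and a file extension proves nothing) can be shown by classifying an image purely from its bytes. The script below is an added example, not code from any poster or from Cellebrite, XRY or any other product. It recognises two common container wrappers (an EWF/E01 segment header at offset 0 and the UDIF "koly" trailer that a wrapped .dmg carries in its last 512 bytes), an MBR or protective-MBR/GPT partition table, and HFS+ ("H+") or case-sensitive HFSX ("HX") volume headers at offset 1024 of a volume. A .dmg written as a plain byte-for-byte copy has no trailer and classifies exactly like a .dd, which is the sense in which the two are "the same". The sample images are constructed inline; GPT partition entries are deliberately not parsed here.

```python
import struct

# Signatures checked below. Container magics sit at fixed offsets in the
# file; file-system magics sit at fixed offsets inside the volume, so a raw
# image is recognised by the structures it holds, not by its name.
EWF_MAGIC = b"EVF\x09\x0d\x0a\xff\x00"  # Expert Witness (E01) segment header
UDIF_TRAILER_MAGIC = b"koly"            # UDIF .dmg: 512-byte trailer at end of file
GPT_SIGNATURE = b"EFI PART"             # GPT header at LBA 1
SECTOR = 512


def probe_volume(data: bytes, offset: int):
    """Look for an HFS+/HFSX volume header 1024 bytes into the volume at 'offset'."""
    sig = data[offset + 1024:offset + 1026]
    if sig == b"H+":
        return "hfsplus"
    if sig == b"HX":
        return "hfsx"  # HFSX is the case-sensitive variant
    return None


def classify_image(data: bytes) -> dict:
    """Describe an image by its content alone: container wrapper (if any),
    partition table (if any) and any HFS+/HFSX volumes found."""
    result = {"container": "raw", "partition_table": None, "volumes": []}

    if data.startswith(EWF_MAGIC):
        result["container"] = "ewf"
        return result
    if len(data) >= SECTOR and data[-SECTOR:-SECTOR + 4] == UDIF_TRAILER_MAGIC:
        result["container"] = "udif-dmg"  # wrapped .dmg, not a byte-for-byte copy
        return result

    if len(data) >= SECTOR and data[510:512] == b"\x55\xaa":
        result["partition_table"] = "mbr"
        if data[SECTOR:SECTOR + 8] == GPT_SIGNATURE:
            result["partition_table"] = "gpt"  # protective MBR; GPT entries not parsed here
        for i in range(4):
            entry = data[446 + 16 * i:462 + 16 * i]
            ptype = entry[4]
            start_lba, n_sectors = struct.unpack_from("<II", entry, 8)
            if ptype == 0 or n_sectors == 0:
                continue
            result["volumes"].append({
                "type": ptype,
                "start_lba": start_lba,
                "sectors": n_sectors,
                "fs": probe_volume(data, start_lba * SECTOR),
            })
    else:
        # No partition table: the image may be a single volume (partition-only dump)
        fs = probe_volume(data, 0)
        if fs:
            result["volumes"].append({"type": None, "start_lba": 0,
                                      "sectors": len(data) // SECTOR, "fs": fs})
    return result


def build_sample_raw_image() -> bytes:
    """Constructed sample (not from a real device): MBR with one type-0xAF
    partition at LBA 8 whose volume header says HFSX."""
    image = bytearray(64 * SECTOR)
    entry = bytes([0x00, 0, 0, 0, 0xAF, 0, 0, 0]) + struct.pack("<II", 8, 32)
    image[446:462] = entry
    image[510:512] = b"\x55\xaa"
    vol = 8 * SECTOR
    image[vol + 1024:vol + 1026] = b"HX"
    image[vol + 1026:vol + 1028] = struct.pack(">H", 5)  # HFSX version field
    return bytes(image)


def build_sample_udif_dmg() -> bytes:
    """Constructed sample: arbitrary body followed by a UDIF trailer."""
    return bytes(8 * SECTOR) + UDIF_TRAILER_MAGIC + bytes(SECTOR - 4)


def build_sample_volume_only() -> bytes:
    """Constructed sample: a bare HFS+ volume with no partition table."""
    vol = bytearray(8 * SECTOR)
    vol[1024:1026] = b"H+"
    return bytes(vol)


if __name__ == "__main__":
    # The names are irrelevant; only the bytes decide the classification.
    for name, img in (("disk.dd", build_sample_raw_image()),
                      ("disk.dmg", build_sample_udif_dmg()),
                      ("partition.img", build_sample_volume_only())):
        print(name, classify_image(img))
```

Run it and the "disk.dmg" sample is reported as a UDIF container while the other two come back as raw, one with an MBR and an HFSX partition at LBA 8, the other as a bare HFS+ volume. Renaming any of the three changes nothing, which is the practical meaning of "there is no file format at all".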
(@zergling)
Posts: 38
Eminent Member
 

The problem with these "physical" images is that most of the time they're not as physical as you might think. So depending on the way you dumped the memory, you'll get different types of "physical" images.

As mentioned before, the extracted data is not of a specific file type. It's more the result of multi-layer access to a storage device. For example it could be

- an active partition - partition data only
- partition with Spare areas
- memory data after error correction with OOB (multiple partitions, inactive etc.)
- raw flash data: for this you'll probably need to emulate a flash/NAND driver first (like an MTD device and a translation layer)

Just keep in mind that flash memory behaves differently from a typical HDD, where you can mount a "byte-by-byte" copy. Without proper information about the data structures/translations and error correction used, the real "raw" data is almost unreadable.

Software like UFED or XRY (most likely) won't be able to decode a raw flash image. However, it will work with active partitions and might be able to handle (or even need) the OOB/spare areas, no matter what file extension you set for the image.

It will, on startup, simply look for specific offsets to identify the file system and partitions, as long as every offset is where it belongs.

 
Posted : 24/02/2014 7:18 pm
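The "partition with spare areas" case above is worth seeing concretely: a dump taken page by page with the spare (OOB) bytes still attached is not a byte-for-byte copy of the volume, so every structure sits at a shifted offset and a tool probing "where the file system belongs" finds nothing. The script below is an added example, not from the poster or any forensic product. It constructs a small logical image with an HFS+ header signature at offset 1024, simulates a small-page NAND dump (512 data bytes followed by a 16-byte erased spare area per page), shows the signature has moved, strips the spare areas, and guesses the page/spare geometry by trying a short list of candidates until the signature lands where it should. The candidate list and the 0xFF spare contents are assumptions for the example; no ECC is modelled, which is exactly the part a real raw flash dump would still need.

```python
# Candidate (page, spare) geometries tried when the dump's layout is unknown.
# Constructed list for this example; a real device needs the datasheet or a
# known-good reference offset.
CANDIDATE_LAYOUTS = [(512, 16), (2048, 64), (4096, 128), (4096, 224)]
HFS_SIGNATURES = (b"H+", b"HX")  # HFS+/HFSX volume header, 1024 bytes into the volume


def strip_oob(dump: bytes, page: int, oob: int) -> bytes:
    """Drop the spare (OOB) bytes that follow every page, giving the logical image.
    No ECC is applied: a real dump needs the controller's ECC scheme first."""
    stride = page + oob
    if len(dump) % stride:
        raise ValueError(f"dump length {len(dump)} is not a multiple of {stride}")
    return b"".join(dump[i:i + page] for i in range(0, len(dump), stride))


def guess_layout(dump: bytes, candidates=CANDIDATE_LAYOUTS):
    """Return the (page, oob) pair under which a known signature lands at its
    expected offset, or None if no candidate fits."""
    for page, oob in candidates:
        if len(dump) % (page + oob):
            continue  # geometry cannot tile the dump; skip it
        logical = strip_oob(dump, page, oob)
        if logical[1024:1026] in HFS_SIGNATURES:
            return page, oob
    return None


def build_sample_dump(page=512, oob=16, pages=16):
    """Constructed sample: a logical image with an HFS+ header signature at
    offset 1024, dumped page by page with an erased (0xFF) spare area after
    each page. Returns (logical, dump)."""
    logical = bytearray(page * pages)
    logical[1024:1026] = b"H+"
    logical[1026:1028] = (4).to_bytes(2, "big")  # HFS+ version field
    dump = bytearray()
    for i in range(pages):
        dump += logical[i * page:(i + 1) * page]
        dump += bytes([0xFF]) * oob  # spare area as left by an erased block
    return bytes(logical), bytes(dump)


def find_signature(data: bytes, sig: bytes = b"H+") -> int:
    """Offset of the first occurrence of 'sig', or -1 if absent."""
    return data.find(sig)


if __name__ == "__main__":
    logical, dump = build_sample_dump()
    print("signature in raw dump at", find_signature(dump))  # shifted by the spare bytes
    layout = guess_layout(dump)
    print("guessed layout (page, oob):", layout)
    print("signature after strip at", find_signature(strip_oob(dump, *layout)))
```

In the raw dump the signature sits at 1056 (two pages in, plus two 16-byte spare areas), so a probe at 1024 misses; after stripping with the right geometry it is back at 1024 and the image is the plain "byte soup" the earlier posts describe. Note that (2048, 64) and (4096, 128) also tile this dump's length, so divisibility alone does not identify the layout; the signature check is what rejects them.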