Android Binary in E...
 
Notifications
Clear all

Android Binary in EnCase v7

4 Posts
3 Users
0 Likes
707 Views
(@jwasley)
Posts: 30
Eminent Member
Topic starter
 

Hi all,

I've got a binary dump of a Samsung Galaxy S4 i'm trying to import into EnCase v7.12. (Via Add Evidence > Add Raw Image> Disk).

The import of the binary is successful, however, for whatever reason EnCase is only parsing part of the file structure, leaving out partitions such as /data, placing the remaining files contained in 'Hard Links' and 'Lost Files'.

I've never had an issue with it up until now. The dump i'm examining has been put through EnCase on several occasions without issue.

The acquisition was conducted using the Cellebrite UFED Touch.

Any ideas?

Cheers,

J

 
Posted : 23/06/2016 1:56 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Here is a dump of Samsung Galaxy S4. I did it with UFED.

May be, your phone has encrypted partitions.

 
Posted : 23/06/2016 2:18 pm
(@jwasley)
Posts: 30
Eminent Member
Topic starter
 

Hello Igor,

That's what I was expecting (and that's what is usually presented).

The device isn't encrypted. We've had many successful extractions of this device - without issue.

Cheers

J

 
Posted : 23/06/2016 4:57 pm
(@athulin)
Posts: 1156
Noble Member
 

The dump i'm examining has been put through EnCase on several occasions without issue.

Does 'dump' mean the actual image file? If so, we can't help you. If it has worked, and doesn't work anymore, either it has changed, or the environment you use to examine it has changed since it last worked. Any recent updates to EnCase, for example? Or … perhaps you are mistaken, and it didn't work

I would want to validate that the file system is correct, and that there are no inconsistencies. I have no respect for EnCase identifying such problems. No idea how to do that offline, but I believe fsck works on Android.

 
Posted : 23/06/2016 5:38 pm
Share: