
how to deal with .img ( android )

(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

Hello folks …
I have an image taken from an Android device that is running Android 4 … but it's .img!! When I try to open it in FTK I got this …

1- How can I read the file structure??
2- How can I know what the date of the last Android factory reset is??
3- Is there any way to convert this .img to work with VMware??

 
Posted : 09/10/2018 10:16 pm
(@athulin)
Posts: 1156
Noble Member
 

1- How can I read the file structure??

You need to identify it.

If you know the platform, you should not have any major problems in identifying known file systems, as well as any potential encryption layer that could be present. (That includes anything that the platform manufacturer, such as Samsung or Moto or …, has added on their own. For example, there was a recent thread on lack of support for f2fs fairly recently.)

And of course, you're almost certainly looking for a file system that is *not* supported by the version of FTK that you are using.

The hardware might perhaps affect the issue: some file systems do not have an endian-independent on-disc format. Have no idea if that actually happens, as I'm not much into mobile platforms.

So … one of the flash file systems (exFAT, F2FS, JFFS2 and perhaps even YAFFS2, as you haven't stated the brand of the device), or possibly an other-endian 'standard' file system.

If you need tools for this, file(1) can often be useful, but I would not consider it authoritative. I like disktype as it does cover a surprising number of file systems, but it too should be regarded as 'best effort' only.

Encryption … should not be a major problem to identify, though it may prevent you from getting at the file system.

I'll leave the two other questions to the experts. Please tell them what hardware platform your device runs on (ARM? x86?) for your VMWare question.

 
Posted : 10/10/2018 2:46 pm
(@arcaine2)
Posts: 235
Estimable Member
 

This is probably a dump from some older device that didn't use GPT. Try scanning it with data recovery tools for "lost" partitions. Tools like TestDisk should be enough; R-Studio or DMDE are also good for such stuff.

 
Posted : 10/10/2018 9:21 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

qassam22222,

Your image file could be encrypted possibly.

To add to earlier comments, assuming your IMG file is not encrypted, you can

1) Mount the IMG file using FTK Imager

2) Use TestDisk (https://www.cgsecurity.org/wiki/TestDisk_Download) to access the Android partitions and then "save folders and files" to your local computer from the user partition for further forensic analysis.

Also, you might try Autopsy (https://www.sleuthkit.org/autopsy/download.php) which is a free to use program that processes Android data. If Autopsy cannot process your IMG file it might be another clue that your IMG file contents are encrypted.

What program was used to create your IMG file in the first place?

 
Posted : 11/10/2018 6:23 pm
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

It's not encrypted, my brothers …
It's taken from a Huawei phone (MTK processor), Android 4 … the image was taken by MOBILedit … I can read the data like contacts and missed calls … etc. via MOBILedit …

But I need to mount it to extract some details from there …
Anyway, I will check tomorrow when I go to the office and let you know …

 
Posted : 13/10/2018 4:32 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

fdisk -l yourimage.img

It will tell you all )

 
Posted : 13/10/2018 7:13 pm
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

fdisk -l yourimage.img

It will tell you all )

I already did that before writing here … it gives me

Disk MTK (2018-10-09 21h38m02s).img 3.7 GiB, 3909091328 bytes, 7634944 sectors
Units sectors of 1 * 512 = 512 bytes
Sector size (logical/physical) 512 bytes / 512 bytes
I/O size (minimum/optimal) 512 bytes / 512 bytes

 
Posted : 14/10/2018 5:44 am
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

When I try to read the image with a hex editor

 
Posted : 14/10/2018 6:15 am
(@arcaine2)
Posts: 235
Estimable Member
 

Again, scan it with some data recovery tool for "lost" partitions. R-Studio handles stuff like this quite well. TestDisk should be able as well for free. You can then directly copy data from such a partition or "export" it to a file that FTK will be able to open as well.

 
Posted : 14/10/2018 11:42 am
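
What a scan for "lost" partitions does on a dump where fdisk finds no partition table, as an added example that is not part of any post in this thread: the Python below checks every sector for the start of an ext2/3/4, F2FS or exFAT file system. The function names and the sample image are constructed for illustration; YAFFS2 and JFFS2 are not covered.

```python
import io
import struct

SECTOR = 512
F2FS_MAGIC = struct.pack("<I", 0xF2F52010)   # first field of the F2FS superblock
EXT_MAGIC = struct.pack("<H", 0xEF53)        # s_magic of ext2/3/4

def identify(head):
    """Return (fs_name, size_in_bytes_or_None) if head looks like a file system start."""
    if head[1024:1028] == F2FS_MAGIC:                     # superblock sits at +1024
        return ("F2FS", None)
    if head[3:11] == b"EXFAT   " and head[510:512] == b"\x55\xaa":
        return ("exFAT", None)
    if head[1080:1082] == EXT_MAGIC:                      # superblock at +1024, magic at +56
        inodes, blocks = struct.unpack_from("<II", head, 1024)
        (log_bs,) = struct.unpack_from("<I", head, 1024 + 24)
        (group,) = struct.unpack_from("<H", head, 1024 + 90)
        # A 2-byte magic is weak, so sanity-check neighbouring fields.
        # group == 0 keeps the primary superblock and drops backup copies.
        if inodes and blocks and log_bs <= 6 and group == 0:
            # blocks is the low 32 bits of the block count (enough for small images)
            return ("ext2/3/4", blocks * (1024 << log_bs))
    return None

def scan_image(f, step=SECTOR):
    """Scan a seekable binary stream at sector boundaries; return [(offset, name, size)]."""
    hits, offset = [], 0
    while True:
        f.seek(offset)
        head = f.read(2048)
        if len(head) < 2048:          # ran off the end of the image
            return hits
        found = identify(head)
        if found:
            hits.append((offset, *found))
        offset += step

def build_sample():
    """Constructed 32 KiB image: ext superblock at sector 8, F2FS magic at sector 40."""
    img = bytearray(64 * SECTOR)
    struct.pack_into("<II", img, 8 * SECTOR + 1024, 128, 1024)   # inodes, blocks
    struct.pack_into("<I", img, 8 * SECTOR + 1024 + 24, 2)       # 4 KiB blocks
    img[8 * SECTOR + 1080:8 * SECTOR + 1082] = EXT_MAGIC
    img[40 * SECTOR + 1024:40 * SECTOR + 1028] = F2FS_MAGIC
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    for offset, name, size in scan_image(build_sample()):
        print(f"sector {offset // SECTOR:>8}  {name:<9} size={size}")
```

For a real dump, pass `open(path, "rb")` to `scan_image` instead of the sample; a reported byte offset is where a read-only loop mount or a carve of that partition would start.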
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

Again, scan it with some data recovery tool for "lost" partitions. R-Studio handles stuff like this quite well. TestDisk should be able as well for free. You can then directly copy data from such a partition or "export" it to a file that FTK will be able to open as well.

Okay, I will try it … and let you know

 
Posted : 14/10/2018 3:30 pm