±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 34837
New Yesterday: 0 Visitors: 120

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

how to deal with .img ( android )

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2  Next 
  

how to deal with .img ( android )

Post Posted: Tue Oct 09, 2018 4:16 pm

hello folk ....
i have an image taken from android device that running android 4 ... but it's .img !! when i try to open it in ftk i got this ...


1- how i can read the file structure ??
2- how i can know what is th date of last android factory reset ??
3- is there anyway to conert this .img to work with vmware ??  

qassam22222
Senior Member
 
 
  

Re: how to deal with .img ( android )

Post Posted: Wed Oct 10, 2018 8:46 am

- qassam22222
1- how i can read the file structure ??


You need to identify it.

If you know the platform, you should not have any major problems in identifying known file systems, as well as any potential encryption layer that could be present. (That includes anything that the platform manufacturer, such as Samsung or Moto or ..., have added on their own. For example, there was a recent thread on lack of support for f2fs fairly recently.)

And of course, you're almost certainly looking for a file system that is *not* supported by the version of FTK that you are using.

The hardware might perhaps affect the issue: some file systems do not have a endian-independent on-disc format. Have no idea if that actually happens, as I'm not much into mobile platforms.

So ... one of the flash file systems (exFAT, F2FS, JFFS2 and perhaps even YAFFS2, as you haven't stated the brand of the device), or possibly an other-endian 'standard' file system.

If you need tools for this, file(1) can often be useful, but I would not consider it authoritative. I like disktype as it does cover a surprising number of file systems, but it too should be regarded as 'best effort' only.

Encryption ... should not be a major problem to identify, though it may prevent you from getting at the file system.

I'll leave the two other questions to the experts. Please tell them what hardware platform your device runs on (ARM? x86?) for your VMWare question.  

athulin
Senior Member
 
 
  

Re: how to deal with .img ( android )

Post Posted: Wed Oct 10, 2018 3:21 pm

This is probably dump from some older device that didn't use GPT. Try scanning it with data recovery tools for "lost" partitions. Tools like testdisk should be enough, r-studio od dmde are also good for such stuff.  

arcaine2
Senior Member
 
 
  

Re: how to deal with .img ( android )

Post Posted: Thu Oct 11, 2018 12:23 pm

qassam22222,

Your image file could be encrypted possibly.

To add to earlier comments, assuming your IMG file is not encrypted, you can:

1) Mount the IMG file using FTK Imager

2) Use TestDisk (https://www.cgsecurity.org/wiki/TestDisk_Download) to access the Android partitions and then "save folders and files" to your local computer from the user partition for further forensic analysis.

Also, you might try Autopsy (https://www.sleuthkit.org/autopsy/download.php) which is a free to use program that processes Android data. If Autopsy cannot process your IMG file it might be another clue that your IMG file contents are encrypted.

What program was used to create your IMG file in the first place?  

UnallocatedClusters
Senior Member
 
 
  

Re: how to deal with .img ( android )

Post Posted: Sat Oct 13, 2018 10:32 am

its not encrypted my brothers ...
its taken from huwawi phone ( MTK Processor ) android 4 .... the image taken by mobiledit ... i can read the data like contacts and missed calles and ... etc via mobiledit ...

but i need to mount it to extract some details from there ...
anyway i will check tomorrow when i go to office and let u know ...  

qassam22222
Senior Member
 
 
  

Re: how to deal with .img ( android )

Post Posted: Sat Oct 13, 2018 1:13 pm

fdisk -l yourimage.img

It will tell you all Smile
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 

passcodeunlock
Senior Member
 
 
  

Re: how to deal with .img ( android )

Post Posted: Sat Oct 13, 2018 11:44 pm

- passcodeunlock
fdisk -l yourimage.img

It will tell you all Smile


i already did that before writing here ... it gives me :
Disk MTK (2018-10-09 21h38m02s).img: 3.7 GiB, 3909091328 bytes, 7634944 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
 

qassam22222
Senior Member
 
 

Page 1 of 2
Go to page 1, 2  Next