Android Binary in EnCase v7


JWasley
Member
 

Android Binary in EnCase v7

Post Posted: Jun 23, 16 13:56

Hi all,

I've got a binary dump of a Samsung Galaxy S4 I'm trying to import into EnCase v7.12. (Via Add Evidence > Add Raw Image > Disk).

The import of the binary is successful, however, for whatever reason EnCase is only parsing part of the file structure, leaving out partitions such as /data, placing the remaining files contained in 'Hard Links' and 'Lost Files'.

I've never had an issue with it up until now. The dump I'm examining has been put through EnCase on several occasions without issue.

The acquisition was conducted using the Cellebrite UFED Touch.

Any ideas?

Cheers,

J  
 
  

Igor_Michailov
Senior Member
 

Re: Android Binary in EnCase v7

Post Posted: Jun 23, 16 14:18

Here is a dump of Samsung Galaxy S4. I did it with UFED.




Maybe your phone has encrypted partitions.
_________________
Computer, Cell Phone & Chip-Off Forensics

linkedin.com/in/igormikhaylovcf 
 
  

JWasley
Member
 

Re: Android Binary in EnCase v7

Post Posted: Jun 23, 16 16:57

Hello Igor,

That's what I was expecting (and that's what is usually presented).

The device isn't encrypted. We've had many successful extractions of this device - without issue.

Cheers

J  
 
  

athulin
Senior Member
 

Re: Android Binary in EnCase v7

Post Posted: Jun 23, 16 17:38

- JWasley
The dump I'm examining has been put through EnCase on several occasions without issue.


Does 'dump' mean the actual image file? If so, we can't help you. If it has worked, and doesn't work anymore, either it has changed, or the environment you use to examine it has changed since it last worked. Any recent updates to EnCase, for example? Or ... perhaps you are mistaken, and it didn't work.

I would want to validate that the file system is correct, and that there are no inconsistencies. I have no respect for EnCase identifying such problems. No idea how to do that offline, but I believe fsck works on Android.  
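
One way to run an offline consistency check of the kind suggested in the last reply, as an added example that is not part of the original thread. It assumes the raw dump carries a GPT with 512-byte sectors and ext-family file systems (the thread does not state the layout), and it is a quick triage, not a replacement for fsck. `check_image` and `build_sample` are hypothetical names, and the sample image is constructed.

```python
import io
import struct

SECTOR = 512  # assumption: 512-byte logical sectors in the raw dump

def check_image(f, size):
    """Return (name, first_lba, last_lba, status) for each used GPT entry."""
    f.seek(SECTOR)                                   # GPT header lives at LBA 1
    hdr = f.read(92)
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, count, entry_size = struct.unpack_from("<QII", hdr, 72)
    findings = []
    for i in range(min(count, 128)):                 # cap guards a corrupt header
        f.seek(entries_lba * SECTOR + i * entry_size)
        entry = f.read(entry_size)
        if len(entry) < 128 or entry[:16] == bytes(16):
            continue                                 # unused slot
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le", "replace").split("\x00")[0]
        if (last + 1) * SECTOR > size:
            status = "extends past end of image (truncated dump?)"
        else:
            f.seek(first * SECTOR + 1024)            # ext superblock offset
            sb = f.read(60)
            magic, state = struct.unpack_from("<HH", sb, 56) if len(sb) == 60 else (0, 0)
            if magic != 0xEF53:
                status = "no ext2/3/4 superblock"
            elif state & 0x0002:
                status = "ext2/3/4, error flag set"
            elif not state & 0x0001:
                status = "ext2/3/4, not cleanly unmounted"
            else:
                status = "ext2/3/4, clean"
        findings.append((name, first, last, status))
    return findings

def build_sample():
    """Constructed 64-sector image: 'system' is intact, 'userdata' is cut off."""
    img = bytearray(64 * SECTOR)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 2, 128)   # entries at LBA 2
    for i, (name, first, last) in enumerate([("system", 40, 47), ("userdata", 48, 4000)]):
        off = 2 * SECTOR + i * 128
        img[off:off + 16] = b"\x01" * 16                     # dummy type GUID
        struct.pack_into("<QQ", img, off + 32, first, last)
        raw = name.encode("utf-16-le")
        img[off + 56:off + 56 + len(raw)] = raw
    struct.pack_into("<HH", img, 40 * SECTOR + 1024 + 56, 0xEF53, 0x0001)
    return io.BytesIO(bytes(img)), len(img)
```

For a real dump, open the file in binary mode and pass `os.path.getsize(path)` as `size`; run it against a working copy, not the original evidence file.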
 
