Is it a full physical image???

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law

gorvq7222
Senior Member
 

Is it a full physical image???

Post Posted: Jul 04, 17 20:17

My friend asked me why she could not find some important files in a physical image acquired from an Android phone. Taking the evidence tree of an Android 6.0 physical image as an example, she's used to seeing /data/data in a physical image.

You guys could take a look at my blog as below to see what's going on.
www.cnblogs.com/pieces...19033.html  
 
  

UnallocatedClusters
Senior Member
 

Re: Is it a full physical image???

Post Posted: Jul 05, 17 00:14

What tool or device is the activity_log.txt from and where can it be found?

It appears that mmcblk0 has a hardware device protecting this memory block from being accessed??

What new or changed files and folders exist on the phone as a direct result of the Rooting process?

It is very interesting that, even after the phone has been rooted, data extraction tools cannot copy out all memory blocks.  
 
  

mcman
Senior Member
 

Re: Is it a full physical image???

Post Posted: Jul 05, 17 02:03

Are those screenshots from 2 different devices? Just trying to understand what I'm looking at here.

Looks like an acquisition done with Magnet ACQUIRE or AXIOM and your first screenshot (Android 6?) looks like it's showing the /data/data/ path normally as expected. The second screenshot is from a different device (Android 7?) and shows a different folder structure.

The log indicates that it can't access the mmcblk0 block, which is an info string, not an error, and should be expected since it's encrypted as you said, but it did find and access the dm-0 and dm-1 blocks correctly. This is normal for most newer Android phones running 6 or 7 that have full disk encryption turned on (which is on by default on most devices and cannot be turned off).

If you compare this to a computer hard drive running FDE, imaging the physical disk gives you an encrypted image of the physical disk which isn't very useful for analysis but if you look at the logical partitions and acquire those, you can get readable data without requiring decryption each time.

So in short, yes it's a physical image, an encrypted physical image that also includes the decrypted blocks of data that you can actually analyze and make use of. DM-0 contains the decrypted content whereas mmcblk0 is the encrypted data, in a nutshell.

Let me know some extra detail and I can see if I can help further.

Jamie McQuaid
Magnet Forensics  
 
  

mcman
Senior Member
 

Re: Is it a full physical image???

Post Posted: Jul 05, 17 02:05

- UnallocatedClusters


It is very interesting that, even after the phone has been rooted, data extraction tools cannot copy out all memory blocks.


That's the way she goes with FDE, unfortunately: rooting doesn't remove encryption at the hardware level; it only allows access to protected areas of a mounted disk.
 
  

UnallocatedClusters
Senior Member
 

Re: Is it a full physical image???

Post Posted: Jul 05, 17 04:00

Mcman, your explanation makes sense.

When I use MacQuisition to image a FileVault-encrypted MacBook hard drive, MacQuisition will display a "new" decrypted drive to image, in addition to the previously visible encrypted drive, only after the FileVault password has been entered into MacQuisition.
 
  

SamBrown
Senior Member
 

Re: Is it a full physical image???

Post Posted: Jul 05, 17 14:57

- mcman

So in short, yes it's a physical image, an encrypted physical image that also includes the decrypted blocks of data that you can actually analyze and make use of. DM-0 contains the decrypted content whereas mmcblk0 is the encrypted data, in a nutshell.

Jamie McQuaid
Magnet Forensics


Just to clarify - mmcblk0 is the entire storage area which contains all partitions, like the boot loader, recovery, system, data and cache. If the phone has encryption, it means that the data partition is encrypted. Therefore an image of mmcblk0 is pretty much useless. It is always great to get a full physical dump, but actually the data partition is usually sufficient because that's where all the user data is stored.

dm-0 is the name of the mounted and decrypted data partition on a live system. This is the partition which needs to be imaged on an encrypted phone. The phone needs to be up and running and you'll need to have root access to do this.

If the phone is already rooted, connect via adb to see a list of the partitions:

"adb shell cat /proc/partitions"

This should help you understand the problem better.  
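An added example, not posted by anyone in this thread: a small POSIX shell script that takes /proc/partitions output (as returned by the adb command above) and tells raw flash devices apart from dm-* device-mapper nodes, so an examiner can confirm that the decrypted userdata mapping is actually present before imaging. The sample /proc/partitions text is constructed, and the assumption that the largest dm-N node is the decrypted userdata view is the FDE case described in this thread.

```shell
#!/bin/sh
# Constructed sample in /proc/partitions format (1024-byte blocks); not
# captured from a real device. dm-0 is 16 blocks smaller than mmcblk0p31,
# mimicking the crypto footer an FDE userdata partition carries.
SAMPLE='major minor  #blocks  name

 179        0   30535680 mmcblk0
 179        1      65536 mmcblk0p1
 179        2       1024 mmcblk0p2
 179       30    2097152 mmcblk0p30
 179       31   28000000 mmcblk0p31
 254        0   27999984 dm-0
 254        1     524288 dm-1'

# Read /proc/partitions text on stdin and print "name blocks kind" per
# device. mmcblk0 is the whole encrypted flash; mmcblk0pN are its raw
# partitions; dm-N nodes are the decrypted views exposed on a running,
# unlocked phone. Anything else (e.g. UFS sdX devices) is reported as other.
classify_partitions() {
    awk 'NR > 1 && NF == 4 {
        name = $4; blocks = $3
        if (name ~ /^dm-[0-9]+$/)                kind = "dm-mapping"
        else if (name ~ /^mmcblk[0-9]+$/)        kind = "whole-flash"
        else if (name ~ /^mmcblk[0-9]+p[0-9]+$/) kind = "flash-partition"
        else                                     kind = "other"
        printf "%s %s %s\n", name, blocks, kind
    }'
}

# Number of dm-* nodes. Zero means no decrypted mapping is up (phone locked
# or not fully booted) and an image taken now would contain only ciphertext.
count_dm_mappings() {
    classify_partitions | awk '$3 == "dm-mapping" { n++ } END { print n + 0 }'
}

# Largest dm-* node; in the FDE scenario this is the decrypted userdata view,
# i.e. the device to image instead of mmcblk0 (assumption, see lead-in).
largest_dm_mapping() {
    classify_partitions | awk 'BEGIN { max = -1 }
        $3 == "dm-mapping" && $2 + 0 > max { max = $2 + 0; name = $1 }
        END { print name }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE" | classify_partitions
echo "dm mappings: $(printf '%s\n' "$SAMPLE" | count_dm_mappings)"
echo "image this:  $(printf '%s\n' "$SAMPLE" | largest_dm_mapping)"
```

On a rooted phone the same functions can be fed live with `adb shell cat /proc/partitions | classify_partitions`.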
 
  

mcman
Senior Member
 

Re: Is it a full physical image???

Post Posted: Jul 05, 17 17:48

SamBrown explained it much better than I did :)

Now one other thing to note: once you get the decrypted user partition, the paths may be different for Nougat. Instead of seeing /data/data/ you may get something like user_de/0/, which helps cover support for multiple users on a device.

On another side note, one of our trainers, Chris Vance, is doing a webinar on the changes in Nougat, including some of this stuff. If anyone is interested, it's next week:
www.magnetforensics.co...s-webinar/

Jamie  
 
