vasupga.blogg.se

Oxygen forensics 20154






Android forensics is different from regular disk forensics for various reasons. Android supports various file systems which are specific to it. We may look for the following data on Android devices: SMS, MMS, emails, call logs, contacts, photos, calendars, notes, browser history, GPS locations, passwords, data stored on SD cards, etc. It is important to understand file systems, directory structures, and how and where the data is stored on the devices before getting into actual forensics.

Android directory structure

Android has a directory structure specific to it. We can look at the directory structure of the device using “adb shell”. It is also possible to see the directory structure of the device using DDMS. The following figure shows the file system of my device “Sony Xperia E” using “adb shell”.

The above figure shows many files and folders on the current device. The most important locations for a forensic analyst are /system, /data, /sdcard, /ext_card.

/system: It contains operating system-specific data. As we can see in the above figure, this directory contains various subdirectories to hold information about the system apps, fonts, libraries, executables, etc.

/data: It contains user-specific data such as data stored by an SMS application. We can see the executable files of each application installed in the “/data/app” directory. This requires root privileges, which means a user without a rooted device cannot see the contents of this directory. The following figure shows how each installed application’s binary can be seen on the device (the output is truncated). User data resides in the “/data/data//” directory. Due to security reasons, data in each directory cannot be accessed by other applications.

/sdcard and /ext_card: In this specific case, we got sdcard for internal storage and ext_card for external storage. Usually, sdcard is given for external storage. These are used to store user data such as images, music files, videos, etc.

Having basic knowledge of Android file systems is always good before diving into Android forensics. This is because Android has support for various file systems. The main partition of the Android file system is often partitioned as YAFFS2 (Yet Another Flash File System). YAFFS2 is specifically designed for embedded systems such as smartphones. It provides greater efficiency and performance.

To see the listing of supported file systems, we can use the following command on “adb shell”.

As we can see in the above figure, we got a list of file systems supported by the device. The “nodev” entry next to the file system indicates that there is no physical device associated with that particular file system. Android supports ext2, ext3, and ext4 file systems (used by Linux systems) and the vfat file system used by Windows-based systems. Because it is targeted at mobile devices and has to support the NAND chips used in them, Android also supports the YAFFS and YAFFS2 file systems.

Android’s file system is divided into different partitions. In order to see the different partitions that are mounted on an Android device, we can get a shell on the device and execute the following command: “mount”. This is shown in the following figure.

As we can see in the above figure, there are various partitions mounted on the device. If we observe the above figure, there are a few important file system partitions such as /system, /cache, /data using ext4 as their file system type rather than YAFFS. This is because, starting from Gingerbread, Android has replaced the YAFFS file system with ext4.

Data acquisition methods

Data acquisition is the process of extracting data from the evidence. As we discussed earlier, data acquisition on mobile devices is not as simple as standard hard drive forensic acquisition. These data acquisition techniques are broadly divided into the following types. The examiner utilizes the user interface of the mobile device to investigate the content.
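The two listings this article reads by eye, the supported file systems with their “nodev” flag and the “mount” output, can also be checked offline once saved from the shell. The Python below is an added example, not code from the original article; it assumes the supported-file-system listing comes from /proc/filesystems (the article does not name the command), and the sample text and function names are constructed for illustration.

```python
import re

# Constructed sample of /proc/filesystems (assumed source; not from the article).
SAMPLE_FILESYSTEMS = "nodev\tsysfs\nnodev\tproc\nnodev\ttmpfs\n\text4\n\tvfat\n\tyaffs2\n"

# Constructed sample `mount` output; it mixes the two line layouts Android shells
# print so that both are exercised.
SAMPLE_MOUNT = """\
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
/dev/block/mmcblk0p12 /system ext4 ro,relatime 0 0
/dev/block/mmcblk0p13 /cache ext4 rw,nosuid,nodev 0 0
/dev/block/mmcblk0p14 on /data type ext4 (rw,nosuid,nodev,noatime)
/dev/block/vold/179:33 /mnt/ext_card vfat rw,nosuid,nodev 0 0
"""

KEY_PARTITIONS = ("/system", "/cache", "/data")

def parse_filesystems(text):
    """Map file system name -> True if it needs a physical device (no 'nodev' flag)."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            result[fields[-1]] = fields[0] != "nodev"
    return result

def parse_mount(text):
    """Return (device, mount_point, fs_type) for each line of `mount` output."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"(\S+) on (\S+) type (\S+) ", line)  # "dev on /mnt type fs (opts)"
        fields = m.groups() if m else tuple(line.split()[:3])  # "dev /mnt fs opts 0 0"
        if len(fields) == 3:
            entries.append(fields)
    return entries

def key_partition_types(mount_text, fs_text):
    """Report the fs type of /system, /cache and /data and whether it is device-backed."""
    backed = parse_filesystems(fs_text)
    return {mp: (fs, backed.get(fs, False))
            for _dev, mp, fs in parse_mount(mount_text) if mp in KEY_PARTITIONS}

if __name__ == "__main__":
    report = key_partition_types(SAMPLE_MOUNT, SAMPLE_FILESYSTEMS)
    for mp, (fs, on_device) in sorted(report.items()):
        print(f"{mp:8} {fs:6} device-backed={on_device}")
```

A key partition reported as yaffs2 rather than ext4 points to a pre-Gingerbread layout, which affects which imaging and parsing tools apply.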





