I'm a little new to the Android file system. I'm doing a project for a digital forensics class and I want to create a bit-for-bit image of my Nexus 5 running 4.4.4 stock, rooted. The normal way I would do this on a Linux system would be with dd like so.
dd if=/dev/sda of=/dev/sdb
As I have no removable SD card, I was planning on doing this with a terminal emulator and writing to a flash drive over the micro USB port. I need to be able to mount the image and browse the files from the device once the image is created. I'm specifically looking at GPS data and where it is stored, or unknowingly stored, from apps or the system. I'll sort that out myself once I have an image; I have some scripts I've written that will search through all directories and files looking for latitude and longitude strings. Although those probably won't find anything in the databases for Android, I'll have to find another way to script/look through those.
Is there a good way to create the type of image I'm describing?
Thanks for any help!
Answer
You could do that using dd directly on the device, making sure the output goes to a partition you can afford to be modified. I will not "rank" here from a forensics point of view (where of course it is best to have nothing modified on the device, which is not always possible, etc.), but simply list options. As you are looking for data written by apps, you're most likely after the /data partition, so this is the most important one to remain unchanged (though it already is subject to changes with the Android system booted):

- attach an external drive via OTG (might apply minor changes to /data for mounting information)
- write to an existing internal partition (e.g. the internal SD if you plan to "dump" /data)

Now let's check for an alternative. Assuming you've got a custom recovery installed, you could simply boot into that (something you'd probably check first). In recovery, by default most partitions (especially /data) are not mounted, so no modifications are done. Moreover, a custom recovery offers you the possibility to create a nandroid backup – which basically is a dump of all file systems (usually except the SD card(s)), each in a separate file. These dumps would go to the SD card (here: the internal one, as a Nexus has no external). You could adb pull those images to your computer even while still being in recovery mode.
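A worked version of the dd route in the answer above, plus the checks a forensics student would want afterwards, as an added example that is not part of the original answer. It is a POSIX shell script: image_partition makes the bit-for-bit copy with dd, verify_image hashes source and image so you can show the copy is faithful (and records both digests for your notes), and find_coord_strings does the kind of ASCII scan for latitude/longitude pairs the question describes. All paths are assumptions: on the phone you would run it as root from the terminal emulator or adb shell with the source set to the /data block device (on a Nexus 5 the by-name symlinks are normally under /dev/block/platform/msm_sdcc.1/by-name/, with userdata being /data; confirm with ls -l before imaging) and the destination a file on the OTG-mounted drive. The demo function at the bottom instead builds a small fake partition file with one planted coordinate string, so the whole flow runs on a PC without a phone. hash_file also works for the recovery route: hash a nandroid backup file on the device and again after adb pull to show it arrived intact. On a 4.4 device the stock toolbox has no sha256sum, so you need busybox for the on-device hash (or hash the image on the PC after copying it over).

```shell
#!/bin/sh
# Added example, not code from the original answer: image a block device (or
# any file) bit-for-bit with dd, hash source and image to show the copy is
# faithful, then grep the image for coordinate-looking strings.
# Paths in demo() are constructed for the demo. On the phone, SRC would be
# e.g. /dev/block/platform/msm_sdcc.1/by-name/userdata (assumed Nexus 5
# layout; check with ls -l) and DST a file on the OTG-mounted drive.

set -u

# sha256 of a file, using whichever tool is available (busybox on a rooted
# Android, coreutils on Linux, shasum on macOS). Prints only the hex digest.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Bit-for-bit copy of $1 into the file $2. conv=noerror keeps going past a
# read error (a bad NAND block) instead of aborting, so you get a complete
# image with a documented gap rather than a truncated one; dd's own summary
# (records in/out) is kept in $2.dd.log for the report. bs=4096 with no
# conv=sync means nothing is padded and the image is exactly source-sized.
image_partition() {
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=4096 conv=noerror 2>"$dst.dd.log" || return 1
    sync
}

# Returns 0 when source and image hash identically, 1 otherwise, and writes
# both digests to $2.sha256 for the chain-of-custody notes.
verify_image() {
    src=$1; dst=$2
    s=$(hash_file "$src"); d=$(hash_file "$dst")
    printf 'source %s\nimage  %s\n' "$s" "$d" > "$dst.sha256"
    [ "$s" = "$d" ]
}

# Scan the raw image (-a: treat binary as text) for decimal lat/long pairs
# such as "37.4220,-122.0841". This only finds coordinates stored as ASCII;
# SQLite databases on /data mostly hold them as binary doubles, which need a
# separate pass with sqlite3 on the extracted .db files.
find_coord_strings() {
    grep -a -o -E -e '-?[0-9]{1,2}\.[0-9]{3,}[, ]+-?[0-9]{1,3}\.[0-9]{3,}' "$1"
}

# Demo on a constructed "partition": a regular file of zero filler with one
# planted coordinate string, so the flow can be exercised without a phone.
demo() {
    work=$(mktemp -d)
    part="$work/userdata.bin"; img="$work/userdata.img"
    { head -c 65536 /dev/zero
      printf 'last_fix=37.4220,-122.0841\n'
      head -c 4096 /dev/zero; } > "$part"
    image_partition "$part" "$img" &&
        verify_image "$part" "$img" &&
        find_coord_strings "$img"
}

demo
```

One caveat that follows directly from the answer: while Android is booted, /data keeps changing underneath you, so hashing the live block device after the copy will generally not match the image. Either do the imaging and the source hash from recovery, where /data stays unmounted, or hash the source immediately before and after dd and document the difference. A mismatch between records in and records out in the .dd.log means dd hit read errors and the corresponding blocks in the image are not real data.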