Parsing Android DD image based on mmcblk0

A place to ask the community for help with using Autopsy.

Moderator: carrier

Parsing Android DD image based on mmcblk0

Postby bobster95 » Wed May 03, 2017 9:02 am

Hi there

I am a forensic examiner and also a universoty student. I am completing a last year project on the Facebook Messenger Application (FMA). The basis of the project will be sending messages between two android devices in various forms, (attachments, sim, wifi, etc) and then analysing the results.

Part of the project involves analysis of the FMA. I have one device, a Samsung Galaxy S4, which was factory reset from bootloader options. It has then been rebooted, permanently rooted (Kingoroot) and has busybox installed. I have not downloaded FMA yet as I wish to take an image of the device pre-FMA download, post FMA download, post FMA login, and post FMA messages exchanged. This is to try and ascertain what gets changed at various stages.I have taken the pre-image by using the following command in an adb shell on the device:

dd if=/dev/block/mmcblk0 | busybox nc -l -p 8888

In a separate command window I forwarded the tcp port 8888 using adb, and then took an image by using the following command:

nc 127.0.0.1 8888 > image.dd

I took an image of the mmcblk0 as I wished to get an disk image of the device, and maybe at some stage, run an MD5 against the whole filesystem so I can compare it with future md5 of the other images I will take after FMA logins and messages exchanged.

I have tried to view this image in autopsy, using the "disk image or vm file" option, but an error was returned:

*Failed to add data source, critical errors encountered
Errors occured while ingesting image
1. Cannot determine file system type (Sector offset: 0) "

I was able to add it as a logical file and an unallocated disk image file, but none of these parsed out the file system.

Can any help be provided as to what I can do with autopsy to view the separate file partitions for this image?

(NB I am aware that the Facebook Messenger Application stores its data mainly in the com.Facebook.orca folder, which will be analysed, however I wanted to see if i) com.Facebook.orca in a rooted device provides more info than getting it in a non-rooted device, ii) see if any other artifacts are changed. I know I can copy the com.Facebook.orca folder into the sdcard area, then pull it separately using an adb pull command, but this is a generalist view and I really wanted to make sure that there are not any other artefacts, eg in the /cache area, where further data is stored. I have santoku on a VM running from virtualbox which has TSK but I have no idea where to start with TSK and I am having problems with the setting up shared folders within it!)

Sorry for the long post and thanks for any help provided. BTW, autopsy...what an awesome free tool!!

Bob
bobster95
 
Posts: 1
Joined: Wed May 03, 2017 8:43 am

Return to Autopsy Troubleshooting

Who is online

Users browsing this forum: No registered users and 2 guests

cron