Forensic analysis of the android file system YAFFS2 - 2011

Research Area:  Digital Forensics

Abstract:

The popularity of Android devices has resulted in a requirement for a process to extract and analyse data in a forensically sound manner. There is a wide range of devices which use the Android operating system, and hence a standard process for forensic extraction and analysis for all devices is not possible. Many devices use the Yet Another Flash File System (YAFFS), which introduces an additional layer of forensic requirements. Focussing on the internal storage of a Sony Ericsson Xperia x10i, a process to extract both logical and physical data from the internal NAND memory is possible after gaining super user access. Data was extracted in different formats by using a variety of software processes, such as SuperOneClick, dd, xRecovery, NANDdump, Yaffs2utils and Android Debug Bridge. Analysis of the extracts was then undertaken to determine the type of data available from the different extraction methods, which included Logical file extraction, Physical data with YAFFS spare information, and also without the YAFFS spare data. The analysis showed that the NANDdump has generated a bit-by-bit dump of the internal flash memory.

Keywords:  

Author(s) Name:  Darren Quick, Mohammed Alzaabi

Journal name:  

Conference name:  AUSTRALIAN DIGITAL FORENSICS CONFERENCE

Publisher name:  secau Security Research Centre, Edith Cowan University, Perth, Western Australia

DOI:  10.4225/75/57b2c23a40cf1

Volume Information: