Forensic analysis of an Android logical image with Autopsy

We got good feedback on our last article – Android forensic analysis with Autopsy – but many of you asked whether it is also possible to perform a forensic examination of an Android logical image. The answer is yes, and today we’ll show you how to do it.

In this example we’ll use a Samsung GT-I9105 logical image acquired by Magnet Acquire – a free imaging tool developed by Magnet Forensics:

[Screenshot: aut_1]

As you can see, our logical image is packed in an archive. To use it with Autopsy we need to unpack it. Open it with your favorite archiver and you’ll see the following:

[Screenshot: aut_2]

In our case the Agent Data folder is empty, so we need to open another archive – adb-data.tar:

[Screenshot: aut_3]

All you need to do now is extract these two folders. Then it’s time to launch Autopsy:

[Screenshot: aut_4]
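The unpacking steps above, as an added Python example that is not part of the original article and not code from Magnet Forensics or Autopsy: it assumes the outer container is a zip holding adb-data.tar, pulls only the shared and apps folders out of the nested tar, refuses archive entries whose paths would escape the output folder, and records a SHA-256 of every extracted file for the case notes. The build_sample_image helper writes a small constructed image in that layout so the script can be tried offline.

```python
"""Unpack a Magnet Acquire Android logical image for Autopsy's "Logical files" source.
Added example, not code from the article, Magnet Forensics or Autopsy. Assumed layout:
a zip container holding 'adb-data.tar', which in turn holds 'shared' and 'apps'."""
import hashlib, io, os, tarfile, zipfile

INNER_TAR = "adb-data.tar"        # inner archive named in the article
WANTED_DIRS = ("shared", "apps")  # the two folders the article adds to Autopsy

def is_safe_member(name: str) -> bool:
    """Reject empty, absolute and '..'-containing member paths (archive traversal)."""
    parts = name.replace("\\", "/").split("/")
    return bool(name) and not name.startswith("/") and ".." not in parts

def extract_logical_image(image_path: str, out_dir: str) -> dict:
    """Copy shared/ and apps/ out of the nested tar; return {member: sha256}."""
    hashes = {}
    with zipfile.ZipFile(image_path) as outer:
        if INNER_TAR not in outer.namelist():
            raise ValueError(f"{INNER_TAR} not found in {image_path}")
        # 'r|*' streams the tar straight out of the zip, so no seeking is needed
        with outer.open(INNER_TAR) as raw, tarfile.open(fileobj=raw, mode="r|*") as tar:
            for member in tar:
                top = member.name.replace("\\", "/").split("/")[0]
                if top not in WANTED_DIRS or not is_safe_member(member.name):
                    continue  # skips Agent Data, stray entries and traversal attempts
                if not member.isfile():
                    continue  # directories are created on demand; links are never copied
                src = tar.extractfile(member)
                dest = os.path.join(out_dir, *member.name.split("/"))
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                digest = hashlib.sha256()
                with open(dest, "wb") as f:
                    for chunk in iter(lambda: src.read(1 << 20), b""):
                        f.write(chunk)
                        digest.update(chunk)
                hashes[member.name] = digest.hexdigest()
    return hashes

def build_sample_image(path: str) -> None:
    """Write a constructed image with the article's layout plus one traversal entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("shared/0/note.txt", b"hello"),
                           ("apps/com.example/db/contacts.db", b"SQLite"),
                           ("shared/../escape.txt", b"bad")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    with zipfile.ZipFile(path, "w") as outer:
        outer.writestr(INNER_TAR, buf.getvalue())
```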

Create a new case:

[Screenshot: aut_5]

Select “Logical files” as the source type. Then click the “Add” button and add the two extracted folders, shared and apps:

[Screenshot: aut_6]

Now choose the ingest modules:

[Screenshot: aut_7]

As you can see, we don’t use the PhotoRec Carver module for our logical image, because a logical image has no unallocated space (the exception is SQLite databases, but currently Autopsy isn’t able to extract data from them).

That’s it – the Android Analyzer module has successfully extracted the available data:

[Screenshot: aut_8]

As you can see, such a powerful open source suite as Autopsy can be used not only for forensic analysis of Android physical images, but also for logical ones – and this is very important, because nowadays fewer and fewer smartphones can be acquired physically.

About the authors:

Igor Mikhaylov

Interests: Computer, Cell Phone & Chip-Off Forensics

Oleg Skulkin

Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics