Monday, February 4, 2013

Roadblock #1

So for some reason I had the idea that everything would work out smoothly. I would generate some data on the camera, delete some emails and pictures, image the camera and start my analysis. Luckily, I was proved wrong early on in the acquisition process. The camera gets recognized as a portable media player (MTP) and cannot be imaged with FTK Imager. I thought this was a slight hiccup, and maybe I could use some other method to extract the data. I decided to go to Champlain's on-campus forensic lab and use the XRY software we have.

Everything seemed to be going smoothly. XRY recognized the camera as a Samsung USB modem, but could not acquire it. I'm really unsure as to why this happened, but my guess is that the software I was attempting to use was not made for cameras. My next option was to image the SD card and see what I could get. To my surprise, there wasn't one at all, just a piece of plastic in the microSD slot. I could obviously buy an SD card, but would that provide me with Facebook, Twitter, and email data? Probably, if I moved the application data to that external storage. But how often are people doing this? From a forensic point of view, I doubt we would find much from an SD card, since most users don't think to store their applications on the SD card and use internal storage instead.

I remembered an activity we did in my mobile forensics class using Santoku and decided to try this method just for fun. I downloaded the ISO and created a virtual machine. A tutorial on how to use Santoku with Android can be found here: https://santoku-linux.com/howto/howto-use-aflogical-ose-logical-forensics-android

Below are the results AFLogical presented to me when I attempted to extract data from the camera:

AFLogical OSE was installed on the camera using the command 'adb install AFLogical-OSE_1.5.2.apk'

Next, I used the mkdir command to create a folder for the output. 'adb pull' pulls data from the SD card

I located the output files

Inside both output folders, these files were found

This was the only picture extracted from the camera

So although there is no SD card, AFLogical was still able to extract one picture from the Samsung Galaxy Camera. Call logs, contacts, MMS, and SMS were not extracted by the software, so I needed another option to get all the data I want.
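Once the AFLogical output folders have been pulled with 'adb pull', the next thing an examiner wants is a record of exactly what came back: which AFLogical CSVs are present, how many records each one holds, which pictures were recovered, and a hash of every pulled file for the acquisition notes. The script below is an added example written for this post, not code from the original entry or from the AFLogical project. It assumes the AFLogical OSE CSV file names listed in EXPECTED_CSVS (adjust them to match your version's output) and builds a constructed sample folder mirroring the result above: one picture, header-only call log and SMS files, and no contacts or MMS files.

```python
import csv
import hashlib
import tempfile
from pathlib import Path

# Assumption: CSV names written by AFLogical OSE 1.5.2. Check your own output
# folder and edit this list if the names differ.
EXPECTED_CSVS = [
    "CallLog Calls.csv",
    "Contacts Phones.csv",
    "MMS.csv",
    "MMSParts.csv",
    "SMS.csv",
]
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png"}


def sha256_of(path):
    """Stream a file through SHA-256 so large pulls do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def count_records(csv_path):
    """Return the number of non-empty data rows below the CSV header."""
    with open(csv_path, newline="", encoding="utf-8", errors="replace") as handle:
        reader = csv.reader(handle)
        if next(reader, None) is None:      # empty file, not even a header
            return 0
        return sum(1 for row in reader if any(cell.strip() for cell in row))


def inventory(output_dir):
    """Summarise a pulled AFLogical folder: hashes, record counts, images, gaps."""
    output_dir = Path(output_dir)
    report = {"hashes": {}, "records": {}, "images": [], "missing": []}
    for path in sorted(output_dir.rglob("*")):
        if not path.is_file():
            continue
        report["hashes"][str(path.relative_to(output_dir))] = sha256_of(path)
        if path.suffix.lower() in IMAGE_EXTENSIONS:
            report["images"].append(path.name)
    for name in EXPECTED_CSVS:
        candidate = output_dir / name
        if candidate.exists():
            report["records"][name] = count_records(candidate)
        else:
            report["missing"].append(name)   # category AFLogical did not produce
    return report


def build_sample_output(root):
    """Constructed sample folder shaped like the result described in the post."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    (root / "CallLog Calls.csv").write_text("_id,number,date,duration\n", encoding="utf-8")
    (root / "SMS.csv").write_text("_id,address,date,body\n", encoding="utf-8")
    # Minimal constructed JPEG-like bytes (SOI marker ... EOI marker), not a real photo.
    (root / "IMG_0001.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9")
    return root


def demo():
    """Run the inventory over the constructed sample and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_output(Path(tmp) / "aflogical"))


if __name__ == "__main__":
    result = demo()
    for name, digest in result["hashes"].items():
        print(f"{digest}  {name}")
    print("records:", result["records"])
    print("images:", result["images"])
    print("not produced:", result["missing"])
```

Pointing inventory() at the real folder you pulled from the device gives you the same report for the acquisition notes; the "missing" list is the quickest way to document which categories (call logs, contacts, MMS, SMS) the tool did not return, rather than relying on a screenshot.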

I looked into grabbing RAM using LiME and also another Android data extraction method, DDMS. I have only done some preliminary research on these tools and have not yet tried them. I found a way to root the camera, so I think I will try that out first, because I know it will give me access to the data I'm looking for. If I have time toward the end of this project, I will try to extract data using LiME and DDMS.
