Forensic analysis of an Android logical image with Autopsy
We got good feedback on our last article, Android forensic analysis with Autopsy, but many of you asked whether it is also possible to perform a forensic examination of an Android logical image. The answer is yes, and today we'll show you how to do it.
In this example we'll use a Samsung GT-I9105 logical image acquired with Magnet Acquire, a free imaging tool developed by Magnet Forensics:
As you can see, our logical image is in an archive. To use it with Autopsy we need to unpack it. Open it with your favorite archiver and you'll see the following:
In our case the Agent Data folder is empty, so we need to open another archive, adb-data.tar:
All you need now is to extract these two folders. It's time to launch Autopsy:
Create a new case:
Select “Logical files” as the source type, then click the “Add” button and add the extracted folders, shared and apps:
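If you stage many images, it is worth scripting the unpacking step instead of clicking through an archiver. The script below is an added example written for this article; it is not Magnet Forensics' or Autopsy's code. It assumes the layout shown above (an outer ZIP holding an Agent Data folder and adb-data.tar, with the shared and apps folders inside the TAR), extracts only those two folders, refuses archive entries that would write outside the destination (a crafted image is still untrusted input), and records a SHA-256 per extracted file for the case notes. The sample image it builds is constructed for the demo and is not a real acquisition.

```python
"""Stage a Magnet Acquire-style Android logical image for Autopsy "Logical files" ingest.

Added example, not code from the article, Magnet Forensics or Autopsy.
Assumed layout: <image>.zip -> "Agent Data/" (empty) + "adb-data.tar" -> shared/, apps/
"""
import hashlib
import io
import os
import tarfile
import tempfile
import zipfile

WANTED_TOP_DIRS = ("shared", "apps")   # the two folders the article extracts

# Constructed sample contents (not real device data) used by build_sample_image()
SAMPLE_FILES = [
    ("shared/DCIM/Camera/IMG_0001.jpg", b"not really a jpeg"),
    ("apps/com.example.chat/db/messages.db", b"SQLite format 3\x00"),
    ("../escape.txt", b"must never be written"),   # path-traversal entry to be rejected
]


def _normalise(name: str) -> str:
    """Strip leading './' segments that tar writers often add."""
    name = name.replace("\\", "/")
    while name.startswith("./"):
        name = name[2:]
    return name


def _is_safe_member(name: str) -> bool:
    """Reject absolute paths and '..' components so an entry cannot escape dest."""
    if not name or name.startswith("/") or os.path.isabs(name):
        return False
    return ".." not in name.split("/")


def extract_logical_image(zip_path: str, dest: str) -> dict:
    """Unpack <zip>/adb-data.tar and extract only shared/ and apps/ into dest.

    Returns {relative_path: sha256_hex} for every regular file written.
    """
    hashes = {}
    with zipfile.ZipFile(zip_path) as outer:
        inner = next(n for n in outer.namelist() if n.endswith("adb-data.tar"))
        tar_bytes = outer.read(inner)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            name = _normalise(member.name)
            if not _is_safe_member(name):
                continue                      # traversal attempt: skip, do not write
            if name.split("/", 1)[0] not in WANTED_TOP_DIRS:
                continue                      # anything outside shared/ and apps/
            target = os.path.join(dest, name)
            if member.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            if not member.isfile():
                continue                      # symlinks, devices etc. are not staged
            os.makedirs(os.path.dirname(target), exist_ok=True)
            data = tar.extractfile(member).read()
            with open(target, "wb") as fh:
                fh.write(data)
            hashes[name] = hashlib.sha256(data).hexdigest()
    return hashes


def build_sample_image(zip_path: str) -> None:
    """Write a constructed image in the assumed layout (demo input only)."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for arcname, payload in SAMPLE_FILES:
            info = tarfile.TarInfo(arcname)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    with zipfile.ZipFile(zip_path, "w") as z:
        z.writestr("Agent Data/", b"")        # empty folder, as in the article
        z.writestr("adb-data.tar", tar_buf.getvalue())


def run_demo() -> dict:
    """Build the sample image, stage it, and summarise what was written."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "GT-I9105_logical.zip")
        build_sample_image(img)
        dest = os.path.join(tmp, "extracted")
        hashes = extract_logical_image(img, dest)
        expected = {n: hashlib.sha256(p).hexdigest() for n, p in SAMPLE_FILES
                    if _is_safe_member(n)}
        return {
            "extracted": sorted(hashes),
            "hashes_match": hashes == expected,
            "escaped": os.path.exists(os.path.join(tmp, "escape.txt")),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point Autopsy's “Logical files” source at the shared and apps folders under the destination directory; the returned hash list is what you attach to the case so the staged copy can later be tied back to the acquisition.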
Now choose the ingest modules:
As you can see, we don't use the PhotoRec Carver module for our logical image, because it has no unallocated space (except inside the SQLite databases, but currently Autopsy isn't able to extract data from them).
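The SQLite caveat is worth checking rather than assuming: a database whose freelist counter is non-zero still holds pages that were released by deleted rows, which is exactly the "unallocated space" a carver would normally look at. The following added example (written for this article, not part of Autopsy) reads only the 100-byte SQLite file header, walks an extracted image and reports page size and freelist pages for every database it finds, so you know which files deserve a dedicated SQLite recovery tool. The sample database it creates is constructed for the demo; with the default auto_vacuum=NONE setting, deleting the rows leaves the emptied pages on the freelist instead of shrinking the file.

```python
"""Find SQLite databases with free pages in an extracted Android logical image.

Added example, not Autopsy code. Parses the SQLite 3 header only (page size at
offset 16, first freelist trunk page at 32, freelist page count at 36, all
big-endian); it does not recover records.
"""
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"


def freelist_info(db_path: str) -> dict:
    """Return page size and freelist counters from the database header."""
    with open(db_path, "rb") as fh:
        header = fh.read(100)
    if header[:16] != SQLITE_MAGIC:
        raise ValueError(f"{db_path}: not an SQLite 3 database")
    page_size = struct.unpack(">H", header[16:18])[0]
    if page_size == 1:                     # the format encodes 65536 as 1
        page_size = 65536
    first_trunk, free_pages = struct.unpack(">II", header[32:40])
    return {
        "page_size": page_size,
        "free_pages": free_pages,
        "first_freelist_trunk": first_trunk,
        "free_bytes": free_pages * page_size,
    }


def scan_tree(root: str) -> list:
    """Walk an extracted image and report every SQLite file, by magic not by name."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if fh.read(16) != SQLITE_MAGIC:
                    continue
            info = freelist_info(path)
            info["path"] = os.path.relpath(path, root)
            results.append(info)
    return results


def make_sample_db(path: str) -> None:
    """Constructed sample: fill a table across many pages, then delete the rows."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA auto_vacuum = NONE")   # default; freed pages stay in the file
    conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO messages(body) VALUES (?)",
                     [("x" * 500,) for _ in range(2000)])
    conn.commit()
    conn.execute("DELETE FROM messages")        # rows gone, pages go to the freelist
    conn.commit()
    conn.close()


def run_demo() -> dict:
    """Build a tiny extracted-image tree, scan it, and cross-check with SQLite itself."""
    with tempfile.TemporaryDirectory() as tmp:
        db_dir = os.path.join(tmp, "apps", "com.example.chat", "db")
        os.makedirs(db_dir)
        db = os.path.join(db_dir, "messages.db")
        make_sample_db(db)
        with open(os.path.join(tmp, "apps", "readme.txt"), "w") as fh:
            fh.write("not a database")           # must be ignored by the scan
        found = scan_tree(tmp)
        conn = sqlite3.connect(db)
        pragma_count = conn.execute("PRAGMA freelist_count").fetchone()[0]
        conn.close()
        return {"found": found, "pragma_free_pages": pragma_count}


if __name__ == "__main__":
    summary = run_demo()
    for entry in summary["found"]:
        print(f"{entry['path']}: {entry['free_pages']} free pages "
              f"({entry['free_bytes']} bytes), page size {entry['page_size']}")
    print("PRAGMA freelist_count agrees:",
          summary["found"][0]["free_pages"] == summary["pragma_free_pages"])
```

Run scan_tree() against the extracted apps folder; any database with free_pages greater than zero is a candidate for record carving outside Autopsy, while a zero simply means the app (or a VACUUM) has already reclaimed the space.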
This is it: the Android Analyzer module has successfully extracted the available data:
As you can see, such a powerful open source suite as Autopsy can be used not only for forensic analysis of Android physical images but also for logical ones, and that matters, because nowadays fewer and fewer smartphones can be acquired physically.
About the authors:
Interests: Computer, Cell Phone & Chip-Off Forensics
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics