caisar-oentoro
Android Forensic: Digital Image Recovery
by Group 15
Presentation Highlight
• Step 1 Identification
• Step 2 Data Preservation
• Step 3 Analysis
Scenario
1. Format the SD card for testing (full format / fill zero)
2. Copy the evidence file(s) to the external & internal memory card
3. Get images from external & internal memory with USB Image Tool & the dd command
4. Delete the evidence file(s) (in this case a .JPEG image) with a local application (ES Explorer)
5. Get images (again) from external & internal memory with USB Image Tool & the dd command
6. Extract all kinds of files from both images with File Scavenger
7. Compare the extracted evidence found with the real file(s) using JPEGsnoop
8. If they are the same, the recovery process is successful
Phone Identification
Android System Info
Data Preservation
Creating Internal Memory’s Image Files:
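dd command: dd if=/dev/mtd/mtdX of=/mnt/sdcard/mtdX.img bs=4096
(X is the MTD partition number; the output file name mtdX.img is an example, because of= must name a file rather than a directory)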
Data Preservation
Creating External Memory’s Image Files:
1. Enable USB Mode
2. Create Images with USB Image Tool
3. [Optional] Verify the image with an MD5 check
Analysis
• Use File Scavenger to acquire all (deleted + hidden) data
• Find the ‘likely’ successfully recovered digital picture (because the recovered image/picture sometimes has a different name).
• Compare the real image and the recovered image with JPEGsnoop (for JPEG)
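The recover-and-compare step above, as an added example that is not part of the original presentation: it carves JPEGs out of a raw image (such as one produced by dd or USB Image Tool) and checks them against the real file. It substitutes signature carving and a SHA-256 comparison for File Scavenger and JPEGsnoop; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import re

SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus lead byte of the next marker
EOI = b"\xff\xd9"      # JPEG end-of-image marker
MARKERS = re.compile(rb"\xff\xd8\xff|\xff\xd9")

def carve_jpegs(image, max_size=32 * 1024 * 1024):
    """Return (offset, data) for every complete JPEG found in a raw image.

    Nested SOI/EOI pairs (EXIF thumbnails) are depth-counted so a file is cut
    at its own end marker. Fragmented files are not reassembled.
    """
    found, pos = [], 0
    while (start := image.find(SOI, pos)) != -1:
        depth, end = 1, None
        limit = min(len(image), start + max_size)
        for m in MARKERS.finditer(image, start + 2, limit):
            depth += 1 if m.group() == SOI else -1
            if depth == 0:
                end = m.end()
                break
        if end is None:          # no closing marker: skip this start marker
            pos = start + 2
            continue
        found.append((start, image[start:end]))
        pos = end
    return found

def match_evidence(image, original):
    """Offsets of carved JPEGs that are byte-identical to the original file."""
    want = hashlib.sha256(original).digest()
    return [off for off, data in carve_jpegs(image)
            if hashlib.sha256(data).digest() == want]

# Constructed sample data (not taken from the presentation).
THUMB = SOI + b"\xe0" + b"thumb" + EOI
ORIGINAL = SOI + b"\xe1" + b"Exif" + THUMB + b"\xff\xda" + b"scan-data" + EOI
AFTER_DELETE = b"\x00" * 512 + ORIGINAL + b"\x00" * 512   # content left in place
ZERO_FILLED = b"\x00" * 2048                               # full format / fill zero

if __name__ == "__main__":
    print("after delete:", match_evidence(AFTER_DELETE, ORIGINAL))
    print("zero filled: ", match_evidence(ZERO_FILLED, ORIGINAL))
```

A hash match only proves a byte-identical recovery; a partially overwritten picture will not match and still needs a structural comparison of the kind JPEGsnoop provides.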
Before and After Formatting with Android Format Utility
Comparison
Conclusion
• Recovering data from the internal memory was very hard to do, especially if the memory size is small, because deleted data there is usually ‘fully deleted’ automatically.
• In external memory, deleting files doesn’t delete the real files. The deleted files still reside in the memory, often in the same path.
That’s from us