Book Image

Learning Android Forensics

By : Rohit Tamma, Donnie Tindall
Book Image

Learning Android Forensics

By: Rohit Tamma, Donnie Tindall

Overview of this book

Table of Contents (15 chapters)
Learning Android Forensics
About the Authors
About the Reviewers

Acquiring Android SD cards

As discussed above and in previous chapters, the SD card can refer to a physical, external SD card or a partition within the flash memory. A removable external SD card can be imaged separately from the device through a write-blocker with typical computer forensics tools, or using the dd/nanddump techniques shown in the previous section, although the former is usually faster as it does not need to write data over netcat.

Physically imaging an SD card is very similar to the physical imaging discussed above; in fact, if the SD card is symbolically linked to the /data partition, it would be acquired as part of the /data partition as seen in the Autopsy screenshots. The only difference in the process is that if the SD card is being imaged, the output file cannot be written to the SD card! This means using the netcat methods covered previously is the best option for physically imaging an internal SD card.

What can be found on an SD card?

By default, the SD card is typically...