Leveraging Forensics to Recover Precious Memories: The Intro
Once upon a time, a co-worker approached me with a dilemma: a software update on his wife's phone had failed, resulting in the apparent loss of all data on the device, including many irreplaceable family photos. He asked if there was anything I could do to help. To me, it was the perfect opportunity to leverage computer forensics to do something good and hopefully recover some precious memories.
I cannot emphasize enough the importance of regular backups for any data that matters to you. Please do not rely on the techniques described in this post as a backup alternative.
The phone in question was an older Android phone that had already been rooted. This allowed USB debugging to be enabled on the phone and accessed through a program called Android Debug Bridge (adb), which can be used for Android debugging from a Linux workstation.
An Opportunity to Use "Traditional" Forensics Techniques
Since this wasn't a formal forensics investigation, and our primary goal was data recovery, I could be more flexible with my data acquisition techniques. Ultimately, I needed to find a way to make a disk image of the phone's internal storage, which I could then analyze using traditional forensics techniques.
With the phone in USB debugging mode, I was able to list out the connected devices using the Android debugger:
~$ adb devices
List of devices attached
002a9e28dc1a9a    device
Once I confirmed that the device was detected, I could use the debugger to execute the shell on the Android device over the USB connection, and explore the internal system structure, including the list of devices.
~$ adb shell
root@android:/ # su
root@android:/ # ls /dev/block/
loop0  loop7         mmcblk0p12  mmcblk0p8  ram12  ram5
loop1  mmcblk0       mmcblk0p2   mmcblk0p9  ram13  ram6
loop2  mmcblk0boot0  mmcblk0p3   platform/  ram14  ram7
loop3  mmcblk0boot1  mmcblk0p4   ram0       ram15  ram8
loop4  mmcblk0p1     mmcblk0p5   ram1       ram2   ram9
loop5  mmcblk0p10    mmcblk0p6   ram10      ram3   vold/
loop6  mmcblk0p11    mmcblk0p7   ram11      ram4
After some exploration, I was able to determine that /dev/block/mmcblk0 was the device that contained the majority of the system storage space, and was most likely the location I would want to image and analyze.
It was now a matter of determining how to transfer the contents of this block device to my laptop over the debug connection. Fortunately, the Android debugger supports forwarding a TCP port from the phone to the debug machine:
~$ adb forward tcp:5555 tcp:5555
Once this forwarding was established, I could execute a shell to the phone again and leverage the power of netcat (which, according to the description in its man page "is used for just about anything under the sun involving TCP, UDP, or UNIX-domain sockets"), to transfer the contents of the flash memory from the phone:
~$ adb shell
root@android:/ # su
root@android:/ # /system/xbin/busybox nc -l -p 5555 -e /system/xbin/busybox dd if=/dev/block/mmcblk0
And on my machine, I received the stream with netcat (I used pv to provide a progress bar, but it's not strictly necessary):
~/Downloads/androidphone$ nc 127.0.0.1 5555 | pv -i 0.5 > mmcblk0.raw
14.7GB 0:59:40 [ 4.2MB/s] [ <=> ]
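The receiving side of that transfer, as an added example that is not code from the original post: instead of `nc | pv > mmcblk0.raw`, this script connects to the port adb has forwarded (127.0.0.1:5555 is assumed, matching the forward above), writes the stream to disk in 1 MiB chunks and hashes it on the fly, so the saved image can be compared with the output of `sha256sum /dev/block/mmcblk0` run on the phone itself (it is assumed the device's busybox provides sha256sum). The loopback server and the patterned sample bytes are constructed stand-ins for the phone so the script runs offline.

```python
import hashlib
import os
import socket
import tempfile
import threading

CHUNK = 1 << 20  # 1 MiB reads keep memory flat for a multi-gigabyte image


def receive_image(out_path, host="127.0.0.1", port=5555):
    """Stream bytes from host:port into out_path until the remote side closes
    the connection (dd has finished). Returns (bytes_written, sha256_hex)."""
    digest = hashlib.sha256()
    written = 0
    with socket.create_connection((host, port)) as sock, open(out_path, "wb") as out:
        while True:
            chunk = sock.recv(CHUNK)
            if not chunk:            # EOF: the phone's nc/dd pipeline exited
                break
            out.write(chunk)
            digest.update(chunk)
            written += len(chunk)
    return written, digest.hexdigest()


def sha256_file(path):
    """Re-read the saved image and hash it; it must equal the streaming digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def serve_bytes_once(data):
    """Loopback stand-in for the phone's `nc -l -e dd`: listen on an ephemeral
    port, send `data` to the first client, then close. Returns the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def handle():
        conn, _ = listener.accept()
        with conn:
            conn.sendall(data)
        listener.close()

    threading.Thread(target=handle, daemon=True).start()
    return listener.getsockname()[1]


# Constructed stand-in for the block device contents (not real phone data).
SAMPLE_DEVICE = bytes(range(256)) * 4096  # 1 MiB of patterned bytes


def demo_roundtrip(data=SAMPLE_DEVICE):
    """Serve `data` locally, image it into a temp file and return
    (bytes_written, stream_hash, file_hash, expected_hash)."""
    port = serve_bytes_once(data)
    with tempfile.NamedTemporaryFile(suffix=".raw", delete=False) as tmp:
        path = tmp.name
    try:
        written, stream_hash = receive_image(path, port=port)
        file_hash = sha256_file(path)
    finally:
        os.remove(path)
    return written, stream_hash, file_hash, hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    written, stream_hash, file_hash, expected = demo_roundtrip()
    print(f"{written} bytes received, sha256 {stream_hash}, "
          f"consistent={stream_hash == file_hash == expected}")
```

Against a real phone you would call `receive_image("mmcblk0.raw")` with the forward in place and compare the printed digest with the one computed on the device. Expect a mismatch if the device was still mounted and being written to during the hour-long copy; for recovery work that is tolerable, but an image meant to be evidence should be taken with the partitions unmounted (for example from recovery) so the two hashes agree.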
At this point, I had an image of the phone that I could run through traditional forensics tools. Since the filesystem was corrupt, I decided to leverage a file-carving tool called SFDUMPER (selective file dumper) to recover image files from the disk image.
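To show what a file carver is actually doing when it pulls pictures out of an image with a corrupt filesystem, here is an added example (not the post's code and not SFDUMPER): it scans a raw image for JPEG and PNG signatures and measures each file by walking its own structure rather than stopping at the first footer byte sequence. That distinction matters, because a JPEG's EXIF segment usually embeds a thumbnail that is itself a complete JPEG, so the naive "find the next FF D9" approach truncates the photo at the thumbnail. The sample "disk image" is constructed inline (the PNG chunk CRCs in it are fake and are not verified); `carve_image_file` maps a real image file with mmap so a 14.7 GB image need not be loaded into memory.

```python
import mmap
import os

JPEG_SOI = b"\xff\xd8\xff"          # start of image plus first marker byte
JPEG_EOI = b"\xff\xd9"              # end of image
PNG_SIG = b"\x89PNG\r\n\x1a\n"      # fixed 8-byte PNG signature


def naive_jpeg_length(data, start):
    """First-EOI approach: wrong whenever an APP1/EXIF thumbnail (itself a
    JPEG) precedes the scan data, because the thumbnail's EOI ends the carve."""
    end = data.find(JPEG_EOI, start + len(JPEG_SOI))
    return None if end < 0 else end + len(JPEG_EOI) - start


def jpeg_length(data, start):
    """Walk marker segments from SOI to SOS using their length fields, then
    take the first EOI after the entropy-coded data. None if not a valid chain."""
    pos, n = start + 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                           # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                           # EOI with no scan data
            return pos + 2 - start
        if marker == 0x01 or 0xD0 <= marker <= 0xD7: # standalone markers
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return None
        if marker == 0xDA:                           # SOS: scan data follows
            end = data.find(JPEG_EOI, pos + 2 + seg_len)
            return None if end < 0 else end + 2 - start
        pos += 2 + seg_len                           # skip APPn/DQT/SOF/DHT/...
    return None


def png_length(data, start):
    """Walk PNG chunks (length, type, data, CRC) until IEND; CRCs unchecked."""
    pos, n = start + len(PNG_SIG), len(data)
    while pos + 8 <= n:
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        if not ctype.isalpha():                      # chunk types are ASCII letters
            return None
        pos += 8 + length + 4
        if pos > n:
            return None
        if ctype == b"IEND":
            return pos - start
    return None


SIGNATURES = {"jpg": (JPEG_SOI, jpeg_length), "png": (PNG_SIG, png_length)}


def carve(data):
    """Return [(offset, ext, bytes)] for every carveable image in `data`
    (bytes or a read-only mmap), sorted by offset."""
    found = []
    for ext, (magic, measure) in SIGNATURES.items():
        pos = 0
        while (start := data.find(magic, pos)) >= 0:
            length = measure(data, start)
            if length:
                found.append((start, ext, bytes(data[start:start + length])))
                pos = start + length
            else:
                pos = start + 1                      # false positive, keep scanning
    return sorted(found, key=lambda item: item[0])


def carve_image_file(image_path, out_dir):
    """Carve a raw image on disk via mmap and write each hit as <offset>.<ext>."""
    os.makedirs(out_dir, exist_ok=True)
    with open(image_path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        results = carve(mm)
        for offset, ext, blob in results:
            with open(os.path.join(out_dir, f"{offset:012x}.{ext}"), "wb") as out:
                out.write(blob)
    return len(results)


def build_sample_image():
    """Constructed 'disk image': filler, a structurally valid JPEG whose EXIF
    segment embeds a thumbnail, some junk, then a PNG skeleton with fake CRCs."""
    thumb = b"\xff\xd8\xff\xd9"
    app1_payload = b"Exif\x00\x00" + thumb
    app1 = b"\xff\xe1" + (2 + len(app1_payload)).to_bytes(2, "big") + app1_payload
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\x78"              # FF 00 is byte stuffing, not EOI
    jpeg = b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9"
    ihdr = (13).to_bytes(4, "big") + b"IHDR" + bytes(13) + b"\xde\xad\xbe\xef"
    iend = (0).to_bytes(4, "big") + b"IEND" + b"\xae\x42\x60\x82"
    return bytes(64) + jpeg + b"garbage text" + PNG_SIG + ihdr + iend + bytes(64)
```

Run `carve_image_file("mmcblk0.raw", "carved")` against an acquired image to get one file per hit, named by its byte offset. The huge hit count the post reports is expected with this approach: every cached web image whose bytes still sit in unallocated flash is indistinguishable, to a signature scanner, from a family photo, so the output usually needs a second pass (sorting by size, or by the presence of an EXIF segment with camera make and model) to surface the pictures that were actually taken with the phone.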
While the end result wasn't perfect, I was able to recover quite a number of images from the phone. Crisis averted, and my co-worker's marriage was saved. I must say that I was somewhat surprised by the sheer number of images that were recovered from the phone using this technique - hundreds of thousands.
Essentially, it appeared that any web images the phone had downloaded during normal use were cached in its flash memory and were therefore recoverable with these techniques. While this wasn't what we intended to recover, it was interesting to see how much information ultimately ends up stored in a phone's flash memory as it is used.
Don't Underestimate the Power of Forensics Tools
While we typically look at forensics tools as a method for gathering evidence for legal and law enforcement purposes, we should not underestimate the power of leveraging these tools for other uses. I am a strong proponent of integrating forensics techniques into a variety of processes where they are practical, and this case was no exception.
That being said, I don't foresee Hurricane Labs creating a forensic marriage saving department in the near future.