Time
4 hours
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
hi and welcome to everyday digital forensics. I'm your hostess and he said, And in today's mantra of mobile forensics, I'm gonna examine in Android virtual disk image.
00:11
So in today's videos, we have to android images dot gov and dot VD h. Cain
00:18
that we're gonna go ahead and compare the differences in the data that's displayed an autopsy and anti K for both of the images.
00:26
So here we have autopsy opens up on and both images are available. We have our dot VD i and R 0.0.0 v a.
00:35
Take a look at the hex values over dot beady eye.
00:39
You can see that this is an article V M virtual box this image
00:44
and just kind of slide through the kind of showing the different data information. So first would be the identifier of what the devices Maybe some boot loaders, depending on the image,
00:53
and then use girl down to data here. We see that way, see no data whatsoever.
01:00
Moving over to the dot gov a. We have our files and a fire, which with the name and then some values most likely time stamps
01:08
versions.
01:12
Breakdown of the device details such a networking and some of the configurations and settings that are in Ebel's
01:21
this size CPU
01:27
description. Some of the element values that you confined once you're loaded that are better defaulted to this image.
01:36
We can also see the name of the file or device itself. So this is a virtual box machine with version 1.6 Lennox and drinks for
01:46
and you're always type of Lennox to six underscore 60 Forces is a 64 bit medics
01:52
running Andrew.
01:56
We get Last State changed is the last time that the state in itself changed. So we created an image at that point, and that was the point of accusation.
02:06
Some more interesting information that you can find is the Mac address. So the Mac address is pounds in your 0.0 v. Eight.
02:13
You also have not network details,
02:15
any network information. So this is networks that it connected Teoh or was connected to, at the time
02:23
particular time, Sam specially of guests.
02:28
If they were able to read and what kind of flags were set on them
02:31
now moving over to F. T. K,
02:34
it's gonna see what values that this gives us.
02:37
So we're gonna open up our data sources.
02:44
And first start with the dot V I
02:50
So just in itself the dot b I gave so much more information here than it did in autopsy. A first class.
02:58
You have your
02:59
offset zero, which identifies what it is.
03:01
And you can just kind of tell the difference here. Talks about the oracle
03:07
VD I
03:10
we're in after Kate. You're actually given information
03:14
on the device itself, but on the left, you can actually go through the fall system.
03:20
You go to the first partition or the UN partition space, which is this empty slack space
03:25
here. We have no way to trans verse, no way to actually look for any files. They're gonna exit out of autopsy
03:32
and see what details abdicate gives us.
03:37
Now we've broken down to root and unallocated space route will be your main user.
03:44
So moving into the no name we see are different blocks very similar in the NT. If Esther you had her on meth T your bit map
03:53
and those different values bad blocks, you can see some similarities in your NDFs and your injury.
04:00
In just this one section based on the additional houses of objects that has
04:06
you ever allocated space that kind of break sound into random
04:11
directories of numbers. Not gonna go into that detail.
04:14
You have your master boot record, which is a storage of your files
04:17
and links. As you can see, this is the same information that you saw at first glance when use when we selected the thought VD I
04:28
You can see partition. One starts at physical sector zero where
04:33
the master boot record and the original starts at Sector Jerrelle.
04:39
So this is sector Zero,
04:41
your original images at sector zero. That's why you may see similarities
04:45
and what's being displayed.
04:46
So I hope you enjoyed today's video and where we quickly examined to Android fouled images one of dot gov a another dot VD I in both autopsy and abdicate. We also compare the differences in the data that's displayed an autopsy, an uptick A
05:03
has seen an F decay, an autopsy for your dot beady eye. Your autopsy just kind of gave you
05:09
a small view of your not beady eye folder.
05:13
But when you went into F ck, you had the option of trans Mersing through the different sections. Your ableto first see your master boot record. See where the physical location, physical sector location that you're viewing. See your root folder go through your root folder directories as well. See the UN partition space
05:32
that's available.
05:33
We don't go into too much details over the files or the information in there. This is just more of a view or feel for how the foul system looks. And there was a section there were. It was it showed bad sectors.
05:46
It showed back clusters and similar information that could be seen in an empty FS fall system. Such a Jew pot, Klosters, some of your attributes
05:57
and so on.
05:58
I hope you enjoyed today's video and future lectures. I look forward to examining some of the images that were acquired during the organization face. We're gonna perform some of the centre graphic techniques.
06:10
We're also gonna see how to properly check and execute a malicious file and explore some of the professional tools at both a beginner and advanced level.
06:17
I hope you enjoyed today's video, and I'll control next one

Up Next

Everyday Digital Forensics

In this course, you will be presented with an overview of the principles and techniques for digital forensics investigation in the spectrum of file system analysis.

Instructed By

Instructor Profile Image
Yesenia Yser
Engineering Manager, Security Research & Development at SoFL, Women in Tech Committee Member, University Outreach and STEM Instructor
Instructor