Examining an Android Virtual Disk Image

00:00

hi and welcome to everyday digital forensics. I'm your hostess and he said, And in today's mantra of mobile forensics, I'm gonna examine in Android virtual disk image.

00:11

So in today's videos, we have to android images dot gov and dot VD h. Cain

00:18

that we're gonna go ahead and compare the differences in the data that's displayed an autopsy and anti K for both of the images.

00:26

So here we have autopsy opens up on and both images are available. We have our dot VD i and R 0.0.0 v a.

00:35

Take a look at the hex values over dot beady eye.

00:39

You can see that this is an article V M virtual box this image

00:44

and just kind of slide through the kind of showing the different data information. So first would be the identifier of what the devices Maybe some boot loaders, depending on the image,

00:53

and then use girl down to data here. We see that way, see no data whatsoever.

01:00

Moving over to the dot gov a. We have our files and a fire, which with the name and then some values most likely time stamps

01:08

versions.

01:12

Breakdown of the device details such a networking and some of the configurations and settings that are in Ebel's

01:21

this size CPU

01:27

description. Some of the element values that you confined once you're loaded that are better defaulted to this image.

01:36

We can also see the name of the file or device itself. So this is a virtual box machine with version 1.6 Lennox and drinks for

01:46

and you're always type of Lennox to six underscore 60 Forces is a 64 bit medics

01:52

running Andrew.

01:56

We get Last State changed is the last time that the state in itself changed. So we created an image at that point, and that was the point of accusation.

02:06

Some more interesting information that you can find is the Mac address. So the Mac address is pounds in your 0.0 v. Eight.

02:13

You also have not network details,

02:15

any network information. So this is networks that it connected Teoh or was connected to, at the time

02:23

particular time, Sam specially of guests.

02:28

If they were able to read and what kind of flags were set on them

02:31

now moving over to F. T. K,

02:34

it's gonna see what values that this gives us.

02:37

So we're gonna open up our data sources.

02:44

And first start with the dot V I

02:50

So just in itself the dot b I gave so much more information here than it did in autopsy. A first class.

02:58

You have your

02:59

offset zero, which identifies what it is.

03:01

And you can just kind of tell the difference here. Talks about the oracle

03:07

VD I

03:10

we're in after Kate. You're actually given information

03:14

on the device itself, but on the left, you can actually go through the fall system.

03:20

You go to the first partition or the UN partition space, which is this empty slack space

03:25

here. We have no way to trans verse, no way to actually look for any files. They're gonna exit out of autopsy

03:32

and see what details abdicate gives us.

03:37

Now we've broken down to root and unallocated space route will be your main user.

03:44

So moving into the no name we see are different blocks very similar in the NT. If Esther you had her on meth T your bit map

03:53

and those different values bad blocks, you can see some similarities in your NDFs and your injury.

04:00

In just this one section based on the additional houses of objects that has

04:06

you ever allocated space that kind of break sound into random

04:11

directories of numbers. Not gonna go into that detail.

04:14

You have your master boot record, which is a storage of your files

04:17

and links. As you can see, this is the same information that you saw at first glance when use when we selected the thought VD I

04:28

You can see partition. One starts at physical sector zero where

04:33

the master boot record and the original starts at Sector Jerrelle.

04:39

So this is sector Zero,

04:41

your original images at sector zero. That's why you may see similarities

04:45

and what's being displayed.

04:46

So I hope you enjoyed today's video and where we quickly examined to Android fouled images one of dot gov a another dot VD I in both autopsy and abdicate. We also compare the differences in the data that's displayed an autopsy, an uptick A

05:03

has seen an F decay, an autopsy for your dot beady eye. Your autopsy just kind of gave you

05:09

a small view of your not beady eye folder.

05:13

But when you went into F ck, you had the option of trans Mersing through the different sections. Your ableto first see your master boot record. See where the physical location, physical sector location that you're viewing. See your root folder go through your root folder directories as well. See the UN partition space

05:32

that's available.

05:33

We don't go into too much details over the files or the information in there. This is just more of a view or feel for how the foul system looks. And there was a section there were. It was it showed bad sectors.

05:46

It showed back clusters and similar information that could be seen in an empty FS fall system. Such a Jew pot, Klosters, some of your attributes

05:57

and so on.

05:58

I hope you enjoyed today's video and future lectures. I look forward to examining some of the images that were acquired during the organization face. We're gonna perform some of the centre graphic techniques.

06:10

We're also gonna see how to properly check and execute a malicious file and explore some of the professional tools at both a beginner and advanced level.