Issues with analyzing physical dumps

The most common problem we see on many forensic forums and email lists is examiners obtaining a physical dump and then not being able to load that dump into a tool that claims to support the device. The vast majority of the time, this is because the examiner fails to account for the out-of-band (OOB) area.

The OOB area, sometimes called spare area, is a small section of the flash memory that's been reserved for metadata. The metadata usually consists of error-correcting code (ECC), information about bad blocks, and in some cases, information about the file system. This causes an issue for examiners because most mobile forensic tools do not account for the OOB area; they expect it to not be included in the image. When presenting the tool with an image containing spare area, the tool frequently does not know what to do and fails to parse the data properly.

The reason that tools fail to account for the OOB area is that it is not included in dd images, which is what most tools use to create their images. The OOB area may be included when using nanddump, though depending on the binary used, there may be an option to exclude it. The OOB area is included with chip-off and JTAG images.

To properly load the image into forensic tools, the OOB area will need to be removed first. A general rule of thumb is that the OOB size is based on the page size of the device; for every 512 bytes of page size, there will be 16 bytes of OOB space. For example, a device with 2,048 byte page sizes would likely have 64 bytes of OOB area at the end of each page. However, this is completely up to the memory manufacturer. Before attempting to remove OOB area, an examiner should find the datasheet for the specific memory chip to confirm the page and OOB area sizes. This can generally be done by finding the memory chip on the phone's circuit board and searching for the model number of the chip.

The following is some sample code for a Python script that will remove the OOB area from an image. Just as in the last chapter, we don't claim to be Python experts and we're sure there are better, more efficient ways to do this, but it does work:

import sys

file_to_parse = open(sys.argv[1], 'rb')
file_after_removal = open('file_out.bin', 'wb')

while file_to_parse:
    # Read one 2,048-byte page of user data
    lines_out = file_to_parse.read(2048)
    if lines_out:
        file_after_removal.write(lines_out)
        # Skip the 64-byte OOB area that follows the page
        file_to_parse.seek(64, 1)
    if not lines_out:
        break

print('Done')
file_to_parse.close()
file_after_removal.close()

This file, if named OOB_Remover.py, would be executed with the following command:

python OOB_Remover.py C:\Users\Android_Examiner\physicaldump.bin

The output file, with no OOB area, would be named file_out.bin in the directory where the script was executed. The original is not edited or modified in any way.

Note that the code as it is written assumes a page size of 2,048 bytes and an OOB size of 64 bytes; these two numbers would have to be edited to match the specific sizes of the memory chip the image was taken from. The output should then load into commercial mobile forensic tools.
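A more general version of the script, added here as an example and not the book's own code: it takes the page and OOB sizes as parameters (falling back to the 16-bytes-per-512 rule of thumb when no OOB size is given), refuses a dump whose length is not a whole number of page+OOB records instead of silently producing a misaligned image, and streams the file record by record so large dumps fit in memory. The sample dump at the bottom is constructed for illustration.

```python
import sys


def oob_size_for_page(page_size):
    """Rule-of-thumb spare size: 16 bytes of OOB for every 512 bytes of page.
    A starting point only; the chip's datasheet is authoritative."""
    if page_size <= 0 or page_size % 512:
        raise ValueError("page size must be a positive multiple of 512")
    return page_size // 512 * 16


def strip_oob(image, page_size, oob_size):
    """Return the image with the spare area removed from the end of every page.

    A raw dump is a run of (page_size + oob_size)-byte records. If the length
    is not a whole number of records, the assumed sizes do not match the chip,
    so refuse rather than emit a silently misaligned image.
    """
    record = page_size + oob_size
    if len(image) % record:
        raise ValueError("image length %d is not a multiple of page+OOB size %d"
                         % (len(image), record))
    return b"".join(image[i:i + page_size] for i in range(0, len(image), record))


def strip_oob_file(src_path, dst_path, page_size, oob_size):
    """Stream a dump record by record so multi-gigabyte images fit in memory.
    Returns the number of pages written; the source file is never modified."""
    record = page_size + oob_size
    pages = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(record)
            if not chunk:
                break
            if len(chunk) != record:
                raise ValueError("trailing partial record of %d bytes" % len(chunk))
            dst.write(chunk[:page_size])
            pages += 1
    return pages


# Constructed sample: three 512-byte pages, each followed by a 16-byte spare
# area of 0xFF (what an erased OOB typically reads), so the layout is easy to see.
SAMPLE_DUMP = b"".join(bytes([c]) * 512 + b"\xff" * 16 for c in b"ABC")

if __name__ == "__main__":
    # Usage: python strip_oob.py <dump.bin> <out.bin> <page_size> [oob_size]
    page = int(sys.argv[3])
    oob = int(sys.argv[4]) if len(sys.argv) > 4 else oob_size_for_page(page)
    print("wrote %d pages" % strip_oob_file(sys.argv[1], sys.argv[2], page, oob))
```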
