In this chapter, we discussed several techniques that are used for physically imaging internal memory or SD cards, and some of the common problems associated with them:
Technique
Problems associated
dd
Usually preinstalled on device
May not work on MTD blocks
Does not obtain the out-of-band area
nanddump
Not commonly found on the device, must be pushed to device
Works well with MTD blocks
May obtain the out-of-band area, based on options in the binary used
Additionally, each imaging technique can be used to either save the image on the device (typically on the SD card), or used with netcat to write the file to the examiner's computer:
Technique
Features
Writing to SD card
Easy, doesn't require additional binaries to be pushed to the device
Familiar to most examiners
Cannot be used if SD card is symbolically linked to the partition being imaged
Cannot be used if the entire memory is being imaged
Using netcat
Usually requires yet another binary to be pushed to the device on older devices
Somewhat complicated, must follow steps exactly
Works no matter what is being imaged
May be more time-consuming than writing to the SD
Some tools that can be used for RAM imaging were also introduced:
Tool
Features
LiME
Must be compiled for each device being examined
Very complicated process
Known, well-documented procedures for analysis
Output is a dump of all RAM
Finally, we briefly discussed chip-off and JTAG techniques at an introductory level.
In the next chapter, we will demonstrate the recovery of deleted data from physical images, like the ones created in this chapter.
