Leveraging Forensics to Recover Precious Memories: The Intro
Once upon a time, a co-worker approached me with a dilemma: a software update on his wife’s phone had failed, resulting in the apparent loss of all data on the device, including many irreplaceable family photos. He asked if there was anything I could do to help. To me, it was the perfect opportunity to leverage computer forensics to do something good and hopefully recover some precious memories.
I cannot emphasize enough the importance of regular backups for any data that is important. Please do not rely on the techniques described in this post as a backup alternative.
The phone in question was an older Android phone that had already been rooted. This allowed for USB debugging to be enabled on the phone, and accessed through a program called Android Debug Bridge (adb), which can be used to debug Android devices from a Linux workstation.
An Opportunity to Use Traditional Forensics Techniques
Since this wasn’t a formal forensics investigation, and our primary goal was data recovery, I could be more flexible with my data acquisition techniques. Ultimately, I needed to find a way to make a disk image of the phone’s internal storage, which I could then analyze using traditional forensics techniques.
With the phone in USB debugging mode, I was able to list out the connected devices using the Android debugger:
Once I confirmed that the device was detected, I could use the debugger to execute the shell on the Android device over the USB connection, and explore the internal system structure, including the list of devices.
After some exploration, I was able to determine that /dev/block/mmcblk0 was the device that contained the majority of the system storage space, and was most likely the location I would want to image and analyze.
It was now a matter of determining how to transfer the contents of this block device to my laptop using the debug connection. Fortunately, the Android debugger supports the forwarding of a TCP port from the phone to the debug machine:
Once this forwarding was established, I could execute a shell to the phone again and leverage the power of netcat (which, according to the description in its man page “is used for just about anything under the sun involving TCP, UDP, or UNIX-domain sockets”), to transfer the contents of the flash memory from the phone:
To my machine (I used pv to provide a status bar, but it’s not absolutely necessary):
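The acquisition steps described above (check the device is seen by adb, forward a TCP port, stream the block device through netcat, write it to the workstation) as one added example; this is not the post's own command listing. It assumes a rooted phone with USB debugging enabled and authorized, `adb` in PATH on the workstation, a busybox-style `nc` on the phone, and the `/dev/block/mmcblk0` path named in the post; the port number 5555 and the phone-side command line are assumptions. Instead of `pv`, the receiver prints coarse progress and hashes the stream as it lands, so the image can be verified afterwards, and `loopback_check` lets you validate the receiver against a local socket before a phone is attached.

```python
"""Added example, not code from the original post: image an Android block
device over an adb-forwarded TCP port and netcat, hashing the stream as it
lands so the image can be verified later."""
import hashlib
import socket
import subprocess
import sys
import tempfile
import threading
import time

BLOCK_DEV = "/dev/block/mmcblk0"   # device named in the post
PORT = 5555                        # assumed port to forward phone -> workstation
CHUNK = 1 << 16


def parse_adb_devices(text):
    """Serials in the 'device' state from `adb devices` output.
    Entries marked 'unauthorized' or 'offline' cannot be imaged yet."""
    serials = []
    for line in text.splitlines()[1:]:          # line 0 is the header
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "device":
            serials.append(parts[0])
    return serials


def receive_image(host, port, out_path, report_every=64 << 20):
    """Read a raw stream from host:port into out_path; return (bytes, sha256 hex)."""
    digest = hashlib.sha256()
    total, next_report = 0, report_every
    with socket.create_connection((host, port)) as sock, open(out_path, "wb") as out:
        while True:
            chunk = sock.recv(CHUNK)
            if not chunk:                       # sender closed: end of device
                break
            out.write(chunk)
            digest.update(chunk)
            total += len(chunk)
            if total >= next_report:            # crude progress, stands in for pv
                print(f"{total >> 20} MiB received", file=sys.stderr)
                next_report += report_every
    return total, digest.hexdigest()


def acquire(serial, out_path):
    """Forward the port, start netcat on the phone as root, pull the stream."""
    adb = ["adb", "-s", serial]
    subprocess.run(adb + ["forward", f"tcp:{PORT}", f"tcp:{PORT}"], check=True)
    # Phone side: stream the raw device into a listening netcat. Flags vary
    # between netcat builds; '-l -p' is the busybox form (assumption).
    phone_cmd = f"su -c 'dd if={BLOCK_DEV} bs=4096 | nc -l -p {PORT}'"
    listener = subprocess.Popen(adb + ["shell", phone_cmd])
    time.sleep(2)                               # let the phone-side listener come up
    try:
        size, sha = receive_image("127.0.0.1", PORT, out_path)
    finally:
        listener.wait()
    if size == 0:
        raise RuntimeError("received nothing; is nc listening on the phone?")
    return size, sha


def loopback_check(payload):
    """Dry run without a phone: serve `payload` on a local port and receive it.
    Returns (bytes, sha256 hex) so the receiver can be validated beforehand."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    with tempfile.NamedTemporaryFile(suffix=".dd") as tmp:
        return receive_image("127.0.0.1", srv.getsockname()[1], tmp.name)


if __name__ == "__main__":
    if "--selftest" in sys.argv:
        print(loopback_check(b"abc"))           # 3 bytes and the sha256 of 'abc'
        sys.exit(0)
    out = subprocess.run(["adb", "devices"], capture_output=True, text=True, check=True).stdout
    ready = parse_adb_devices(out)
    if not ready:
        sys.exit("no device in 'device' state; check USB debugging authorization")
    size, sha = acquire(ready[0], sys.argv[1] if len(sys.argv) > 1 else "mmcblk0.dd")
    print(f"wrote {size} bytes, sha256={sha}")
```

Record the size and hash printed at the end alongside the image: comparing them against a hash computed on the phone (if its toolbox has `sha256sum` or `md5sum`) is the cheapest way to confirm the transfer was complete before spending hours on carving.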
At this point, I had an image of the phone that I could run through traditional forensics tools. Since the filesystem was corrupt, I decided to leverage a file-carving tool called SFDUMPER (selective file dumper) to recover image files from the disk image.
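To show what the file-carving step does underneath, here is an added, deliberately minimal JPEG carver; it is not SFDUMPER's code and makes no claim about how that tool is implemented. It ignores the (corrupt) filesystem entirely and scans the raw image for the JPEG start-of-image marker (FF D8 FF) followed by an end-of-image marker (FF D9), which is the same signature-based idea. The `min_size` and `max_size` limits are assumed sanity bounds, not values from the post.

```python
"""Added example, not SFDUMPER's code: signature-based JPEG carving from a
raw disk image, independent of filesystem state."""
import mmap
import os
import sys

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus the first byte of the next marker
EOI = b"\xff\xd9"       # JPEG end-of-image marker


def carve_jpegs(data, min_size=1024, max_size=16 << 20):
    """Yield (offset, length) for each candidate JPEG in a bytes-like object.
    Works on bytes or an mmap, so a multi-GB image need not be loaded into RAM.
    Limitation: a JPEG with an embedded thumbnail contains an inner FF D9 and
    will be cut short here; real carvers walk the segment structure instead."""
    pos = 0
    while True:
        start = data.find(SOI, pos)
        if start == -1:
            return
        # Look for the terminator only within max_size bytes of the start.
        end = data.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            pos = start + 1          # no terminator in range: not a usable candidate
            continue
        length = end + len(EOI) - start
        if length >= min_size:       # drop tiny fragments that are almost never real photos
            yield start, length
        pos = end + len(EOI)


def carve_file(image_path, out_dir, **limits):
    """Carve every candidate JPEG from image_path into out_dir; return the paths written.
    Files are named by their byte offset so each result can be traced back to the image."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    with open(image_path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for offset, length in carve_jpegs(mm, **limits):
            path = os.path.join(out_dir, f"{offset:012x}.jpg")
            with open(path, "wb") as out:
                out.write(mm[offset:offset + length])
            written.append(path)
    return written


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} IMAGE.dd OUT_DIR")
    for p in carve_file(sys.argv[1], sys.argv[2]):
        print(p)
```

Because the scan pays no attention to where files "should" be, it also returns every cached web image that ever hit the flash, which is exactly the flood of unexpected results the post describes; sorting the output by size or by image dimensions is the usual first filter.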
While the end result wasn’t perfect, I was able to recover quite a number of images from the phone. Crisis averted, and my co-worker’s marriage was saved. I must say that I was somewhat surprised by the sheer number of images that were recovered from the phone using this technique – hundreds of thousands.
Essentially, it appeared as if any web images downloaded by the phone, as it was used, were cached in the phone’s flash memory and therefore recoverable using these techniques. While this wasn’t what we intended to recover, it was interesting to see how much information ultimately is stored in the flash memory of a phone as it is used.
Don’t Underestimate the Power of Forensics Tools
While we typically look at forensics tools as a method for gathering evidence for legal and law enforcement purposes, we should not underestimate the power of leveraging these tools for other uses. I am a strong proponent of integrating forensics techniques into a variety of processes where they are practical, and this case was no exception.
That being said, I don’t foresee Hurricane Labs creating a forensic marriage saving department in the near future.