From the preceding output, we can identify the blocks where the /system, /data, and /cache partitions are mounted. Although it's important to image all the files, most of the data is present in the /data and /system partitions. When time allows, all partitions should be acquired for completeness. Once this is done, execute the following command to image the device:
dd if=/dev/block/mmcblk0p12 of=/sdcard/tmp.image
In the preceding example, the data partition of a Samsung Galaxy SIII was used (where if= names the input file and of= names the output file).
The preceding command will make a bit-by-bit image of the mmcblk0p12 file (data partition) and copy the image file to an SD card. Once this is done, the dd image file can be analyzed using the available forensic software.
Tip
The examiner must ensure that the SD card has enough storage space to contain the data partition image. Other methods are available to acquire data from rooted devices.
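
The following is an added example, not part of the original text: it wraps the dd step above with the free-space check from the tip and a SHA-256 verification of the stored image. The function names are hypothetical, and it assumes dd, df, wc, tee, awk and sha256sum are available (for example via BusyBox on the rooted device).

```shell
#!/bin/sh
# Added example (not from the original text). Assumes dd, df, wc, tee, awk and
# sha256sum are available, e.g. via BusyBox on the rooted device.

# Size in bytes of a block device or regular file.
src_size() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Succeeds only if the filesystem holding directory $2 has >= $1 KiB free.
enough_space() {
    free_kb=$(df -Pk "$2" | awk 'NR==2 { print $4 }')
    [ "$1" -le "$free_kb" ]
}

hash_of() { sha256sum "$1" | awk '{ print $1 }'; }

# image_and_verify SRC DST: image SRC to DST, hashing the bytes as they are
# read, then confirm the stored image has the same size and SHA-256.
image_and_verify() {
    src=$1; dst=$2
    size=$(src_size "$src")
    need_kb=$(( (size + 1023) / 1024 ))
    if ! enough_space "$need_kb" "$(dirname "$dst")"; then
        echo "insufficient space for ${need_kb} KiB image" >&2
        return 2
    fi
    # Hash the stream dd reads, so a live partition is not re-read afterwards.
    read_hash=$(dd if="$src" bs=4096 2>/dev/null | tee "$dst" | sha256sum |
                awk '{ print $1 }')
    [ "$(src_size "$dst")" -eq "$size" ] || return 1   # short read or write
    [ "$read_hash" = "$(hash_of "$dst")" ] || return 1 # image corrupted
    echo "$read_hash  $dst" > "$dst.sha256"            # record for the case file
}

# Usage with the page's paths:
#   image_and_verify /dev/block/mmcblk0p12 /sdcard/tmp.image
if [ "$#" -eq 2 ]; then image_and_verify "$1" "$2"; fi
```

The hash is taken from the bytes as dd reads them because a mounted /data partition can change between reads, so re-hashing the source afterwards may not match.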