ANDROID FORENSIC DEEP DIVE presented at Breakpoint 2012

by Bradley Schatz

Tags: Android Computer Forensics YAFFS2

Summary: This lecture will provide a detailed introduction to forensic acquisition and analysis of Android devices, with a focus primarily on interpretation of the YAFFS2 filesystem. The techniques of acquiring the flash memory of such devices will be described and the limitations and advantages of each approach identified. These will include the use of jailbreak/OS tools, JTAG hardware debug interfaces, and the physical removal of flash memory. Techniques for analysing the YAFFS2 filesystem of Android will then be described, including recovery of past versions of deleted files. Finally, an overview of key evidential artefacts present within the filesystem will be presented.