After the dd raw dump was created as per the procedure outlined above,
the manual analysis commenced to extract the test data from the mobile. For
this, the concept of file signature analysis as specified in [4] was utilised.
Every file extension or type has a unique file signature which consists of a
header and a footer. The actual data of the file is stored between the header
and footer for that particular file type. For example, for a .jpeg file the header
and footer are FF D8 FF and FF D9 respectively. All bytes stored between the
header and footer, when copied from the hex dump and pasted into a separate file
with the extension .jpeg, lead to recovery of the original file.
A search was carried out for the header and footer in the hex dump as
stated above. After extracting the required bytes and creating a file with the
desired extension, the hash of the file was calculated. The analysis of this
raw dump was also done using commercial tools like Mobiledit and UFED. This
process was repeated for another file having the same extension. Subsequently,
four more different file types were extracted in the same way.
The experiment was repeated with two virtual and two real devices with
similar Android versions, each having five different file types as test data.
The results obtained are discussed in the Result section.
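The header/footer search and hashing steps described above, written out as an added Python example (this is not code from the paper, and the carver is a simplified stand-in for the manual search done in the hex editor). It carves every JPEG (FF D8 FF ... FF D9) and PDF (%PDF ... %%EOF) instance from an in-memory image and computes a SHA-256 hash of each carved file, as the procedure does after extraction. The image it runs over is a constructed byte string, not a real dd dump; the docx, zip and mp4 types used in the experiment are left out because their trailers are variable-length and cannot be found by a plain footer match.

```python
import hashlib
from dataclasses import dataclass

# Header/footer signatures for two of the file types used in the experiment.
# JPEG: start-of-image FF D8 FF, end-of-image FF D9. PDF: "%PDF" ... "%%EOF".
SIGNATURES = {
    "jpeg": (bytes.fromhex("FFD8FF"), bytes.fromhex("FFD9")),
    "pdf": (b"%PDF", b"%%EOF"),
}


@dataclass
class CarvedFile:
    ext: str      # extension to give the recovered file
    offset: int   # byte offset of the header inside the image
    data: bytes   # header + body + footer, exactly as found

    @property
    def sha256(self) -> str:
        # Hash of the recovered bytes, as calculated in the procedure above.
        return hashlib.sha256(self.data).hexdigest()


def carve(image: bytes, signatures=SIGNATURES):
    """Return every header..footer span in `image`, sorted by offset.

    A header with no following footer is treated as a truncated file and
    skipped rather than carved to the end of the image.
    """
    results = []
    for ext, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            # Footer must lie after the header, never overlap it.
            end = image.find(footer, start + len(header))
            if end == -1:
                break
            stop = end + len(footer)
            results.append(CarvedFile(ext, start, image[start:stop]))
            pos = stop
    results.sort(key=lambda f: f.offset)
    return results


def write_carved(files, prefix="carved"):
    """Write each carved span to <prefix>_<offset>.<ext>, returning the paths."""
    paths = []
    for f in files:
        path = f"{prefix}_{f.offset}.{f.ext}"
        with open(path, "wb") as fh:
            fh.write(f.data)
        paths.append(path)
    return paths


# Constructed sample "dump" (not real device data): zero filler around a
# minimal JPEG-shaped blob and a minimal PDF-shaped blob.
SAMPLE_JPEG = (bytes.fromhex("FFD8FF") + b"\xe0\x00\x10JFIF\x00" + b"\x01\x02"
               + bytes.fromhex("FFD9"))
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF"
SAMPLE_IMAGE = b"\x00" * 64 + SAMPLE_JPEG + b"\x00" * 32 + SAMPLE_PDF + b"\x00" * 16


if __name__ == "__main__":
    for f in carve(SAMPLE_IMAGE):
        print(f"{f.ext:5s} offset={f.offset:6d} size={len(f.data):6d} sha256={f.sha256}")
```

On a real image, `carve(open("data.dd", "rb").read())` replaces `SAMPLE_IMAGE`; for multi-gigabyte dumps the search should be chunked rather than read whole. Note that a JPEG with an embedded EXIF thumbnail contains an inner FF D9, so the first-footer match can truncate such files; that is a known limitation of pure header/footer carving, not of this particular implementation.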
This experiment was done with non-deleted data. First, a virtual Android
device running Android version 4.4.4 was taken and a total of 10 files was
stored on it: two each of the file types docx, pdf, jpeg, mp4 and zip. The
same set of data was stored on a real Android device running the same Android
version. Each phone was connected separately to the Tamer VM and, using the adb
commands described above, a dd image or raw dump of the /data partition of
the mobile was created. The data partition contains user data such as
contacts, messages, installed apps, etc. The dd image was analysed manually in
wxHexEditor, which displays the hex value of each byte. The desired files were
extracted using the concept of file header and footer described earlier.
After the successful implementation of
experiment 1, another experiment was carried out to find out whether the same
data can be extracted from the proposed method using commercial mobile forensic