Hello,
I’m trying to add a full image of my Redmi Note 4 phone (which has been rooted) to Autopsy, but every time I try, a lot of the image volumes end up unallocated because Autopsy cannot determine the file system type, aside from the few that are actually ext4, which I think are the factory default of some sort? The files that Autopsy gets from the ext4 partitions look like the default system icons and such.
So out of curiosity, I tried to check the device partitions using Sleuth Kit mmls. Here’s the result:
With the mmls result in mind and after googling around, the viable conclusion that I could think of is that the partition that I need (mostly userdata) is probably formatted with a file system that is not available in Autopsy, possibly f2fs.
If that is correct, are there any ways to make Autopsy able to see the partitions?
I’ve been looking up reformatting the image with mkfs, but I think that would destroy the existing data, right?
You are correct that Autopsy doesn’t understand those filesystems, which is what throws the errors on ingest. In regards to your ‘userdata’ partition, can you look at the first sector (10748944) via blkcat or hexdump to determine the filesystem? If it is non-encrypted f2fs, one possible option is to mount the filesystem with f2fs-tools, tar or zip the contents, then feed that extraction into Autopsy.
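An added example, not part of the original reply: a Python sketch of the check suggested above, reading the start of a partition at its mmls sector offset and testing for the ext2/3/4 and F2FS superblock magic values. The function names, the entropy threshold used to flag possibly encrypted data, and the sample images are assumptions constructed for illustration.

```python
import hashlib
import io
import math
import struct
from collections import Counter

SECTOR = 512             # mmls reports offsets in 512-byte sectors by default
SB_OFFSET = 1024         # ext2/3/4 and F2FS superblocks start 1024 bytes into the partition
EXT_MAGIC = 0xEF53       # s_magic: 16-bit little-endian at superblock offset 0x38
F2FS_MAGIC = 0xF2F52010  # 32-bit little-endian at superblock offset 0

def entropy(data):
    """Shannon entropy in bits per byte (0.0 for constant data, about 8.0 for random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def identify(img, start_sector):
    """Classify the partition beginning at start_sector of an open image file."""
    img.seek(start_sector * SECTOR)
    head = img.read(4096)
    if len(head) < SB_OFFSET + 0x3A:
        return "short read"
    if struct.unpack_from("<I", head, SB_OFFSET)[0] == F2FS_MAGIC:
        return "f2fs"
    if struct.unpack_from("<H", head, SB_OFFSET + 0x38)[0] == EXT_MAGIC:
        return "ext2/3/4"
    # Assumed heuristic: no known magic plus near-random bytes suggests encryption.
    if entropy(head) > 7.5:
        return "no magic, high entropy (possibly encrypted)"
    return "unknown"

def sample_image(kind, start_sector=8):
    """Constructed test image: zero padding, then a 4096-byte partition head."""
    part = bytearray(4096)
    if kind == "ext4":
        struct.pack_into("<H", part, SB_OFFSET + 0x38, EXT_MAGIC)
    elif kind == "f2fs":
        struct.pack_into("<I", part, SB_OFFSET, F2FS_MAGIC)
    elif kind == "encrypted":  # deterministic pseudo-random filler
        part[:] = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    return io.BytesIO(bytes(start_sector * SECTOR) + bytes(part))

if __name__ == "__main__":
    for kind in ("ext4", "f2fs", "encrypted", "blank"):
        print(kind, "->", identify(sample_image(kind), 8))
```

Against a real image, open the file with `open(path, "rb")` and pass the start sector that mmls lists for the partition.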
Here is the result for blkcat, though I think I might have done it wrong.
After googling around, I found that I should try to check what filesystem that partition is from my phone, so I went and checked it with diskinfo, and apparently the userdata partition is ext4 but encrypted, and the program said there’s a decrypted block of the same userdata. So I went ahead and imaged that block, and now Autopsy can find and extract several things with that image. The size is also the same as my userdata block-only image, so I guess this problem is solved for my case then. Thank you again for your reply and information!
@asparatu, are you using a specific emulator or something to make an image of an Android device, or where specifically are you creating the Android image?