How to perform a physical acquisition on an SD card using a forensic tool

how to perform a physical acquisition on an sd card using a forensic tool

Following the encryption debate surrounding the San Bernardino shooter’s iPhone and lengthening issues over “digital strip searches” on the U.S. border, an increasing number of persons are paying consideration to the knowledge on your telephone. From the police or border brokers that can search to see who you’ve been speaking with, to hackers and malware-makers that need to exploit vulnerabilities to your instrument or to scouse borrow your id or footage, and companies like Google and others that merely need to stay tabs on the whole thing you do, the knowledge on your smartphone is extra valuable than it has ever been.

Sometimes you want an precise replica of the knowledge on your telephone so you’ll paintings with the replica and go away the unique untouched. One such time is all over a virtual forensic investigation, the place the knowledge’s integrity is essential. Another is when you need to paintings on corrupted or inflamed knowledge with out being concerned about additional harm to the knowledge. In each circumstances making an precise replica of the knowledge and using the replica is very important. The technique of duplicating the knowledge is identical too.

Sometimes you want an precise replica of the knowledge on your telephone so you’ll paintings with the replica and go away the unique untouched

Today we’re going to discover how the method of knowledge acquisition works and what will also be accomplished with it. Data acquisition for an Android instrument is divided into two classes; interior garage and exterior garage. Data acquisition tactics will also be widely labeled into 3 distinct varieties: Manual, Physical, and Logical Acquisition which we can delve into under.

The information will put you within the sneakers of the ones obtaining knowledge from an SD card and display you ways an symbol is created sooner than it’s able to be forensically analysed. Knowing the way it works might allow you to give protection to your self and your knowledge in long term, but it surely’s additionally simply simple interesting.

Manual Acquisition

During a handbook knowledge acquisition, the forensic examiner will use the digital instrument as customary and get right of entry to saved knowledge via its consumer interface. The examiner will then take photos of the display of all of the knowledge provide on the instrument, to doubtlessly be used as proof additional down the road. This process calls for only a few sources and desires no exterior instrument. Its major drawback is that best knowledge visual in the course of the instrument itself is available through the examiner. Any knowledge that would possibly had been deleted or purposely hidden will likely be tougher to to find, due to the the examiner being best view knowledge in the course of the instrument’s consumer interface.

Physical Acquisition

A physical acquisition comes to a bit-for-bit replication of an complete physical knowledge retailer. By having access to the knowledge without delay from the flash reminiscences, this method permits for the extraction and reconstruction of deleted information and information remnants all over the knowledge research level. This procedure is tougher than handbook acquisition as a result of each and every instrument wishes to be made safe towards unauthorized get right of entry to to reminiscence. Digital forensic equipment can help this procedure through enabling get right of entry to to reminiscence, permitting examiners to bypass consumer move codes and trend locks.

Logical Acquisition

Logical extraction acquires data from the instrument using the unique apparatus producer’s utility programming interface to synchronize the telephone’s contents with a laptop. The recovered knowledge is preserved in its authentic state with forensically-sound integrity and due to this fact may well be used as proof in court docket. One good thing about a logical acquisition is that the knowledge is more straightforward to prepare, because it photographs the knowledge construction inside the gadget. Call and textual content logs, contacts, media, and app knowledge provide on the instrument will also be extracted and seen of their respective tree buildings. Unlike a physical acquisition, logical extractions is not going to get well deleted information.

In trendy cellular gadgets, reminiscence is divided between interior and exterior garage. Numerous knowledge lives on SD playing cards, giving customers the danger to build up the entire garage in their instrument. For forensic examiners, SD playing cards constitute some other type of garage which calls for each acquisition and research so as to shape a holistic virtual investigation.  In the walkthrough under, there may be a step by step information on how to create a physical symbol of an SD card. Following the a hit imaging of the reminiscence card, the knowledge will also be analyzed using conventional forensic research equipment.

Physical Imaging of an SD Card using FTK Imager instrument

  • Launch FTK imager (will also be downloaded from right here).

  • Safely take away the SD card out of your Android instrument and insert it into your PC.
  • Navigate to File Create Disk Image

  • A brand new pop up window will ask you to choose form of acquisition, choose “Physical Drive.”

  • Select the SD card from the Source Drives dropdown record.

  • In the “Create Image” window choose “Add” and choose the Destination Image Type “Raw (dd).”

  • Fill out the “Evidence Information” phase with suitable data or skip through urgent subsequent.

  • In the “Select image destination” section browse to an suitable folder to save the picture.

  • Make positive ‘Verify image…’ is ticked sooner than hitting ‘Start’ to start the imaging procedure.

  • The imaging procedure will start. The period of the method will rely on measurement of knowledge saved.

  • After the method is entire a window will pop up with matching hash verification effects if the acquisition used to be a hit.


Acquisition is only the start. Afterward, the imaged information will also be loaded into knowledge research instrument, permitting examiners to flick thru visual and deleted knowledge provide on the instrument. Data acquisition is an very important element of Android forensics and desires to be loose from inaccuracies to make certain not one of the knowledge is manipulated all over the acquisition procedure.

It additionally permits you to get well deleted or broken information, or to take away malware with out using the unique instrument, and due to this fact with out concern of additional corruption. Knowing how forensic analysts paintings too can divulge simply how vulnerable your knowledge is, even after it’s been deleted.

Have you ever had to paintings with corrupted knowledge, and even with delicate knowledge in some more or less legal investigation? Did you utilize a replica? Let me know within the feedback under!

*Feature written through Thomas Wickens – Wickens has a background in forensic computing and safety, and years of revel in as a tech creator.*

Leave a Reply

Your email address will not be published. Required fields are marked *