Hi,
I'm working on a MSc Dissertation for Android forensics and I am
currently trying to extract a YAFFS2 image of the filesystem (mtd0 - mtd6)
from an Android device, load the image into Nandsim with nandwrite and
mount as a filesystem. I have successfully built a Vagrant -Virtualbox VM
with YAFFS2 module as per the video on the www.yaffs.net website.
1. I extract the mtd images from the device with Nandsim
2. Set up the mtdblock and Nandsim
sudo modprobe mtdblock
sudo modprobe nandsim first_id_byte=0x20 second_id_byte=0x71
cache_file=/tmp/nandsim.bin
sudo modprobe yaffs2multi
cat /proc/mtd
dev: size erasesize name mtd0:
10000000 00004000 "NAND simulator partition 0"
3. Write the image into the mtdblock
nandwrite -r -a /dev/mtdblock0 /media/yaffs/mtd3.img
4. Mount the image as a Yaffs2
sudo mount -t yaffs2 /dev/mtdblock0 /mnt/yaffs2/
5. When I browse to /mnt/yaffs2/ there is only a folder 'lost & Found'
I get no errors during the mount or nandwrite? Is it possible that because
I used a cross-compiled Arch-Arm Linux version of Nanddump and an x86
version of Nandwrite that there are incompatibilities. To find out I am
attempting to build Yaffs2 module into the Raspbian Wheezy OS on the
Raspberry PI. I tried to add yaffs2 module to it, but I am unsure how to do
this. If you have any advice I would appreciate it, because I have put a of
great deal of work into researching YAFFS2 and this is the final stage.
I was however able to take an image using Nandroid and then use unyaffs to
extract directories. This did work, but it is not a suitable method for
forensics.
Regards
Darragh Merrick
(text/plain)