I wanted to find out the storage format of my SCH-R720 Android phone. I wanted to find out the default file and folders that are created by the phone, the file type it uses, and the VBR signature of the Android formatted storage device.
Model Number: SCH-R720
Model Number: SCH-R720
Android Version: 2.3.4
Baseband Version: S:R720.06 x.EH02
Kernel Version: 2.6.35.7
Build number: GINGERBREAD.EH02
Wipe the storage device and fill it with zeros
C:\fau-1.3.0.2390\fau\FAU.x86>wipe -w 00 \\.\physicaldrive1
Forensic Acquisition Tools, 1, 3, 0, 2390 wipe, 1, 3, 0, 2390
Copyright (C) 2002-2009 GMG Systems, Inc.
After the wipe, I have verified the wipe results by searching for anything else, but zeroes on the drive in FTK Imager regular expression ( [^\x00] ).
Formatting
jumpcode no. of fats sectors per track nt reserved volume/partition name
oem/id name root entries no. of heads extended boot signature fat type
bytes per sector total sectors hidden sectors extended boot signature executable signature
sectors per allocation media type total sectors extended boot signature
reserved sectors sectors per fat drive id volume serial number
Formatting the the 2GB MicroSD storage device ( by default the phone formatted the drive to FAT16 ) resulted in the following default file structure ( the RED entry is a deleted entry ). The LOST.DIR is the first directory entry and the volume was no name associated with it by default, thus LOST.DIR create time can be considered the initial format time/date.
| Filename | Full Path | Size | Created | Modified |
| [root] | \[root]\ | 16384 | ||
| VBR | \VBR | 512 | ||
| [unallocated space] | \[unallocated space]\ | 0 | ||
| file system slack | \file system slack | 512 | ||
| FAT1 | \FAT1 | 122368 | ||
| FAT2 | \FAT2 | 122368 | ||
| LOST.DIR | \[root]\LOST.DIR\ | 32768 | 2012-Nov-30 00:48:04 | 2012-Nov-30 00:48:04 |
| .android_secure | \[root]\.android_secure\ | 32768 | 2012-Nov-30 00:48:04 | 2012-Nov-30 00:48:04 |
| DCIM | \[root]\DCIM\ | 32768 | 2012-Nov-30 00:48:04 | 2012-Nov-30 00:48:04 |
| Android | \[root]\Android\ | 32768 | 2012-Nov-30 00:48:05 | 2012-Nov-30 00:48:04 |
| DiskCacheIndex-1701006599.tmp | \[root]\DiskCacheIndex-1701006599.tmp | 0 | 2012-Nov-30 00:48:08 | 2012-Nov-30 00:48:08 |
| data | \[root]\Android\data\ | 32768 | 2012-Nov-30 00:48:05 | 2012-Nov-30 00:48:04 |
| com.cooliris.media | \[root]\Android\data\com.cooliris.media\ | 32768 | 2012-Nov-30 00:48:05 | 2012-Nov-30 00:48:04 |
| cache | \[root]\Android\data\com.cooliris.media\cache\ | 32768 | 2012-Nov-30 00:48:06 | 2012-Nov-30 00:48:06 |
| local-album-cache | \[root]\Android\data\com.cooliris.media\cache\local-album-cache\ | 32768 | 2012-Nov-30 00:48:06 | 2012-Nov-30 00:48:06 |
| local-meta-cache | \[root]\Android\data\com.cooliris.media\cache\local-meta-cache\ | 32768 | 2012-Nov-30 00:48:05 | 2012-Nov-30 00:48:04 |
| local-skip-cache | \[root]\Android\data\com.cooliris.media\cache\local-skip-cache\ | 32768 | 2012-Nov-30 00:48:05 | 2012-Nov-30 00:48:04 |
| local-image-thumbs | \[root]\Android\data\com.cooliris.media\cache\local-image-thumbs\ | 32768 | 2012-Nov-30 00:48:06 | 2012-Nov-30 00:48:06 |
| local-video-thumbs | \[root]\Android\data\com.cooliris.media\cache\local-video-thumbs\ | 32768 | 2012-Nov-30 00:48:06 | 2012-Nov-30 00:48:06 |
| chunk_0 | \[root]\Android\data\com.cooliris.media\cache\local-album-cache\chunk_0 | 10 | 2012-Nov-30 00:48:06 | 2012-Nov-30 00:48:06 |
| index | \[root]\Android\data\com.cooliris.media\cache\local-album-cache\index | 44 | 2012-Nov-30 00:48:06 | 2012-Nov-30 00:48:06 |
| index | \[root]\Android\data\com.cooliris.media\cache\local-image-thumbs\index | 18 | 2012-Nov-30 00:48:08 | 2012-Nov-30 00:48:08 |
Next time, I will explore picture and video storage formats and the reliability of the "Erase SD card" feature the phone provides. I'm curious to find out if that option is a format or a wipe utility.
No comments:
Post a Comment