R/D

Of the many things that I have been working on in between the AccessData Roadshow stops, I thought I would throw out some tidbits that might be of interest to the mobile phone people. FTK4, as well as a version of FTK Imager (soon to be released), allows mounting of YAFFS (Yet Another Flash File System) and YAFFS2 file systems! It is a pretty cool addition because it allows the DD image created by a physical extraction of an Android device with AccessData's MPE+ (Mobile Phone Examiner PLUS) to be mounted. That includes partitions like cache, system, sd, userdata and many others. With these images mounted you now have applications, email, browsers and more at your fingertips.

How about analyzing these images for malware? FTK Imager allows you to mount ANY AD1 as a drive, where you can run any scanners against it to your heart's content. Also, with the release of FTK there is an add-on called Cerberus. The tool works on the code itself, not on a computed hash or signature of the malware. It got me thinking that there may finally be an automated solution to the onslaught of malware Android is seeing. With Cerberus you get ratings on the likelihood of malicious code inside of the package, so no more hunting for signatures or building signatures for some of this malware that is out in the wild. With mobile devices it is hard enough to keep up with the release of the device, let alone malicious code. I think it is a huge step in the right direction and I hope to see Android malware added soon.
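As an added illustration of what mounting such a dump involves (example code written for this post's topic, not AccessData's or the YAFFS project's code): the Python below walks a raw YAFFS2 NAND dump, pulls out the object-header chunks and rebuilds paths, modes and sizes, which is the metadata an examiner triages before pointing a scanner at the extracted files. It assumes the common 2048-byte chunk plus 64-byte spare layout with the packed tags (seq, obj_id, chunk_id, n_bytes) little-endian at the start of the spare, no ECC bytes ahead of the tags and no in-band tags; the sample image is constructed inline.

```python
import struct

# Assumed NAND geometry: 2048-byte data chunk followed by a 64-byte spare (OOB) area,
# with the packed YAFFS2 tags (seq, obj_id, chunk_id, n_bytes) at the start of the spare.
CHUNK, SPARE = 2048, 64
OBJ_TYPES = {0: "unknown", 1: "file", 2: "symlink", 3: "dir", 4: "hardlink", 5: "special"}

def parse_yaffs2_headers(image: bytes) -> list:
    """Walk a raw YAFFS2 dump and return one dict per object-header chunk (chunk_id 0)."""
    objects = []
    for off in range(0, len(image) - (CHUNK + SPARE) + 1, CHUNK + SPARE):
        data = image[off:off + CHUNK]
        spare = image[off + CHUNK:off + CHUNK + SPARE]
        seq, obj_id, chunk_id, _n_bytes = struct.unpack_from("<4I", spare, 0)
        if seq == 0xFFFFFFFF or chunk_id != 0:   # erased page, or a data chunk of a file
            continue
        obj_type, parent = struct.unpack_from("<II", data, 0)
        name = data[10:266].split(b"\x00", 1)[0].decode("utf-8", "replace")
        mode, uid, gid, _atime, mtime, _ctime, size = struct.unpack_from("<7I", data, 268)
        objects.append({"obj_id": obj_id, "parent": parent, "name": name,
                        "type": OBJ_TYPES.get(obj_type, "?"), "mode": mode,
                        "uid": uid, "gid": gid, "mtime": mtime, "size": size})
    return objects

def resolve_paths(objects: list) -> dict:
    """Map each object to its path; parent 1 is the YAFFS root directory."""
    by_id = {o["obj_id"]: o for o in objects}
    def path(o, depth=0):
        if o["parent"] not in by_id or depth > 64:   # root, orphan, or a cycle
            return "/" + o["name"]
        return path(by_id[o["parent"]], depth + 1) + "/" + o["name"]
    return {path(o): o for o in objects}

# --- constructed sample image (not from any real device) ---
def make_chunk(body: bytes, seq: int, obj_id: int, chunk_id: int, n_bytes: int) -> bytes:
    spare = struct.pack("<4I", seq, obj_id, chunk_id, n_bytes).ljust(SPARE, b"\xff")
    return body.ljust(CHUNK, b"\xff") + spare

def make_header(obj_type: int, parent: int, name: str, mode: int, size: int = 0) -> bytes:
    hdr = struct.pack("<IIH", obj_type, parent, 0xFFFF) + name.encode().ljust(256, b"\x00")
    hdr = hdr.ljust(268, b"\xff")                    # 2 bytes of alignment padding
    return hdr + struct.pack("<7I", mode, 1000, 1000, 0, 1300000000, 0, size)

SAMPLE_IMAGE = b"".join([
    make_chunk(make_header(3, 1, "app", 0o40755), 10, 0x101, 0, 0),
    make_chunk(make_header(1, 0x101, "Updater.apk", 0o100644, 1234), 11, 0x102, 0, 0),
    make_chunk(b"PK\x03\x04" + b"A" * 1230, 11, 0x102, 1, 1234),   # the file's data chunk
    b"\xff" * (CHUNK + SPARE),                                       # an erased page
])
```

Calling `resolve_paths(parse_yaffs2_headers(SAMPLE_IMAGE))` yields `/app` and `/app/Updater.apk` with their modes and sizes; on a real dump, check the chunk and spare sizes against the device's NAND before trusting the output.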

About Lee Reiber

Pioneering mobile device forensic examiner, consultant and trainer, software development innovator and former LE officer with the Boise Police Department
