Monday, October 21, 2013

Removable Device Problems

What an Android phone looks like in Windows Explorer
It’s been a few weeks since I last updated. One of the problems that I ran into with my research was with figuring out the difference between removable devices. For this I used an Android phone, a couple flash drives and an iPhone. When I used sbag I was only able to see what appeared to be a disk UUID of the device. So you cannot tell what kind of device it is. You cannot tell what folders they opened on the device but you can tell they opened multiple folders. Each folder is given a different entry but there is no way to tell what folder is visited. 
This is a problem because it becomes harder to figure out what devices they might have stored data on.
ShellBag entries in sbag for the Android phone
However, using RegRipper I was able to get around this problem. RegRipper correctly parses the device's name, so it allowed me to see the device name as it shows up when it is plugged into the computer. I can also mostly see what folders they went to. The one exception is that on the iPhone it does not record the folders below the internal storage one. That is not a big deal because on an iPhone that is not jailbroken there is only one folder path. You can tell exactly what kind of Android phone is plugged in, but I do not think you can tell what kind of iPhone was plugged in.
ShellBag Entries in RegRipper for the same Android phone

I am almost done with my research and have started writing a paper on my findings, which will be done in December at the latest. In the meantime I will update a few more times on a few different parts of my research. If anyone has any preference as to what topics I cover or has any questions, please leave a comment below. Thanks for reading.