Analyzing data in Autopsy

Even though the case is still being loaded and the Ingest Modules are still running (as seen by the progress bar in the bottom right of the previous screenshot), an examiner can begin analyzing the case. Expanding the image file in the upper-left corner will show the partitions/volumes identified by Autopsy:

Autopsy identified 28 partitions on our device. We know that the data partition holds the vast majority of the data we are interested in, so to find it we can simply expand the allocated partitions until we find one that looks like the data partition:

In our image, volume 27 is the data partition. We can see it ...
