This week’s Tip Tuesdays relates to if you use a tool other than Physical Analyzer to create a forensic extraction of a mobile device, such as a full file system extraction. How can you load that into Physical Analyzer?

First, you need to export the full file system into a zip file or bin file, a file that is not proprietary to the extraction tool you are using so it can be ingested into Physical Analyzer.

Then you go to File and Open case. Select Add then Open (Advanced).

Physical Analyzer lets you take control of what you want to parse and the type of plug-ins you want to run against it.

I’m going to choose Blank project. At the top, you select Switch Chain. So, if you have an Android full file system extraction, you could choose Android Full File System, select it, then point it to the zip file that you exported. If there’s a Keystore file associated with it, click on that.

If you have an iPhone rather than an Android where the extraction was created with another forensic tool, you could do the exact same thing.

Choose All Chains, then type in iPhone at the top, and scroll down to iPhone File System or iPhone Full File System. You select it and then follow the same steps as above for Androids.

We want you to be able to parse extractions in Physical Analyzer from any forensic tool, so understanding how to properly do this is extremely important.

Watch the full episode to learn more.

Share this post