Recovering Evidence from F2FS File Systems with IEF
This is the sixth blog post in a series of seven about the new features included in IEF v6.5.
In Internet Evidence Finder (IEF) v6.5 we are now offering support for the F2FS file system. F2FS (Flash-Friendly File System) was originally created by Samsung and is still in development today. The F2FS file system takes into account features of NAND flash-memory-based systems such as SD cards and solid-state drives. Currently, the F2FS file system is used on some versions of Motorola Moto G and Moto X mobile phones. If you have tried to analyze one of these phones without software that supports F2FS, you will have quickly realized that you won’t get a complete view of the important data. F2FS is a unique file system that remains unsupported by almost all forensics tools today.
In previous versions of IEF you could run a search on a mobile image running an F2FS file system, but only at the Sector Level (since F2FS file systems weren’t officially supported).
With the release of IEF v6.5, support for the F2FS file system has been added, and it is now recognized as a source of evidence that can be searched. You are given the option of conducting a Full Search (which is the default option), a Quick Search, or once again a Sector Level Search.
As you can see below, IEF will search the entire disk, recognizing the F2FS file system and therefore searching through various areas of the image.
IEF’s Dynamic App Finder will also try to recover artifacts from obscure or unsupported third-party mobile chat apps it encounters.
Here’s a screenshot of the artifacts that can be recovered by an IEF search from a mobile phone running an F2FS file system:
The team at Magnet Forensics takes great pride in identifying new technologies (like F2FS), and providing you with the best digital forensics tools to find and analyze evidence that could be critical to your investigation.