Forensic capability on mobile devices is urgently needed as modern smartphones become ubiquitous. A common issue with analyzing all but the most recent Android devices is the inability to mount yaffs2 images that have been collected. Yaffs isn't supported "out of the box" on most Linux distributions, but by obtaining or building a kernel module investigators can mount a collected image and further their investigation. Below you can find precompiled modules, instructions for building your own module, and a ready-to-go virtual machine that already has yaffs support.
Yaffs
Yaffs pre-built modules
Here are a few pre-compiled kernel modules for yaffs. Download the file appropriate for your system (determine it via "uname -r"), rename the file to "yaffs.ko" and load it with "insmod". If you'd rather build the module yourself, there are instructions below.
The MULTI builds should work on a wider range of systems.
- Multi kernel versions
  - MULTI-2.6.35.14-96.fc14.x86_64-yaffs.ko
  - MULTI-2.6.35.14-96.fc14.i686-yaffs.ko
  - MULTI-2.6.35.14-96.fc14.i686.PAE-yaffs.ko
- Single kernel versions
  - 2.6.35.10-74.fc14.x86_64-yaffs.ko
  - 2.6.35.12-90.fc14.x86_64-yaffs.ko
  - 2.6.35.13-91.fc14.x86_64-yaffs.ko
  - 2.6.35.13-92.fc14.x86_64-yaffs.ko
  - 2.6.35.14-95.fc14.x86_64-yaffs.ko
  - 2.6.35.14-96.fc14.x86_64-yaffs.ko
Yaffs Virtual Machine
I have built a Fedora 14 VM that has Yaffs2 and MTD support already working. In order to keep the download small, this virtual machine is "minimal": there is very little functionality beyond the basic OS (except, of course, the Yaffs2 additions). You'll need to use yum to add additional software. The VM was created with VMware, but it should work in other virtualization solutions that support the VMware VM format. You will still need to use the MTD modules, nandsim, etc. The root password is "Password".
Fedora 14 Virtual Machine: fc14-yaffs-vmware.tgz
Building Yaffs
Yaffs is now in git, so you can clone the tree to build a kernel module. You need to download the sources for your kernel and build the module against them.
Building the yaffs module:

    YOURKERNELNAME=`uname -r`
    yum install git kernel-devel kernel-PAE-devel ncurses-devel mtd-utils make gcc
    git clone git://www.aleph1.co.uk/yaffs2
    cp -r /usr/src/kernels/$YOURKERNELNAME/ ./
    cd yaffs2
    ./patch-ker.sh c m ../$YOURKERNELNAME/
    cd ../$YOURKERNELNAME/
    make menuconfig
    make clean
    make M=fs/yaffs2 modules
    make M=fs/yaffs2 modules_install
    depmod

Using the yaffs and mtd modules. Loading the modules:

    modprobe mtd
    modprobe mtdchar
    modprobe mtdblock
    modprobe nandsim first_id_byte=0x20 second_id_byte=0xac third_id_byte=0x00 fourth_id_byte=0x15
    modprobe yaffs

Check if they loaded:

    lsmod | grep mtd
    lsmod | grep yaffs

Actually writing the collected data into the nand simulator and mounting:

    nandwrite -a -o /dev/mtd0 YOURCOLLECTEDIMAGE
    mount -t yaffs2 -o ro /dev/mtdblock0 /wherever/you/want/to/mount
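The load, write and mount steps above wrapped in a script with the checks an examiner wants before an image touches the simulated NAND. This is an added example, not code from the original page: it decodes the fourth NAND ID byte the way the kernel NAND core does for this Samsung-style extended ID format (page size, OOB size, erase block size), then confirms the collected image is a whole number of page+OOB units, which is what "nandwrite -o" expects, hashes the image before and after the write as an integrity record, verifies with lsmod that nandsim and yaffs actually loaded, and mounts read-only. The image path, mount point and the ".sha256" sidecar file name are assumptions; the nandsim parameters are the ones the page uses.

```shell
#!/bin/sh
# Added example (not from the original page). Checks around the
# nandsim / nandwrite / mount procedure for a collected yaffs2 image.

# Decode the 4th NAND ID byte (e.g. 0x15 as passed to nandsim) into
# "<page_bytes> <oob_bytes> <block_bytes>", following the large-page
# extended-ID layout used by the kernel NAND core:
#   bits 1:0 page size (1K << n), bit 2 OOB (8 or 16 bytes per 512),
#   bits 5:4 erase block size (64K << n).
decode_fourth_id_byte() {
    byte=$(( $1 ))
    page=$(( 1024 << (byte & 0x3) ))
    oob=$(( (8 << ((byte >> 2) & 0x1)) * (page / 512) ))
    block=$(( 65536 << ((byte >> 4) & 0x3) ))
    echo "$page $oob $block"
}

# nandwrite -o writes page data and OOB data interleaved, so a dump
# taken with OOB must be a multiple of (page + oob) bytes. Any other
# size means the image was collected without OOB or is truncated, and
# writing it would scramble every page boundary.
check_image_geometry() {
    img=$1; page=$2; oob=$3
    size=$(wc -c < "$img")
    unit=$(( page + oob ))
    if [ $(( size % unit )) -ne 0 ]; then
        echo "$img: $size bytes is not a multiple of $unit (page+oob)" >&2
        return 1
    fi
    echo "$img: $(( size / unit )) pages with OOB"
}

# Full procedure. Must run as root on a kernel with the yaffs module
# installed as described above. Assumed arguments: image path, mount point.
mount_collected_image() {
    img=$1; mnt=$2
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }

    # Geometry implied by the page's nandsim parameters (fourth_id_byte=0x15).
    set -- $(decode_fourth_id_byte 0x15)
    check_image_geometry "$img" "$1" "$2" || return 1

    # Integrity record of the evidence file before anything reads it.
    sha256sum "$img" > "$img.sha256"

    modprobe mtd && modprobe mtdchar && modprobe mtdblock || return 1
    modprobe nandsim first_id_byte=0x20 second_id_byte=0xac \
        third_id_byte=0x00 fourth_id_byte=0x15 || return 1
    modprobe yaffs || return 1

    # Confirm the modules really loaded instead of trusting modprobe's silence.
    lsmod | grep -q '^nandsim' || { echo "nandsim not loaded" >&2; return 1; }
    lsmod | grep -q '^yaffs'   || { echo "yaffs not loaded" >&2; return 1; }

    mkdir -p "$mnt"
    nandwrite -a -o /dev/mtd0 "$img" || return 1
    # Read-only mount: yaffs2 garbage collection must never touch the evidence.
    mount -t yaffs2 -o ro /dev/mtdblock0 "$mnt" || return 1

    # The source image must be byte-identical after the write.
    sha256sum -c "$img.sha256"
}

# Usage: sh yaffs_mount.sh /evidence/userdata.img /mnt/evidence
if [ $# -eq 2 ]; then
    mount_collected_image "$1" "$2"
fi
```

The geometry check is the step most often skipped: an image dumped from /dev/mtdblockN (no OOB) looks fine until it is written with -o, after which yaffs2 finds no valid tags and the mount fails or shows an empty tree.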
Android Forensics Recovery Images
The Passe-Partout images now live elsewhere. Reference collected images are also available there.
For convenience, links are also provided here:
acer_liquid_e.zip
dell_streak.zip
google_nexuss.zip
htc_desire.zip
htc_evo.zip
htc_thunderbolt.zip
huawei_pulse.zip
mytouch_4g.zip
lg_optimus.zip
moto_droidog.zip
moto_xoom.zip
galaxys2_zImage.zip
sony_xperiaminipro.zip