Acquiring Android SD cards

As discussed above and in previous chapters, the SD card can refer to a physical, external SD card or a partition within the flash memory. A removable external SD card can be imaged separately from the device through a write-blocker with typical computer forensics tools, or using the dd/nanddump techniques shown in the previous section, although the former is usually faster as it does not need to write data over netcat.

Physically imaging an SD card is very similar to the physical imaging discussed above; in fact, if the SD card is symbolically linked to the /data partition, it would be acquired as part of the /data partition as seen in the Autopsy screenshots. The only difference in the process is that if the SD card is being imaged, the output file cannot be written to the SD card! This means using the netcat methods covered previously is the best option for physically imaging an internal SD card.