Forensic Android Analysis with OverlayFS: Preserving Original System State While Making Persistent Debug Modifications

Introduction: The Challenge of Forensic Android Analysis

Forensic analysis of Android devices presents a unique dilemma: investigators often need to install specialized tools, modify system configurations, or create debug environments to extract crucial evidence. However, any modification to the original system state can compromise the integrity of the evidence, making it inadmissible or challenging to defend in court. Traditional methods often involve creating full disk images, but live analysis or targeted modifications for specific extraction scenarios still pose risks. This is where OverlayFS becomes an invaluable tool, allowing for persistent modifications and debugging while meticulously preserving the underlying original system state.

OverlayFS, a union filesystem, lets you stack a writable directory (the ‘upper’ layer) on top of a read-only directory (the ‘lower’ layer). Any change made through the ‘merged’ view is written only to the upper layer; the lower layer is never written to. This makes it well suited to forensic work, because it gives you a non-destructive way to interact with an Android device’s filesystem. The guarantee holds only as long as the lower partition itself stays mounted read-only and the upper and work directories live on a different partition, which is the arrangement used below.

Understanding OverlayFS Fundamentals

OverlayFS combines a small set of directories into one view. It never writes to the lower layer: a file modified through the merged view is first copied up into the upper layer and the copy is edited, and a deletion is recorded in the upper layer as a whiteout (a character device with device number 0:0) rather than by touching the lower file. Four directories are involved:

  • Lower Directory (lowerdir): This is the original, read-only filesystem you wish to analyze (e.g., /system, /vendor). It remains pristine and unmodified.
  • Upper Directory (upperdir): This is a writable directory where all new files, copied-up modifications, and whiteouts are recorded. It is effectively your scratchpad, and it is also the complete record of what your session changed.
  • Work Directory (workdir): An empty directory that OverlayFS needs for its internal operations (atomic copy-up and renames). It must be on the same filesystem as the upperdir; the mount fails otherwise.
  • Merged Directory (the mount point): This is the unified view where files from both the lowerdir and upperdir are presented. When you access or modify files here, OverlayFS decides which layer to read from and always directs writes to the upper layer.

Prerequisites for Implementation

Before proceeding, ensure you have the following:

  • Rooted Android Device: Essential for accessing system partitions and mounting filesystems.
  • Custom Recovery (e.g., TWRP): Provides a reliable environment to manipulate partitions before the Android OS fully boots, and includes a usable shell.
  • Kernel with OverlayFS Support: Check with grep overlay /proc/filesystems in the recovery shell. Android 10 and later use OverlayFS for adb remount, so the device kernel almost always has it.
  • ADB (Android Debug Bridge): For interacting with the device from your computer.
  • Basic Linux Command-Line Knowledge: Familiarity with mount, mkdir, cp, ls, etc.
  • Sufficient Free Space: On a writable partition (usually /data) for your upperdir and workdir. Every file you modify is copied up in full, so budget for the size of the files you intend to touch, not just the new ones.

Step-by-Step Guide: Implementing OverlayFS for Forensic Analysis

Step 1: Preparing the Device and Filesystem in Recovery

First, we need to boot the device into a custom recovery and prepare the target partitions.

  1. Boot into TWRP Recovery: Power off your device, then boot into TWRP (usually Power + Volume Down, but varies by device).
  2. Access ADB Shell: Connect your device to your computer via USB and open a terminal. Verify ADB connectivity:
    adb devices

    You should see your device listed. Then, enter an ADB shell:

    adb shell

  3. Identify and Remount Target Partition as Read-Only: For forensic integrity, ensure your target partition (e.g., /system) is mounted read-only. This is often the default in TWRP, but verify and enforce it. Check current mounts with mount or cat /proc/mounts and find the entry for /system. On system-as-root devices TWRP mounts the system partition at /system_root instead, and on devices with dynamic partitions the block device is /dev/block/mapper/system rather than a raw /dev/block/sdaX; adjust the paths below accordingly. Let’s assume /dev/block/sdaX is your system partition. For ext4, add noload so that even a read-only mount does not replay the journal and write to the device. Hashing the block device before and after the session (sha256sum /dev/block/sdaX) gives you evidence that the lower layer was never modified.
    umount /system                                 # if already mounted writable
    mount -o ro,noload /dev/block/sdaX /system     # remount read-only; noload is ext4-only, drop it for other filesystems
    mount | grep /system                           # verify the options show ro

  4. Create OverlayFS Directories on a Writable Partition: We’ll use /data as our writable partition. Make sure it’s mounted (on an encrypted device TWRP must have decrypted /data first; otherwise use another writable location such as an external SD card). If not:
    mount /data

    Now, create the necessary directories. Choose a descriptive name, e.g., overlay_system.

    mkdir -p /data/overlay_system/upper /data/overlay_system/work /data/overlay_system/merged

Step 2: Mounting the OverlayFS

With the directories prepared, we can now mount the OverlayFS. This command will take the original /system as the lower layer and the new directories on /data for changes.

mount -t overlay overlay -o lowerdir=/system,upperdir=/data/overlay_system/upper,workdir=/data/overlay_system/work /data/overlay_system/merged

Let’s break down the command:

  • -t overlay: Specifies the filesystem type.
  • overlay: The name recorded as the mount’s source (the first column in /proc/mounts); it is arbitrary but overlay is the convention.
  • lowerdir=/system: Defines the original, read-only /system partition as the base.
  • upperdir=/data/overlay_system/upper: Specifies where all modifications will be stored.
  • workdir=/data/overlay_system/work: The internal working directory for OverlayFS.
  • /data/overlay_system/merged: The new mount point where the merged filesystem view will be accessible.

Verify the mount:

mount | grep overlay

You should see an entry for the overlay filesystem. You can now navigate into /data/overlay_system/merged to interact with the system. Two caveats: the overlay mount itself does not survive a reboot, only the contents of /data/overlay_system/upper do, so repeat this step at the start of every session; and because the overlay is mounted at a separate path rather than over /system, a normally booted Android system never sees your changes, which is exactly what keeps them out of the evidence.
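To put Steps 1 and 2 (and the layer model from the fundamentals section) into a form that can be re-run safely at the start of each session, here is an added example script; it is not part of the original article. It assumes a POSIX shell with the usual toybox/busybox/coreutils tools (grep, stat, mount) in TWRP’s adb shell, run as root, and it uses the article’s paths (/system as the lower layer, /data/overlay_system for everything else) as overridable defaults. The mounted_ro helper accepts an alternative mounts file so the check can be exercised against a constructed sample without root.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Preflight checks plus a guarded mount for a forensic OverlayFS session.
# Assumptions: POSIX sh, root shell in TWRP, toybox/busybox/coreutils tools.

LOWER="${LOWER:-/system}"                 # read-only lower layer (article default)
BASE="${BASE:-/data/overlay_system}"      # upper/work/merged live under here

# 0 if the running kernel registers the overlay filesystem type.
overlay_supported() {
    grep -qw overlay /proc/filesystems
}

# mounted_ro MOUNTPOINT [MOUNTS_FILE]
# 0 if MOUNTPOINT is currently mounted read-only. Reads /proc/mounts by default;
# the optional file argument lets the check run against a saved or sample copy.
# The last matching entry wins, because later mounts shadow earlier ones.
mounted_ro() {
    _mp="$1"; _file="${2:-/proc/mounts}"; _rc=1
    while read -r _dev _dir _type _opts _rest; do
        [ "$_dir" = "$_mp" ] || continue
        case ",$_opts," in
            *,ro,*) _rc=0 ;;
            *)      _rc=1 ;;
        esac
    done < "$_file"
    return $_rc
}

# 0 if both paths are on the same filesystem. OverlayFS requires this for
# upperdir and workdir and rejects the mount with EINVAL otherwise.
same_filesystem() {
    [ "$(stat -c %d "$1")" = "$(stat -c %d "$2")" ]
}

# Verify every precondition, then mount; refuses rather than mounting blindly.
mount_forensic_overlay() {
    overlay_supported || { echo "kernel has no overlay support" >&2; return 1; }
    mounted_ro "$LOWER" || { echo "$LOWER is not mounted read-only" >&2; return 1; }
    mkdir -p "$BASE/upper" "$BASE/work" "$BASE/merged" || return 1
    same_filesystem "$BASE/upper" "$BASE/work" || {
        echo "upperdir and workdir must share one filesystem" >&2; return 1; }
    mount -t overlay overlay \
        -o "lowerdir=$LOWER,upperdir=$BASE/upper,workdir=$BASE/work" \
        "$BASE/merged" || return 1
    # Confirm the kernel actually reports the merged mount before using it.
    grep -q " $BASE/merged overlay " /proc/mounts
}

# Typical session in TWRP, run by hand after remounting /system read-only:
#   mount_forensic_overlay && ls "$BASE/merged"
```

The script refuses to mount if the lower layer is writable, because a writable lower layer is the one configuration in which a slip (for example editing /system/etc/hosts directly instead of the merged path) would alter the evidence. On a system-as-root device set LOWER=/system_root before calling it.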

Step 3: Performing Modifications and Analysis

Now that the OverlayFS is active, any changes you make within /data/overlay_system/merged will be written to /data/overlay_system/upper, leaving the original /system untouched.

Example 1: Installing a Forensic Tool

Let’s say you want to add a tool like strace, assuming you have a statically linked binary built for the device’s architecture (arm64 on most current devices) or can cross-compile one.

  1. Push the tool to a temporary location (e.g., /data/local/tmp) on the device:
    exit                                      # Exit adb shell, back to host PC
    adb push strace /data/local/tmp/strace
    adb shell

  2. Copy the tool into the merged filesystem (this writes to upperdir). Because lowerdir is /system itself, the root of the merged view corresponds to /system, so the binary directory is merged/bin, not merged/system/bin:
    cp /data/local/tmp/strace /data/overlay_system/merged/bin/
    chmod +x /data/overlay_system/merged/bin/strace

  3. Verify installation and usage:
    /data/overlay_system/merged/bin/strace --version

    You can now run strace from the merged path. The binary actually lives under /data/overlay_system/upper/bin/, so /data must not be mounted noexec; check with mount | grep /data if the command fails with a permission error. The original /system remains byte-for-byte untouched.
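Because the upper directory is the complete record of what a session changed, it can be turned into a manifest to file with the case notes. The following is an added example, not the article’s code: it walks the upper directory, classifies each entry as ADDED, MODIFIED (a copied-up file that also exists in the lower layer), LINK, or DELETED (an OverlayFS whiteout, a character device with device number 0:0), and hashes regular files. It assumes find, sha256sum and readlink are available (coreutils on a host, toybox in TWRP), treats every character device in the upper directory as a whiteout, and does not handle opaque directories (which OverlayFS marks with the trusted.overlay.opaque xattr).

```shell
#!/bin/sh
# Added example, not code from the original article.
# Produce a change manifest from an OverlayFS upper directory, comparing it
# against the untouched lower layer. Output is tab-separated:
#   STATUS<TAB>relative/path<TAB>sha256-or-link-target
# Assumptions: find, sha256sum, readlink available; every char device in the
# upper directory is a whiteout; opaque directories are not handled.

# upper_manifest UPPERDIR LOWERDIR
upper_manifest() {
    _upper="${1%/}"; _lower="${2%/}"
    find "$_upper" \( -type f -o -type c -o -type l \) -print | sort |
    while read -r _p; do
        _rel="${_p#"$_upper"/}"
        if [ -L "$_p" ]; then
            printf 'LINK\t%s\t%s\n' "$_rel" "$(readlink "$_p")"
        elif [ -c "$_p" ]; then
            # OverlayFS records deletion of a lower file as a 0:0 char device.
            printf 'DELETED\t%s\t-\n' "$_rel"
        else
            _sum=$(sha256sum "$_p"); _sum="${_sum%% *}"
            if [ -e "$_lower/$_rel" ]; then _st=MODIFIED; else _st=ADDED; fi
            printf '%s\t%s\t%s\n' "$_st" "$_rel" "$_sum"
        fi
    done
}

# Count of entries per status, handy for a quick sanity check of a session.
manifest_summary() {
    upper_manifest "$1" "$2" | cut -f1 | sort | uniq -c
}

# Example, run in TWRP after the overlay session (article paths):
#   upper_manifest /data/overlay_system/upper /system > /data/local/tmp/manifest.tsv
```

Keep the manifest together with the before-and-after hashes of the system block device from Step 1: the hashes show the lower layer was not written, and the manifest shows exactly what the upper layer holds, which is the pair of facts you need when the modifications are questioned later.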

Example 2: Modifying a Configuration File

Perhaps you need to modify /system/etc/hosts, reached through the merged view as /data/overlay_system/merged/etc/hosts, to redirect traffic or disable a service for specific debugging. The first write copies the original file up into the upper layer and edits the copy; the lower file is never opened for writing.

  1. Edit the file via the merged view:
    echo
