Daily Blog #191: Let's talk about MTP Part 1

Let's talk about MTP Part 1 by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
If you read last week's Saturday Reading, you would have seen a series of very interesting articles by Nicole Ibrahim about MTP device entries in the Shellbags artifact. Many of you may be wondering, well, why do I care about MTP? Most of you may think MTP is still relegated to cheap MP3 players/video players and digital cameras.

Times have changed. In order to get a few things under control with storage space for applications and files, the Android devs have moved away from Mass Storage drivers and to MTP, as stated below:

ICS supports USB Mass Storage (UMS). The Galaxy Nexus does not. This is the same scenario as Honeycomb, as for instance HC supports USB Mass Storage while Xoom does not.

If a given device has a removable SD card it will support USB Mass Storage. If it has only built-in storage (like Xoom and Galaxy Nexus) it will (usually) support only MTP and PTP.

It isn't physically possible to support UMS on devices that don't have a dedicated partition for storage (like a removable SD card, or a separate partition like Nexus S.) This is because UMS is a block-level protocol that gives the host PC direct access to the physical blocks on the storage, so that Android cannot have it mounted at the same time.
With the unified storage model we introduced in Honeycomb, we share your full 32GB (or 16GB or whatever) between app data and media data. That is, no more staring sadly at your 5GB free on Nexus S when your internal app data partition has filled up -- it's all one big happy volume.

However the cost is that Android can no longer ever yield up the storage for the host PC to molest directly over USB. Instead we use MTP. On Windows (which the majority of users use), it has built-in MTP support in Explorer that makes it look exactly like a disk. On Linux and Mac it's sadly not as easy, but I have confidence that we'll see some work to make this better.
On the whole it's a much better experience on the phone.
-- Dan Morrill http://www.reddit.com/r/Android/comments/mg14z/whoa_whoa_ics_doesnt_support_usb_mass_storage/c30q93p

You should start understanding MTP by reading Nicole's blog series, starting here: http://nicoleibrahim.com/part-2-usb-device-research-msc-vs-ptp-vs-mtp/, then the Wikipedia entry on MTP, and ending with AndroidCentral.com's write-up on the move to MTP as the new default.

So MTP used to be interesting from a cheap-o storage device forensics view, and now it is interesting from a "hey, what did they do with that Android 3.0+ device that they plugged into this system?" view. With Android controlling 84% of the market (as of the last time I read an article about it) and more devices moving to 3.0 or greater, this is something you need to pay attention to and understand.

This week we will go through:
1. What artifacts do and don't exist for MTP devices that you can rely on
2. What accesses to MTP devices look like from shellbags and other sources
3. A placeholder for odd things we find along the way.
