The problem with these "physical" images is that most of the time they`re not as physical as you might think. So depending on the way you dumped the memory, youll get different types of "physical" images.
As mentioned before, the extracted data is not of a specific filetype. Its more a result of a multi-layer-access to a storage device. For example it could be :
- an active partition - partition data only
- partition with Spare areas
- memory data after error correction with OOB (multiple partitions, inactive etc.)
- raw flash data...for this youll probably need to emulate a flash/nand etc driver first (like an mtd device and a translation layer)
Just keep in mind that flash memory behaves different than a typical hdd where you can mount a "byte-by-byte" copy. Without proper information about the used data structures/translations and error correction, the real "raw" data is almost non-readable.
Software like UFED or XRY (most likely) wont be able to decode a raw-flash image. However it will work with active partitions and might be able to handle (or even need) the OOB/Spare areas - no matter what file-extension you set for the image
It will, on startup, simply look for specific offsets to identify the filesystem and partitions as long as every offset is where it belongs.
↧