Galaxy S III SCH-1535 Android 4.1

(@sitrep)
Posts: 6
Active Member
Topic starter
 

Need to find forensic software to investigate Galaxy S III SCH-1535 Android 4.1

What will work for that?

 
Posted : 14/01/2013 9:07 am
TomP
(@tomp)
Posts: 36
Eminent Member
 

The latest XRY (v6.4.2) appears to support the Galaxy S3 according to their release notes.

 
Posted : 14/01/2013 7:27 pm
 RonS
(@rons)
Posts: 358
Reputable Member
 

SitRep,

Cellebrite UFED has support for the Samsung SCH-i535 Galaxy S III for logical, file system and physical extraction.

Ron

 
Posted : 15/01/2013 12:00 pm
(@sitrep)
Posts: 6
Active Member
Topic starter
 

TomP and RonS,

Thanks for the info on Celleb. and XRY. Presently we don't have the budget for those; do you guys know of other lower-cost alternatives?

Best Regards,

SitRep

 
Posted : 16/01/2013 6:05 am
TomP
(@tomp)
Posts: 36
Eminent Member
 

It depends on what kind of budget and what restraints you have. You said you were looking for a logical extraction and while it is nice to manually obtain the data from these devices, both Cellebrite and XRY are very good at analysing them.

Android devices can be analysed in great detail if they can be rooted and then what we refer to as an ADB Pull command sent to the device. You will need http://developer.android.com/tools/help/adb.html in order to 'pull' the data. You can also shell into the device and look at the file system within the command line.

This is all dependent on you having root access on the device and I'm not sure if this is possible on the S3 as I haven't looked into it much myself.

I suggest you do this on a Linux machine as some of the files within the Android operating system have names that aren't supported within Windows. On the Linux machine you can then ZIP the files and take them to your Windows machine. I'd also suggest you work from a copy of the data and not the original data.

Once this data has been 'pulled' from the device it is mostly stored in SQLite databases and you can either write queries if you know what you are looking for or spend the time having a look. There is a wealth of data stored in these phones and I always enjoy wading around seeing what I can find!

Apologies if I've made a mistake in there, been a few weeks since I have done one and I haven't had my morning coffee yet 😉

Happy to guide you if you want to use this thread to ask questions.

Tom

 
Posted : 16/01/2013 2:17 pm
(@agolding)
Posts: 31
Eminent Member
 

Adding to TomP. With any 4.0+ Android device you can get the majority of the data through an Android backup, which can then be decoded. The only thing it generally doesn't get is SMS messages, and if the Samsung happens to store anything in dbdata then it won't get that (although that seems to be happening much less). The main reason to use this would be if there is no support for shell rooting the handset.

VIAForensics also have an open source user agent you could use to get the rest of the basic data such as SMS, contacts etc if you wish.

I would link you to their website but it seems to be down for me at the moment.

I think they also have a more in-depth user agent for law enforcement/purchase but I can't see at the moment.

https://twitter.com/viaforensics/status/229976538551054336

That's the Twitter status talking about it anyway.

 
Posted : 16/01/2013 4:00 pm
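As an added illustration of the "Android backup which can then be decoded" route above (and of TomP's point that the pulled data mostly lives in SQLite databases), the following is example code, not from the thread or from any of the tools named in it. An unencrypted adb backup (.ab) is four header lines (magic, format version, compressed flag, encryption) followed by a zlib-compressed tar with app data under apps/<package>/; the package name, database and row are constructed sample data.

```python
import io, os, pathlib, sqlite3, tarfile, tempfile, zlib

AB_MAGIC = b"ANDROID BACKUP\n"

def build_sample_backup(tmpdir):
    # Constructed sample: a throwaway SQLite db wrapped in an unencrypted, compressed .ab
    db_path = os.path.join(tmpdir, "contacts.db")
    con = sqlite3.connect(db_path)
    con.executescript("CREATE TABLE contacts (name TEXT, number TEXT); INSERT INTO contacts VALUES ('Alice', '555-0100');")
    con.close()
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        # adb backup stores app data as apps/<package>/<domain>/<file> (package is made up)
        tar.add(db_path, arcname="apps/com.example.notes/db/contacts.db")
    # Header is four text lines: magic, format version, compressed flag, encryption
    return AB_MAGIC + b"1\n1\nnone\n" + zlib.compress(tar_buf.getvalue())

def parse_ab(data):
    # Return (header fields, raw tar bytes) for an unencrypted .ab file
    if not data.startswith(AB_MAGIC):
        raise ValueError("not an Android backup file")
    _, version, compressed, encryption, body = data.split(b"\n", 4)
    if encryption != b"none":
        raise ValueError("encrypted backup: the user's backup password is required")
    if compressed == b"1":
        body = zlib.decompress(body)  # Java Deflater output is a zlib stream
    return {"version": int(version), "encryption": encryption.decode()}, body

def list_databases(tar_bytes):
    # Names of SQLite database members inside the decoded tar
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return [m.name for m in tar.getmembers() if m.isfile() and m.name.endswith(".db")]

def query_db(tar_bytes, member, sql, tmpdir):
    # Copy one .db member to a scratch file (work on a copy, never the original) and query it
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        blob = tar.extractfile(member).read()
    path = os.path.join(tmpdir, "copy_" + os.path.basename(member))
    pathlib.Path(path).write_bytes(blob)
    con = sqlite3.connect(path)
    rows = con.execute(sql).fetchall()
    con.close()
    return rows

def round_trip():
    with tempfile.TemporaryDirectory() as tmp:
        header, tar_bytes = parse_ab(build_sample_backup(tmp))
        dbs = list_databases(tar_bytes)
        rows = query_db(tar_bytes, dbs[0], "SELECT name, number FROM contacts", tmp)
    return header, dbs, rows
```

Real backups taken with a backup password have an encryption line other than "none" and need the key-derivation step before the tar can be read; parse_ab stops there rather than guessing.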
TomP
(@tomp)
Posts: 36
Eminent Member
 

Adding to what Alex has said, Android devices have a couple of directories you will want to look at; however, this can vary between manufacturers.

Directories of note are:

data
data/data
dbdata

 
Posted : 21/01/2013 3:54 pm
bigjon
(@bigjon)
Posts: 159
Estimable Member
 

We have found, in our lab, that the desktops that have gone to 64-bit from 32 (since 6.4.1 XRY now supports 64-bit) won't examine an S3; we have to go to one of our remaining 32-bit machines to do the S3. Anybody done an S3 on 64-bit??
thanks

 
Posted : 30/01/2013 10:01 pm
TomP
(@tomp)
Posts: 36
Eminent Member
 

That's really interesting. We currently still operate on 32-bit machines; however, we are currently testing a 64-bit machine with the latest 64-bit XRY on it. A colleague today has been having issues getting an extraction and XRY has fallen down. I did identify that the analyst hadn't read the notes on manual selection; however, it was still an incomplete extraction. It appears to just run adb backup and doesn't get data from the /dbdata folder on the device.

Incidentally, it has also failed on the Cellebrite unit for both logical and physical; however, it is currently working pulling the file system. Cellebrite seems to be succeeding at this as we speak and from there we should be able to parse everything. The device power cycled when running the logical and physical extractions, powered on without a SIM.

Edited to add, it has completed with a file system read and looks (pending checking against the device) to have got all the data we need!

 
Posted : 30/01/2013 10:08 pm