Need to find forensic software to investigate Galaxy S III SCH-1535 Android 4.1

What will work for that ?  

The latest XRY (v6.4.2) appears to support the Galaxy S3 according to their release notes.  

SitRep,

Cellebrite UFED has support for the Samsung SCH-i535 Galaxy S III for both logical, file system extraction and physical extraction.

Ron  

TomP and RonS,


Thanks for the info on Celleb. and Xry, presently we don't have the budget for those, do you guys know other lesser cost alternatives ?

Best Regards,

SitRep  

It depends on what kind of budget and what restraints you have. You said you were looking for a logical extraction and while it is nice to manually obtain the data from these devices, both Cellebrite and XRY are very good at analysing them.

Android devices can be analysed in great detail if they can be rooted and then what we refer to as an ADB Pull command sent to the device. You will need developer.android.com/...p/adb.html in order to 'pull' the data. You can also shell into the device and look at the file system within the command line.

This is all dependant on you having root access on the device and I'm not sure if this is possible on the S3 as I haven't looked into it much myself.

I suggest you do this on a Linux machine as some of the files within the Android operating system have names that aren't supported within Windows. On the Linux machine you can then ZIP the file and taken it to your Windows machine. I'd also suggest you work from a copy of the data and not the original data.

Once this data has been 'pulled' from the device it is mostly stored in SQLite databases and you can either write queries if you know what you are looking for or spend the time having a look. There is a wealth of data stored in these phones and I always enjoy wading around seeing what I can find!

Apologies if I've made a mistake in there, been a few weeks since I have done one and I haven't had my morning coffee yet

Happy to guide you if you want to use this thread to ask questions.

Tom  

Adding to TomP. With any 4.0+ android device you can get the majority of the data through an androidbackup which can then be decoded. The only thing it generally doesnt get is SMS Messages and if the samsung happens to store anything in dbdata then it wont get that (although that seems to be happening much less. The main reason to use this would be if there is no support for shell rooting the handset.

VIAForensics also have an open source user agent you could use to get the rest of the basic data such as SMS, contacts etc if you wish.

I would link you to their website but it seems to be down for me at the moment.

I think they also have a more in depth user agent for law enforcement/purchase but I cant see at the moment.

twitter.com/viaforensi...8551054336

Thats the twitter status talking about it anyway.  

- agolding

Adding to TomP. With any 4.0+ android device you can get the majority of the data through an androidbackup which can then be decoded. The only thing it generally doesnt get is SMS Messages and if the samsung happens to store anything in dbdata then it wont get that (although that seems to be happening much less. The main reason to use this would be if there is no support for shell rooting the handset.

VIAForensics also have an open source user agent you could use to get the rest of the basic data such as SMS, contacts etc if you wish.

I would link you to their website but it seems to be down for me at the moment.

I think they also have a more in depth user agent for law enforcement/purchase but I cant see at the moment.

twitter.com/viaforensi...8551054336

Thats the twitter status talking about it anyway.

Adding to what Alex has said, Android devices have a couple of directories you will want to look at however this can vary between manufactures.

Directories of note are;

data
data/data
dbdata