Forensic Focus forum thread. Forum description: Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Galaxy SM-G925F Running 6.0.1

Posted: Mon Mar 20, 2017 10:28 pm

Hello Folks,

A different challenge today. The latest version of UFED is absolutely powerful, as it includes support for Android 6.0.1. However, today I faced a different scenario: I plugged in a Galaxy SM-G925F running 6.0.1 which is not rooted, and Cellebrite managed to boot a custom recovery (TWRP) and pull a full physical dump (recovery method). However, when I try to decode it using PA it pops up an encryption password prompt; it seems the encryption option has been enabled.

I do not have access to the mobile phone (pattern protected). However, I have tried to root the device, upload another custom recovery (TWRP), and take the approach of deleting gesture.key, but the system/data directories are completely empty. I'm assuming the root files I pushed aren't compatible with this particular device? So I pushed another root which (it looks like) was applied successfully, but again those directories are empty.

Any thoughts?  

CopyRight
Senior Member

Re: Galaxy SM-G925F Running 6.0.1

Posted: Tue Mar 21, 2017 6:12 am

- CopyRight (quoting the opening post above)


Unfortunately, as it's encrypted you can't see the file system (that's why it's showing up as blank) and therefore can't remove the gesture.key. The only possible option I know of is attempting encryption passwords.

agolding
Member

Re: Galaxy SM-G925F Running 6.0.1

Posted: Tue Mar 21, 2017 2:36 pm

A few things:
a) After you root, does the phone still power up normally and ask for a pattern/PIN?
b) Are the user partitions empty (you can check the content in PA and the hex viewer), or do you see them as unallocated (garbage data)?

@agolding: 6.x doesn't use the pattern.key/password.key files and HASH/SALT for storing passwords, so those files are not available... instead it uses the Gatekeeper mechanism with the CRYPT hash type.
_________________
Multi-COM - Bogusław Rzepka
multi-com.eu 

Bolo
Member

Re: Galaxy SM-G925F Running 6.0.1

Posted: Tue Mar 21, 2017 10:34 pm

- Bolo
A few things:
a) After you root, does the phone still power up normally and ask for a pattern/PIN?
b) Are the user partitions empty (you can check the content in PA and the hex viewer), or do you see them as unallocated (garbage data)?


a) The phone boots up normally after the root, yes.
b) The partitions aren't empty; I can see lots of directories and files. I have attached a picture below.
That is an interesting note about Android 6.x changing its hashing mechanism to Gatekeeper. Are there any articles I can read that would help me decrypt or get rid of the pattern?

Thanks!

 

almrasl
Newbie

Re: Galaxy SM-G925F Running 6.0.1

Posted: Wed Mar 22, 2017 3:14 pm

The screenshot you posted is from the wrong partition. The SYSTEM partition is (so far) never encrypted, which is why all the files are visible. You should take a look at the userdata partition and then look for the system directory there, if possible.

arcaine2
Member
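The triage that arcaine2's reply and Bolo's question (b) are pointing at, as an added example that is not part of the thread and is not Cellebrite's or any poster's code: given a raw partition image from the block-level (recovery) dump, tell a plaintext filesystem (what SYSTEM looks like) apart from full-disk-encrypted ciphertext (what an FDE USERDATA partition looks like when read beneath the dm-crypt layer, i.e. "unallocated/garbage" rather than "empty") and from an all-zero region. The ext4, f2fs and Android sparse-image magic values and offsets are the standard on-disk constants; the entropy threshold, the function names and the sample images are my own constructed assumptions, not real dumps.

```python
"""Triage a raw Android partition image from a block-level dump.

Added example, not code from the thread. classify_partition() returns:
  * "ext4" / "f2fs"       : filesystem superblock magic found, so the
                            partition is plaintext (e.g. SYSTEM);
  * "android-sparse"      : an Android sparse image, which has to be
                            converted (simg2img) before looking further;
  * "empty" / "zeroed"    : nothing there, or the sampled region is all zeros;
  * "encrypted-or-random" : no structure and near-8-bits/byte entropy, which
                            is what FDE USERDATA looks like in a recovery dump;
  * "unknown"             : anything else; inspect it in a hex viewer.
"""
import math
import random
from collections import Counter

EXT4_MAGIC_OFFSET = 0x438            # superblock at 1024, s_magic at +0x38
EXT4_MAGIC = b"\x53\xef"             # 0xEF53, stored little-endian
F2FS_MAGIC_OFFSET = 0x400            # f2fs superblock starts at 1024
F2FS_MAGIC = b"\x10\x20\xf5\xf2"     # 0xF2F52010, little-endian
SPARSE_MAGIC = b"\x3a\xff\x26\xed"   # 0xED26FF3A, little-endian, at offset 0
ENTROPY_THRESHOLD = 7.5              # bits/byte; my threshold, ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_partition(image: bytes, sample_size: int = 1 << 20) -> str:
    """Classify a raw partition image; entropy is measured over the first
    `sample_size` bytes. Slices past the end of a short image simply fail
    the magic comparisons, so no length checks are needed."""
    if not image:
        return "empty"
    if image[:4] == SPARSE_MAGIC:
        return "android-sparse"
    if image[EXT4_MAGIC_OFFSET:EXT4_MAGIC_OFFSET + 2] == EXT4_MAGIC:
        return "ext4"
    if image[F2FS_MAGIC_OFFSET:F2FS_MAGIC_OFFSET + 4] == F2FS_MAGIC:
        return "f2fs"
    sample = image[:sample_size]
    if not any(sample):
        return "zeroed"
    if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
        return "encrypted-or-random"
    return "unknown"


def build_samples(size: int = 64 * 1024) -> dict:
    """Constructed stand-ins for dumped partitions (assumption: not real data):
    a plaintext ext4 image, an FDE-style ciphertext image, and a blank one."""
    system = bytearray(size)
    system[EXT4_MAGIC_OFFSET:EXT4_MAGIC_OFFSET + 2] = EXT4_MAGIC
    rng = random.Random(2017)            # deterministic pseudo-random "ciphertext"
    userdata_fde = bytes(rng.getrandbits(8) for _ in range(size))
    return {
        "system": bytes(system),
        "userdata_fde": userdata_fde,
        "blank": bytes(size),
    }


if __name__ == "__main__":
    for name, image in build_samples().items():
        print(f"{name:13s} -> {classify_partition(image):21s} "
              f"(entropy {shannon_entropy(image[:1 << 20]):.3f} bits/byte)")
```

For a real dump you only need the first MiB of each image, since every offset checked lies inside it: `classify_partition(open("userdata.img", "rb").read(1 << 20))`. A SYSTEM dump from a device like the one in the thread should come back "ext4" and show a normal directory tree in a hex viewer, while the FDE USERDATA dump comes back "encrypted-or-random"; that is the difference between "empty" and "unallocated (garbage data)" that Bolo asked about. Entropy is sampled from the start of the image only; if you want to rule out a partition that is merely zero-filled at the beginning, run the same function over a few slices taken at other offsets.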
 
 
