Galaxy SM-G925F Running 6.0.1

Post Posted: Mon Mar 20, 2017 10:28 pm

Hello Folks,

A different challenge today. The latest version of UFED is absolutely powerful, as it includes support for Android 6.0.1. However, today I faced a different scenario: I plugged in a Galaxy SM-G925F running 6.0.1 which is not rooted, and managed to boot up a custom recovery (TWRP) and pull a full physical dump (recovery method). However, when I try to decode it using PA, it prompts for an encryption password; it seems like the encryption option has been enabled.

I do not have access to the mobile phone (pattern protected). However, I have tried to root the device and upload another custom recovery (TWRP), and attempted to delete gesture.key, but the system/data directories are completely empty. I'm assuming the root files I've pushed aren't compatible with this particular device? So I've pushed another root which (it looks like) was successfully rooted, but again those directories are empty.

Any thoughts?  

CopyRight
Senior Member
 
 
  

Re: Galaxy SM-G925F Running 6.0.1

Post Posted: Tue Mar 21, 2017 6:12 am

- CopyRight
A different challenge today. The latest version of UFED is absolutely powerful, as it includes support for Android 6.0.1. However, today I faced a different scenario: I plugged in a Galaxy SM-G925F running 6.0.1 which is not rooted, and managed to boot up a custom recovery (TWRP) and pull a full physical dump (recovery method). However, when I try to decode it using PA, it prompts for an encryption password; it seems like the encryption option has been enabled.

I do not have access to the mobile phone (pattern protected). However, I have tried to root the device and upload another custom recovery (TWRP), and attempted to delete gesture.key, but the system/data directories are completely empty. I'm assuming the root files I've pushed aren't compatible with this particular device? So I've pushed another root which (it looks like) was successfully rooted, but again those directories are empty.

Any thoughts?


Unfortunately, as it's encrypted you can't see the file system (that's why it's showing up as blank) and therefore can't remove the gesture.key. The only possible option I know of is attempting encryption passwords.

agolding
Member
 
 
  

Re: Galaxy SM-G925F Running 6.0.1

Post Posted: Tue Mar 21, 2017 2:36 pm

A few things:
a) After you root, does the phone still power up normally and ask for the pattern/PIN?
b) Are the user partitions empty (you can check the content in PA and the hex viewer), or do you see them as unallocated (garbage data)?

@agolding: 6.x doesn't use the pattern.key/password.key files with HASH/SALT for storing passwords, so those files are not available... instead it uses the Gatekeeper mechanism with a CRYPT hash type.
_________________
Multi-COM - Bogusław Rzepka
multi-com.eu 

Bolo
Member
 
 
  

Re: Galaxy SM-G925F Running 6.0.1

Post Posted: Tue Mar 21, 2017 10:34 pm

- Bolo
A few things:
a) After you root, does the phone still power up normally and ask for the pattern/PIN?
b) Are the user partitions empty (you can check the content in PA and the hex viewer), or do you see them as unallocated (garbage data)?


a) The phone boots up normally after the root, yes.
b) The partitions aren't empty; I can see lots of directories and files. I have attached a picture below.
That is an interesting note about Android 6.x changing its hashing mechanism to Gatekeeper. Are there any articles I can read that can help me to decrypt or get rid of the pattern?

Thanks!

 

almrasl
Member
 
 
  

Re: Galaxy SM-G925F Running 6.0.1

Post Posted: Wed Mar 22, 2017 3:14 pm

The screenshot you posted is from the wrong partition. The SYSTEM partition is (so far) never encrypted, which is why all the files are visible. You should take a look at the userdata partition and then look for the system directory there, if possible.

arcaine2
Member
 
 
  
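The check Bolo asks for in (b) and arcaine2's point about looking at the userdata partition rather than SYSTEM can be done on the raw dump before loading it into PA. The script below is an added example written for this page, not code from the thread or from any tool mentioned in it: it looks for an ext4 superblock at byte 1024 of the image (a plaintext userdata partition has one; a dm-crypt/FDE partition does not, because the whole block device is ciphertext) and, failing that, measures the byte entropy of sampled blocks to separate ciphertext from erased or zero-filled flash. The three sample images are constructed in memory and stand in for a real dump.

```python
"""Added example, not from the thread: triage a raw partition image to tell a
plaintext ext4 filesystem from dm-crypt ciphertext or an empty region.
The sample images below are constructed in memory, not read from a device."""
import math
import os
from collections import Counter

BLOCK_SIZE = 4096
EXT4_MAGIC_OFFSET = 1024 + 0x38   # s_magic inside the superblock at byte 1024
EXT4_MAGIC = b"\x53\xef"          # 0xEF53 stored little-endian


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; uniform random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_ext4_superblock(image: bytes) -> bool:
    return image[EXT4_MAGIC_OFFSET:EXT4_MAGIC_OFFSET + 2] == EXT4_MAGIC


def sampled_entropy(image: bytes, samples: int = 16) -> float:
    """Mean entropy of up to `samples` evenly spaced 4 KiB blocks."""
    total = max(1, len(image) // BLOCK_SIZE)
    step = max(1, total // samples)
    values = [shannon_entropy(image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
              for b in range(0, total, step)]
    return sum(values) / len(values)


def classify_image(image: bytes) -> str:
    """'plaintext' if an ext4 superblock is visible; otherwise judge by entropy.

    A dm-crypt partition (Android FDE) shows no superblock at offset 1024 and
    near-maximal entropy everywhere. Blank flash reads as 0x00 or 0xFF and has
    near-zero entropy. Anything in between needs a closer look in a hex viewer
    (compressed media inside a plaintext filesystem is also high-entropy, which
    is why the superblock test runs first)."""
    if has_ext4_superblock(image):
        return "plaintext"
    ent = sampled_entropy(image)
    if ent > 7.8:
        return "encrypted"
    if ent < 1.0:
        return "empty"
    return "unknown"


# Constructed samples for a dry run; these are not data from the device in the thread.
def make_plaintext_sample(size: int = 256 * 1024) -> bytes:
    img = bytearray(size)
    img[EXT4_MAGIC_OFFSET:EXT4_MAGIC_OFFSET + 2] = EXT4_MAGIC
    note = b"data/com.android.providers.contacts/databases/contacts2.db"
    img[8192:8192 + len(note)] = note
    return bytes(img)


def make_encrypted_sample(size: int = 256 * 1024) -> bytes:
    return os.urandom(size)          # stands in for dm-crypt ciphertext


def make_empty_sample(size: int = 256 * 1024) -> bytes:
    return b"\xff" * size            # an erased flash region


if __name__ == "__main__":
    for name, img in (("plaintext", make_plaintext_sample()),
                      ("encrypted", make_encrypted_sample()),
                      ("empty", make_empty_sample())):
        print(f"{name}: {classify_image(img)} (entropy {sampled_entropy(img):.2f})")
```

To run it on a real dump, read the userdata image (or the slice of a full-flash image that the partition table points at) into `classify_image`; an image that PA reports as needing an encryption password should come back as "encrypted", and the one in the OP's screenshot, being SYSTEM, as "plaintext".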

Re: Galaxy SM-G925F Running 6.0.1

Post Posted: Tue Mar 28, 2017 8:03 am

By default, Android 6 Marshmallow encryption is mandatory for most new devices, which makes a physical dump (using the TWRP method, for example) of these mobile devices useless, since you will end up with an encrypted dump which cannot (yet) be decrypted. Below you will find a method using a custom recovery image that will root your device and allow you to physically dump the decrypted user partition from the operating system itself.

1. Go to autoroot.chainfire.eu/
2. Find the model and choose the right Android version.
3. Download the zip and extract all the files.
4. Put your phone into download mode (Vol Down+Home+Power), then when prompted push Vol Up to continue.
5. Open ODIN, go to "options" and leave auto-reboot enabled.
6. Flash the phone with the included tar.md5 file. The device boots up automatically.
7. Enable adb debugging.
8. Make a physical dump of your device.
9. After imaging is complete, choose "full unroot" in SuperSU. It asks if the stock boot image should be replaced.
10. Reboot the device and check if SuperSU is still there. If there is a bootloop, flash the same custom recovery again and repeat the unroot procedure without the stock boot image.

Hope it helps.  

TaZmaniak
Newbie
 
 
  
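Step 8 of TaZmaniak's procedure is the part that matters for the encryption problem, so here is what it looks like in code. This is an added example written for this page, not the poster's own script: it asks the rooted phone which block device is mounted on /data (on an FDE device that is a dm-crypt mapping such as /dev/block/dm-0, which is the decrypted view; the raw partition underneath is still ciphertext), streams that device out with dd over `adb exec-out`, and compares an MD5 computed on the host against one computed on the handset. It assumes adb in PATH, SuperSU's `su` on the phone, and toybox `md5sum` on the Android 6 image; the /proc/mounts excerpt used for the dry run is constructed, with a by-name path typical of an Exynos S6 but not verified against the OP's device. It also assumes the phone has already booted far enough to mount /data and that USB debugging could be enabled, which with a pattern lock means the FDE is using the default boot-time password and the lock screen is not standing in the way; if /data is never mounted, there is no decrypted view to copy.

```python
"""Added example, not from the thread: after rooting with CF-Auto-Root via Odin
and enabling adb debugging, image the device mounted on /data (the decrypted
dm-crypt view on an FDE phone) and verify the copy by hash on both ends.
Assumes adb in PATH, SuperSU's su, and toybox md5sum on the handset."""
import hashlib
import subprocess


def find_data_source(proc_mounts: str, mount_point: str = "/data") -> str:
    """Return the block device backing `mount_point` from /proc/mounts text."""
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == mount_point:
            return fields[0]
    raise LookupError(f"{mount_point} is not mounted")


def is_dm_crypt_view(device: str) -> bool:
    """Android FDE serves /data from /dev/block/dm-N, not the raw partition."""
    return device.startswith("/dev/block/dm-")


def dd_argv(device: str) -> list:
    """`adb exec-out` passes stdout through raw; plain `adb shell` may mangle binary."""
    return ["adb", "exec-out", f"su -c 'dd if={device} bs=4096'"]


def adb_su(cmd: str) -> str:
    """Run one command as root on the handset and return its stdout."""
    return subprocess.run(["adb", "shell", f"su -c '{cmd}'"],
                          check=True, capture_output=True, text=True).stdout


def dump_device(device: str, out_path: str, chunk: int = 1 << 20) -> str:
    """Stream the device into out_path; return the MD5 of the bytes written."""
    proc = subprocess.Popen(dd_argv(device), stdout=subprocess.PIPE)
    h = hashlib.md5()
    with open(out_path, "wb") as f:
        for buf in iter(lambda: proc.stdout.read(chunk), b""):
            f.write(buf)
            h.update(buf)
    if proc.wait() != 0:
        raise RuntimeError("dd on the device failed")
    return h.hexdigest()


# Constructed /proc/mounts excerpt (made up for this example) from an FDE device.
SAMPLE_MOUNTS = """\
/dev/block/platform/15570000.ufs/by-name/SYSTEM /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/dm-0 /data ext4 rw,seclabel,nosuid,nodev,noatime,discard,noauto_da_alloc,data=ordered 0 0
"""


def main():
    device = find_data_source(adb_su("cat /proc/mounts"))
    if is_dm_crypt_view(device):
        print(f"/data is an FDE mapping ({device}); imaging the decrypted view")
    else:
        print(f"/data is {device}; no FDE, a raw partition dump would also work")
    local_md5 = dump_device(device, "userdata_decrypted.img")
    remote_md5 = adb_su(f"md5sum {device}").split()[0]
    print("hashes match" if local_md5 == remote_md5 else "HASH MISMATCH", local_md5)


if __name__ == "__main__":
    main()
```

MD5 here is only a transport check between the phone and the host, not an evidential hash; compute SHA-256 of the resulting file on the host afterwards. The resulting image is an ordinary ext4 filesystem, so the gesture.key question becomes moot on 6.x anyway: as Bolo notes, the pattern is held by Gatekeeper, and what you get is the decrypted user data, not the credential.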

Re: Galaxy SM-G925F Running 6.0.1

Post Posted: Tue Mar 28, 2017 11:17 am

- TaZmaniak
By default, Android 6 Marshmallow encryption is mandatory for most new devices, which makes a physical dump (using the TWRP method, for example) of these mobile devices useless, since you will end up with an encrypted dump which cannot (yet) be decrypted.


This is NOT true and correct information if we are talking generally. While newly produced devices which got Marshmallow from the start are mostly encrypted by default (you can turn it off in Settings, but nobody cares about this), pure 6.0 doesn't have any requirement for encryption at all, and devices which got updated to this system also don't require encryption. In fact the S6 (G920F) and S6 Edge (G925F) are not encrypted by default, like many older phones too. In such a situation you can easily make a dump using UFED or Oxygen and then analyse it; of course you will get KNOX triggered and cannot access the containers, so be aware. This information applies to Android up to 6.0.1. If the Android version is higher, you can do a chip-off, read the chip, then put it back and give the working phone to the client. Here are short videos showing such a process:

Galaxy S6 G920F chip preparation / read / analyse in UFED

Galaxy S6 UFS IC movie - chip back into phone board


P.S.
This answer is not related to the subject, since as the author writes the device seems to be encrypted, so obviously the user has turned it ON.
_________________
Multi-COM - Bogusław Rzepka
multi-com.eu 

Bolo
Member
 
 
