Samsung Galaxy Note...
 
Notifications
Clear all

Samsung Galaxy Note 8 SD card files

9 Posts
5 Users
0 Likes
1,741 Views
(@forn6)
Posts: 8
Active Member
Topic starter
 

I'm using UFED 4PC v7.15.0.73

I have a Samsung Galaxy Note 8 used to send messages through Instagram. There was no SD card in the phone and the owner claims to have never had one. Better yet, there's no evidence in the extractions (Advanced Logical and File System) of the Instagram app ever being installed on the phone, however, there's thousands of file paths that refer to an sd card (e.g. Samsung CDMA_SM-N950U Galaxy Note 8.zip/sdcard/Pictures/Instagram/IMG_20180916_232525_305.jpg). There's also a duplicate media file (e.g. Media/Phone/Pictures/Instagram/IMG_20180916_232525_305.jpg) for many of these.

I think the Instagram app and all of its data was stored on the missing SD card. Although the date of the duplicate media/phone/pictures/Instagram file is one day earlier than the SD card file. Can I prove there was an SD card in the phone used for the aforementioned purpose, and how do I explain the duplicate file dates and times?

 
Posted : 04/03/2019 3:09 pm
hectic_forensics
(@hectic_forensics)
Posts: 40
Eminent Member
 

You sure it's not the emulated storage area when you're referring to \sdcard\ ?

 
Posted : 04/03/2019 3:41 pm
(@forn6)
Posts: 8
Active Member
Topic starter
 

You sure it's not the emulated storage area when you're referring to \sdcard\ ?

I suppose it would depend on how Android manages storage. Does Android 1st attempt to save to the SD card, and if no SD card is inserted, does it save to the emulated storage OR does an SD card have to be manually adopted by the user for the file path referencing an SD card to exist?

 
Posted : 04/03/2019 3:57 pm
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

In some mobile devices, some portion of the NAND memory is set aside for creating an emulated SD card. This SD card is not a removable SD card. It is up to the forensic analyst to determine whether or not they are dealing with the actual SD card or an emulated SD card.

First I would see if this phone has the hardware available to accept an SD card. If it does not, then you know you are looking at the emulated SD card. I am not sure if the S8 does or does not have the hardware to accept an SD card.

As far as where the phone decides to store data first (emulated SD vs. a true SD card), it might depend on the app. For example, I had an S5. It stored the photos on the phone initially. When I put the SD card in, I received a notification that photos would start being stored on the SD card. My older photos however, remained on the emulated SD card.

 
Posted : 04/03/2019 5:34 pm
(@forn6)
Posts: 8
Active Member
Topic starter
 

In some mobile devices, some portion of the NAND memory is set aside for creating an emulated SD card. This SD card is not a removable SD card. It is up to the forensic analyst to determine whether or not they are dealing with the actual SD card or an emulated SD card.

First I would see if this phone has the hardware available to accept an SD card. If it does not, then you know you are looking at the emulated SD card. I am not sure if the S8 does or does not have the hardware to accept an SD card.

It does have the a slot for an SD card.

 
Posted : 04/03/2019 5:38 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Please consider a subpoena or warrant to the company Instagram for the specific user account.

You will want to include the make/model/telephone number/email accounts/serial numbers for the Galaxy Note 8 in your request to Instagram. Your subpoena/warrant/records request will request, times/dates/IP addresses/direct message activity/posting activity for the specific account for a very specific time period.

Although Instagram does not keep user generated content by default (unless required to do so under a warrant), Instagram should be able to provide to you a variety of data about the specific user account in question. This might prove such Instagram usage occurred on the Galaxy 8 notwithstanding the fact that the real world SD card is potentially missing from the phone itself.

 
Posted : 04/03/2019 7:26 pm
(@tcemp)
Posts: 1
New Member
 

Can you provide more details about the extraction methods. E.g.
Cellebrite profiles?

Most of the Android file system extractions are partials, and not complete if physical is not available.

If you're able to obtain a physical or complete file system, you may have access to the chats, if the app is still installed that is.

Can you manually check phone if app is installed?

As mentioned above, submit preservation order to facebook for the Instagram data.

 
Posted : 04/03/2019 9:26 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

https://www.facebook.com/records/login/

 
Posted : 04/03/2019 9:44 pm
(@forn6)
Posts: 8
Active Member
Topic starter
 

I used the Samsung CDMA SM-N950U Galaxy Note 8 profile. The file system extraction was an Android Backup. Physical extraction is only supported for rooted devices. The app is installed on the device. There's dozens of apps but there's almost no app data showing in installed applications and chats. Nothing was decoded for Instagram. I'm waiting on requested information from Instagram (Facebook).

 
Posted : 04/03/2019 10:07 pm
Share: