
Samsung Secure Folder -> decrypt?

8 Posts
5 Users
0 Likes
7,720 Views
(@th9010)
Posts: 4
New Member
Topic starter
 

Hello everybody,

I have an unlocked Samsung Galaxy S9 device on my desk. From mobile traffic interception of the SIM card we know there have been some apps used that don't show up on the normal screen. We suspect the apps are hidden inside the Secure Folder.

I am trying to get my hands on the Oxygen device (https://www.forensicfocus.com/News/article/sid=3186/) but as far as I understand it this only works if the Secure Folder has been backed up. I don't know if there is a backup.

So, has anyone any experience or information to share on the decryption of the Secure Folder? Has anyone had any success so far?

Thank you

 
Posted : 02/07/2019 11:01 am
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

Some information from us

1. You can check if it was backed up in Settings/Backup and Restore/Samsung Account on the device.

2. To extract and decrypt Samsung Secure folder from the cloud you need to know a Samsung account login and password.

3. As far as we know physical extraction of Samsung devices does not give access to the Secure Folder and using, for example, a custom recovery method leads to a KNOX counter reset and a complete inability to access the Secure Folder.

 
Posted : 02/07/2019 12:37 pm
(@the_grinch)
Posts: 136
Estimable Member
 

Only time I encountered this the user used the same password for the Secure Folder as the device and Gmail password. It was an older version of Android so we were able to crack it. Something to think about!

 
Posted : 02/07/2019 1:12 pm
(@shahartal)
Posts: 27
Eminent Member
 

Cellebrite Advanced Services can fully extract KNOX-protected Secure Folder contents (without cloud access or tripping warranty bit, of course).

 
Posted : 05/07/2019 8:21 am
(@puntz)
Posts: 2
New Member
 

I've just received a Samsung Galaxy S9 and the suspect has saved all the evidence in the Secure Folder. Luckily we have the PIN for the handset and the pattern for the Secure Folder.

My extractions haven't obtained these images and videos and I was wondering what the best practice would be to extract them from the phone? I can obviously just remove them from the Secure Folder but I'm changing too much data, and copying them to a USB would alter the date and times. Is a manual review the best choice, or is there something I'm blindly missing?

Thanks :)

 
Posted : 09/07/2019 11:55 am
(@the_grinch)
Posts: 136
Estimable Member
 

Did you unlock the folder before starting the extraction? My understanding is if it is locked during the extraction then it will not be extracted.

 
Posted : 10/07/2019 3:12 pm
(@puntz)
Posts: 2
New Member
 

> Did you unlock the folder before starting the extraction? My understanding is if it is locked during the extraction then it will not be extracted.

I did two extractions, one without unlocking the folder and one after I unlocked it, and I was unable to see the images and videos in UFED.

 
Posted : 11/07/2019 11:47 am
(@the_grinch)
Posts: 136
Estimable Member
 

I would reach out to Cellebrite's support. Perhaps they could review some logs and see what exactly might be occurring to cause you not to be able to review the information.

 
Posted : 11/07/2019 1:57 pm