Oxygen Forensics - Decrypt android dumps

  

John000
Member
 

Oxygen Forensics - Decrypt android dumps

Post Posted: Dec 17, 19 11:29

Hi all,

I'm trying to use the new 'Android dumps decryption' method added to Oxygen Forensics v12.1 and I experienced some difficulties.
It seems that even if Oxygen successfully extracts the Hardware-backed keys, the extraction is still encrypted.

I do see in the extracted folder the .BIN file + Keys.json, but is there any way to combine them?
How can I import the BIN to JetEngine and use the keys to decrypt the files?

Thank you,
John  
 
  

OxygenForensics
Senior Member
 

Re: Oxygen Forensics - Decrypt android dumps

Post Posted: Dec 17, 19 12:42

John, if you are using OFD 12.1 then the algorithm is the following:
1) You extract the device in Oxygen Forensic Extractor that creates a physical dump and extracts the hardware keys.
2) Once extraction is finished the dump is automatically imported into OFD main interface (you call it JetEngine).
3) During import there must be a window asking you to enter the user password. Once you enter it the dump will be decrypted. So the hardware keys are just used in the decryption process.
In the upcoming versions we will add the opportunity to bruteforce this password.
If you still experience problems you can contact us directly or leave your email in PM here and our support team will do their best to help you.  
 
  

John000
Member
 

Re: Oxygen Forensics - Decrypt android dumps

Post Posted: Dec 17, 19 12:50

- OxygenForensics
John, if you are using OFD 12.1 then the algorithm is the following:
1) You extract the device in Oxygen Forensic Extractor that creates a physical dump and extracts the hardware keys.
2) Once extraction is finished the dump is automatically imported into OFD main interface (you call it JetEngine).
3) During import there must be a window asking you to enter the user password. Once you enter it the dump will be decrypted. So the hardware keys are just used in the decryption process.
In the upcoming versions we will add the opportunity to bruteforce this password.
If you still experience problems you can contact us directly or leave your email in PM here and our support team will do their best to help you.


Thank you for the quick reply.
But I'm wondering what is the user password? How can I get it?
 
  

OxygenForensics
Senior Member
 

Re: Oxygen Forensics - Decrypt android dumps

Post Posted: Dec 17, 19 13:16

This is the password to lock the device screen. If the Secure startup option is enabled by the device owner, you need to enter the password in our software to decrypt the physical dump. As we have previously written, we will soon add the ability to find this password using bruteforce. If Secure startup is not activated on the device, our software must decrypt the physical dump without asking for the password.
 
  

the_Grinch
Senior Member
 

Re: Oxygen Forensics - Decrypt android dumps

Post Posted: Dec 17, 19 16:05

To confirm, Oxygen has the ability to image a phone (with secure startup) and then allow unlimited attempts to unlock the encrypted extraction?  
 
  

OxygenForensics
Senior Member
 

Re: Oxygen Forensics - Decrypt android dumps

Post Posted: Dec 17, 19 16:45

- the_Grinch
To confirm, Oxygen has the ability to image a phone (with secure startup) and then allow unlimited attempts to unlock the encrypted extraction?


Yes, we can image an Android phone with Secure Startup enabled. Once you create an image you have an unlimited number of attempts to decrypt it in our software.  
 
  

the_Grinch
Senior Member
 

Re: Oxygen Forensics - Decrypt android dumps

Post Posted: Dec 17, 19 16:51

- OxygenForensics
- the_Grinch
To confirm, Oxygen has the ability to image a phone (with secure startup) and then allow unlimited attempts to unlock the encrypted extraction?


Yes, we can image an Android phone with Secure Startup enabled. Once you create an image you have an unlimited number of attempts to decrypt it in our software.


And if it's not secure startup, but just a password, you would be able to bypass it? As an example, an SM-G955U?
 

Page 1 of 2