Physical Data Acquisition Advice SM-930F


Bellerophon
Newbie
 

Physical Data Acquisition Advice SM-930F

Post Posted: Feb 16, 20 16:12

Hi Everyone,

I am looking for advice on the safest way to get a physical data acquisition for a Samsung S7 running Android 7 patched in December 2017. I have the PIN code and ADB debug access to the device. Encryption is enabled, thus I cannot unlock the bootloader without wiping the user data. I was originally going to install a custom recovery (TWRP) and use CF-Auto-Root.

Tech details for the device are below:

Samsung S7 SM-G930F
Firmware Version: (G930FXXU1DQL8)
BootLoader Details SWREV B:1 K:0 S:0 FRP ON
Patch Level December 2017

I am thinking the best approach would be using Odin and an eng-root bootloader: eng-root.firmware.ir/sm-g930ffd/
 
  

arcaine2
Senior Member
 

Re: Physical Data Acquisition Advice SM-930F

Post Posted: Feb 16, 20 18:38

G930F doesn't come with a locked bootloader. Samsung started to lock bootloaders by default for international variants in 2019 with models like the S10, the new A and M series, etc.

In your case, you could enable OEM Unlocking in the developer menu and flash TWRP, but this would trip Knox and make any data protected by Knox inaccessible.

You seem to be running a very old firmware on this one, so using eng-root would be a much better option and the way to go, assuming the file you find is a valid one.
 
  

Bellerophon
Newbie
 

Re: Physical Data Acquisition Advice SM-930F

Post Posted: Feb 17, 20 00:17

Thanks for the advice, arcaine2. When you say the Knox encrypted data is lost, do you mean everything in the /data/data/ internal storage will be lost?

Do you know of any reputable places to get eng-root bootloaders? I guess the other option is to invest time / hope someone develops this root kernel exploit CVE-2019-2215 for the S7. That should give me the access I need.

The key data I am trying to recover is the WhatsApp data. Unfortunately, the app is stuck with an error stating the date / time is wrong. The date is correct but the app is old, so I think that is the issue; it appears to be common according to some googling.

The phone is not connected to a Google account anymore, so I cannot update the app via Play services. I have considered uploading the latest WhatsApp APK to the phone's SD card and then installing the updated version of the app. However, I don't know if updating the app from the SD card will force an SMS verification due to it not being from a trusted location. The SIM card has been deactivated in the device, so it's not possible to get the SMS code.
 
  

arcaine2
Senior Member
 

Re: Physical Data Acquisition Advice SM-930F

Post Posted: Feb 17, 20 19:58

> Bellerophon wrote:
> Thanks for the advice, arcaine2. When you say the Knox encrypted data is lost, do you mean everything in the /data/data/ internal storage will be lost?

Nothing will be wiped, but data stored in the Knox "container" won't be accessible.


> Do you know of any reputable places to get eng-root bootloaders?


To be honest, no, except for paid servers with files for flashing and repairing phones, like easy-firmware etc. The one you found may work, and I remember having this on my disk months ago. The good thing is that if you have OEM Unlocking disabled (default), you shouldn't be able to write any unsigned image. If the file you try to flash with Odin isn't signed by Samsung, it just won't flash or do any harm.

EFT Dongle has some working eng-root files included, in the case of G930F even up to U5 firmware, and they do work.


> I guess the other option is to invest time / hope someone develops this root kernel exploit CVE-2019-2215 for the S7. That should give me the access I need.


Based on what you wrote before, the phone you have is running Android 7. This exploit works on 8.x and, from what I remember, has to be adapted per device.
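Added example, not part of any post in this thread: a small Python parser an examiner could use to decode the firmware string and download-mode line quoted in the first post and record whether they agree with the reported patch level before anything is flashed. The field layout of the firmware string, the year/month letter mapping, and the reading of the `B` counter as the bootloader revision are assumptions based on community convention, not a Samsung specification.

```python
import re

# Constructed inputs: the two strings quoted in the first post of this thread.
FIRMWARE = "G930FXXU1DQL8"
BOOT_LINE = "SWREV B:1 K:0 S:0 FRP ON"

# Assumed layout (community convention, not a Samsung specification):
# model, 2-char region, U/S build type, bootloader revision, major-version
# letter, year letter (A=2001), month letter (A=January), build character.
FW_RE = re.compile(
    r"([A-Z0-9]+?)([A-Z]{2})([US])([0-9A-Z])([A-Z])([A-Z])([A-L])([0-9A-Z])"
)

def parse_firmware(fw):
    m = FW_RE.fullmatch(fw.strip().upper())
    if not m:
        raise ValueError(f"unrecognised firmware string: {fw!r}")
    model, region, kind, rev, major, year, month, build = m.groups()
    return {
        "model": model,
        "region": region,
        "bootloader_rev": int(rev, 36),          # 1-9, then A=10, B=11, ...
        "build_year": 2001 + ord(year) - ord("A"),
        "build_month": ord(month) - ord("A") + 1,
    }

def parse_boot_line(line):
    # Single-letter counters such as B:1 K:0 S:0, plus the FRP flag if shown.
    counters = {k: int(v) for k, v in re.findall(r"\b([A-Z]):(\d+)", line)}
    frp = re.search(r"\bFRP\s+(ON|OFF)\b", line)
    return counters, (frp.group(1) == "ON" if frp else None)

def cross_check(fw, boot_line, patch_year, patch_month):
    """Return discrepancies worth recording before anything is flashed."""
    info = parse_firmware(fw)
    counters, _frp = parse_boot_line(boot_line)
    issues = []
    if counters.get("B") != info["bootloader_rev"]:
        issues.append("download-mode B counter differs from firmware revision")
    if (info["build_year"], info["build_month"]) < (patch_year, patch_month):
        issues.append("firmware build date is older than reported patch level")
    return issues

if __name__ == "__main__":
    print(parse_firmware(FIRMWARE))
    print(parse_boot_line(BOOT_LINE))
    print(cross_check(FIRMWARE, BOOT_LINE, 2017, 12) or "consistent")
```
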
 
