How to Check if phone has been previously extracted

Vesalius
(@vesalius)
Posts: 66
Estimable Member
Topic starter
 

I have a Samsung phone that has been in someone else's hands, and I would like to know if that person has in any way used any extraction methods on that phone.
Is there some sort of log or something that can prove that the extraction has been done on the phone before?

 
Posted : 21/12/2016 3:00 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

For physical extractions there should be no logs. If there is a physical extraction over ADB, that would be minimally logged at USB level.

For logical extractions regular USB communication is used, which is logged.

From logs you get only that the device was connected to something, not the process itself which was done with it.

 
Posted : 21/12/2016 3:35 pm
Vesalius
(@vesalius)
Posts: 66
Estimable Member
Topic starter
 

From logs you get only that the device was connected to something, not the process itself which was done with it.

Can you tell me where I can find this log?

 
Posted : 21/12/2016 3:46 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

On Android 4.1 and above root access is required. Then you could use CatLog or SysLog apps on the device itself.

If you need this in a forensically sound way, then create a physical dump of the phone and analyze the logs from there.

 
Posted : 21/12/2016 4:01 pm
Vesalius
(@vesalius)
Posts: 66
Estimable Member
Topic starter
 

On Android 4.1 and above root access is required. Then you could use CatLog or SysLog apps on the device itself.

If you need this in a forensically sound way, then create a physical dump of the phone and analyze the logs from there.

Ahh, appreciate the advice. So basically grab a physical image from, let's say, Cellebrite and then analyze it. From there, what would I look at exactly? What keywords should I be looking for?

 
Posted : 21/12/2016 9:37 pm
(@randomaccess)
Posts: 385
Reputable Member
 

You could have a look at the recovery partition. I've seen Cellebrite put its own version of TWRP on a phone for a physical extraction, and I imagine it wouldn't remove it.

 
Posted : 22/12/2016 12:21 pm
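
Added example (not part of the thread, and not any poster's code): one way to act on the recovery-partition suggestion above is to take the recovery image from the physical dump, unpack its ramdisk, and look for TWRP indicators. The Android boot image v0 header layout and the marker strings are assumptions; a vendor-modified recovery may carry different strings, and the sample images are constructed.

```python
import gzip, lzma, struct

# Assumed TWRP indicators (not from the thread); a modified build may differ.
MARKERS = (b"twres/", b"twrp.fstab", b"TWRP", b"TeamWin")

def extract_ramdisk(img: bytes) -> bytes:
    """Decompressed ramdisk of an Android boot/recovery image (v0 header layout)."""
    if img[:8] != b"ANDROID!":
        raise ValueError("not an Android boot image")
    kernel_size, _, ramdisk_size = struct.unpack_from("<3I", img, 8)
    page = struct.unpack_from("<I", img, 36)[0]
    if page == 0:
        raise ValueError("invalid page size")
    # Layout: header page, then kernel padded to a page boundary, then ramdisk.
    start = page * (1 + -(-kernel_size // page))
    raw = img[start:start + ramdisk_size]
    if len(raw) < ramdisk_size:
        raise ValueError("image truncated before end of ramdisk")
    if raw[:2] == b"\x1f\x8b":                      # gzip
        return gzip.decompress(raw)
    if raw[:6] == b"\xfd7zXZ\x00" or raw[:3] == b"\x5d\x00\x00":  # xz / lzma
        return lzma.decompress(raw)
    return raw  # uncompressed cpio or a codec not handled here

def find_markers(img: bytes) -> dict:
    """Map each marker present in the ramdisk to its first offset there."""
    rd = extract_ramdisk(img)
    return {m.decode(): rd.find(m) for m in MARKERS if m in rd}

def build_sample(ramdisk: bytes, kernel: bytes = b"K" * 3000, page: int = 2048) -> bytes:
    """Constructed test image: v0 header + padded kernel + gzip ramdisk."""
    rd = gzip.compress(ramdisk)
    hdr = b"ANDROID!" + struct.pack("<8I", len(kernel), 0, len(rd), 0, 0, 0, 0, page)
    pad = lambda b: b + b"\0" * (-len(b) % page)
    return pad(hdr) + pad(kernel) + pad(rd)

if __name__ == "__main__":
    stock = build_sample(b"sbin/recovery\0etc/recovery.fstab\0")
    custom = build_sample(b"sbin/recovery\0twres/ui.xml\0etc/twrp.fstab\0")
    print("stock :", find_markers(stock))
    print("custom:", find_markers(custom))
```

An empty result only means none of the assumed strings were found; comparing the recovery image's hash against the stock firmware for the same model and build is the stronger check.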