±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 2 Overall: 33501
New Yesterday: 7 Visitors: 166

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

Samsung Knox Partition Lockout

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2  Next 
  

Samsung Knox Partition Lockout

Post Posted: Fri Feb 09, 2018 5:12 am

Hi all.

I tried to make a physical acquisition of a Samsung Galaxy S5 using Magnet Acquire. Note that I had to manually root the device using Magisk.

At first, physical acquisition did not complete successfully and from the logs I found something that infers that Samsung Knox denied access to the partition (21) containing the user data.
Quoting:
E/audit ( 5130): type=1400 msg=audit(1517955498.830:203): avc: denied { read } for pid=5686 comm=4173796E635461736B202335 name="magisk.apk" dev="mmcblk0p21" ino=33 scontext=u:r:knox_untrusted_app:s0 tcontext=u:object_r:su_file:s0 tclass=file

After that, physical acquisitions have been successful, giving me an image size of about 3gb, instead of 16gb (the missing 13gb is from the partition that access is denied). As such, the 3gb image is unreadable when I try to browse its contents.

My questions are:
1) Has anyone encountered such an issue before?
2) How would you suggest I go about it to get the full image?
3) As I have another S5 with similar security features, do you know if Knox can be disabled (either by the company, or other method) to allow full imaging?

Please also note that I don't have access to Cellebrite, Oxygen or other specialised tools, and have tried another rooting method - CF-Auto-Root. It appears as though the device/Knox has locked out the user data partition from any sort of imaging.

One method I have not but intend trying on the second device is to use CF-Auto-Root alone to root (without Magisk), so possibly, Knox does not detect it as an 'untrusted' app and allow the acquisition of its data partition as well.
Please let me have your comments/answers. Thanks.  

mrjude
Newbie
 
 
  

Re: Samsung Knox Partition Lockout

Post Posted: Fri Feb 09, 2018 11:14 am

Easiest way to avoid this would be to flash TWRP to the device and make dump while in custom recovery.  

arcaine2
Senior Member
 
 
  

Re: Samsung Knox Partition Lockout

Post Posted: Fri Feb 09, 2018 11:27 am

Hi arcaine2. Do you mean TWRP backup? If so, I already tried that.

First, TWRP backup would select partitions of the device, not the entire disk.
Second, TWRP backup fails when it when it tries backing up the "Data" folder. I googled and saw that I could check and delete the file causing the error through the log.
I can't quite remember the particular file but I was not sure of deleting it.

In summary, TWRP backup fails and might not get the whole disk.

Please explain further if the TWRP dump you mentioned is different and captures the entire disk.  

mrjude
Newbie
 
 
  

Re: Samsung Knox Partition Lockout

Post Posted: Fri Feb 09, 2018 1:27 pm

No, while in TWRP connect phone to PC and you can just "adb pull /dev/block/mmbclk0 some_filename.bin" to dump the whole eMMC or replace mmcblk0 with mmbclk0p21 for specific partiton, userdata in this case. This works in TWRP because adbd works in root mode by default and produces raw and direct copy that can be mounted or scanned by any tool later on.  

arcaine2
Senior Member
 
 
  

Re: Samsung Knox Partition Lockout

Post Posted: Tue Feb 13, 2018 12:01 am

I think the problem is the encrypted /data partition.

When u launch TWRP (System read only) u cant mount the data partition.

If u switch over to the terminal in TWRP, type in: mount

If im right, there should no data partition mounted.

No matter if u do a twrp backup or an android dd image.. u dont have the users data.

Dont swipe to allow modifications.. this will give u an bootloop.

BUT.. if u can mount the /data partition and it is listet when u type in mount in terminal prompt... fell free to dump the hole emmc like arcaine2 wrote before.  

Plan_B
Newbie
 
 
  

Re: Samsung Knox Partition Lockout

Post Posted: Tue Feb 13, 2018 3:51 am

Thanks a lot arcaine2 and Plan_B.

I managed to acquire the second device using the "dd" command from TWRP terminal without any issue.

For the initial device, the "adb pull" command gave the error that "remote object '/dev/block/mmcblkp21' does not exist".

I also tried "cp" command on "adb shell" (since the pull command does not work on shell) and it was not successful as well.
I did these before Plan_B's comment so did not try the "Mount" command. However, I think the /data partition was already mounted and not encrypted.

The "dd" command on TWRP terminal also failed to get the full partition.

I then ran TWRP Backup and still got errors but this time, traced the files causing the backup error, copied them first, then deleted them as suggested from some googling - the files were most related to Chrome.
After that, TWRP Backup worked but "dd" still did not acquire the full disk.
I then manually copied and pasted the data folder on my usb-otg device, to identify which file in particular might cause an error.
I got no error after the manual copy/paste, so retried the dd command and acquired the userdata partition successfully.

With that, I launched Magnet Acquire again to do the full disk acquisition and got a similar error. Quoting:
E/audit ( 5241): type=1400 msg=audit(1518469966.410:262): avc: denied { write } for pid=12119 comm="app_process32_o" name="[email protected]@boot.art" dev="mmcblk0p21" ino=130836 scontext=u:r:shell:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

Perhaps the problem was not with Samsung Knox or Magisk after all.

On a second trial, Magnet Acquire got the full disk without any error.  

mrjude
Newbie
 
 
  

Re: Samsung Knox Partition Lockout

Post Posted: Tue Feb 13, 2018 6:32 am

Congratz Very Happy  

Plan_B
Newbie
 
 

Page 1 of 2
Go to page 1, 2  Next