LS LS676 - Encrypte...
 
Notifications
Clear all

LS LS676 - Encrypted device - Oxygen Forensic

10 Posts
4 Users
0 Likes
1,350 Views
(@john000)
Posts: 45
Eminent Member
Topic starter
 

Hi,

I just installed the new Oxygen Forensic release and saw this
• Oxygen Forensic® Extractor. Added the ability to decrypt physical dumps with the known password for Android devices based on Qualcomm Snapdragon MSM8909 chipset.

Can anyone help me to figure out how it works? I never saw a way to set a password for extraction.
If the user data partition is encrypted, there is no way to know the password.. correct me if I'm wrong.

I have a case with LS676 Boost phone and the data is encrypted so if anyone can help me here that would be very useful.

Thanks,
John

 
Posted : 21/02/2019 2:37 pm
(@the_grinch)
Posts: 136
Estimable Member
 

I don't have Oxygen, but I'm about 99.9% sure they will be utilizing emergency download mode (EDL) on the device in order to perform the extraction and decode the contents without the passcode/pattern of the device. You will need a cable designed to put the device into EDL mode and then the extraction can start. The cable isn't expensive, runs about 7 or 8 bucks and I'd suggest getting one that supports microUSB along with USB-C. Also, I'd reach out to Oxygen because most companies will provide you with the cables needed for extraction (assuming they provide cables as part of their kit).

Basically you will power off the device, plug the cable into the computer and hold the button (on the cable) down as you plug it into the phone. You'll release the button and press it again (holding down) which should put the device into EDL mode. The screen will remain black the entire time so you won't know it's in the mode without it either being detected by the software or showing up under the devices on the computer. With Cellebrite it detects it, connects and starts extracting taking around 15 to 45 minutes to complete the extraction.

 
Posted : 21/02/2019 6:58 pm
(@john000)
Posts: 45
Eminent Member
Topic starter
 

I don't have Oxygen, but I'm about 99.9% sure they will be utilizing emergency download mode (EDL) on the device in order to perform the extraction and decode the contents without the passcode/pattern of the device. You will need a cable designed to put the device into EDL mode and then the extraction can start. The cable isn't expensive, runs about 7 or 8 bucks and I'd suggest getting one that supports microUSB along with USB-C. Also, I'd reach out to Oxygen because most companies will provide you with the cables needed for extraction (assuming they provide cables as part of their kit).

Basically you will power off the device, plug the cable into the computer and hold the button (on the cable) down as you plug it into the phone. You'll release the button and press it again (holding down) which should put the device into EDL mode. The screen will remain black the entire time so you won't know it's in the mode without it either being detected by the software or showing up under the devices on the computer. With Cellebrite it detects it, connects and starts extracting taking around 15 to 45 minutes to complete the extraction.

Hi, Thanks for the reply but I don't think EDL is the case here.

 
Posted : 26/02/2019 7:42 am
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

Hi John,

This approach indeed utilizes EDL mode. First, you need to have your phone switched to EDL mode than the software will lead you through the process of the dump and the keys extraction. A good addition to this is that if the dump is encrypted you can get it deciphered with the default password or try a password you think could be set. This means you can solve the task even in the case secure startup has been turned on. In the next version the brute-force procedure will be added though it won't be too fast due to the encryption functions like curve that cannot be implemented on GPUs efficiently.

 
Posted : 27/02/2019 7:38 am
(@john000)
Posts: 45
Eminent Member
Topic starter
 

Hi John,

This approach indeed utilizes EDL mode. First, you need to have your phone switched to EDL mode than the software will lead you through the process of the dump and the keys extraction. A good addition to this is that if the dump is encrypted you can get it deciphered with the default password or try a password you think could be set. This means you can solve the task even in the case secure startup has been turned on. In the next version the brute-force procedure will be added though it won't be too fast due to the encryption functions like curve that cannot be implemented on GPUs efficiently.

Thanks for the answer.
But let's say I already performed the extraction using Oxygen forensic EDL extractor.
How can I import the extraction and insert the password?

 
Posted : 28/02/2019 12:17 pm
(@the_grinch)
Posts: 136
Estimable Member
 

Depending on the EDL extraction you will not need the password as they'll be able to decrypt the encryption and give you all the data.

 
Posted : 28/02/2019 2:03 pm
(@john000)
Posts: 45
Eminent Member
Topic starter
 

Depending on the EDL extraction you will not need the password as they'll be able to decrypt the encryption and give you all the data.

So for example, I also have a Nokia 2 device (MSM8909), and created extraction using Oxygen.
There is no data decoded, and I'm looking for the area to enter the password but can't find it.
Any suggestions?

 
Posted : 28/02/2019 2:22 pm
(@the_grinch)
Posts: 136
Estimable Member
 

Again I don't have Oxygen, but my experience with other tools is that if you pull an encrypted extraction from a device and it wasn't decoded then you don't have the means to enter a password or brute force it.

The likely scenario is they are able to pull an extraction, but are unable to decrypt the data thus you aren't seeing anything. As far as other products go, I know of none that provides you the means of running passwords against the extraction in the hopes of unencrypting the data and bypassing any wiping or lockout security implementations.

 
Posted : 28/02/2019 8:48 pm
(@arcaine2)
Posts: 235
Estimable Member
 

The likely scenario is they are able to pull an extraction, but are unable to decrypt the data thus you aren't seeing anything. As far as other products go, I know of none that provides you the means of running passwords against the extraction in the hopes of unencrypting the data and bypassing any wiping or lockout security implementations.

According to release notes from current version of Oxygen Forensic Detective it is possible for that chipset. They did not specify if it's universal across all devices or just some are supported. It seems to be different from what UFED does.

Decryption of physical dumps with the known password for Android devices based on Qualcomm Snapdragon MSM8909 chipset.

 
Posted : 28/02/2019 10:24 pm
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

The software doesn't just "pull an encrypted extraction". It also performs the code on the device pulls data with partially decrypted keys. So, it's not "running passwords against the extraction". It's running passwords against key-related data as the rest of the decryption/bruteforce process can be done offline.

 
Posted : 01/03/2019 1:26 pm
Share: