LS LS676 - Encrypted device - Oxygen Forensic

  

John000
Member
 

LS LS676 - Encrypted device - Oxygen Forensic

Post Posted: Feb 21, 19 15:37

Hi,

I just installed the new Oxygen Forensic release and saw this:
• Oxygen Forensic® Extractor. Added the ability to decrypt physical dumps with the known password for Android devices based on Qualcomm Snapdragon MSM8909 chipset.

Can anyone help me to figure out how it works? I never saw a way to set a password for extraction.
If the user data partition is encrypted, there is no way to know the password. Correct me if I'm wrong.

I have a case with an LS676 Boost phone and the data is encrypted, so if anyone can help me here that would be very useful.

Thanks,
John  
 
  

the_Grinch
Senior Member
 

Re: LS LS676 - Encrypted device - Oxygen Forensic

Post Posted: Feb 21, 19 19:58

I don't have Oxygen, but I'm about 99.9% sure they will be utilizing emergency download mode (EDL) on the device in order to perform the extraction and decode the contents without the passcode/pattern of the device. You will need a cable designed to put the device into EDL mode and then the extraction can start. The cable isn't expensive, runs about 7 or 8 bucks and I'd suggest getting one that supports microUSB along with USB-C. Also, I'd reach out to Oxygen because most companies will provide you with the cables needed for extraction (assuming they provide cables as part of their kit).

Basically you will power off the device, plug the cable into the computer and hold the button (on the cable) down as you plug it into the phone. You'll release the button and press it again (holding down) which should put the device into EDL mode. The screen will remain black the entire time so you won't know it's in the mode without it either being detected by the software or showing up under the devices on the computer. With Cellebrite it detects it, connects and starts extracting taking around 15 to 45 minutes to complete the extraction.  
 
  

John000
Member
 

Re: LS LS676 - Encrypted device - Oxygen Forensic

Post Posted: Feb 26, 19 08:42

- the_Grinch
I don't have Oxygen, but I'm about 99.9% sure they will be utilizing emergency download mode (EDL) on the device in order to perform the extraction and decode the contents without the passcode/pattern of the device. You will need a cable designed to put the device into EDL mode and then the extraction can start. The cable isn't expensive, runs about 7 or 8 bucks and I'd suggest getting one that supports microUSB along with USB-C. Also, I'd reach out to Oxygen because most companies will provide you with the cables needed for extraction (assuming they provide cables as part of their kit).

Basically you will power off the device, plug the cable into the computer and hold the button (on the cable) down as you plug it into the phone. You'll release the button and press it again (holding down) which should put the device into EDL mode. The screen will remain black the entire time so you won't know it's in the mode without it either being detected by the software or showing up under the devices on the computer. With Cellebrite it detects it, connects and starts extracting taking around 15 to 45 minutes to complete the extraction.


Hi, Thanks for the reply but I don't think EDL is the case here.  
 
  

OxygenForensics
Senior Member
 

Re: LS LS676 - Encrypted device - Oxygen Forensic

Post Posted: Feb 27, 19 08:38

Hi John,

This approach indeed utilizes EDL mode. First, you need to have your phone switched to EDL mode, then the software will lead you through the process of the dump and the keys extraction. A good addition to this is that if the dump is encrypted you can get it deciphered with the default password or try a password you think could be set. This means you can solve the task even in the case secure startup has been turned on. In the next version the brute-force procedure will be added, though it won't be too fast due to the encryption functions like curve that cannot be implemented on GPUs efficiently.
_________________
Helping good people make this world safer 
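
An added triage example, not part of the original posts and not Oxygen's code: it reads the Android full-disk-encryption footer from the tail of a userdata dump to show whether the device was using the default password and which key-derivation function protects the key. The field layout is an assumption taken from AOSP's `struct crypt_mnt_ftr` (footer version 1.3) and should be checked against the device's Android version; the sample footer is constructed.

```python
import os
import struct

CRYPT_MNT_MAGIC = 0xD0B5B1C4   # magic value of AOSP's struct crypt_mnt_ftr
FOOTER_OFFSET = 0x4000         # footer occupies the last 16 KiB of userdata
# Assumed layout (AOSP cryptfs.h, footer v1.3): magic, major, minor, ftr_size,
# flags, keysize, crypt_type, fs_size, failed_decrypt_count, crypto_type_name,
# spare2, master_key, salt, persist_data_offset[2], persist_data_size,
# kdf_type, N_factor, r_factor, p_factor
FTR = struct.Struct("<IHHIIIIQI64sI48s16s2QI4B")
CRYPT_TYPES = {0: "password", 1: "default", 2: "pattern", 3: "pin"}
KDF_TYPES = {1: "pbkdf2", 2: "scrypt", 3: "scrypt+keymaster (unpadded)",
             4: "scrypt+keymaster (badly padded)", 5: "scrypt+keymaster"}


def parse_fde_footer(tail: bytes):
    """Parse the last 16 KiB of a userdata image; None if no footer is there."""
    if len(tail) < FTR.size:
        return None
    f = FTR.unpack_from(tail)
    if f[0] != CRYPT_MNT_MAGIC:
        # Unencrypted, file-based encryption, or footer kept in another partition.
        return None
    kdf = f[16]
    return {
        "version": f"{f[1]}.{f[2]}",
        "cipher": f[9].split(b"\0", 1)[0].decode("ascii", "replace"),
        "crypt_type": CRYPT_TYPES.get(f[6], f"unknown({f[6]})"),
        "kdf": KDF_TYPES.get(kdf, f"unknown({kdf})"),
        # The footer stores log2 of scrypt N and r; memory per guess is 128*N*r.
        "scrypt_mem_bytes": 128 * (1 << f[17]) * (1 << f[18]) if kdf >= 2 else None,
        # Keymaster variants: a device-held key takes part in key derivation.
        "keymaster": kdf in (3, 4, 5),
    }


def footer_from_image(path):
    """Read only the tail of a (possibly very large) partition dump."""
    with open(path, "rb") as fh:
        fh.seek(-FOOTER_OFFSET, os.SEEK_END)
        return parse_fde_footer(fh.read(FOOTER_OFFSET))


def constructed_tail(crypt_type, kdf_type):
    """Constructed sample footer (zeroed key and salt), not from a real device."""
    ftr = FTR.pack(CRYPT_MNT_MAGIC, 1, 3, FTR.size, 0, 16, crypt_type, 1 << 20, 0,
                   b"aes-cbc-essiv:sha256", 0, bytes(48), bytes(16), 0, 0, 0,
                   kdf_type, 15, 3, 1)
    return ftr.ljust(FOOTER_OFFSET, b"\0")
```

A `crypt_type` of `default` means secure startup was not enabled; any other value means a user credential is needed in addition to whatever key material the tool recovers from the device.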
 
  

John000
Member
 

Re: LS LS676 - Encrypted device - Oxygen Forensic

Post Posted: Feb 28, 19 13:17

- OxygenForensics
Hi John,

This approach indeed utilizes EDL mode. First, you need to have your phone switched to EDL mode, then the software will lead you through the process of the dump and the keys extraction. A good addition to this is that if the dump is encrypted you can get it deciphered with the default password or try a password you think could be set. This means you can solve the task even in the case secure startup has been turned on. In the next version the brute-force procedure will be added, though it won't be too fast due to the encryption functions like curve that cannot be implemented on GPUs efficiently.


Thanks for the answer.
But let's say I already performed the extraction using the Oxygen Forensic EDL extractor.
How can I import the extraction and insert the password?  
 
  

the_Grinch
Senior Member
 

Re: LS LS676 - Encrypted device - Oxygen Forensic

Post Posted: Feb 28, 19 15:03

Depending on the EDL extraction you will not need the password as they'll be able to decrypt the encryption and give you all the data.  
 
  

John000
Member
 

Re: LS LS676 - Encrypted device - Oxygen Forensic

Post Posted: Feb 28, 19 15:22

- the_Grinch
Depending on the EDL extraction you will not need the password as they'll be able to decrypt the encryption and give you all the data.


So for example, I also have a Nokia 2 device (MSM8909), and created an extraction using Oxygen.
There is no data decoded, and I'm looking for the area to enter the password but can't find it.
Any suggestions?  
 
