How To Perform Samsung Exynos Extractions With Oxygen Forensic Detective

Keith: Hey, Keith Lockhart here, Director of Training for Oxygen. So this video is another extraction, one about Samsung and specifically Samsung devices with the Exynos chip family. And this is kind of an evolution of our previous Samsung extractor module inside Extractor. So we’re going to figure that out and kind of follow along with these bullets, and strangely enough, we’ll be able to use the extractor itself as kind of a guide, because it pretty much walks us down these steps. 

Let’s get the phone mode, let’s craft a package to do what we want to get control of the phone. Most importantly, in this module will be secure boot attacking. So without affecting KNOX, offline brute forcing a secure boot password to follow up with the extraction, and cool enough, a complete restoration to put the phone back in the state it was when you got it, in case you’ve got to give it back to somebody else.

Okay. So let’s see how that works. 

Actually, before that, let’s take a look at the differences between old-school Samsung Android dump and new school Samsung Exynos dump. 

So we’ll start with the old school. Okay. And if we look at the string here, Hey, here’s a custom recovery. We’ll take the recovery partition, overwrite it with our own. The previous one would be lost without being read. After the data extraction process is finished, our recovery image will stay there. After recovery upload, KNOX will be affected, which voids the warranty. And if you do it wrong, you know, here’s a brick for you. Now theoretically, that’s a possibility. However, I have not only done it wrong and broken the boot process of the phone, but restored the correct firmware and recovered the phone, all in the same fitful moment. So while it’s doable — this makes a great module of education, by the way, we do that in our extraction class, just so you don’t freak out and don’t, you know, throw it in the lake when you do something bad. 


So, you know, you read the instructions and you click next. And then there’s the whole list of phones that fall into this extraction support category. And when you pick your phone and hook it up, you get the green check mark here, and you’re good to go. That’s old school, you know, non-Exynos environment. So great. 

Let’s get rid of that and talk about the Exynos extractor, which is brand new to the tool, essentially the last build of Detective. So let’s just walk down the list here. The first bullet is the supported device list. So let me just grab that off another screen, the HTML doc. 

So if I scroll down, you can just see this whole new world of Exynos support. I think it’s 130 or something, 121 new devices in the Exynos support. I mean, Exynos just sounds cool. So you know, the more devices the better. But this is one, that’s an OS seven or eight straight out of the gate, out of the box. Including things that are upgraded to nine, not nine natively out of the box yet, that’s, I think, Q1 of next year is the current plan for that. 

We’ll see the KNOX state doesn’t change, which is a huge, huge point because that will allow us then to attack the secure boot password. Now this says secure startup has enabled investigators to enter the user password. I’m going to differentiate between a screen lock password, and call that secure start, and then a boot password and call that secure boot, because one is certainly different than the other.

Okay. So this is where this is a key new tool for your toolbox: using a dictionary attack against a password, and you know, maybe a little social engineering and your target, you know, where can you find… you can add new dictionaries, but how do you effectively create ones to give you the best bang for your buck? So, that’s alternate education aside from extraction, but that’s certainly something you should have your head around, so you can do this yourself. Okay. 

We want to install the Android driver for Samsung, sure. Charging device, all that normal, great stuff. And then we’ve got two options: automatic detection and device restoration. Okay. Like other extraction videos that have an interesting chunk of time for the extraction to occur, there are some things in this extraction that also take time. So I have a previously recorded extraction event where I can in turn overlay a narration on top of it like this and squeeze the time when I need.

So here’s the… extractor’s up the top left of the screen. And there’s the phone, which is a Galaxy S8, and the camera. I’m turning the phone on and I’m going to walk through a secure startup and secure boot protecting this device, so we can be sure it’s on there when you see the exploit take place. So the phone’s on, and I’m going to go into settings and we’re going to enable different layers of protection on the device. So we can do what we just talked about. 

So I’m in settings, and I’m going to scroll to the lock screen option. And at the top we see the screen lock type. I’ll select that. I’m going to put a password on this phone, a secure startup password. We’ll make it easy, shocking. Let’s use ‘oxygen.’ And we’ll go ahead and confirm that: ‘oxygen.’ I don’t want to back this password up. I’m not really worried about that. 

We’re done. And I’ll move past this. And there we go. I’ll shut the phone off and restart it. So we can see, indeed, we have a secure start password now. This is where I should tell a good joke, but the phone restarts and, you know, it gets picked up by the computer. Hey, I have a Galaxy S8. What do you want me to do with it? Type thing, and go ahead and engage the phone. So here we have to put our start-up password in to get anything done, right? Secure start. Oxygen, like we entered. And there we go. 

So I mean, that’s the example of… the phone can start, but you really can’t do anything in the operating system until you… it’s kind of like a Windows login, your Android login. So this time we’re going to go ahead and hit ‘biometrics and security’ and enable this secure startup, which I’m terming secure boot. And if we read the red paragraph, this is the one that kind of says, listen, if you do this, it’s bad if you forget, because while this disc encryption system is default_password right this minute, it’s now about to become ‘oxygen’ as its secure boot protection password. Okay. So that’s entered. We’re going to restart the phone again and see the difference in secure boot versus secure startup.

Yeah. Your phone is encrypted for security; to start it up, enter your password. ‘Oxygen’ is what we’ll need. Verifying. Starting the phone. Decrypting what it needs to get going. Yeah, a little bit of a difference from just a secure start screen lock password, essentially, to a secure boot device lock password. We’ve got to get through that. This is where the fun is, for a lack of a better phrase, I’ll just say, this is where the fun is. So when this happens, it’s great. We’re going to let that continue to boot and then shut the phone off and begin our extraction process.

So USB cable, visual aid, and we’re going to go ahead and start the Exynos extractor and device extractor. And here, I mean, it tells us what versions are supported right now and what’s coming. The fact we’re not affecting KNOX. Make sure your battery is charged, all these things you would want to do for an extraction anyway. 

And at the bottom we have two options: automatic detection and kind of restoration. So that’s the end result or the end of the game button. We’re going to pick the automatic detection button and it will say, Hey, look, I’m out here looking for a Samsung in ODIN mode, give it up. So we’re going to hook up the phone. We’re going to pick automatic detection, hook up the phone while it’s in ODIN mode, so the extractor can recognize it and get going. 

Before we actually start the extraction, I’m going to bring up this ODIN box. So when you select automatic detection, there’s a little information ‘I’ there that you can click, which will pull up this. Now ODIN mode is simply download mode. I mean, this is the opportunity to boot your phone into a mode where you can root it, right, or flash new firmware to it. I mean, is it dangerous? Well, that goes kind of with the whole, is it bad to root? I don’t know. But listen, this is, I mean, it’s also a PC app where you can take a firmware package and flash it to your phone. Or in this case, we can boot the phone into that flashing mode — that download mode — and use technology like we’re using now. 

Getting the phone into ODIN mode is kind of a trick. As you see here in the list, there are several ways. Does your phone have a Bixby button, the little assistant, or not? I mean, what kind of key combinations get it in there, but once it’s in here, this is what Extractor is looking for, is an ODIN mode ready device so we can start working on uploading and crafting packages to get the control we want. 

Okay, let’s get this process on the road. We’ll let the ODIN box disappear. We’ll get back to our recording, and we’ll click ‘automatic detection.’ So there goes the Extractor, looking for the phone in ODIN mode. And there goes me, turning the phone on in ODIN mode. So here it is, Hey, listen, you can do this: hit the up volume key if you want to get into that ODIN download mode. And there it is. And if you watch in the Extractor menu, when I push in the USB cable, ding, Extractor says, Oh, I found your phone. It’s a Samsung Galaxy S8 SMG950F. Great. 

But the reality is, it moves along to, Hmm, I’ve got some modified stuff to do. Here’s this for the phone, go ahead and reboot it for me. And that’s fine. So now we’re doing the volume down button and the power button for seven seconds, as it describes. So the phone will reboot. We can see at the top this time, there’s a little bit of difference. The command line parameter has been modified and Extractor is doing its thing with what we uploaded a second ago, or downloaded into the phone, take your preference on syntax there. But the goal now is to read the cache partition while the phone’s booting. So this is kind of like watching the scratch pad, see what’s going on in there, grabbing some things we need, you know, mixing up magical potions, doing whatever proprietary thing Extractor is doing right now, and merging it into some other proprietary stuff, standing on its head, you know, watching the moon through a telescope and uploading that into the phone. And then it’s going to want to run that and reboot again.

And I’m not fast forwarding because I want us to get a real-time feel for what’s happening here. So we’ll sit here through the awkward silence. You can think Jeopardy music or nursery rhymes or climate change, anything that can fill this awkward moment in time. 

Let’s see. I can talk about the training calendar, that would be apropos, considering that’s what I do at the company. It’s Hallowe’en in our neighborhood. I have all kinds of decorations out. This is good. Oh, look. Okay. 

And it wants to reboot into ODIN mode. Ah, so it’s probably going to take what it uploaded and put it into a position where it can impact the boot process. So there’s me holding down the key combination to reboot the phone into ODIN, hitting a volume up press right there, to get it in download mode. And you can see Extractor take off again. 

So it ran the package and now it wants to reboot into normal mode again. No worries. I’ll hit volume down and power, for seven seconds is the typical model there. And the phone should reboot into normal mode. And you can see Extractor pick back up in the process. We still have a command line parameter modification message at the top. That’s fine.

Oh, that’s even finer. You might’ve remembered the little white logo and the red bullets when I was outlining what we’re going to do, this is the take control part. So when your Samsung has the Oxygen logo floating around, you are in a good spot. But look at this. 

Now, here is your opportunity to dictionary attack that secure boot password. Now remember, this is the secure boot, not the screen lock — not the secure startup I was talking about — because that particular lock password doesn’t even apply. It’s not even part of this process. The way we’re exploiting and attacking right here is before the operating system is even part of the game. Okay? 

So as you can see, the dictionary that we start out with is passwords, 10,000 most common, this will take about 40 minutes or so. We’re going to start with that. Not to mention we can change those passwords if we want. This just happens to be the default one we start with. So if you get a text file, you know, full of strings, just a word on the line or a string in a line and a carriage return, that’s your next dictionary, whenever you have the compunction to do that. 

Okay, I’m going to start the process. And I literally have to gray out the currently applying field, because out of those 10,000 most common passwords, you just wouldn’t imagine how many bad words show up there that we just really don’t need to see. However, we’re going to wait this out, because, you know, the ‘at no time do my fingers leave my hands’ conversation, I want to make sure that we follow through till we get this password, but that means I’m going to have to sit here and talk.

[Fast-forwarded section]

I hit the brakes because boom, there’s the password. And at this point, now that we have the password, we can start reading the user data. And that, of course, takes me to my happy place. That’s my ghost happy place in honor of it being Hallowe’en in my neighborhood.

So this will require a massive fast-forward to get from that 0.5% down to a hundred percent of the user data. So I’m just going to split and do a merge and we’ll just trust it made it from, you know, almost a percent, all the way to the end. 

And magically we’re to 99.8, .9, and… 100. Okay, there we go. So the phone’s looking to reboot to ODIN. So we’re going to zoom back out to our full screen, where we can watch that process. You can see on the phone, I’ve got it in download mode and it’s doing its thing, putting things back in place, and now it’s ready to reboot into normal mode again. So I’ll effect that with a power and volume down key combination for seven seconds, as it likes to have. And the phone will reboot. 

And this time it’s going to look for an instructional, Hey, what do I do from an update perspective? When it does that, it’ll eventually reboot itself into recovery mode where we’ll wipe the cache partition for anything we’ve done and reboot it back to normal. There it’s restoring the cache. Looking for a final reboot into ODIN. I was looking for one more good reboot. So here we’ll give it that.

And you can see in the Extractor world, Extractor’s done. It’s restored what it needed to do. Now, the phone itself will go through, it’ll clean up, and it’ll be right back where it needs to be. So there’s a recovery mode, just saying ‘reboot now’ as the top option because we threw it into a recovery mode, and it reboots and clears itself out. And we are back where we belong with the ‘oxygen’ password still in place. And there you go.

So, hope that helps if you get yourself into an Exynos situation. Really cool new stuff in Extractor. You know, as usual, keep on learning; call if you need anything, and we’ll speak to you later. 
