Physical Imaging Of A Samsung Galaxy S7 Smartphone Running Android 7.0

by Oleg Skulkin & Igor Shorokhov

The release of Android Nougat has brought new challenges to mobile forensic examiners: the smartphones running this version most likely have encrypted partitions with users’ data, their bootloaders are locked and classic custom recovery acquisition, which is widely used especially for Samsung smartphones, may not work anymore. But thankfully, things are not always this bad for the examiners. From time to time we find some interesting and original ways to extract data on the physical level from the smartphones we examine. And of course it’s very important to share the knowledge, so we decided to show you a way to perform a physical acquisition of a Samsung Galaxy S7 smartphone running Android 7.0.

The most challenging part of acquiring this device is its encrypted user data partition. This is the most important part of the smartphone’s memory, as it contains user-created content, so even a chip-off extraction would give us a fairly useless image.

The method we are going to use is much like the custom recovery method, with one exception – there is no custom recovery. And yes, this method works for bootloader-locked devices!

You will need:



Let’s go!

  1. Put the device in the Download mode
  2. Start modified ODIN on your workstation
  3. Connect the device to your workstation and choose the appropriate boot image, look at the following figure:
  4. Click ‘Start’ and wait till the process is finished. There is some magic: if there is a passcode, flashing this boot image resets it. So you can enable USB-debugging now.
  5. Unpack the files for rooting and start ‘root.bat’. Now the smartphone is rooted and ready for physical acquisition.

We are going to use Magnet ACQUIRE to image the phone, but you can use the tool of your choice.

Start ACQUIRE and choose the right device. As you can see in the figure, our device has privileged access. What does that mean? It’s rooted and ACQUIRE detects it.

As our device has privileged access, we can choose ‘Full’ image type and get the entire contents of the smartphone – the physical image.

Finally choose the destination folder and image name, and fill in other available fields. Click the ‘ACQUIRE’ button and the imaging process will start.

As you can see in figure 6, ACQUIRE is imaging a decrypted (!) data partition.

In our case, it took 3 hours and 27 minutes to create the image (without calculating image hashes).

The whole process took 3 hours and 48 minutes – we got a 23.24 GB SM-G891A image.

Let’s make sure it’s really decrypted and process it with Magnet AXIOM.

First, start AXIOM Process and create a new case.

Choose the evidence source and artifacts type you want AXIOM to extract. As we are dealing with a smartphone image, we’ve chosen all mobile artifacts.

Click the “ANALYZE EVIDENCE” button to start processing.

Once the image is processed, you’ll see that it’s really decrypted: we have lots of different forensic artifacts extracted by AXIOM, as shown in figure 11.

If you switch from the Artifacts view to the File System view, you can browse the file system and see once again that the image isn’t encrypted.
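The same "is it really decrypted?" question can be triaged before loading the image into a forensic suite. The following is an added example, not part of the original article or of any Magnet tool: it assumes a raw image of the userdata partition alone, formatted as ext4, and checks for the ext4 superblock magic plus low entropy in the partition header. The function names and the 7.0 bits-per-byte threshold are illustrative choices, and the sample inputs are constructed.

```python
import hashlib
import math
import struct
from collections import Counter

EXT4_MAGIC = 0xEF53            # s_magic value, stored little-endian
MAGIC_OFFSET = 1024 + 0x38     # superblock starts at byte 1024, s_magic at +0x38
SAMPLE = 4096                  # bytes of the partition header to inspect

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for ext4 metadata."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_header(head: bytes) -> dict:
    """Report ext4 magic presence and entropy for the first bytes of a partition."""
    has_magic = (len(head) >= MAGIC_OFFSET + 2 and
                 struct.unpack_from("<H", head, MAGIC_OFFSET)[0] == EXT4_MAGIC)
    entropy = shannon_entropy(head[:SAMPLE])
    # Assumed threshold: a plaintext ext4 header sits far below 7.0 bits/byte.
    return {"ext4_magic": has_magic, "entropy": round(entropy, 2),
            "decrypted": has_magic and entropy < 7.0}

def classify_image(path: str) -> dict:
    """Same check on a raw userdata partition image on disk."""
    with open(path, "rb") as fh:
        return classify_header(fh.read(SAMPLE))

def constructed_samples() -> tuple:
    """Constructed test inputs, not data from a real device."""
    plain = bytearray(SAMPLE)                                # zeroed header ...
    struct.pack_into("<H", plain, MAGIC_OFFSET, EXT4_MAGIC)  # ... with ext4 magic
    # Deterministic pseudo-random bytes standing in for an encrypted partition.
    cipher = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                      for i in range(SAMPLE // 32))
    return bytes(plain), cipher

if __name__ == "__main__":
    plain, cipher = constructed_samples()
    print("plaintext-like :", classify_header(plain))
    print("ciphertext-like:", classify_header(cipher))
```

A positive result only shows that the header parses as ext4; record the check and its output alongside the image hashes in the acquisition notes.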

As you can see, sometimes it is quite useful to spend more time on research, as it can help to find new ways of physical imaging even for new devices with built-in anti-forensic technologies. Of course, the demonstrated technique isn’t as forensically sound as we would like it to be, but it’s better than trivial logical acquisition. Don’t forget to document everything you do thoroughly, especially when dealing with non-standard acquisition techniques.

About the authors

Oleg Skulkin, MCFE, ACE, is a digital forensic examiner from Sochi, Russia. He is the author of Windows Forensics Cookbook (with Scar de Courcier) and Cyber Forensicator blog (with Igor Mikhaylov).

Igor Shorokhov, MCFE, ACE, OSFCE, is Chief Information Officer at Digital Forensics Corp.

25 thoughts on “Physical Imaging Of A Samsung Galaxy S7 Smartphone Running Android 7.0”

  1. In step 4, you state:

    “if there is a passcode, flashing this boot image resets it.”

    To be clear, you are saying if the device has a passcode (and in my experience this is increasingly true), this process will reset the _user data_ partition, correct?

    Thx.

  2. Apologies for bumping an old blog, but I am having some issues.

    I am able to follow the first section, where I download the image. On reboot, though, it still asks for a PIN.

    I am not sure what screen to be in to run root.bat? Downloads still?

    This is an encrypted device, so will this still work?

    Thank you

    B

  3. In “You will need:”
    the links beside ODIN are outdated, could you please upload again, e.g. to androidfilehost?
    And are root images also available for other Samsung devices, like the J530F?
    Kind regards
