Hi
I'm doing some tests with dumps from cell phones to recover data, not so much to do forensics on them.
Until Android 6 I can read the data directly from the dump, but I have tested for now a dump of a 6.01 version and I can't access the user data, which I think is normal because since this version data is encrypted, right?
Is there any other way to access it? Or do I need an unlock pattern or pin from client?
Since this is for data recovery, the client will be helpful and provide all the necessary details, of course.
Thanks
I think it's normal because since this version data is encrypted, right?
Yes, that's because of data encryption.
Is there any other way to access it? Or do I need an unlock pattern or pin from client?
Yes, you will need the passcode from the customer, but if by data recovery you mean deleted data, then you still need a way to dump the already decrypted partition image in the first place. You can't use the passcode to decrypt it outside the device anymore.
Deleted file data recovery (like pictures, videos) is almost non-existent on encrypted devices.
If the dump is encrypted, but the encryption keys weren't dumped, it's almost impossible to decrypt the userdata partition, no matter if you know the user lock or not.
Hi
The idea is not to recover deleted data, but access data from broken phones or tablets.
Deleted data is not on my mind right now.
The dump will be done directly from the NAND chip of the board.
Thank You
Recovered data != deleted data. It's a widely used term that doesn't only apply to deleted stuff. For encrypted devices there's essentially one major rule. No boot, no data. You either have to fix the original device, so it'll boot to Android/iOS and decrypt itself, or perform a chip swap (CPU, storage, eeprom - depending on the device) onto a working board, so it can boot and decrypt itself.
In most cases, it is not possible to decrypt NAND, eMMC, or UFS dumps outside that specific device, no matter if you have the passcode or not. There are some devices that can be exploited to obtain extraction keys, but even those can't be fully dead, and with just a storage chip dump created by using the ISP or chip-off method you won't get back anything useful.
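As an added illustration (not code from this thread or from any of its posters), the Python below shows how to triage a raw chip-off image before spending time on it: it looks for a readable ext4 superblock (the pre-6 situation the asker describes), measures entropy to recognise ciphertext, and parses the leading fields of Android's FDE crypto footer (struct crypt_mnt_ftr, magic 0xD0B5B1C4), which records cipher, lock type and key size but only a device-wrapped master key, which is why the dump cannot be decrypted offline. The sample images and footer are constructed inline; the field layout assumed is that of the fixed header of crypt_mnt_ftr.

```python
import math
import random
import struct

CRYPT_MNT_MAGIC = 0xD0B5B1C4   # magic at the start of Android's FDE struct crypt_mnt_ftr
EXT4_MAGIC = 0xEF53            # ext4 superblock magic, 2 bytes at offset 1024 + 56
FTR_HEADER = "<IHHIIIIQI64s"   # leading, fixed-layout fields of crypt_mnt_ftr
CRYPT_TYPES = {0: "password", 1: "default", 2: "pattern", 3: "pin"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: a plaintext filesystem sits well below 7.5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_crypt_footer(blob: bytes):
    """Header fields of an FDE crypto footer (last 16 KiB of userdata or its own partition,
    per the fstab 'encryptable=' entry), or None when the magic is absent."""
    if len(blob) < struct.calcsize(FTR_HEADER):
        return None
    magic, major, minor, _size, _flags, keysize, ctype, sectors, failed, name = \
        struct.unpack_from(FTR_HEADER, blob, 0)
    if magic != CRYPT_MNT_MAGIC:
        return None
    return {"version": f"{major}.{minor}", "keysize": keysize,
            "crypt_type": CRYPT_TYPES.get(ctype, "unknown"),
            "fs_size_bytes": sectors * 512, "failed_decrypts": failed,
            "cipher": name.split(b"\0", 1)[0].decode(errors="replace")}

def classify_userdata(image: bytes) -> str:
    """'plaintext-ext4' if the superblock is readable, 'encrypted' if it looks like ciphertext."""
    if len(image) >= 0x43A and struct.unpack_from("<H", image, 0x438)[0] == EXT4_MAGIC:
        return "plaintext-ext4"
    if shannon_entropy(image[:65536]) > 7.5:
        return "encrypted"
    return "unknown"

# Constructed samples, not real dumps: a zero-filled image carrying only the ext4 magic,
# pseudo-random bytes standing in for ciphertext, and a synthetic footer header.
_rng = random.Random(6)
PLAINTEXT_IMAGE = bytearray(65536)
PLAINTEXT_IMAGE[0x438:0x43A] = struct.pack("<H", EXT4_MAGIC)
CIPHERTEXT_IMAGE = bytes(_rng.getrandbits(8) for _ in range(65536))
SAMPLE_FOOTER = struct.pack(FTR_HEADER, CRYPT_MNT_MAGIC, 1, 3, 100, 0, 16, 3,
                            (12 * 1024 ** 3) // 512, 0, b"aes-cbc-essiv:sha256")
```

Run `classify_userdata` on the first 64 KiB of the userdata partition and `parse_crypt_footer` on the footer region; an "encrypted" verdict with a valid footer confirms the thread's point that only the original (or a chip-swapped) booting device can decrypt it.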
Thank you arcaine2
That's what I wanted to know!