I have a Samsung phone that has been in someone else's hands, and I would like to know if that person has in any way used any extraction methods on that phone.
Is there some sort of log or something that can prove that the extraction has been done on the phone before?
For physical extractions there should be no logs. If there is a physical extraction over ADB, that would be minimally logged at USB level.
For logical extractions regular USB communication is used, which is logged.
From logs you get only that the device was connected to something, not the process itself which was done with it.
Can you tell me where I can find this log?
On Android 4.1 and above root access is required. Then you could use CatLog or SysLog apps on the device itself.
If you need this in a forensically sound way, then create a physical dump of the phone and analyze the logs from there.
Ahh, appreciate the advice. So basically grab a physical image from, let's say, Cellebrite and then analyze it. From there, what would I look at exactly? What keywords should I be looking for?
You could have a look at the recovery partition. I've seen Cellebrite put its own version of TWRP on a phone for a physical extraction, and I imagine it wouldn't remove it.
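One way to run the recovery-partition check suggested above, as an added example that is not part of the original thread: it parses a recovery image carved from the physical dump, unpacks the ramdisk and searches it for TWRP strings. It assumes a version 0 to 2 Android boot image header and a gzip, xz or lzma compressed ramdisk; the marker strings and the `build_sample` helper are assumptions made for the example.

```python
import gzip, lzma, struct, sys, zlib

MAGIC = b"ANDROID!"
# Assumed marker strings for a TWRP ramdisk (lower case); extend as needed.
MARKERS = (b"ro.twrp.version", b"teamwin")

def extract_ramdisk(img: bytes) -> bytes:
    """Return the ramdisk of a v0-v2 boot/recovery image, decompressed if possible."""
    if img[:8] != MAGIC:
        raise ValueError("not an Android boot image")
    kernel_size, _, ramdisk_size = struct.unpack_from("<3I", img, 8)
    page_size = struct.unpack_from("<I", img, 36)[0]
    if page_size == 0:
        raise ValueError("page size is zero (header v3+ or corrupt image)")
    # Layout: one header page, then the kernel rounded up to whole pages.
    start = page_size * (1 + -(-kernel_size // page_size))
    raw = img[start:start + ramdisk_size]
    if len(raw) < ramdisk_size:
        raise ValueError("image is truncated")
    for decompress in (gzip.decompress, lzma.decompress):
        try:
            return decompress(raw)
        except (OSError, EOFError, zlib.error, lzma.LZMAError):
            continue
    return raw  # unknown compression (e.g. lz4): search the raw bytes

def find_markers(img: bytes) -> list:
    """List the marker strings present in the image's ramdisk."""
    ramdisk = extract_ramdisk(img).lower()
    return sorted(m.decode() for m in MARKERS if m in ramdisk)

def build_sample(ramdisk_plain: bytes, page: int = 2048) -> bytes:
    """Constructed test image: dummy kernel plus a gzip-compressed ramdisk."""
    kernel, rd = b"\0" * 3000, gzip.compress(ramdisk_plain)
    hdr = MAGIC + struct.pack("<8I", len(kernel), 0, len(rd), 0, 0, 0, 0, page)
    pad = lambda b: b + b"\0" * (-len(b) % page)
    return pad(hdr) + pad(kernel) + rd

if __name__ == "__main__":
    if len(sys.argv) > 1:          # path to the carved recovery partition
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:                          # constructed sample, not real device data
        data = build_sample(b"ro.twrp.version=0.0-constructed\n")
    hits = find_markers(data)
    print("custom recovery markers:", hits or "none found")
```

A hit shows that a custom recovery is installed on the partition, not who installed it or when.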