How to extract data in Second Space?
Have you guys heard about a pretty good feature called "Second Space"? Manufacturers like Xiaomi, Huawei… offer a "Second Space" feature which allows users to own a private space on the same phone. When "Second Space" is activated, it will create a new and fresh space on your phone. Switching from one to another is easy and fast. You guys could take a look at my blog to see what's going on.
Create the physical dump of the device and decrypt the second space (if it is possible).
The most important thing is knowing the directory or path along which the Second Space feature stored the files. There's nothing difficult about accessing or analyzing data from Second Space locations in smartphones.
The same rules (for the regular file locations) apply to Second Space. If something is encrypted, then you must decrypt it.
@EM-Belkka No kidding? Did you ever extract WhatsApp, WeChat… from a smartphone running Android 7 or above? It's easy for you to say that but actually Law Enforcement spend more and more money to buy or update mobile forensic tools.
By the way, no offense, does Belkasoft Evidence Center support decrypting bootloaders, downgrade extraction, EDL or MTK Live...? I'd like to have a trial version of BEC and see its capability. I think we'll have lots of fun and I can't wait.
It's easy for you to say that but actually Law Enforcement spend more and more money to buy or update mobile forensic tools.
That would be a problem for Law Enforcement accounting, budgeting and financing departments; it has nothing to do with the "Second Space" being in any way different (and more difficult to treat) than "normal" storage space.
I had never heard of Android OS "Second Spaces" before, so thank you for the new information as always.
It appears from your blog that the "Second Space" data is not encrypted as it resides on an Android phone, correct? I wonder if the Second Space is running as a virtual machine within Android?
If I am understanding your blog post correctly, one could find two separate SQLITE databases for applications like Line and WhatsApp on an Android phone; one SQLITE database for the "First Space" and one SQLITE database for the "Second Space" located in separate and distinct folders.
If my understanding is correct in that users of "Second Space" will potentially have two separate and distinct SQLITE databases for Line, WhatsApp, etc., then the question is, "will forensic tools automatically parse both the First Space and Second Space SQLITE database files, or will most forensic tools simply parse only the "First Space"'s SQLITE database file and ignore the "Second Space"'s folders???"
Have you identified any specific folders or settings in Android OS that indicate a Second Space is being used? If forensic tools currently only parse the "First Space" databases, then it is critical to manually review all of the Android system folders to make sure one is not missing additional "Second Space" SQLITE database files.
Yes, you're right. "Second Space" seems like a virtual machine. You could switch from one to another. It also occupies a space and its path is /data/user/10/. But the path may differ from brand to brand.
First you have to extract data from phones before conducting analysis. That means extracting is more difficult than analyzing, especially for phones running Android 7 or above. Obviously it's getting more and more difficult, right? Unfortunately some features like "Dual Apps" or "Second Space" make it even worse for Law Enforcement. Still we have to face the music and keep on going. And never give up seizing any chance, no matter how hard it is.
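The manual check raised in the thread (does an app have a second SQLite database under another user ID such as /data/user/10/?) can be scripted. The following is an added example, not part of the original posts or of any tool mentioned in them. It assumes the extraction is already decrypted and unpacked to a directory, with owner data under data/data and further spaces under data/user/<id>/; the function names are hypothetical and the sample tree is constructed.

```python
import os
import tempfile
from collections import defaultdict

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file

def user_roots(dump):
    """Yield (user_id, path) for each per-user app-data root in the extraction."""
    legacy = os.path.join(dump, "data", "data")  # assumed location of user 0 data
    if os.path.isdir(legacy):
        yield 0, legacy
    users = os.path.join(dump, "data", "user")
    for e in os.scandir(users) if os.path.isdir(users) else []:
        if e.name.isdigit() and e.is_dir(follow_symlinks=False):  # skip user/0 symlink
            yield int(e.name), e.path

def inventory(dump):
    """Return {package: {user_id: [relative SQLite paths]}}, matched by file header."""
    found = defaultdict(lambda: defaultdict(set))
    for uid, root in user_roots(dump):
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                full = os.path.join(dirpath, fname)
                try:
                    with open(full, "rb") as fh:
                        if fh.read(16) != SQLITE_MAGIC:
                            continue
                except OSError:
                    continue  # unreadable entry: skip it rather than abort the scan
                rel = os.path.relpath(full, root)
                found[rel.split(os.sep)[0]][uid].add(rel)
    return {p: {u: sorted(r) for u, r in by.items()} for p, by in found.items()}

def multi_space_packages(inv):  # packages with databases under more than one user ID
    return sorted(p for p, by in inv.items() if len(by) > 1)

def build_sample_dump(root):
    """Constructed sample: WhatsApp under users 0 and 10, plus a non-database file."""
    for rel, content in (("data/data/com.whatsapp/databases/msgstore.db", SQLITE_MAGIC),
                         ("data/user/10/com.whatsapp/databases/msgstore.db", SQLITE_MAGIC),
                         ("data/user/10/com.example.notes/files/notes.txt", b"plain text")):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_dump(tmp)
        print(multi_space_packages(inventory(tmp)))
```

Any package the function reports should be compared against what the forensic tool actually parsed, so that a database belonging to the second space is not missed.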