What if the evidence is an unrooted Mate 9?
You'd still have the problem of encryption whether it's rooted or not. Without root, you're limited to a logical backup or a partial file system, which will get you unencrypted data, but it won't be complete, as each app can choose whether it wants to back up or not.
In general, this is how we handle full physical images of encrypted Android devices.
mmcblk0 is the entire phone storage block - this is great most of the time as it has the user partition, system, and all the other ones that aren't very useful to an investigation but still available.
For encrypted phones we'll get mmcblk0, but the user partition is encrypted in there, so you can scan it but it won't get the good stuff. When powered on, Android mounts the user partition as dm-0, and it is unencrypted; this is the most valuable part of the entire image IMO, as it will give you access to all the user data. If there is an SD card, this usually gets mounted as dm-1, also useful, but a lot of examiners will remove SD cards and examine them separately anyway.
So for our acquisitions of the encrypted devices, you can potentially have 3 images created: the mmcblk0 full physical image, which is partially encrypted; dm-0, which is the user partition unencrypted; and dm-1, which is the SD card unencrypted.
It can definitely be challenging but not impossible (still better to work with than iOS IMO). Can't wait to see what Google comes out with Oreo )
Jamie
Your problem may be the way you get a physical dump from your target. So….
- if the phone is Encrypted (so the customer turned Encryption on in the phone or it's On by default) and you get it by any of the methods below: BL or PreLoader (Sahara/9008), ISP eMMC, JTAG or ChipOff (Direct eMMC) or eMMC NAND protocol, you will get access to all partitions EXCEPT /data, where 99% of the information is stored
- if the phone is Encrypted but you get the dump while it's powered ON, unlocked and running, using Linux exploits or ADB, you will get all partitions including data decrypted, so you can analyse it without any problems
* Root does not decrypt anything - it only gives you Super User status so you can dump phone regions to which access is normally protected.
P.S
In a few phones, such as the Note 4, S5 and S6, you can extract the UID (stored Enc Key) and use it to crack it, but only if you extract the data in the correct way.
Hello!
I saw some really interesting conversation over here D!
I have one big problem that keeps bothering me quite often: new Huawei and Honor phones running Android N and their god damn locked bootloaders. Of course this same problem occurs even with Android 6.
I did some testing on a Huawei P10 with all the updates installed. And if the goal is the physical dump, I don't have a clue what to do. If I unlock the bootloader, the data is gone, because the phone wipes itself. And in this test case I have full access to the phone UI. I mean I can change all the settings I want. If the phone were locked, obviously it's a whole different case.
When the P10 is on and running, I can get a connection via ADB and I can look at some of the files/folders that lie in the phone. But very often I get "PERMISSION DENIED", of course, when I don't have root access. And when looking at all the partitions ("adb shell /proc/partitions") there are these dm-0-4 partitions that would be quite good to have in my / our pocket. But how?
So if there is any way to root these new Huawei and Honor phones without losing data, I would really appreciate it if someone would share some knowledge with me and others too.
PS. Has someone tested the chainfire autoroot on an S7 edge running Android N? Does it wipe or not? There was some discussion about it in
https://www.forensicfocus.com/Forums/viewtopic/t=15394/postdays=0/postorder=asc/start=0/
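Jamie's post above explains that on a running encrypted Android device the decrypted user partition appears as dm-0 and an adopted SD card as dm-1, and the post just above asks how to make sense of the dm-0-4 entries in /proc/partitions. The script below is an added example, not code from either poster: it takes the text of /proc/mounts and /proc/partitions as an examiner would pull them from a device, reports which device-mapper node backs each mounted filesystem, and computes how many bytes a complete image of that node must contain so the acquired image can be size-checked. The /proc contents shown are constructed sample data, and the mount point names and sizes are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Maps dm-* nodes to their mount points
# and derives the expected image size from /proc/partitions, so a dump of
# dm-0 (user data) or dm-1 (adopted SD card) can be verified as complete.
# Both inputs below are constructed samples, not data from a real device.

MOUNTS='/dev/block/dm-0 /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0
/dev/block/dm-1 /mnt/expand/3a1f0b2c ext4 rw,seclabel,nosuid,nodev,noatime 0 0
/dev/block/mmcblk0p22 /system ext4 ro,seclabel,relatime 0 0'

PARTITIONS='major minor  #blocks  name

 179        0   61071360 mmcblk0
 179        1       4096 mmcblk0p1
 179       22    4194304 mmcblk0p22
 253        0   52428800 dm-0
 253        1   31260672 dm-1'

# Print "<dm node> <mount point>" for every device-mapper node in /proc/mounts.
# $1 = text of /proc/mounts
dm_mounts() {
    printf '%s\n' "$1" | awk '$1 ~ /^\/dev\/block\/dm-/ { sub(".*/", "", $1); print $1, $2 }'
}

# Size in bytes of a block device according to /proc/partitions.
# The #blocks column is in 1 KiB units; %.0f avoids 32-bit overflow in awk.
# $1 = device name (e.g. dm-0), $2 = text of /proc/partitions
device_bytes() {
    printf '%s\n' "$2" | awk -v name="$1" '$4 == name { printf "%.0f\n", $3 * 1024 }'
}

# Returns 0 when an acquired image has exactly the size /proc/partitions
# reports for the device, i.e. the dump was not truncated.
# $1 = device name, $2 = actual image size in bytes, $3 = text of /proc/partitions
image_complete() {
    [ "$2" = "$(device_bytes "$1" "$3")" ]
}

# Report every dm node, where it is mounted, and the byte count a full image needs.
dm_mounts "$MOUNTS" | while read -r dev mnt; do
    printf '%s is mounted at %s; a complete image is %s bytes\n' \
        "$dev" "$mnt" "$(device_bytes "$dev" "$PARTITIONS")"
done
```

On a live device the two inputs come from `adb shell cat /proc/mounts` and `adb shell cat /proc/partitions`; the same size check applies to mmcblk0 itself, whose #blocks entry is in the same table.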
Yes, and it doesn't work. Don't try it, you will just put your device in a boot loop.
As of now, if a phone is running Android 7, all I do is a logical extraction, an adb backup and "adb pull /sdcard". (
Additionally some WhatsApp e-mail export and screenshots, but that's not really satisfying.
The goal is to get root, but how do you do that on a phone with a security patch level which is just a few months old?
Hi everyone, take a look at these 2 posts by Chinese guys.
They have invented some methods to get a full image of the Huawei series:
Step 1. Use a "special method" to unlock the BL without wiping the phone
Step 2. Flash a modified Recovery to the HUAWEI phone
Step 3. Do physical extraction or whatever you like in the Recovery
Step 4…..
Now I have a question:
Is this method practicable, and does this method get a decrypted image or not?
Thanks in advance
BR