I've faced a case that involves videos and pictures, and the mobile associated with the case is a Samsung SII [unrooted]. I've tried to pull out the videos and pictures from the app called "Vault", however I am unable to bypass the security code before launching the app.
Is there any way I can see those files inside the app "Vault"?
Thanks
Is this the app?
https://
Most of these apps just hide the files in the app's storage space. The description for this app mentions encryption, but it's unclear what is encrypted. I'm just guessing, but if anything is encrypted, I'd say it's the text-based data and not the media.
What have you done so far? What did you use to image the phone? I had an iPhone with a similar app recently and was able to use BlackLight to see everything the user had hidden with the app. Good for hiding things from users, bad for anti-forensics.
Hey,
Yeah, very true, that's the application, yes. I've taken an image using Oxygen; however, Oxygen only lists "Vault" as an app but does not support it for displaying any of the data in it.
I've got XRY too, but I had some problems taking an image on this particular device.
So, emm, what do you recommend? Is there a way we can decode the password on Vault, or have direct access to the data in it?
Thanks
If you have an 'image' of the device, do you not have access now to the backend databases and plist/xml files from the application? Are those encrypted? Are the media files recovered relating to the app encrypted? While the data may be protected, with a little exploring of the databases you may find that the passcode required to access the app through the UI is stored in plain text?
Just thinking out loud. :)
All the folders of VAULT are empty, maybe because the device is unrooted those files are hidden?
Have you tried this before?
LOL!
Are you sure you have an "image" of the device?
By image I mean a physical dump.
I'm fairly sure UFED supports physical acquisition of such a device, and I also think you can do a physical dump even without UFED if you don't mind a bit of trouble on your own.
Once you have the dump there's no way for the device to restrict you from accessing the application files; all you need to understand is whether these files are actually encrypted.
I have come across this app before, and as it happened it was also on a Samsung Galaxy S2 device.
I would recommend taking a filesystem dump of the device in XRY or Oxygen (or even better a Physical image using Cellebrite if you have access to it).
The app actually installs its config and database files within SDCARD0, which is the internal SD card that all the Samsungs seem to have, in an inconspicuous folder called "System Android".
When you have your filesystem dump, navigate to sdcard0/SystemAndroid, then from within there you should see a couple of files and perhaps some folders.
In my case the SystemAndroid folder contained 2 files with the filenames 322w456ay432xy11 and 322w456ay432xy11-journal, and 2 folders titled "LTZxyMDY4DD==" and "MTY10MyMA== "; however, I imagine these are random filenames and yours may be different.
The files have no file extensions, but if you look at the files in EnCase/FTK/a hex editor you should see that one of the files has an SQLite database header. Load this file into your favourite SQLite editor and it should show records for all the videos, SMS, pictures, contacts etc. that are hidden within the Vault app.
The 2 additional folders I had in my case contained a number of .bin files which, according to the SQLite database, were associated with hidden JPEG files held within the Vault app … now looking at these in a hex editor, I could see that the exif data was still intact, but couldn't see any headers for the actual JPEG image itself. I ran the .bin files through "recover my files", scalpel and filejuicer, but none of these tools pulled out any images, so I am thinking that the app must encrypt or cypher them in some way.
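An added triage script (not from the post or from the Vault app) that automates the two checks described above: flag extension-less files that start with the SQLite header and list their tables read-only, and flag .bin files where the Exif identifier is present but the JPEG start-of-image marker is missing. The table name and file contents it creates are constructed samples, not real Vault data.

```python
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"   # 16-byte header of every SQLite 3 file
JPEG_SOI = b"\xff\xd8\xff"               # JPEG start-of-image marker
EXIF_MAGIC = b"Exif\x00\x00"             # identifier inside a JPEG APP1 (Exif) segment


def classify(path):
    """Describe an extension-less file by its magic bytes; open SQLite files read-only."""
    path = Path(path)
    data = path.read_bytes()
    info = {
        "sqlite": data.startswith(SQLITE_MAGIC),
        "jpeg_header": data.startswith(JPEG_SOI),
        "exif_present": EXIF_MAGIC in data,
    }
    # Exif text visible but no SOI marker: image payload likely encrypted or obfuscated
    info["exif_no_image"] = info["exif_present"] and not info["jpeg_header"]
    if info["sqlite"]:
        con = sqlite3.connect(path.as_uri() + "?mode=ro", uri=True)  # never write to evidence
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        info["tables"] = [r[0] for r in rows]
        con.close()
    return info


def make_samples(directory):
    """Write two constructed files mimicking the layout the post describes (hypothetical data)."""
    d = Path(directory)
    db = d / "322w456ay432xy11"            # extension-less SQLite database
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE hidden_media (id INTEGER PRIMARY KEY, bin_name TEXT, orig_name TEXT)")
    con.execute("INSERT INTO hidden_media VALUES (1, 'a1.bin', 'IMG_0001.jpg')")
    con.commit()
    con.close()
    blob = d / "a1.bin"                     # Exif identifier present, JPEG SOI missing
    blob.write_bytes(b"\x00" * 8 + EXIF_MAGIC + b"MM\x00*" + b"\x13" * 32)
    return db, blob


def demo():
    """Build the samples in a temp dir and return (db_info, blob_info)."""
    with tempfile.TemporaryDirectory() as tmp:
        db, blob = make_samples(tmp)
        return classify(db), classify(blob)


if __name__ == "__main__":
    for name, info in zip(("database", "blob"), demo()):
        print(name, info)
```

Run it against a real sdcard0/SystemAndroid export by calling classify() on each file; a .bin reported as exif_no_image is a candidate for the encrypted-payload theory rather than a carving target.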
I was wondering, if I took a full physical dump, would those hidden multimedia files be visible and clear?