App Data from Samsung Galaxy S9+
I am new to the forensics field (and this blog) but am running into some issues I hope you can help with.
Currently, I am working on a Samsung Galaxy S9+ (no passcode/unlocked and Sprint) running 8.0 Oreo. I am using Magnet acquire but am only getting information like call logs, texts, pics. I was hoping to get app data, as I can see there are Facebook messenger messages as well as some other stuff. Very frustrating to view it on the phone, but not be able to get it off.
Now, in doing research on the S9+'s, sounds like they are difficult (if not impossible) to root, or do a flash recovery? I tried getting a backup with Samsung Smart Switch and found out that they encrypt the backup, so that's been a dead end.
Is this just an issue with Galaxy S9+'s in that they are still pretty new? What are my options, if any at all? I am still pretty new to the mobile device arena and am hoping that someone can give me some advice/guidance on if this is even possible to get this app data off and/or what steps I should go about to do that.
If you have the funds, try a $99.00 single phone license of Mobiledit Forensic Express. No guarantees you wil extract more data but at a minimum you can validate the Magnet Acquire results.
Also, consider other routes to collect evidence such as using Facebook’s built in profile archiving solution which will include Messenger messages.
Other apps might also have a Windows desktop version that will allow one to download and then collect the desired data assuming you have the usernames and passwords required.
Awesome, thank you for the advice. The phone is logged into Facebook, but I don't have the password….do you by chance know if Facebook's built in profile archiving solution would work through a mobile phone? Or just on a desktop? What I mean is if I have it already logged in, could I do that or do you think I would still need the password?
As far as I know there is no forensic software that support data extraction from Smart Switch backups.
But you can try to upload created backup into another rooted Samsung Phone and then data can be extracted by any forensic program.
MOBILE EDIT support smart switch
MEF supports smart switch backups but it doesn't extract FB or messenger data. From a backup you get the same results as from the device directly (no data).
lmo1331m, we can advise you how to extract all WhatsApp data when you have access to the mobile device but cannot acquire it in any forensic tool. Our Oxygen Forensic Detective software exclusively allows you to scan a WhatsApp QR code from the mobile device in our Cloud Extractor and acquire all WhatsApp messages, calls, contacts, etc. Hope it may help you.
The OP is about FB messenger, not WhatsApp, no ?!
For this phone specifically I only have Facebook Messenger and not Whats App, but I am sure I will run into What's App eventually, so that's great info! I will definitely keep that in mind.
Regardless of the Smart Switch back up, is there anyway to extract the Facebook messages at all? I did a manual ADB backup and barely got anything. Is this because of 8.0 Oreo? So frustrating.
Hello you can take a look at the DP 10 at www.datapilot.com
This is a great hand held device for acquisitions and viewing the data on the spot in real time. This device has built in screen mirroring so all apps that are on the phone can be mirrored and captured via the forensic device (no foot print is left behind). If you have any question you can contact myself as we are the manufacture and sole source provider in the US.
Good solution for some logical acquisitions and screen capturing.
Unfortunately it has nothing to do with apps data, there is no way to capture evidence with this device, which can't be displayed on the screen (for example sqlite entries with deleted flag or other artifacts at filesystem level).
Answering the OP, the issue can be solved well with a physical acquisition only. This can be done by using a signed eng boot + temporary root.
I am using Magnet acquire but am only getting information like call logs, texts, pics. I was hoping to get app data, as I can see there are Facebook messenger messages as well as some other stuff. Thank You!
Do you have access to the target computer? Oxygen Forensic KeyScout offers the ability to seek and locate tokens and passwords saved on a computer as well as in various desktop Web browsers, like Internet Explorer, Google Chrome and Mozilla. The collected credentials can then be imported into Oxygen Forensic Cloud Extractor for immediate use
There are very few roots available for a Samsung S9. They are very new and Samsung purposely designs their phones to be difficult to root. Paraben Forensics is currently working on a free root capability that you will be able to access on their website. However, it is not yet available.