Decrypt Android 6 and up from dump

6 Posts
3 Users
0 Likes
2,879 Views
(@rop12770)
Posts: 3
New Member
Topic starter
 

Hi

 

I'm doing some tests with dumps from cell phones to recover data, not so much to do forensics on them.

Until Android 6 I can read the data directly from the dump, but I have tested for now a dump of a 6.01 version and I can't access the user data, which I think is normal because since this version data is encrypted, right?

Is there any other way to access it? Or do I need an unlock pattern or pin from client?

Since this is for data recovery, the client will be helpful and provide all the necessary details, of course.

Thanks

 
Posted : 30/12/2020 8:32 am
(@arcaine2)
Posts: 235
Estimable Member
 
Posted by: @rop12770

I think it's normal because since this version data is encrypted, right?

Yes, that's because of data encryption.

Is there any other way to access it? Or do I need an unlock pattern or pin from client?

Yes, you will need the passcode from the customer, but if by data recovery you mean deleted data, then you still need a way to dump the already decrypted partition image in the first place. You can't use the passcode to decrypt it outside the device anymore.

 

Deleted files data recovery (like pictures, videos) is almost non-existent on encrypted devices.

 

 
Posted : 01/01/2021 2:54 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

If the dump is encrypted, but the encryption keys weren't dumped, it's almost impossible to decrypt the userdata partition, no matter if you know the user lock or not.

 
Posted : 01/01/2021 8:32 pm
(@rop12770)
Posts: 3
New Member
Topic starter
 

Hi

 

The idea is not to recover deleted data, but access data from broken phones or tablets.

Deleted data is not on my mind right now.

The dump will be done directly from the NAND chip of the board.

Thank You

 
Posted : 02/01/2021 5:13 pm
(@arcaine2)
Posts: 235
Estimable Member
 

Recovered data != deleted data. It's a widely used term that doesn't only apply to deleted stuff. For encrypted devices there's essentially one major rule. No boot, no data. You either have to fix the original device, so it'll boot to Android/iOS and decrypt itself, or perform a chip swap (CPU, storage, eeprom - depending on the device) onto a working board, so it can boot and decrypt itself.

In most cases, it is not possible to decrypt NAND, eMMC, UFS dumps outside that specific device, no matter if you have the passcode or not. There are some devices that can be exploited to obtain extraction keys, but even those can't be fully dead, and with just a storage chip dump created by using the ISP or chip-off method you won't get back anything useful.

 
Posted : 04/01/2021 9:55 pm
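The "no boot, no data" rule above comes down to how the disk key is derived. The following is an added illustration, not code from this thread or from Android itself: a deliberately simplified model in which the userdata key is derived from the user's passcode and then bound, via HMAC, to a per-device secret that never leaves the secure hardware. Everything in it is constructed for the example (the toy HMAC-counter stream cipher, the sample device secret, the function names `derive_disk_key`, `encrypt_userdata`, `decrypt_dump` and `chip_off_scenario`); the real Android key hierarchy is more involved, but the dependency on a hardware-held secret is the point being modelled.

```python
import hashlib
import hmac
import os

# Constructed sample: the secret the secure hardware holds and never exports.
# A chip-off or ISP dump of the storage chip does not contain it.
DEVICE_HARDWARE_SECRET = bytes.fromhex("5a" * 32)


def derive_disk_key(passcode: str, salt: bytes, hardware_secret: bytes) -> bytes:
    """Stretch the passcode, then bind the result to the device secret.

    Without hardware_secret the final HMAC cannot be reproduced, even with the
    correct passcode and the salt read out of the dump.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)
    return hmac.new(hardware_secret, stretched, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256 (illustration only,
    so the example needs nothing outside the standard library)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_userdata(plaintext: bytes, passcode: str, hardware_secret: bytes) -> dict:
    """Return what would end up on the storage chip: salt, nonce, ciphertext, tag.
    Note that the key itself is not stored anywhere in the dump."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    key = derive_disk_key(passcode, salt, hardware_secret)
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_dump(dump: dict, passcode: str, hardware_secret: bytes):
    """Attempt decryption; None means the tag did not verify, i.e. either the
    passcode or the hardware secret (or both) was wrong or missing."""
    key = derive_disk_key(passcode, dump["salt"], hardware_secret)
    expected = hmac.new(key, dump["nonce"] + dump["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, dump["tag"]):
        return None
    ks = _keystream(key, dump["nonce"], len(dump["ciphertext"]))
    return bytes(a ^ b for a, b in zip(dump["ciphertext"], ks))


def chip_off_scenario() -> dict:
    """Model the thread's situation: the examiner holds the dump and the
    customer's passcode, but the device (and its hardware secret) is dead."""
    userdata = b"constructed sample userdata: contacts, photos, chats"
    dump = encrypt_userdata(userdata, "1234", DEVICE_HARDWARE_SECRET)
    return {
        # Working device: passcode plus hardware secret decrypts normally.
        "on_device": decrypt_dump(dump, "1234", DEVICE_HARDWARE_SECRET) == userdata,
        # Chip-off with correct passcode but no access to the hardware secret.
        "dump_plus_passcode": decrypt_dump(dump, "1234", b"\x00" * 32),
        # Wrong passcode on the working device.
        "wrong_passcode": decrypt_dump(dump, "0000", DEVICE_HARDWARE_SECRET),
    }


if __name__ == "__main__":
    for case, result in chip_off_scenario().items():
        print(f"{case}: {'decrypted' if result else 'no data'}")
```

Run stand-alone, the script shows the three outcomes: the intact device decrypts, while the dump-plus-passcode case and the wrong-passcode case both fail tag verification. That is why a chip-swap onto a working board, or repairing the original board so it boots, is the recovery path rather than offline decryption of the NAND image.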
(@rop12770)
Posts: 3
New Member
Topic starter
 

Thank you arcaine2

 

That's what I wanted to know!

 
Posted : 05/01/2021 8:07 am