Is it possible to know if an Android has been never rooted?

Skywalker
(@skywalker)
Active Member

That is the question. How is it possible to know whether an Android device has ever (or never) been rooted?

Thanks!

Quote
Topic starter Posted : 18/09/2015 1:04 am
einstein9
(@einstein9)
Member

Good Q really, but I think you CANNOT,

because you can save the original dump and write/try whatever you want to TRY,
then write the original back.

It's not like the hard disk, where you scan it and compare dates to judge and tell how many times the HDD was formatted.

Unless there is something which I did not know/try yet.

ReplyQuote
Posted : 20/09/2015 3:01 pm
jaclaz
(@jaclaz)
Community Legend

It's not like the hard disk, where you scan it and compare dates to judge and tell how many times the HDD was formatted.

It would be interesting to know WHICH dates you can compare on a hard disk. 😯
I would say that if you image a disk, then do whatever and finally restore the original image you won't find ANY date (nor ANY OTHER data) that would allow you to tell how many times it was formatted (nor anything else that happened between the image and the restore).

jaclaz

ReplyQuote
Posted : 20/09/2015 3:24 pm
einstein9
(@einstein9)
Member

When you scan and get multiple DUPLICATED files/folders,

I go personally and compare those duplicated NAMES and see which one came first.

About my example here, when I compared it with the hard disk: my example is when I scan the HDD and compare those duplicated NAMES and see which one came first.

But for sure, WHEN you take any HDD image (sector dump) and change it from inside (the dumped image), and write it back to the HDD, you will get the same results for sure.

You're right here.

ReplyQuote
Posted : 20/09/2015 5:00 pm
jaclaz
(@jaclaz)
Community Legend

When you scan and get multiple DUPLICATED files/folders,

I go personally and compare those duplicated NAMES and see which one came first.

About my example here, when I compared it with the hard disk: my example is when I scan the HDD and compare those duplicated NAMES and see which one came first.

So, you additionally need duplicated names (which obviously must reside on different paths) and from the dates of them (if ANY) you assume that they were created right after a format operation? 😯

Since the format operation does actually erase (depending on the OS either the whole files or just their indexing records from the filesystem) I wonder how you can have duplicated files (unless you create them BOTH after the very last format operation)

jaclaz

ReplyQuote
Posted : 20/09/2015 6:27 pm
einstein9
(@einstein9)
Member

When you scan and get multiple DUPLICATED files/folders,

I go personally and compare those duplicated NAMES and see which one came first.

About my example here, when I compared it with the hard disk: my example is when I scan the HDD and compare those duplicated NAMES and see which one came first.

So, you additionally need duplicated names (which obviously must reside on different paths) and from the dates of them (if ANY) you assume that they were created right after a format operation? 😯

Since the format operation does actually erase (depending on the OS either the whole files or just their indexing records from the filesystem) I wonder how you can have duplicated files (unless you create them BOTH after the very last format operation)

jaclaz

Hmm, it seems it's complicated to understand here; here is the step-by-step of what I was trying to explain:

1- Get a new HDD (zero-filled sectors)
2- Install your Windows (OS), blah blah
3- When you are done, use your installer CD and format and RE-INSTALL your OS again

Now, in this case, you will have 2 records of the WINDOWS FOLDER, for example, with different DATES.

Try it and see.

What I was trying to tell you is this: I DO COMPARE both WINDOWS FOLDER dates and see which one is which.

There are ALWAYS STANDARD FOLDER/FILE NAMES, either in Windows OS or mobile OS; the difference is that the way mobile phones write to the MEMORY CHIP is totally different from writing to the HDD by the OS or so.

I hope it is clear now for you.

ReplyQuote
Posted : 20/09/2015 7:56 pm
jaclaz
(@jaclaz)
Community Legend

Hmm, it seems it's complicated to understand here; here is the step-by-step of what I was trying to explain:

1- Get a new HDD (zero-filled sectors)
2- Install your Windows (OS), blah blah
3- When you are done, use your installer CD and format and RE-INSTALL your OS again

Now, in this case, you will have 2 records of the WINDOWS FOLDER, for example, with different DATES.

No, I won't, if the volume was formatted.

Quick recap (given that partition/volume size is not changed)

  • if format is used on a volume up to XP/2003 the format command does not wipe sectors of the volume, but it will 00 either the FAT tables or the $MFT, then the subsequent install will rewrite the files (only one instance of the file or folder can be found "normally" in the filesystem and even with direct sector parsing the chances of finding two "duplicated" files is minimal as even the filesystem structures will be spanning on exactly the same sector extents and the new install files will likely overwrite the areas where they were before)*
  • if format is used on a volume on Vista or later (unless the /q option is chosen) the entire volume is wiped (zero filled) before applying the filesystem structures so there is no possibility whatsoever to find *anything* belonging to the previous state.

You are probably referring to when you reinstall "over" an existing OS (without formatting the volume) and usually the "old install" Windows directory is renamed to "windows.old".

jaclaz

* there are of course a number of what I call "extreme" cases of NTFS when a different OS is reinstalled after a non-wiping format and since some filesystem structures on same filesystems created by different OS are placed on different extents there are some chances of finding some fragments of the $MFT, and the same may happen in some other cases where the "previous" OS has an extremely large $MFT and by sheer luck parts of it were not overwritten by "normal" files.

ReplyQuote
Posted : 20/09/2015 8:38 pm
einstein9
(@einstein9)
Member

Then how do you explain this case, for example:

You restore your Windows (for example) by the Quick Restore option (hidden partition), activated by the user, and the USER data will be overwritten.

But when you run your recovery app you will be able to see the user data, but mostly damaged; files/folders are there and most are not working.

And FEW users know how to RESTORE THOSE DAMAGED FILES BACK.

do you?

ReplyQuote
Posted : 21/09/2015 12:44 am
jaclaz
(@jaclaz)
Community Legend

Then how do you explain this case, for example:

Where is the format part in the given example?

And FEW users know how to RESTORE THOSE DAMAGED FILES BACK.

do you?

Maybe yes, maybe no.

jaclaz

ReplyQuote
Posted : 21/09/2015 1:08 am
Skywalker
(@skywalker)
Active Member

I have no doubt it is a very interesting discussion but… could we come back to the original question?

Thanks.

ReplyQuote
Topic starter Posted : 21/09/2015 4:39 pm
jaclaz
(@jaclaz)
Community Legend

I have no doubt it is a very interesting discussion but… could we come back to the original question?

Thanks.

Sure, of course.

If the device is rooted, then it was rooted (some time in the past).

If the device is not (currently) rooted, there can be three cases:
1) it was never rooted
2) it was actually rooted but later was restored to original condition (factory reset) and all previous data is either overwritten or inaccessible
3) it was actually rooted but later an attempt to revert to original condition failed (or anyway some traces were left)

Of course the exact method that was used to attempt to erase *whatever* was there before in cases #2 and #3 makes a difference, as well as the actual specific device and Android version.

JFYI:

http://www.techtimes.com/articles/55837/20150527/androids-factory-reset-does-not-wipe-your-data-heres-the-solution.htm
http://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf

YMMGV depending on the specific device, specific Android version in use and specific method used to "factory reset" or otherwise hide/conceal a previous rooting (or more generally pre-existing data); no one-size-fits-all answer AFAIK.

jaclaz

ReplyQuote
Posted : 21/09/2015 10:49 pm
einstein9
(@einstein9)
Member

I have no doubt it is a very interesting discussion but… could we come back to the original question?

Thanks.

Sure, of course.

If the device is rooted, then it was rooted (some time in the past).

If the device is not (currently) rooted, there can be three cases:
1) it was never rooted
2) it was actually rooted but later was restored to original condition (factory reset) and all previous data is either overwritten or inaccessible
3) it was actually rooted but later an attempt to revert to original condition failed (or anyway some traces were left)

Of course the exact method that was used to attempt to erase *whatever* was there before in cases #2 and #3 makes a difference, as well as the actual specific device and Android version.

JFYI:

http://www.techtimes.com/articles/55837/20150527/androids-factory-reset-does-not-wipe-your-data-heres-the-solution.htm
http://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf

YMMGV depending on the specific device, specific Android version in use and specific method used to "factory reset" or otherwise hide/conceal a previous rooting (or more generally pre-existing data); no one-size-fits-all answer AFAIK.

jaclaz

That is what I was trying to tell you, if you read my reply here..

Based on your 2 links here (which are TRUE in most cases), do you know WHY IT'S POSSIBLE TO RECOVER (SOME) of the older data even after factory reset in Android, ONLY and only Android?

And as I mentioned before, FEW USERS ONLY know how to get it back, which AFAIK from your reply - you don't.

I am not playing smart here, but sometimes replies like yours here really make me upset, when you say something you never tried before.

As for the OP's main Q, is it possible or not?
Here is your answer:

All Android (from inside) has a ROM which contains the MAIN FW, for example, and let us give it 5 BLOCKS of SPACE; and there is the SYSTEM AREA where apps are stored, and we will give it for example 10 BLOCKS.

Now simple math: when you do, for example, a factory reset, you are writing the 5 BLOCKS into the total of 10 BLOCKS, which destroys ONLY the 5 OLD BLOCKS.

But IF and only IF your data inside the 10 BLOCKS is >> than 5, then you MAY/MAY NOT get some partial data from it.

Here is where I asked my Q before for jaclaz, in other words, and did not get the reply.

IF you talk about Apple iOS, then from the 4S and whatever comes after, they are generating a NEW ENCRYPTION KEY for your data, which means the following:

Comparing Android & Apple iOS here, you cannot apply what I said to iOS, since the key is generated (and divided and stored in multiple places, i.e. chips) and your data is encrypted and there is no solution for it yet. Again AFAIK.

To make it really easier to understand, jaclaz, TRY 2 iPhones, same model, and move the internal whatever 32GB/64GB memory to the other and see what happens.

Do you expect to have a working iPhone after that??
Please think before replying here....

Good luck dude

ReplyQuote
Posted : 22/09/2015 3:31 pm
jaclaz
(@jaclaz)
Community Legend

That is what I was trying to tell you, if you read my reply here..

Well then you are failing at it, as right now it is not at all clear (to me at least) what exactly you meant in the original reply, nor what you are meaning now.

As for the OP's main Q, is it possible or not?
Here is your answer:

All Android (from inside) has a ROM which contains the MAIN FW, for example, and let us give it 5 BLOCKS of SPACE; and there is the SYSTEM AREA where apps are stored, and we will give it for example 10 BLOCKS.

Now simple math: when you do, for example, a factory reset, you are writing the 5 BLOCKS into the total of 10 BLOCKS, which destroys ONLY the 5 OLD BLOCKS.

But IF and only IF your data inside the 10 BLOCKS is >> than 5, then you MAY/MAY NOT get some partial data from it.

Well, if it's a ROM it is a Read Only Memory? However, each Android version, each manufacturer customization and the specific model implementation may lead to writing either the 5 or 10 blocks, to follow your example, so the answer really is "it depends".

Here is where I asked my Q before for jaclaz, in other words, and did not get the reply.

I must have missed the question.

IF you talk about Apple iOS, then from the 4S and whatever comes after, they are generating a NEW ENCRYPTION KEY for your data, which means the following:

Comparing Android & Apple iOS here, you cannot apply what I said to iOS, since the key is generated (and divided and stored in multiple places, i.e. chips) and your data is encrypted and there is no solution for it yet. Again AFAIK.

Well, but we are not talking about iPhones.

To make it really easier to understand, jaclaz, TRY 2 iPhones, same model, and move the internal whatever 32GB/64GB memory to the other and see what happens.

Do you expect to have a working iPhone after that??

My guess would be that the result of that experiment would be at least one messed up iPhone (if not two).

Please think before replying here....

Are you implying that I don't normally think before replying? 😯

Good luck dude

Dude?
Thank you for the good luck, anyway.

jaclaz

ReplyQuote
Posted : 22/09/2015 6:46 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

In regards to the original question, please note the following

1. I used "Kingo Root" (http://www.kingoapp.com/) to root a Samsung Galaxy Tab 2 in order to facilitate a full physical image of the device.

2. The "Kingo Root" application created the following files and folders on the Tab

Filename & Path
[email protected]@[email protected] & 1.E01\USER (EFI 17)\dalvik-cache\
com.kingouser.com & 1.E01\USER (EFI 17)\data\
KingoUser.apk & 1.E01\SYSTEM (EFI 14)\app\
.kingo & 1.E01\USER (EFI 17)\local\tmp\
[email protected]@[email protected] & 1.E01\USER (EFI 17)\dalvik-cache\
com.kingoroot.com-2.apk & 1.E01\USER (EFI 17)\app\
com.kingoroot.com-2 & 1.E01\USER (EFI 17)\app-lib\
com.kingoroot.com & 1.E01\USER (EFI 17)\data\
kingo.png & 1.E01\SYSTEM (EFI 14)\app\KingoUser.apk\

NOTES

A. "1.E01" is the name of the forensic image file I created using FTK Imager of the rooted device. In other words, once the device was rooted by Kingo, I was able to perform a physical image of the Tab using FTK Imager.

B. The above folders and files had file creation dates and times matching the exact time I used Kingo to root the Tab.

So, I recommend performing a collection of a device yourself as a test first, then rooting the device, perform a new collection of the now-rooted device, and then look for specific files and folders that the rooting process created on your test device.

ReplyQuote
Posted : 01/10/2015 9:48 am
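One way to carry out the before/after comparison UnallocatedClusters recommends, as an added example that is not code from this thread: diff a pre-rooting and a post-rooting file listing of the same test device, then flag entries that match the Kingo Root artifact paths listed in the post and were created around the time of rooting. The listings are constructed sample data, and the pattern list and the 5-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample listings ("path|ctime|sha256"), not real device data.
BASELINE = """\
/system/app/Phone.apk|2015-09-30T08:00:00|a1
/system/build.prop|2015-09-30T08:00:01|b2
/data/data/com.android.settings|2015-09-30T08:00:05|c3
"""
POST_ROOT = """\
/system/app/Phone.apk|2015-09-30T08:00:00|a1
/system/build.prop|2015-10-01T09:31:05|b2-modified
/data/data/com.android.settings|2015-09-30T08:00:05|c3
/system/app/KingoUser.apk|2015-10-01T09:31:10|d4
/data/local/tmp/.kingo|2015-10-01T09:31:12|e5
/data/data/com.kingoroot.com|2015-10-01T09:31:15|f6
/data/app/com.kingoroot.com-2.apk|2015-10-01T09:31:20|g7
"""

# Patterns derived from the Kingo Root artifact list in the post above;
# other rooting tools leave different traces, so this list is illustrative only.
KNOWN_ROOT_ARTIFACTS = [
    re.compile(r"/system/app/KingoUser\.apk$"),
    re.compile(r"/data/local/tmp/\.kingo$"),
    re.compile(r"/data/(data|app|app-lib)/com\.kingo(root|user)\.com"),
]

def parse_listing(text):
    """Return {path: (ctime, hash)} from a 'path|ctime|hash' listing."""
    entries = {}
    for line in filter(None, text.splitlines()):
        path, ctime, digest = line.split("|")
        entries[path] = (datetime.fromisoformat(ctime), digest)
    return entries

def diff_listings(baseline, post):
    """(added, changed): paths new in post, or present in both with a new hash."""
    added = sorted(p for p in post if p not in baseline)
    changed = sorted(p for p in post if p in baseline and post[p][1] != baseline[p][1])
    return added, changed

def root_artifacts(post, root_time_iso, window_minutes=5):
    """Paths that match a known rooting artifact AND were created within
    window_minutes of the time the tester rooted the device (note B above)."""
    root_time = datetime.fromisoformat(root_time_iso)
    window = timedelta(minutes=window_minutes)
    return sorted(p for p, (ctime, _) in post.items()
                  if any(rx.search(p) for rx in KNOWN_ROOT_ARTIFACTS)
                  and abs(ctime - root_time) <= window)
```

The diff also surfaces modified system files (here /system/build.prop) that no artifact pattern would catch, which is why the baseline collection matters.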
Skywalker
(@skywalker)
Active Member

In regards to the original question, please note the following

1. I used "Kingo Root" (http://www.kingoapp.com/) to root a Samsung Galaxy Tab 2 in order to facilitate a full physical image of the device.

2. The "Kingo Root" application created the following files and folders on the Tab

Filename & Path
[email protected]@[email protected] & 1.E01\USER (EFI 17)\dalvik-cache\
com.kingouser.com & 1.E01\USER (EFI 17)\data\
KingoUser.apk & 1.E01\SYSTEM (EFI 14)\app\
.kingo & 1.E01\USER (EFI 17)\local\tmp\
[email protected]@[email protected] & 1.E01\USER (EFI 17)\dalvik-cache\
com.kingoroot.com-2.apk & 1.E01\USER (EFI 17)\app\
com.kingoroot.com-2 & 1.E01\USER (EFI 17)\app-lib\
com.kingoroot.com & 1.E01\USER (EFI 17)\data\
kingo.png & 1.E01\SYSTEM (EFI 14)\app\KingoUser.apk\

NOTES

A. "1.E01" is the name of the forensic image file I created using FTK Imager of the rooted device. In other words, once the device was rooted by Kingo, I was able to perform a physical image of the Tab using FTK Imager.

B. The above folders and files had file creation dates and times matching the exact time I used Kingo to root the Tab.

So, I recommend performing a collection of a device yourself as a test first, then rooting the device, perform a new collection of the now-rooted device, and then look for specific files and folders that the rooting process created on your test device.

If you use a tool or app to generate a physical image of a device, you may erase some areas of the file system which could be important.

ReplyQuote
Topic starter Posted : 07/10/2015 12:49 am