
LG M260

(@carver)
Posts: 17
Active Member
Topic starter
 

Has anyone completed a Forensic Examination of the LG Model M260, also known as the K20? Using the Cellebrite UFED Touch 2, I found the listed device, but it only has a Logical extraction available, no Physical, and no File System. Obviously, I'd like to obtain all three if possible, or a File System at the very least. I attempted to obtain a generic Android extraction from the device but received the error code "The device security patch level is not sufficient for this extraction type". I'm using the most up-to-date version for the Touch 2. I completed a Blackbag Technology Blacklight extraction as well, but that did not include Apps data and was very limited in its extraction.

Anyone?

 
Posted : 03/04/2018 10:04 pm
hectic_forensics
(@hectic_forensics)
Posts: 40
Eminent Member
 

What version of Android and what is the date of the security patch on the handset - that's what it's referring to, not the version of UFED running on your Touch 2.

 
Posted : 04/04/2018 8:17 am
(@carver)
Posts: 17
Active Member
Topic starter
 

What version of Android and what is the date of the security patch on the handset - that's what it's referring to, not the version of UFED running on your Touch 2.

Android Version 7.0

Security Patch Date February 1, 2018

 
Posted : 04/04/2018 3:53 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

Using UFED, specify a previous LG model (LG K10) and try to do a physical extraction in EDL mode with decryption on the fly.

The simplest way to enter EDL mode would be using an ADB command. If that fails, use the UFED EDL cable. If that also fails, contact me for technical instructions on how to force the device to boot in EDL mode.

 
Posted : 05/04/2018 8:04 am
(@carver)
Posts: 17
Active Member
Topic starter
 

Using UFED, specify a previous LG model (LG K10) and try to do a physical extraction in EDL mode with decryption on the fly.

The simplest way to enter EDL mode would be using an ADB command. If that fails, use the UFED EDL cable. If that also fails, contact me for technical instructions on how to force the device to boot in EDL mode.

I placed the phone into EDL mode/Firmware Update mode. While selecting an LG GSM Generic Android profile, I successfully obtained a Physical extraction. I found a nice Cellebrite Guide regarding this technique:

https://media.cellebrite.com/wp-content/uploads/2017/12/qualcomm-edl-physical-extractions-guide.pdf

I did not find the generic Qualcomm profile described in the guide on the Touch 2.

The guide helps with court testimony as Cellebrite accepts it as an acceptable technique. I attempted a physical extraction with a generic profile previously, but it failed. I was not in the EDL mode during my previous failed extraction and received the same "security patch level" error message.

Thank you for your help as I was having difficulty with a few LG devices.

 
Posted : 05/04/2018 3:28 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

From what you write, I wonder if you did the whole process right or not. The Emergency Download Mode is different from the regular Download Mode (FW upgrade).

 
Posted : 05/04/2018 5:03 pm
(@carver)
Posts: 17
Active Member
Topic starter
 

Hah, well, it worked either way so that's a success. I would like to learn the process you described as this is clearly not a surefire way to successful extractions.

Here are the steps I took:

a. Removing the battery
b. Inserting the battery
c. Holding the volume up button
d. Plugging the Micro USB (Cable 100) into the phone, while still holding volume up
e. Plugging the Micro USB (Cable 100) into the Touch 2, while still holding volume up
f. Phone enters EDL, and Physical extraction is then available

I completed successful extractions on two LG phones today using this process. The phone displays Forensic Update on the screen. It also shows a 0% bar that never increases during the extraction.

 
Posted : 05/04/2018 5:59 pm
(@carver)
Posts: 17
Active Member
Topic starter
 

I just uploaded the extractions into Physical Analyzer; it appears that they only obtained native images and root media/audio files. I did receive a message from PA stating:

"The User Data partition is encrypted with an unsupported encryption. Data will be missing."

I would assume this encrypted User Data partition is where the data I want to view is located.

I attempted to use the yellow 133 Tip for the Touch 2 to put the phone into EDL mode as you described but was unable to successfully complete that task. I am unfamiliar with the other directions you provided to put it into the EDL mode as I'm still fairly new at this.

 
Posted : 05/04/2018 6:24 pm
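
Added example, not part of the thread and not Cellebrite's code: a quick independent check of a carved userdata image that an examiner could run to corroborate the "User Data partition is encrypted" message from Physical Analyzer. It assumes the AOSP full-disk-encryption layout (a crypto footer in the last 16 KiB of the partition); the thread does not say which scheme the M260 uses, and some devices keep the footer elsewhere. The two samples are constructed, not taken from any device.

```python
import hashlib
import io
import math
import struct
from collections import Counter

EXT4_MAGIC = (0x438, b"\x53\xef")                    # superblock at 1024, s_magic at +0x38
F2FS_MAGIC = (0x400, struct.pack("<I", 0xF2F52010))  # superblock at 1024
FDE_FOOTER_LEN = 0x4000                              # assumed AOSP cryptfs footer: last 16 KiB
FDE_MAGIC = struct.pack("<I", 0xD0B5B1C4)            # CRYPT_MNT_MAGIC, little-endian

def entropy(data):
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def read_at(stream, offset, length):
    stream.seek(offset)
    return stream.read(length)

def triage(stream):
    """Classify a seekable userdata image opened in binary mode."""
    size = stream.seek(0, io.SEEK_END)
    footer = size >= FDE_FOOTER_LEN and read_at(stream, size - FDE_FOOTER_LEN, 4) == FDE_MAGIC
    fs = next((name for name, (off, magic) in (("ext4", EXT4_MAGIC), ("f2fs", F2FS_MAGIC))
               if read_at(stream, off, len(magic)) == magic), None)
    bits = round(entropy(read_at(stream, 0, 0x10000)), 2)
    if footer:
        verdict = "full-disk encrypted (crypto footer present)"
    elif fs:
        # With file-based encryption the header stays readable while file contents do not.
        verdict = f"{fs} header readable"
    elif bits > 7.9:
        verdict = "high entropy, no known header: likely encrypted"
    else:
        verdict = "unrecognised"
    return {"fde_footer": footer, "filesystem": fs, "entropy": bits, "verdict": verdict}

def triage_bytes(blob):
    return triage(io.BytesIO(blob))

# Constructed samples: 64 KiB body followed by a 16 KiB tail.
_noise = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(2048))
FDE_SAMPLE = _noise + FDE_MAGIC + bytes(FDE_FOOTER_LEN - 4)
_plain = bytearray(0x14000)
_plain[0x438:0x43A] = EXT4_MAGIC[1]
PLAIN_SAMPLE = bytes(_plain)
```

For a real dump, pass `open(path, "rb")` to `triage()`; only the header, the first 64 KiB and the footer are read, so image size does not matter.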