Oxygen Forensics - Decrypt android dumps  

John000
(@john000)
Junior Member

Hi all,

I'm trying to use the new 'Android dumps decryption' method added to Oxygen Forensics v12.1 and I experienced some difficulties.
It seems that even if Oxygen successfully extracts the Hardware-backed keys, the extraction is still encrypted.

I do see in the extracted folder the .BIN file + Keys.json, but is there any way to combine them?
How can I import the BIN to JetEngine and use the keys to decrypt the files?

Thank you,
John

Posted : 17/12/2019 10:29 am
OxygenForensics
(@oxygenforensics)
Active Member

John, if you are using OFD 12.1 then the algorithm is the following:
1) You extract the device in Oxygen Forensic Extractor that creates a physical dump and extracts the hardware keys.
2) Once extraction is finished the dump is automatically imported into OFD main interface (you call it JetEngine).
3) During import there must be a window asking you to enter the user password. Once you enter it the dump will be decrypted. So hardware keys are just used in decryption process.
In the upcoming versions we will add the opportunity to bruteforce this password.
If you still experience problems you can contact us directly or leave your email in PM here and our support team will do their best to help you.

Posted : 17/12/2019 11:42 am
John000
(@john000)
Junior Member

Thank you for the quick reply.
But I'm wondering what is the user password? How can I get it?

Posted : 17/12/2019 11:50 am
OxygenForensics
(@oxygenforensics)
Active Member

This is the password to lock the device screen. If Secure startup option is enabled by the device owner you need to enter the password in our software to decrypt the physical dump. As we have previously written we will soon add the ability to find this password using bruteforce. If Secure startup is not activated on the device our software must decrypt the physical dump without asking for the password.

Posted : 17/12/2019 12:16 pm
the_Grinch
(@the_grinch)
Active Member

To confirm, Oxygen has the ability to image a phone (with secure startup) and then allow unlimited attempts to unlock the encrypted extraction?

Posted : 17/12/2019 3:05 pm
OxygenForensics
(@oxygenforensics)
Active Member

Yes, we can image an Android phone with Secure Startup enabled. Once you create an image you have an unlimited number of attempts to decrypt it in our software.

Posted : 17/12/2019 3:45 pm
the_Grinch
(@the_grinch)
Active Member

And if it's not secure startup, but just a password you would be able to bypass it? As an example, an SM-G955U?

Posted : 17/12/2019 3:51 pm
OxygenForensics
(@oxygenforensics)
Active Member

Yes, we offer various screen lock bypass methods for Android devices. This particular model is not supported but we are working on its support.

Posted : 18/12/2019 7:33 am
passcodeunlock
(@passcodeunlock)
Senior Member

Which devices are supported for imaging an Android phone with Secure Startup enabled using OFD?! I've read the latest release notes, but I didn't find what I'm looking for…

Posted : 30/12/2019 8:38 pm