Samsung Secure Folder -> decrypt?  

th9010
(@th9010)
New Member

Hello everybody,

I have an unlocked Samsung Galaxy S9 device on my desk. From mobile traffic interception of the SIM card we know there have been some apps used that don't show up on the normal screen. We suspect the apps are hidden inside the Secure Folder.

I am trying to get my hands on the Oxygen device (https://www.forensicfocus.com/News/article/sid=3186/) but as far as I understand it this only works if the Secure Folder has been backed up. I don't know if there is a backup.

So, does anyone have any experience or information to share on the decryption of the Secure Folder? Has anyone had any success so far?

Thank you

Posted : 02/07/2019 12:01 pm
OxygenForensics
(@oxygenforensics)
Active Member

Some information from us

1. You can check if it was backed up in Settings/Backup and Restore/Samsung Account on the device.

2. To extract and decrypt Samsung Secure folder from the cloud you need to know a Samsung account login and password.

3. As far as we know physical extraction of Samsung devices does not give access to the Secure Folder and using, for example, a custom recovery method leads to a KNOX counter reset and a complete inability to access the Secure Folder.

Posted : 02/07/2019 1:37 pm
the_Grinch
(@the_grinch)
Active Member

Only time I encountered this the user used the same password for the Secure Folder as the device and Gmail password. It was an older version of Android so we were able to crack it. Something to think about!

Posted : 02/07/2019 2:12 pm
shahartal
(@shahartal)
Junior Member

Cellebrite Advanced Services can fully extract KNOX-protected Secure Folder contents (without cloud access or tripping warranty bit, of course).

Posted : 05/07/2019 9:21 am
Puntz
(@puntz)
New Member

I've just received a Samsung Galaxy S9 and the suspect has saved all the evidence in the Secure Folder. Luckily we have the PIN for the handset and the pattern for the Secure Folder.

My extractions haven't obtained these images and videos and I was wondering what the best practice would be to extract them from the phone? I can obviously just remove them from the Secure Folder but I'm changing too much data, and copying them to a USB would alter the date and times. Is a manual review the best choice, or is there something I'm blindly missing?

Thanks :)

Posted : 09/07/2019 12:55 pm
the_Grinch
(@the_grinch)
Active Member

Did you unlock the folder before starting the extraction? My understanding is if it is locked during the extraction then it will not be extracted.

Posted : 10/07/2019 4:12 pm
Puntz
(@puntz)
New Member

> Did you unlock the folder before starting the extraction? My understanding is if it is locked during the extraction then it will not be extracted.

I did two extractions, one without unlocking the folder and one after I unlocked it, and I was unable to see the images and videos in UFED.

Posted : 11/07/2019 12:47 pm
the_Grinch
(@the_grinch)
Active Member

I would reach out to Cellebrite's support. Perhaps they could review some logs and see what exactly might be occurring to cause you not to be able to review the information.

Posted : 11/07/2019 2:57 pm