Data Extraction From UNISOC-Based Devices In Oxygen Forensic® Detective

Mark: Hello, Mark from Oxygen Forensics here. I want to show you a short video today about the UNISOC extraction method in the Oxygen Forensic Device Extractor, which has seen some really big updates over the past year. UNISOC are a silicon maker who, amongst other things, make chip sets for Android devices. They used to be known as Spreadtrum and their market share has really increased dramatically over the past few years. And actually many of the larger OEMs such as Nokia, Motorola, and even Samsung, have increasingly started to use these chip sets in their lower price point devices instead of, for example, MediaTek chip sets.

So I’ve got the Oxygen Forensic Device Extractor open here and if I go into the methods menu and select the UNISOC Android method, the list of supported devices is…shows us some really good examples of where those major OEMs or vendors have been increasingly moving to UNISOC chip sets for their lower end price point devices. So you can see here there are Samsung devices, ZTE, HTC, Motorola; Motorola in particular have moved away from MediaTek to UNISOC. So, but also quite a few…a lot of Nokia devices. They’ve done a similar thing to Motorola just to name a few of those OEMs and vendors that are increasingly using these chip sets within their devices.

So I have a locked Motorola E40 here as a test device, and this is the device that I’m going to be showing you the extraction process as well as the decryption and passcode recovery process in Oxygen. So I’m going to open up the extraction profile for this specific device and what you’ll see is that the extraction process is really broken down into three steps. You have the initial device connection, you have the data extraction, and you have the hardware key extraction.

The first stage is to connect the device in DFU mode. Now, in order to do that you’ll need to unplug the device if it’s already plugged in, switch it off, and then plug the device back into the host PC running the device extractor whilst holding a button or button combination. Now for UNISOC devices it’s usually volume down, but this could vary from device to device or vendor to vendor. DFU stands for device firmware update mode. Generally all devices will have at least two and maybe even three device firmware update modes. One of these will be implemented by the OEM themselves. So for example, Samsung use their proprietary Odin mode. Many other vendors such as Nokia or Motorola may use the generic fast boot DFU mode, which is authored and maintained by Google.

In addition to the OEM implemented DFU modes, all devices will also have another DFU mode, which is implemented by the chip set maker, and that’s generally implemented in the boot ROM of the chip set. And it’s that UNISOC DFU mode, which we’re going to use to do this extraction. So I’m going to plug in my device whilst it’s switched off whilst holding the volume down button, which is the correct way to get this device into the UNISOC DFU mode. And we’ll see that the device extractor moves onto the next stages: data extraction. So extracting a physical image.

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

Because we’re using the UNISOC DFU mode to extract this image, Android isn’t booted yet, and as such, the user data partition is still going to be encrypted at this stage. It’s the next stage in the extraction, the hardware key extraction, that allows us to perform offline decryption of that user data partition, either using a known passcode or if we don’t know the passcode, we can perform attacks such as dictionary attacks or brute force attacks to recover that user passcode and then do the decryption. Now one of the nice things about doing this offline is that you can GPU accelerate that process. So once the extraction is complete, you have two options: you can open the data directly in Oxygen Forensic Detective, or you can just open the folder that the extraction is contained in.

So the next thing I want to show you is opening this extraction within Detective. So here we have the extraction in a folder. It includes a log, it includes the physical image, a keys.json and device.ewc file as well. I find the easiest way to load an extraction into Detective is just a drag and drop that .ewc file onto anywhere in the Detective program. It will open up some import options. You can put the device password in here if you know it, and you can configure some other options for analysis on import.

So assuming I don’t know the passcode for this device, I’m going to leave the password field blank. And after a few seconds of importing this extraction, Oxygen will present me with the password technology module popup, which allows you to again put in the passcode if you know it, but it also allows you to configure the types of attack that you want to run to recover that passcode. So there are some popular ones pre-populated and for example, six digit pins, popular six digit pins, but you can also go in and configure different types of attack and also add custom attacks, which allows you to generate dictionaries from files, it allows you to create join attacks, configure brute force attacks, et cetera, et cetera.

Once I’m happy with the attacks that I’ve selected, I’m going to hit “start password recovery” and it will take a few seconds for the password recovery process to begin. I mentioned earlier that this is GPU accelerated and doing this decryption and password recovery offline, one of the big advantages is that we can use GPU acceleration, so we’re really only limited in the number of attempts per second by the complexity of the key derivation function that’s being used. What that means is that you’re going to see password recovery speeds of…in the thousands if you are using a GPU rather than doing it on device, which is going to be much, much slower.

And because this was a simple six digit pin, you can see that the process finished almost instantly. And if you look down in the bottom right hand corner on the import, you can see that it has found the correct six digit passcode, which is six nines for this device. This particular device, and actually the vast, vast majority of any new Android device nowadays is using the file-based encryption scheme. What that means is that the file system encryption will be cryptographically tied to the passcode, but now that we’ve recovered the passcode, Oxygen can start to decrypt the full Android file system.

One important thing to note is that the extraction itself, the physical .bin file will still be encrypted. However, if you do want to take this extraction and export it to a format that can be imported into other tools, you can do that. Within Detective, you have the option of exporting that decrypted file system to an archive, which will give you the full file system inside an archive file that you can use for import into other tools.

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles