When an Android Phone is All You Have

Announcer: The broadcast is now starting. All attendees are in listen only mode.

Keith Lockart: Good morning, everybody. Well, I take that back. Good day everybody, depending on where you are. This is Keith Lockhart from Oxygen. It’s just about four minutes to the top of the hour when we’ll start our broadcast. So I’m just popping in to say hello, do a quick sound check and hop off to my coffee. I’ll be back soon. 

Okay, it shows the top of the hour for me. Again, this is Keith Lockhart from Oxygen and thank you for attending our live webinar this morning on this Friday. I frankly don’t want to do a webinar at all anymore. Looking at the attendee list I just want to have a big jam session and talk to everybody that I haven’t seen in a long time and find out where everyone’s from. But we won’t do that. So this morning I have myself, and I’m accompanied by Ryan from our training group, and we are going to talk about Android extractions.

So, there are all kinds of things that are exciting and new right now that we get to show you and play with and talk to. I’m including a newly-minted slide template for us that we see on the screen here, so I’m kind of happy to use that. Really? I muted myself backwards like that. So yes, I muted myself backwards like that.

So if you didn’t hear all that, I’ll just repeat myself really quickly. This is Keith Lockhart again. I said welcome to our webinar, thanks for attending on this Friday, but what I also said was looking at the attendee list right now, I don’t even want to do a webinar; I just want to have a big jam session and talk to everybody that I haven’t talked to in a long time and see where everyone’s from. I recognise some far away names.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


What I also said was this is a conversation about data extraction from an Android perspective, because I have with me, Ryan Ebersole who works in the training team at Oxygen here. And we were a party to some recent testing where, you know, this conversation is about Android extraction, but it’s also kind of a showcase of functionality for the extractor technology of ours, as it’s always undergoing change, and whenever there’s a new release, we just jump in there right away and see what’s new.

Like, what new things can we do? What new exploits are built in? What new functionality is there for us to play with? And in conjunction with that testing that was going on that we were working with, we were having the conversation about, well, we’re always having the conversation about Android, and we were having a deeper conversation about what types of methodologies were used in testing.

Now that kind of goes to say, well, what pieces of the tool are you familiar with? Or, you know, do you have your go-to things you always want to do when you have the broadest range of support? Or is this a specific model of phone, brand, firmware, operating system, security patch, I mean, all those different things that might affect the way you go about your extraction? So, we were really working with the testing crew and just making sure we were exploring everything. And that brought us to the conversation of, let’s talk about this in mass.

So we have a webinar coming up, a live one where we can talk about Android on the whole and some of the popular ways we can get data from an Android, because frankly, if you give a phone or a device, while it’s in my greedy little hands, I’m going to do everything I can to it and get every type of extraction I can, because this one might give me that and that one might give this and back and forth until I’ve exhausted all my possibilities. So, Ryan, just to make sure that I’m not jumping all over your audio, are you there to introduce yourself for a second and say hello?  I’m just about, there you go. Had to unmute you, too.

Ryan: Yes, I’m here. Good morning, everyone.

Keith: Perfect. Okay. So, how this is going to work is Ryan has the technology and I am going to be lucky enough to narrate and he navigates for us when we get to that point. But I have up on the screen here, kind of a roadmap for us. And we’ll start in the top left and just kind of work through these extractions. And Ryan has a camera and our favorite phone for this just to show us a couple things in real life. But all of these extractions right now are recorded because if we started a physical and waited for it to finish, that’s all we get to do.

So, we have them all recorded, or we can start and kind of fast-forward parts we want to talk about and show things and discuss things and all that. So if you’re new to this altogether, and I don’t know looking at the list out there where everyone’s knowledge is, so I’ll kind of speak to a common ground, but I do want to say, if you’re just jumping in or go, “Oh, what, what happens with Androids and Oxygen?” we can kind of take an older graphic that’s always stuck in my head. It was a pyramid that you could turn upside down, so the small point was at the bottom in the large base at the top. And we would say, “Look, our ultimate goal is to get as much data as we can.”

So, you know, depending on the extraction type, we may be in a mode where we get what we can see, or we may be in the next, you know, best mode where we can get a file system extraction, or maybe we can grab everything, and typically referred to as a rooted or a physical extraction. And again, those are all dependent on, you know, there are so many variables out there; the operating system, the firmware, the security patch, the brand of the phone, the chip and the phone, the model of the phone. You know, is it from this region or that region? Just so many things impact that.

But a physical is kind of the ultimate goal because we know we’re getting as much as we can in essence of the data that’s available. Maybe we can recover some deleted stuff. Maybe we can get things at a level that a file system doesn’t show, or certainly doesn’t show at a what-you-see-is-what-you-get level. So it’s kind of, you can almost argue, gosh, why would you start with that one? But we’re just going to start with a physical and then work our way across the line there doing an Android backup and talking about the pros and cons or the ups and downs of an Android backup and an APK downgrade; downgrading applications on a device to make it give up data that we couldn’t really get with maybe just a simple Android backup.

We’ll move on a file system and see how that works. And then we’re going to use our agent. We have a what was previously the Oxy agent because it was just by itself and the toolkit. And now we kind of call it the Android agent and the iOS agent because we have one for both. And, you know, depending on where we are in time, we might go actually attack an encrypted, secure, booted device just to show how that works. Because there are several models, makes and brands and chips that we can do like that as well; using either password that’s built into Detective or some proprietary attacks that we build ourselves. Whether it’s full disk or file-based encryption, we have some ways you can feed yourself, drink the water yourself, maybe not have to send the phone away, or, you know, decrement account you have where you, you know, can save it and keep that count for something more difficult that you couldn’t do on your own.

Okay. So let me just run through a couple of the bullets on this as I talk through them. Android Physical, we’ll say we’re going to get root access and the largest data collection. All of these until we get down to maybe before first unlock attack, these are all examples where we have control of the phone. We can get in the phone, we can turn on USB ddebugging by entering developer mode. And Ryan’s going to do that once just so we can say, hey, this is a prerequisite to the things we’re showing right here except the agent and the BFU, they work a little differently. But we’ll show that in case you’ve never seen that and then we’ll kind of look at the process and the video to do that.

And when I say CVE exploit, common vulnerability, there are tons of them out there: vulnerabilities, it’s a build a better mouse trap game. What really gets cool is when the new vulnerabilities are built into the extraction technology, which is why we go crazy whenever there’s a new build. We want to go see what’s in there and see what new things we can do like that. So, we’ll put the phone into USB debugging mode and perform the physical, then we’re going to perform the backup. And, you know, one thing I’ll also add to the conversation, whether it’s a, gosh, I don’t know, an iOS backup or Android backup is we always want to encrypt those, meaning we’re going to add a password to it.

So the technology at hand will consider things more protected and put more data in there that we, you know, from our data collection standpoint are happier about. And we’ll run the backup, but we’ll see that the Android backup is, you know, there’s a large component of the Android backup that says, oh, you’ll get me the data that’s tagged to back up, you know, and these days that’s less and less as compared to previous days.

One of the things, one of the reasons for that is, you know, there’s a lot of data in the cloud, you know, why keep it locally when we can keep it in the cloud so you can get to it no matter what device you log into? Okay, fair enough. Other times the databases and the code, and it’s just not tagged to back up anymore like that, which is why that APK downgrade becomes so important. I can put the bullet out there, if you’ve ever met me in my life, you know I’m a sci-fi guy, but that was the unwinnable test that you know, Captain Kirk cheated on to win. So we’re kind of cheating. We’re going to go in there and take the versions of the applications that won’t give up the data we want and trade them out for versions that will, and we’ll get the data we want and then put the original versions back.

So that’s really cool, call it the Android-backup-enhanced version of getting things. The full file system, you know, people call it all kinds of things: file system, full file system, whatever is it. The better than the what-you-see-is-what-you-get level, less than getting your physical, but generally a great data set to work with. And then with the agent, as I expand on that a little bit, the agent works two ways in the Android world. One is you can push it over a USB cable with the phone hooked up to the machine and execute it like that. And that’s fine, but the other way is putting it on an OTG device, an on-the-go device. And Ryan has one of the cooler ones I think is out there and you’re going to see that. But the value of that or the difference in that is amazing because when you install it on the phone manually from that on-the-go device you get a different menu that allows third-party application access, where we are constantly building parsers for popular applications and implanting them into the agent.

So, the bullet at the bottom of both of those agent sections is widest range of support. Now, you know, you have access to the phone if you’re going to put an agent on it, you’ve got to put it into debugging mode if you push it across the wire. You don’t have to put it into debugging mode if you install it from the on-the-go device. But this is, you know, when we say we’re supporting 30,000 or whatever the number of devices is today, that just sounds astronomical. You know, marketing loves a number like that. I’m skeptical of a number like that.

But if we take the concept and say, look, every phone has 10 things or you know, we’ll stick to Androids. Every Android has 10 things, we always want all 10. Sometimes we get eight things, sometimes we get four things, maybe one, maybe 10. Either way, we’re supporting that device. The agent is an application, an Android app, and it’s permissions. 

Now think about, so you get your phone, you throw WhatsApp on it, and you go to chat with somebody and take a picture. What does WhatsApp say to you? “Hey, I need access to your camera. Yeah, no problem. Hey, I need access to your contacts. Yeah, sure.” I mean, it’s, can I have access to this? Yes or no? And you’ll, the agent does the same thing, right? And he gets on there and says, “I want access to all these things.” and of course we’re going to say yes to that. But then when we get into those third party things, that’s true power above and beyond pushing it over USB.

And those are one of the things that when we were in that testing environment, Ryan and I, we were able to say, “That’s fantastic. Let’s do this one too.” And it opened up a whole new world of data collection like that just because we employed an alternate method of using the agent. And like I said, if we have time, maybe we can throw down on a secure boot device and stab the Android. I guess I’m still stuck on Halloween with my Android icon there. 

Okay, so Ryan, I’m going to the presenter so you can share your screen and then we can continue navigating like that. So, I’ll click and make you presenter and I’ll watch for your screen, Ryan. Okay, Ryan, I see your screen and, oh, I see your super cool OTG with your camera on the phone there. Fantastic. So, oh, go ahead.

Ryan: I said I couldn’t help but show it off immediately. 

Keith: No, you know, I can’t blame you for that all. Ryan, can you get closer to your microphone? Cause you seem for me anyway far away and I just want to be able to hear you well.

Ryan: How’s this?

Keith: That’s the same for me. However, that doesn’t say anything for anybody else. Maybe everybody else can hear you better. That’s okay. I’ll talk a lot. We can survive that. Cool. So, Ryan has the camera up there on his Galaxy and he has an OTG beside it. Miraculously cool. So, the first video we wanted to show, the first extraction that’s recorded is probably a better way to say that, in our live webinar was the Android physical. So, Ryan, I think if behind your camera is probably the Android physical. Yeah, I can see it up on the top left: the Android physical mp4.

So Ryan, well, I take this back, Ryan, maybe put your camera back up there and let’s get through one time putting your phone into developer mode and then activating USB debugging. And we’re going to do this exercise just once, because, again, if you’re watching this and you’re new to this, a very common methodology for accessing Android data is putting it into developer mode so you can engage a feature called USB debugging. Kind of like you’re a developer working with your Android, hooking it up to a computer and allowing, you know, a free data transfer between your computer and your device, because it’s like you’re testing your new application or something, you’re in developer mode. And when we engage that USB debugging, we can create kind of a secure connection between the two devices and send data back and forth. And from there we can start, you know, doing nefarious data collection versus, you know, debugging testing. 

So, Ryan, if you please, I see Ryan’s device there and what Ryan’s going to do, this is kind of cool, I get to like think it and then a magic thing happens in front of my screen. Ryan is going to sweep down on the top of his phone and hit the gear, you know, the settings gear and get into settings. And when he does that, he’ll be presented with, you know, depending on the operating system version of the device or maybe some proprietary look and feel for the settings menu, we’re going to try to find the area of maybe about phone or phone, you know, settings or something like that where Ryan is at the bottom, he just found the about phone, and then we can get into things like legal information, software information, you know, I think he’s got battery there and all that. And we’re just going to poke around until we find the build number for the phone. And that’s just about right in the middle of his screen and he’s tapping it. Now stop right there, Ryan. So as you tap, right, you can see the little thing pops up and it goes, “Hey, you’re like four taps away from being a developer.”

So you’ve got to do it seven times. And once you get to the seventh one it says, “Ding ding, you’re a developer!” And what that does is if you back up, I think you’ll probably have to go back one screen, maybe two, that opens up a new feature area in the settings called developer options, which you can see at the bottom of that screen. So, when Ryan taps that, then there are all these crazy things you can do to the phone that, you know, normally you shouldn’t be doing to the phone. Most users would care less about developer options unless they’re again trying to develop things. So, Ryan’s going to scroll down to this section where he’s going to find this thing called USB debugging. And we’re going to activate that. And what that allows is a secure, you’ll see an RSA key fingerprint approval process between the device and the machine.

So he’s going to tap allow or okay on that allow screen. And whether it happens here because he is probably already done it on the phone or when we would get into an extraction, the extractor would query the phone or try to query it and you might have to approve that key transfer there to get the phone into the right state so extractor can work with it and talk to it. So that’s cool, Ryan, you can move your camera out of the way for our video as we through that. But I just wanted to make sure that once because the physical, the backup, the APK downgrade the file system, those are all methodologies that employ developer mode and USB debugging. So thank you for doing that for us. And then if you come back to your video, oh, sorry Ryan, go ahead.

Ryan: Yeah, one distinction also on these devices, as you see my screen…

Keith: Oh, you just got louder, by the way, So stay wherever you are.

Ryan: Make sure stay awake mode is on as well. That way your device display doesn’t power down during an extraction, because in some cases it can affect the extraction itself. So ensuring your device stays on and alive throughout the process is also important.

Keith: Brilliant. So, you know, Ryan, before we just kick off this extraction and talk about it and zoom around through it in the video, I think you have extracted running, can you pull it up for a second? So, if you haven’t played with our extractor in a while, I mean, this could be a super new look and feel for you. So, Ryan, go to the tools menu for a second. And oh, so Ryan has a build that’s not quite out in the world yet.

Look at those, I don’t even know what those are, Ryan, those are really cool. But start at the old extractor, that’s what I meant to do. I don’t have that other build installed yet. Just run the old one because I if you haven’t been here in a while, you might remember this version of extractor and you can see, you know, what’s left there is kind of pittance because the majority of the extraction platforms have been ported over to what I’m calling, well, you know, look at this and if you’ve ever heard me or maybe had me do an extraction class or something, the top bar of that extractor says Oxygen Forensic Extractor, and then the top left of this screen and Ryan’s extractor that’s behind that one, it says Oxygen Forensic Device Extractor. So you can differentiate the two by their name now. But we’ve come full board to this Data Extraction Wizard 2 model. So thanks, Ryan. You can minimize that if you want to come back to it later or something. 

But I just want to show that view versus this one because things have definitely changed even to the point where, you know, in this build I can tell you that there’s an update to the MediaTech Android extractor because there’s a little update flag there or in the Samsung Exynos there’s a little update flag there. So something’s new there. I mean, it’s just a whole new look and feel, a whole different way of doing extraction compared to the last version or the last wizard. And this is how we roll now, right? 

So Ryan is on the Android tab essentially at the top or that little differentiator. So we are just filtering to all of the Android extractors. Hit all real quick, Ryan, just so we can see the craziness of all the things and how they sit there and align now. And change your view if you want, I guess you can do that too. So we just got a whole new extraction world. And then, Ryan, one time before we leave this, go to the devices section because, you know, depending on the extractor you picked in the old extractor world, how you selected your device could have varied based on the way that extractor module is set up. But now we have this massive type down list.

I mean, you can start typing in the search box up there and it essentially will narrow down to whatever you’re typing, you know, on the fly, I guess is the way to say that. Super. And then what are we at? 30,584 devices. Yeah, a lot of them with what you’re going to do today. So, oh, there’s your phone right there, huh? Is that the one? The G960U1 from memory. Cool. Okay, thanks for that. Let’s go fire up that physical one and take a look at how that works.

Not in real life, just your video. We’ll be here forever. Yeah, and this is, I mean, we can do a live conversation like this, but I wanted to be able to show a lot of different extractions so we had to kind of record them for us. So, Ryan actually took the time to go record these and not say anything. So I don’t know how that had to be, Ryan, to really be quiet during a recording cause it’s just not the way, you know. But if at this point, this is, you know, when you pull this up on the screen, here it is, and all the extraction modules kind of walk you through the description of what’s going on. But you can see the first bullet for this one: “Hey, to connect to the device, put it in USB debugging mode and do that through developer mode.” And if we’d hit that link in the tool, it would show you how to do just what we did, you know, cap build model or build numbers so many times to get into development mode and go find these settings, right?

And then at the connection of a 4.2.2 or newer, you know, confirm the RSA key on the screen, getting route access, the phone may go upside-down, be unstable, jump on its head and whatever. I don’t know if it’ll get that crazy, but I will pause on that bullet to give you an intrinsic tip. All of these things require patience, most of which I have none. And routinely I get angry and yell at extractor and Ryan would call me back and go, “Watch this.” and, you know, everything’s fine because he waited, the extractor tells you this might take 20 minutes and I’m like, I don’t have 20 minutes. Ryan has 25 minutes and then he has the last laugh because it, or you know, it took two times, but I got it, you know, cause the phone’s on, it’s alive, and we’re trying to get root access to it. And I’m sure that somewhere inside there that’s not the easiest task. So we’re performing an exploit, right?

Sometimes it takes time and sometimes it doesn’t work the first time. And I learned my lesson a lot by watching Ryan do it. And I’m just like, how does he get so lucky? And you know, sometimes I catch up to that and sometimes I don’t. But, you know, remain unlocked. Ryan was just talking about that. Have the right drivers on there, put an airplane, fully charge it and things like that. So you can move forward a little bit, Ryan, to act like we’ve clicked the button and, you know, we get to this stage right here and it wants to detect the device and it says “Connect the device in USB mode ADB debugging”. And you might remember what you saw right there in the recording where Ryan was doing that, we set up, it’s hooked up and we’re going to transfer or get that key fingerprint confirmation so, you know, the devices are authorized to talk to each other and things like that. 

And as the extractor recognizes that, it says, “Oh yeah, look, there’s a Samsung SMG960U1 out there.” Great. Now it’s going to check the connection and see what it can do. And Ryan, I don’t know how far you have to get in the process for that to happen or in your video, but if you get to that point, oh, ta-da now look right here. So it’s looking to see based on everything about the phone, you know, get properties Android debug command in the background to see everything about the thing go, oh yeah, listen, I think we can throw down the 1905 common vulnerability because it’s a Qualcomm device operating Android 7 to 11 with Linux kernel up to 5.4 and Adrene GPU 5 or 6 version without the May 2021 security patch. The exploitation of the vulnerability can take, oh, this is the one that takes up to 20 minutes. I walked right into that door. 

But this is, I mean, this is what I said in the beginning, there are all kinds of variables that can impact this. And just reading that statement, you know, this is a device type, a chip type, an OS version type, a security patch qualifier, and a GPU on the chip, and 20 minutes for the people that don’t have patience. You have to have that into consideration. So then it says it may take some time, if the device freezes or reboots, you know, it might not have happened, do it again. You know, so this would be the Ryan, try again, you know, if you first don’t succeed, Keith, have patience.

So go ahead, exploit that thing, Ryan, in the video anyway. And then we can fast forward to what I always call a happy place. When I see an extraction start or the data collection start, I get happy. Oh, so how far in the video is that? Maybe four minutes? 20 minutes. Nice. But yeah, that’s great watching that happen, checking the encryption state and then extracting a visual. This is my happy place, right? This is where we want to be.

And I don’t even know how big this phone is, Ryan, but looking at your video, we’re at five minutes and 20 seconds now, and it’s an hour and 10 minutes long. So we’re not going to wait around for 52 gig of data, but understanding that, oh, I’ve got a device. Now, if we talked about two, four, sioux, six different extraction methods that we want to go through in this conversation, you’re not done after one. Let’s try the other ones too, right? So Ryan, I guess if you want to drag all the way to the end of this video to kind of close the conversation on physical, just to see what it looks like at the end, including hashing the collected data right after we collect it, right? Good data integrity conversation there. And at the end we get a success screen that allows us to go see where the data is, you know, what we collected, or push it into the detective for analysis, right? That’s a good spot to be. Right there. Okay? 

Ryan: Now see, it looks really really nice when recorded, but this took me a very long time to get and not for any…

Keith: Oh, you’re going to admit? Good job. You have to admit it was miserable, wasn’t it?

Ryan: Right? You know, it took me, I would say easily eight times over and over again, and the frustrating part was before I started recording, I did a test run and said, “All right, let me just validate and verify before I start live recording.” And it worked the first time I plugged it in, I was like, “Excellent, let’s go.” And then when I started recording it failed, or the exploit didn’t catch that time.

And then I was like, “All right, let’s go through this rodeo that requires an immense amount of patience, some days especially because, you know, you unplug the phone, you plug it back in, the connection’s good.” All right, that doesn’t work. You restart the phone, okay, that doesn’t work. You restart the extractor, that doesn’t work. And you’re just going through this consistent motion of how do I make this work better? How do I get this exploit to catch? And sometimes it may take the alignment of the moon and stars to be in the right position for the extraction and catch, but patience is the biggest thing required when it comes to extracting, especially on a physical extraction.

Keith: I think I remember the day you were doing this one. You were like, “argh!”, you showed a patient’s problem that day. It was fantastic. I felt vindicated. No, fantastic. Okay, so that’s that one. Let’s fire up the Android backup one, Ryan, and talk through that conversation. So, you know, moving on to next, essentially, running an Android backup. And here we go again. Put the device in USB debugging through developer mode, keep it unlocked, have the drivers in, put it in airplane mode, charge it, all your normal things and look, anytime there’s a link, a hyperlink or one of the little information circles, you can click on that and get information in the extractor right there. So go ahead and hit that extraction, Ryan, fast-forward, I mean.

And Ryan’s doing, you know, the same process, let’s get in debugging mode and there’s extractor and it’s because we have the appropriate connection, it detects the device and it gets to a point where it says, okay, you’re doing a backup. What options would you like to select here? Well, by default we have the dash shared option. Hey, it will enable the backup of the shared storage and SD card section of the phone. Yeah, we want that. Create a backup for all the installed applications. If it’s doable, great, we’ll go for all of them and enable backup data with key value pairs returned. Sure. That’s probably some great confirmation of getting the right data between the machines. 

The other ones, you know, enable backup of APK files to an archive. Listen, that could be a lot of data. Maybe you want it, maybe you don’t. You know, all the installers that could be gigabytes of data if it came down to it. And unless you’re trying to prove there’s an app on there or not, or Oh, my phone was taken over by malware. Who knows? Maybe that’s important or not, but by default that’s not on. Including all the system applications, that’s kind of like the computer forensic world of, you want to look at all the Windows files, maybe, maybe not. So that’s not on by default. And backing up any files with an APK extension. Again, you know, when you get into getting all the APK installers or application files themselves, maybe not. So, we’ll go with the three default ones as far as those options and see what happens in our next step here.

There’s Ryan imagining to himself while he’s having the same conversation in his head.

Ryan: Oh, there we go. My mouse stuck. There we go.

Ryan: And I saw the extract button, so I’ll just say there was an extract button and Ryan clicked it. Now,  back to that magic part of anytime we have the opportunity to create a backup and encrypt it, we want to do that. And if we don’t want to do that, the extractor is going to prompt us to do that because encrypted backups have more data, right? So, here Ryan is selecting a password that when it comes time to open this later, you know, he’ll need that to import the data, but this will trigger the device to give up more data when it does what we want. So, if an error message appears in the device during extraction, please close it. Great. But off it goes. And where’s this one? We’re at 1:38 in the video, and this took seven minutes. So, Ryan, you can drag to the end if you want.

Ta da, all right, there’s the happy place we want to be in and success at the end, 600 mb of data at that point. Now, what we’re going to do next is the application downgrade extraction, which is essentially an Android backup with the enhancement of changing all the application versions to the ones that we can get data from. And we’re going to check the difference between those two. So, hold that thought once we do this next one we’ll go see what they look like by comparison. Okay, so this one, APK downgrade is, you know, devices operated on operating system 5 through 11 are supported. Man, I was hoping that would say 12 in this new build. Maybe it still will. We’ve still got a week or so I think before this comes out. So OS 5 to 11, you know, put an airplane mode, charge it, disable screen lock if you have one.

For some applications you might have to restart the device during the process, depends, and some may be logged out. So it’s kind of like if you’re logging into WhatsApp to gather data and you log out your target at the same time, you know, there may be a consideration for you. And then once the applications have been downgraded they actually get saved in a folder. So if something happens, you can see a button down there underneath the camera view that’s like, there’s the extract from data applications on the left and then there’s ‘restore the’ right beside it. So if you had to go and manually restore the applications yourself, they are saved for you in case something went awry during your process. So I mean, if you have to give the device back the way you found it, fair enough, you can do that.

So, okay, let’s see what happens when we extract, Ryan. And this is kind of a more involved process than before because a lot of querying and a lot of application removal and replacement has to take place. And somewhere in the middle of that you’ll see the Android backup part occur, throw a password in. But this is incredibly important because if you weren’t able to do this and you were just relying on the backup, when we look at the difference, you’re going to go, “Oh, I see.” So check that out right there. It says, okay, found the phone, but it says 43 installed applications. I think there are 12 that could be backed up, essentially. Select the ones you want to do. So you’ve got the button there, and then here’s your list. Maybe you take all of them, maybe you don’t.

I mean the list, it’s a huge list, but these are the ones that in this particular device are able to be susceptible to this process. So, Ryan’s selecting all 12 in his video. It looks like it anyway, or maybe not, selecting four. Fair enough. Or he just went and did all 12 right there. So there it goes. So here, there’s extractor hung out and saving the original APKs into the folder that would be the extraction folder of all the content of this particular exercise. And then the step will be, yeah, just kind of, you’re going to have to fast-forward your way through all those steps, Ryan, and maybe stop along the way. So he is up eight to 12, okay, 12. Now, a little more time consuming at this point, we’re up to a whole eight minutes. So I probably would’ve walked away already cause I had no patience. I would be doing something new. 

But now that we’ve got the originals saved out, we’re going to start the process of, hmm, let’s get rid of those on the phone. Let’s reboot. Probably have to confirm your key transfer again at some point. And what do we get to next? Please wait. Oh, now, I’ll tell you, here’s the good story. Again, patience. You barely just can’t see the top of Ryan’s screen there. But when you turn a phone back on and it says, “Please wait until the device is fully loaded.” unlock it if you have to. Yeah. So I’m like, go, go, go continue. And not everything is loaded up.

All the applications aren’t up and running yet as the phone is still booting. And generally you see all those little icons across the top of the screen, like a Windows task bar at the bottom. You see everything start populating as everything spins up. Well, wait until the device is fully loaded because if you continue before that, that’s one of the troubleshooting things in the class book is wait, cause it’ll say, yeah, two of your 12 backed up and the other 10 failed. Like, well why? Well because they weren’t even loaded yet. And you said, go. So, patience. Go ahead and continue. Tell yourself that story to amuse yourself and force patience into it. And that you can just picture, it’s kind of like the far side cartoon. We should make a far side chapter for device extraction. Can you imagine?

Okay, so we’re ready to go. Don’t break anything. Do not interact with the device while backing up or until the backing up starts. Interacting can corrupt data. Might be in trouble at that point. So touch nothing, you know, let it do its thing. And I think here, Ryan, you can probably fast forward to getting to the part where you’re going to pull data. Tah dah, great. Unlock the device, make sure it operates, hit continue. Maybe you’re not, you know, extract application data, including shared stuff. I would probably do that. But here we’re back to an Android backup. And you can see on the camera screen of Ryan’s phone, he’s put a password in. So, we’re performing essentially the same operation as before, but we’ve gone and told all the applications to give us data we want and we’ve enforced application versions that will do that, that will work for us like that. So, we’re creating the backup, we’ve encrypted it and it’s gathering data. Let’s see the end of this, Ryan.

Terrific. Deleting the APKs without removing data, restoring the originals, don’t touch anything. And at the end we’re at a success screen where once again we can go look at our data or pull it into Detective. Now, at this point I want to go look and Ryan’s got a detective running, I think, that has a database just created just for this webinar where he has all these extractions in there. So, there’s an APK downgrade and there’s the backup. Now, if you haven’t seen Detective in a long time, this may shock you, but hopefully you’ve all seen Detective recently.

If we just look in the application section of the backup, right, we got the event log, the Google calendar, Telegram. Oh, you didn’t have to go that far, Ryan. If you just, yeah, stay right there.  WhatsApp Messenger, WhatsApp Messenger backup versus down below and look at the file count, 1900 things versus 4,200 things. And down below we’ve got some Facebook Messenger information, Firefox, Line, Telegram, Twitter, Viber, I mean much more data. Same device, different extraction method and employing the AK downgrade one that gets us some cool stuff. 

Cool, Ryan, thank you for that. That helps illustrate some of the difference in why we’d want to do both things while we had it. You know, and looking that screen’s success, I’m playing like we’re in class for a minute because you might see extraction partial and it might be yellow because maybe one of your extractions or selected applications didn’t work. That doesn’t mean the whole thing failed, it just might mean you missed one out of all that you selected. A lot of trouble, look, this is why we run the extraction class cause nothing ever works perfectly the first time and a lot of things like that to be cognizant about. 

So, okay, Ryan, the next one’s the full file system. It’s right there in our list, top to bottom. So, this is, if we’re back at our pyramid of upside down where the top, the base is the most information and we’re starting to work our way down, the pyramid’s getting smaller, but we’re still getting a good set of information. I think Sam Brothers made that. Gosh, I’m working backward in time in my head.

You can see on the camera Ryan’s turning the phone or putting the phone into the mode we wanted to, oh, and there, if you look at the top of the phone and the camera view there, you can see the information bar, little icon bar I was talking about. When it says wait and be patient, that’s where you want to see everything populate. Okay? So in this particular instance, we’re back to, oh hey, on this phone there’s a vulnerability we can exploit. Essentially this is the same one that the physical world took. This is a great vulnerability for this perfect phone for our demonstrative purposes. Same process, a larger data set, you know, just not doing the physical exploit. So, Ryan, you can go for it. And how many times did this one take you, by the way?

Ryan: So, this one took me about three times. Again, after the initial, like, let’s try it and see if it works. So I learned, record always, no matter what it is. And then edit later.

Keith: Yeah, exactly. 

Ryan: But just because the vulnerability worked previously on the Android physical, the exploit may be a bit picky today and may not work the first time on a different extraction. So again; patience, patience, patience. I think I went through more than a pot of coffee doing all these extractions. So I don’t know if that helped or hurt my patience in the moment.

Keith: You know, it’s par for that lifestyle, right? I mean, the phone’s on and we’re trying to do bad things to it. Who knows what’s going on outside there while we’re doing it. And at least, you know, at least we’re having this conversation. The extractor can try to warn you, this might take time, if it doesn’t work, do it again. I’ve seen the do it agains before and you know, given up. But yeah, if at first you don’t succeed. Okay, super.

We’re at happy phase number one. It’s kind of like when the pilot says, “Hey, we’re beginning our gradual descent toward happy place.” I think that’s where we’re going right now with the extraction. You can take us to the end where we’re going to get to our success screen. That simple. Oh, I say that simple, obviously the big caveats are right in that middle section that we continue to reference about patience and try, try again. But super, I mean, 11.4 gb of data, that’s not 52 gb of incomplete, you know, physical parameters. But I’m happy, I’m super happy if I can get a file system. So good. Let’s check out the Agent, Ryan. And matter of fact, Ryan, go to a live extractor for a second if you still have that running.

Ryan: For you to put the agent on?

Keith: Let’s just look at this right here for a second. Because your video is the OTG version, right? 

Ryan: Yep. 

Keith: Yeah. Okay, so we need to do this using the Android agent. I mean, there are two ways to go about this and this is the one where you would push the agent to the phone. And is your phone hooked up right now, Ryan, still?

Ryan: Give me a second.

Keith: Yeah, we’ll go ahead and we’ll get to the point where, let’s see how far in the process we can get to where it’s like, okay, this is good, but here’s why we would want to try to do it the other way, as well. And while Ryan’s hooking that up, if you look at the bottom of the screen, there are two buttons here: “Extract user data via USB” and “Do it over Wi-Fi”. So, I’ll tell this story or tell a couple use cases. It’s like, why would you ever want to do something like that over wi-fi? Are you crazy?

Well, look, there are two considerations here: one is time and the other is space. And, you know, when you see the menu of things that select to bring back with the agent, one of them is the APK installers. And you know that in class that’s like the first thing we we slam down is don’t by default leave that on all the time because maybe you wanted the 2 gb of user data that the agent will get for you, but you just elected to pull 40 gb of data because you get all the APK installers, you’re like, “Oh no.”

Well that takes a lot of time and a lot of storage. If you happen to have, I don’t know, it’s weird to say an air-gapped wi-fi network or we’re just a cordoned-off segmented internal wi-fi network, you can run the agent, get an IP address, you know, hook it up to the wi-fi signal that you have segmented in where you’re doing it and secure, get an IP address and you know, share that with the extractor and it will pull that over to wi-fi. It is way faster.

You’re not, you know, forcing everything through that little USB port at the bottom of the device and you can point it wherever you want. I mean, right? Send it to an ad and just let it gather gbs and gbs of data if that’s the case and a really fast mode. Or as I like to pull the example of me and Jordan and Ryan are at the bar and, you know, Ryan’s across the way with a laptop and a little wireless access point and I’m sitting at the table and Jordan shows up and he’s like, “Hey, man” throws down his phone. He’s like, “Yeah, I’ll be back. I’ve got to do something.” I immediately grab it, throw an agent on there from an OTG device, hook it up to Ryan’s hotspot and then just set it back down. And then Jordan’s sitting there and Ryan’s pulling all this data across the bar into his laptop over wi-fi and Jordan has no idea. 

Now that’s, you know, a little extreme, playing James Bond in my head, but it works; you can do it if you don’t get caught. So, I just put that in there just because speed and time, you know, that’s a heck of a solution to those two pain points. Okay, Ryan, you hooked up? 

Ryan: Yeah, we’re all good. 

Keith: Cool, let’s do it. So, Ryan’s electing the, you know, extract button and here’s the tool saying “Connected USB mode. Device is unauthorized. Please allow debugging.” My guess is Ryan just has to click the, yeah, so see his phone sitting on, do you want to transfer the key fingerprint and when Ryan taps, okay, extractor should go, “Oh yeah, there we go.” So, Extractor is trying to query the device, but it hadn’t made the right connection, but now it has and it sees it out there. So now it’s going to install the agent and if Ryan pulls the camera up, we might be able to watch that on the screen.

And there it is, waiting for the host. And as Ryan’s doing this live right now, it’s looking for the host on whatever port. That’s great. And now it’s sitting there getting ready to do what it wants to do and it says “Granting permissions” on the screen. And Ryan, are you able to drag your phone a little bit to the right on the screen? Because it’s got the little up and down, oh, there we go. Perfect. That’ll work better. Just so that thing’s not right in the way. Just go to the app settings, make sure all the permissions are granted, continue.

Now select the data to be extracted. Here’s where we would throw in the caution, right? And I’m going all the way down immediately to the installed APKs selected box there and I would turn that off. You know, that’s the one that’s going to kill you from a time and space when, if you don’t know what you’re getting into right there. But here’s a great baseline, right? This is a great baseline for device support. Those 30,000 Androids out there, you know, however many they are, then Ryan’s turning off video and making a few selections, but this is why this menu is here: so you can make those selections and get the appropriate data you’re after or not. So, fine, Ryan clicks ok, and probably clicks extract. And if we go look on the phone, can you see that it is out there on the camera on the phone?

So you can watch the agent run on the phone right there and you see those little blue bars scrolling across the screen. It is out there gathering the data from those sections we gave permission to and pulling it back to our success screen so we can then pull the detective and, you know, analyze it. That’s pushing it over the wire. Now that’s one way you can run the agent. Looks remarkably similar when we do it from an OTG, except we have some automation capability available to us and we have the third-party application parser available to us.

Now, don’t think for a second nobody’s been to developers and said, “Hey, by the way, this menu really needs to exist here, as well.” Not quite as easy, but they’re well aware of our desires for that. So, Ryan is in the reading images files data, who knows what he has in there. But we can set that to the side and we’ll come back to it because in the interim I want to be sure to get through this next video and look at the OTG methodology of doing this and then leave a minute for questions if we have any conversations we want to have. 

So, in this video, now watch this on the screen, we’re going back to the old extractor and we’re doing that because the methodology of getting the agent external to the computer onto this OTG device occurs in the old tools menu right now. Right now. That’ll eventually make its way over, as well. So pause that just a second, Ryan. Ryan is on one hand, or he has an SD card under his thumb and index finger right there on his left hand, and he’s turned his OTG device to the side to show us an SD card section or port I guess there and he is kind of navigating the OTG. 

Now, a couple of things: one; pause there, Ryan. We see that he flipped open that USB port, so there was a micro USB inside there, inside the regular USB that you’d hook up to the computer. Then he flipped it over and we have a USBC. So at that point, you know, we’re pretty much accommodating all the Androids out there that we’d want to care about today with a micro USB port or USBC port, plus the ability to stick it back in a computer. Now you also notice these are blue, right? So we’re going USB3 here because if we do get a ton of data, the faster we can get it back into the computer: great.

This device, this OTG thing stands for “on the go” if you’ve never played with one before. And my analogy is, you know, you’re at the concert, you know, recording videos and taking pictures and all of a sudden you’re out of the room on your phone. Like, well, wouldn’t it be great if I had a device I could plug in and offload all my videos and pictures So I’m back in business recording again? Thus the on the go device. And, you know, I act like that’s a primary contributor to its development and creation. Who knows? But that’s a great use case for it. That’s what it’s designed to do. There is no storage in it, it’s not a USB device proper, it’s a vehicle for other storage things like the SD card and Ryan’s hand, or in this particular case, Ryan, can you get to a point where you can see the actual USB port built into this OTG device on the side?

Will we be able to see that ever? So Ryan’s inserting his, the right way, inserting his SD card and that maybe we won’t see it there, but that particular one, that device actually has a built-in USB port, so you could hook an actual USB up to that OTG. So if you needed a ton of storage, I mean, maybe you have Key Scout on it, maybe you have other tools on it that you, oh, oh, there it went. You’re never, oh, you did, nice shot. Wow, wow. Nice pause. So, on that side of the OTG you can see the tiny SD slot and you can see an actual USB port. So I have in mind, I have a little like 256 gb, one of those little nubbie things, right? Plug them in the side. So I have dedicated USB in mind. But look, everybody in the world should have one of these in their pocket.

And from a use case perspective and a law enforcement side of the house, everyone on the road should have, well, anybody should have one, because if you have a victim or you’re in a consent conversation, “Hey, can I just grab that data from your phone?” You know, if it’s an Android, plug in, grab data, bring it home. If, well, you can apply whatever scenario you want to that. In the corporate world, look, I don’t want to take everybody’s phones. I’m going to stop by, plug in, grab what I want, and you can be back in business. I’m going to give you this thing, I’m going to tell you what to do with it, and you don’t have to send your phone, you know, to me for three days or whatever it is. There are all kinds of use cases for OTGs and agents like that.

So, on the left hand side we see the menu. I want to talk through the menu for a second because there’s some relevance to the steps that are there. In this video, in this older version of Extractor, the conversation says, “Select the path below to save the Oxy agent to an SD card.” Okay, so what that means for Ryan is he would plug it in, find a drive letter and save it out there. The next bullet says, “Safely remove the SD card.” You’re like, “Okay.” Then it says, “Insert the SD card into the, examine the device and install the Oxy agent.” Launch the agent, do everything, extract data from it. Remove the SD card from the device, connect the SD card back to the PC, and click next. This menu is assuming we’re doing all of this in one fell swoop, one long fluidic movement. And we’re not, we’re getting the agent on the SD card in our OTG device, and we’re out of here, we’re mic dropping and we’re going to go out in the street and start gathering data. Then we’ll bring it back and import it. 

Now, that’s a school of thought. The point Extractor is making that we all need to be aware of is, oh yeah, we can stick the SD card in the phone. I mean, what if the port’s bad on the bottom of the phone? We’re trying to plug in our OTG. Well, that stinks, so what could we do? Let’s adapt and overcome by taking the SD card and putting it right into the phone. Then we’re following the steps like they are in that menu: run the agent, save back to the SD card, pull the SD card, bring it back to the machine. So there are schools of thought here, for sure, for sure. Hey, is the phone charged? Is it just going to sit there with my OTG plugged into it and drained into oblivion?

Maybe it’s a wireless charging set it on charging point while you’re doing this operation. I mean, there are all kinds of considerations around this. So, sorry, Ryan, I just want to have that conversation while we had this menu on the screen. So, Ryan got to the point, his Gdrive  saved his agent out to it. And okay, now I think Ryan, at the bottom, I can see the blue light under your phone. Ryan has plugged his OTG into the bottom of the phone. And I don’t know how many of these things we’ll encounter in the video, but, you know, there could be a couple things you have to overcome here. And I say that lightly because there are only a trillion different Android variations out there of, you know, maybe this one, the operating system is set to not let you install from USB. They’ll turn that off, or it won’t install third-party applications, you might have to turn that off. 

I mean, you might have to do a couple things to get the agent to install, but Ryan was just there and he saw the agent APK, he navigated to it and he’s installing it right now on the device. So when he taps that, kind of the same process of pushing it with a USB except you’re doing it manually in your hand right here, or sitting across from somebody at the table and they’re starting to sweat cause they’re like, what are you doing? What do you mean you are going to put an agent on my phone? What is that going to do? What is it going to get, right? Now stop right here, Ryan. So here it is. “Hey, user, you’re installing a new app, it wants access to your contacts.” Sure thing. Yes, yes. And then what’s after contacts? So then you can hit play, Ryan, and look, it wants access to photos. Give it permission to everything. That’s the whole point. Again, Android world, right? Widest range of support right here. Throw an agent on there, give it access to everything and go to town. 

Now, look at this menu. This is essentially what was going on in the background when we push it over the USB. The top menu is what was happening, or the top item is what was happening in the background. Go ahead and hit that, Ryan, just from a parity sake, let’s look at the, or what I’m acting like, looking at it live and you’re doing it right there. Nevermind.

Ryan:In this video I think we start with taking screenshots. 

Keith: Totally fair. I’m acting like I’m looking at your finger live. It’s that natural. So, but hold on, go back a second. Ryan’s saying we’re starting with taking screenshots. Let’s expand on that a minute. Those two middle menu items are the caveated brilliance of why you would do this from an OTG. So take screenshots and record the screen. What this does, and you’ll see it, but I’m going to preface you with it or preface the conversation for you. You’ll get a little red clicker on your screen and it allows you to click and take a screenshot or click and take a video while you’re navigating around. And there’s automation. You’ll get an up and down arrow if you pick the automated ones. Now think about this. You could jump into the text thread between Ryan and this phone. It’s only 10 miles long. So you could sit there and read it or you could use the automated clicker and it’ll take a screenshot and it’ll page up a screen or down, whichever way you’re going, and screenshot and screenshot and screenshot until the entire text thread is captured in screenshots.

You’re like, “What a tedious process.” Yeah. Well let’s take that back to Detective now and think about your technology availability. Let’s OCR all of those screenshots of the chat messages. Because if we optically character recognize them, then we can search them. Oh yeah, as Randy the Macho Man would say. I mean, that’s you helping your tool help you both become the better investigative team because you’re taking the mundane work and letting a tool do it like this on the phone for you and then taking it back to the shop and letting the kind of, we call it AI, we call it the technology helping out with optical care recognition so then you can search for all that stuff. That’s a great workflow to keep in your head. Okay, so Ryan, pressing that, go ahead and run through that screen. 

Ryan: Did you want to do this live? Because I have it hooked up.

Keith: Oh, do you? Go for it? 

Ryan: Yeah.

Keith: Sure. Put the camera up there. Ryan’s in the back. How many hands do you have today, Ryan? You have one controlling this, one controlling that. Ryan, yep, I could see it plugged into this phone right here. I wouldn’t know the difference. I’m looking at the recording thinking, is it live or is it recorded? And now you’re going to put me in a, wow, so two alternate realities at once. So Ryan’s got it live. Now here’s the thing. You see it says autonomous mode at the top. You might have to engage a couple settings here because what you’re going to do is apply an overlay on the device and that’s typically the one you have to go ahead and say, “Hey agent. Yeah, you can do overlays, that’s cool.” and select a place to store things when you do them.

Critical point, you know, we really drive that home in class because if you store them internally on the phone and walk away, yeah, that’s not good. You want to store them back out to your OTG device. So, common thing we have to overcome is to store it in the right way. But Ryan is now going down to the permission thing. You see the agent was off and it says right there, “Hey, Android agent wants to…” and we’re talking about giving you permission to make swipes. You know, like, if it was our hand or our finger swiping this way or pinching that way or whatever to control the screen and put the overlay up there. So that’s cool, we’ll give it those permissions. And now check these out: Semi-automated screenshots, manual screenshots, semi-automated screen recordings or just straight-up screen recordings. So, Ryan, your show, you pick whatever you want to navigate however you want. So Ryan picked, was that manual screenshots? 

Ryan: Yeah. 

Keith: Okay. And apps could appear on top. So he just did the overlay thing. And now, look at that little clicker there. He’s dragging it down toward the bottom of the screen. So if he taps that, he just took a picture, took another one, and now you can use your Android navigation and navigate all over the phone and take pictures, right? And look, I’ve had people come to us before and say, “Give us a solution to this problem because we’re on scene somewhere” and I think this is more of a law enforcement type conversation. And they’re like, “There are bad things on that phone. So we’re taking pictures of the bad things with our phone to bring them back to use them for our purposes.” I’m like, “No, don’t do that. Don’t put them on your phone. Put the agent on there.” And look, you see Ryan just jumping all over and taking pictures into the secure format of the agent file structure to import into analysis technology versus taking the pictures of that stuff on your phone. No, no, bad. 

So cool. Ryan, you got some pictures there. We’ll get a recording thing up. I want to see the red one because we’re at the top of the hour, but I do want to see it before we go. Oh, we’ve got to show third party one time. So everybody, I’m going to stay here until we’re done. I probably got about five more minutes if I get my way. Please stay. You’re welcome to, otherwise you can see this later I’m sure, but Ryan has now done a recording, so now’s got a little red target there. Tap that thing and now he’s got a video going, see a little timer there. So you could be navigating around to the, you know, browser history, whatever you want to record, you are now recording your navigation of this phone in real time. And that will be available to you in Detective, not to mention, oh gosh, what if you go find all these crazy videos of all the co-conspirators or bad people, whatever, and in Detective, now you can grab all the frames of the video and do facial categorization on everybody and the video. How cool is that, right?

So that’s, I mean, there’s some super awesome functionality from the OTG method of employment of the agent. Ryan, jump back and let’s do one third party so we can watch the magic of you not touching anything and the agent is doing it. So look at this. Ryan is hitting this third-party menu and he’s doing the normal caveats of, hey, we’re going to store this stuff coming up and Ryan can continue, but look at what we have available to us: Discord, Firefox, Kick Line, Signal, just scroll to the right Ryan so we can see the other page of the application support. And these are third-party parsers we’re building to go attack those applications much more in depth than just an agent poll. So, you pick, Ryan, whichever one, you have some data and let’s fire one up.

Ryan: So, it requires that they’re logged in and I don’t think any of these are currently logged in for this device, but we can show what it’ll look like to go through say, Discord.

Keith: Do you have any in your video, Ryan? Did you do one in the video? The one that was  recorded?

Ryan: It just launches the application. And if you’re not logged in or if it doesn’t have a way to grab that data, it’s going to fail, but we could still show that process.

Keith: Okay, I didn’t know if you had one in the video or not that was all the way through, so no worries. Okay. So, Ryan’s doing discord, right? Yeah. Extract user room folks, extract, extract contacts, extract chat, extract everything. So you get some flexibility in what you want. You can do it all. And the part where I get so excited is, yes, if you were doing this for real, you could tap the button and the agent essentially tells you touch nothing, you know, and you stand back and it will do it all for you. Look at that, Ryan’s touching nothing right there and it’s automatically parsing through Discord and grabbing all the account data and everything it’s trying to get. So it didn’t get much, not engaged right now, but that’s super cool, especially when you’re trying to make somebody sweat it out because they’re seeing all their pictures and their messages scroll across the screen while the agent is capturing all that for you and you pull back the detective.

So, I want to get through all those. That’s taking a look at a lot of different Android extraction capabilities that are available to you while you have a device in your possession. Who knows under what circumstances you have that device in your possession, but you got it. And while you’ve got it, go to town. I mean, get everything you can before you don’t have it anymore. 

So I am looking at the application that runs the webinar and I’m going to look in the questions section because I haven’t done that in our entire time and I see one in there, but I have to make this bigger to read it. Oh, I see two, three or four in there. “Did it start to fix my audio?” Sorry, that was my fault on the audio. Everything’s good now. “Is there any scenario when the tool says that an exploit is available but still the extraction can’t be completed even after patiently trying multiple times. Kindly answer based on your experience. What’s the maximum number of times you’ve tried before giving up on it?” I am not going anywhere near that answer because you obviously know by now I have no patience. That’s a great question because I always end up at the middle spot of that question, but you still can’t complete it even after patiently trying multiple times, then I call Ryan. So Ryan, when do you give up?

Ryan: Right, that’s super tough to answer because especially if you know the exploit works on this device, right, we say it’s supported, you know it’s supported. Maybe you’ve gotten this exploit or extraction before, but now it’s just being extra difficult on this particular day. Personally, my perseverance and my pride says no, I’m not going to give up. I’m going to continue until I either throw the phone out the window or the computer goes with it.

But I keep trying, you know, and it’s maddening at points and I don’t know that, you know, depending on the time that you have when it comes to or your timeline in the investigation or extraction time frame that you have, you know, if I’m doing a physical extraction and I know these exploits are available and are working, I’m going to continue to try, I’ll change my cable, I’ll change the positioning of the phone. I know that sounds crazy, but how the phone is being connected to the port matters, right? And I’ll clean the port, right?

I always have a little bit of isopropyl alcohol and a little brush. I’ll clean that port out to see maybe some debris getting in there. Maybe there’s some lint that’s allowing or not allowing the connection to go through. You know, I will continue to try and try and try because what’s even more maddening every time you try again, it may get a little bit further in the process and that tells you that the method will work. It’s just a matter of when it will work.

And this is standard across any acquisition tool set or methodology that I’ve tried. You know, you just have to continue to try until you get to that point where it’s like, I can’t waste my time on this device anymore. I would set it aside, continue with my other devices and then come back to it, right? And see what I can get at that point because maybe the device itself needed a break, and I’m pretty convinced that cell phones have emotions and computers and so placating to that, giving them a break is helpful.

Keith: Yeah. So anger management. The computer did nothing to you, you threw it out the window. Mental notes. Okay,  So, there are a couple of other questions there relative to this is everything we did was with your Galaxy with an Android, I think the iOS was 8. And this is, you can get everything from them. This is true. This is the model and thing of display that is susceptible to everything we want to show today. And the variation of operating system, I’ve caveated that all along. You know, some things may work or may not based on the OS, the security patch, the model of phone, the firmware, all those things. Totally right in that commentary. And I mean, that’s not to say all is lost when you have Android 12. Maybe it’s time for an agent. Maybe that’s the recourse we have at that point.

Maybe it’s 11, maybe it’s encrypted. I mean, there are still all things to do above and beyond what we’re showing with this phone just because it’s so compatible for our display this morning. But that’s a fair, great comment. I’m with you. That’s why we have all these different methods to try. There’s another comment or question that is, “What would be the preferred and fastest method if we’re mainly interested in IM apps, having the complete user cooperation?” Depends on what the apps are, you know, depends on what they are.

If they’re supported with the agent, I would fire one in there with the OTG device and let it gather everything, you know, and you can step up depending on the time and what you have. Is it susceptible to a file system exploit? I’d go there, too. Are those apps downgradable? Maybe, I mean, you could theoretically run through this workflow trying them all to get the maximum amount of that app data. Everything we looked at today is some type of cooperation with the device. Whether the user has given you the lock code, if it was locked, right? You have to be able to, when the ones we looked at anyway, get the phone in debugging mode so you have some type of cooperation, but the fastest way would depend on what the apps are and how much data you’re after and what you’re getting as you’re running through the workflow all of them. 

“What about Android 12 and 13?” Yes, as you heard me say, another question, as you heard me say in the ATK downgrade, I was hoping to see 12 there because that is high on the feature list of doing applications in version 12. The build Ryan has right now, there’s a new one next week, maybe we get lucky and it’s in there, but that is certainly on the horizon as far as things were after all the time. Let me keep scrolling down. I’ve seen on one forensic tool that doing a downgrade should be done as a last resort. Almost making it sound like a bad thing you do. Your webinar makes this look very easy and something to not be afraid to try. What are your warnings on doing the downgrade?

So listen: I’m glad the tool makes it look easy to do. The caveats to any of you asking that question in your head are what your local policies are or your jurisdiction rules are. I mean, some places can’t jailbreak a phone because it’s considered damaging. They have to, you know, do an agent at that point. If you can’t do one thing, do another. 

This is a methodology. I’m not going to tell you to employ it over anything else or not to. It’s a way if you need it, right? If all else fails and that’s your only recourse, there’s a way to do it. It, yeah, look pretty easy right there, Ryan. I’ll credit the tool and Ryan’s deference to the process. The warnings are, you know, be responsible for your own agent, your own locale. And the great example of that is cloud extraction. You know, people get a cloud extractor and jump into somebody’s online account, start getting data and they don’t have the authority to do that. Well, I’m not going to not give you the tool, I’m going to count on you to be responsible with it is the warning is what I would apply to that or the caveat to apply to any of this, frankly.

I mean, you know, the phone, if your Android pops up on the screen of a knife stuck through it, you might have damaged something bad. All of this is be responsible. So, mI won’t say do one thing over another. It’s all relative to your needs and abilities. “Is the acquisition logical or physical? Also, does the extraction leave some evidence of extraction? If data can be exfiltrated without a trace, it can also be placed without a trace.” Now I’m going to assume that question is relative to the agent because we were just, that’s the last one we were doing. so I’ll answer like that. As far as logical or physical, it’s what you see, this is a what you see is what you get one. We’re not getting deleted data, we’re not getting, you know, things like that with an agent pull. 

“Does it leave some evidence?”Yeah, look, the agent was installed on the device. You can delete it, you can uninstall it. I’m sure there’s a log of that somewhere. So when using the word exfiltration, that makes me think of tradecraft and spy work. yeah, there’ll probably be traces of that left there. It’s not completely spy to my knowledge. There’s probably a log of it being installed or not. So there will be traces, yes. And what type of extraction, it’s basically what it can see and what it can get permissional access to is what it can get, Okay? “Does the agent get WhatsApp messages?” Absolutely. WhatsApp and WhatsApp VBusiness. It’s dreadfully awesome with WhatsApp. That’s was one of the early-on third-party applications parsers. And it is phenomenal especially to, I think there’s a video out there somewhere on YouTube and I think it’s me actually doing a WhatsApp extraction with the agent and I’m just making total fun of it because I’m not touching anything and it’s doing all the work for. So absolutely on the WhatsApp question. Good questions.

Okay, anything else? I’ve gotten down the list, I think, of all the questions that I’ve seen. This is recorded. I’m not sure when it will post, but it’ll be up there for anybody that wants to come find it later or bring someone else along to watch it. And listen, you can always find us. Ryan if you have, well, I think the last slide of that presentation said “Thanks for attending and good hunting.” You know, we’re here to help too. If you get in a spot and you’re trying to work on any of these extractions, I love the comment. It makes it look so easy. But you have to be also caveat the entire time you have to have patience.

If it doesn’t work the first time, maybe you’re using the wrong cable and shooting yourself in foot. I tell you, so somebody says, “Hey, thank you, step back a second and just breathe.” Oh yeah. So give us a holler or if you need some help, we’ll gladly help with any of these things. Oh wait, hey, last one. And we tried the agent on Android 12 with WhatsApp with no joy. So find me, get in contact with us after this and let’s work on that because I want to figure that one out.  look on our handouts. Oh, Amanda says, hey Amanda, “Look under handouts for the certificate before you leave.” Hey listen, this is a great hour towards certification maintenance. Haha. So, you know, or certificate of just attending those are in the webinar. What is it? The handout section? Amanda, right? Amanda, man, I’m going to find you an unmute second so you can speak to that really quickly and give the best answer. There you go, Amanda, talk about that.

Amanda: Okay, can you hear me?

Keith: Yes.

Amada: Okay. It’s right under where you put your questions, or right above it, actually. So, where all of your controls are in the little control panel, you’ll see a handout dropdown and it says webinar Android cert.

Keith: Oh, you know what? So, Ryan, if you drag the controller onto your screen, the webinar controller, you can see that handout section 105 that Amanda’s talking about. I had mine off the screen, but I’m not sharing my screen at this point. Anyway, hopefully everybody can see that from Amanda’s description right down at the bottom where you were entering your questions. Right underneath that is the handout section.

And Ryan, can you pull up a text file up there and just put my email in there and your email so the question, hey, what’s your mail in there when I’m saying find us so we can try to figure out what’s going on with that one situation, because I always love problem solving. So, here’s mine and then Ryan will not put his in or put something fictitious in there for himself. keith.lockhart@oxygen-forensic.com, and then that would be Ryan’s, not Keith’s. Okay, Amanda, anything else? I’m glad you brought that up. Thank you.

Amanda: All good. That’s it.

Keith: Okay. Get in touch with us. Thanks for attending. Have a great weekend.

Leave a Comment