Embedded Files
1. Factory Reset Experiment: (Before VS After Reformat)
1. Factory Reset Experiment: (Before VS After Reformat)
Reformatting Experiment On Android
Reformatting Experiment On Android
Rational To Conduct This Experiment: As we previously saw that we were able to see the previous batch's deleted files/data like messages, media, etc. Thus, what if a unsuspecting user's phone is stolen and extracted, won't a attacker be able to carve out all of the user's deleted data?
In this document you would see the results of what information you can get before encrypting/reformatting the device, which contains some crafted data for the user of Alice Chan. The device used in this experiment is Samsung Galaxy S5 Plus.
FINDINGS - Before Encrypting And Reformatting Data Available
In this document you would see the results of what information you can get after encrypting the device and also what information you can get after reformatting the encrypted device. The device used in this experiment is Samsung Galaxy S5 Plus.
FINDINGS - 1/11 Week 9 Day 4 - Findings/Things Done
Conclusion: It was found that after encryption & Reformatting, the differences are as follows:
1. You would need to type in the password of "12345" when trying to open the extracted data in UFED Physical Analyzer.
2. By comparing the above 2 extractions of before and after encrypting and reformatting, No data prior to the reformat (of the user Alice Chan) could be carved out/recovered
**NOTE: If the device is rooted, encryption would not be possible! You would need to disable root first.
Reformatting Experiment On iOS
Reformatting Experiment On iOS
Rational To Conduct This Experiment: As we previously saw that we were able to see the previous user's (Kelvin Ng's data starting from 2015) deleted files/data like messages, media, etc. Thus, what if a unsuspecting user's phone is stolen and extracted, won't a attacker be able to carve out all of the user's deleted data?
In this document you would see the results of what information that was available on an iOS device (iPhone 4), which contained some data by the prior user, kelvin ng.
FINDINGS - Before reformatting iPhone 4
In this document you would see the results of what information you can get after reformatting on an iOS device (iPhone 4).
FINDINGS - 31/10 Week 9 Day 3 - Findings/Things Done
Conclusion: After comparing, you are able to see that no data prior to the reformat could be carved out/recovered. This may be because iOS devices has data protection and encryption on by default, and after reformatting, a new key is generated, rendering the old key useless and thus making the data before the reset irretrievable (as decryption is impossible without the old key, which was replaced with the newly generated key).
2. Using Google Account To Do Factory Reset On Android:
2. Using Google Account To Do Factory Reset On Android:
Reason For This Research:
Reason For This Research:
- What if a user lost his/her phone?
- What if a user's phone got stolen?
- What if you forgot to reformat the phone before selling it?
- Important/confidential data can be easily accessed by the person who stole/picked up/bought the phone (especially if the device has a simple password/no password protecting it.
*NOTE: The device must be logged into a Google Account first!
*NOTE: The device must be logged into a Google Account first!
We explored the usage of Google Account to do a remote factory reset in the event that any of the above cases is faced
We explored the usage of Google Account to do a remote factory reset in the event that any of the above cases is faced
Below shows the Google Find My Device Portal.
If you select reformat, you would be prompted to re-enter the password for your Google Account to confirm this action. Afterwhich, the following would appear on the screen. -->
The document below shows the Google Find My Device Portal and also what could be extracted from the device after using the Google Find My Device Portal to remotely conduct a factory reset.
Prior to this experiment we crafted some data by logging into alicechan0355@gmail.com and sending an email to Bobby Tan. We also had a OTP message from Google and some images on the device.
FINDINGS - 14/11 Week 11 Day 3 - Findings/Things Done
Conclusion: It can be observed that the data that we crafted on the device is not longer retrievable/cannot be carved out. Thus this is also another viable method to completely wipe data from a device if you have confidential data and you lost your phone, or are intending to sell you phone or your phone is stolen.
3. External Researches/Sources About Factory Reset:
3. External Researches/Sources About Factory Reset:
Research article about what Cellebrite Can/Cannot Retrieve After A Factory Reset
Research article about what Cellebrite Can/Cannot Retrieve After A Factory Reset
In this article by ADISA (an organization that recommends standards for safely disposing of information technology equipment), it is found that Blackberry and iOS phones data would be safe after a factory reset, in regards of the fact that you are not able to carve any data deleted during a factory reset on these devices and since we do not have Blackberry devices to test out, this article makes a clear understanding that Android does not completely wipe all the data (may be possible that it works exactly like a linux/unix way of file deletion, removal of the reference to the file.
*Conclusion: Android is not safe against mobile forensics, namely file carving as compared to iOS and Blackberry.
*Conclusion: Android is not safe against mobile forensics, namely file carving as compared to iOS and Blackberry.
RESEARCH - Article By ADISA About Reformatting
Thesis About What Android Factory Reset Does:
Thesis About What Android Factory Reset Does:
This thesis by Laurent Simon & Ross Anderson, clearly describes the what happens during a factory reset on an android device. It also goes in further to state the practical usability of forensic on phones.
RESEARCH - Other's Thesis On Function of Restore Factory.pdfRESEARCH - Other's Thesis On Function of Restore Factory
Source: https://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf
4. Clone SIM Cards
4. Clone SIM Cards
We tried to clone the SIM card and see if we are able to retrieve any data through it and see if it can be used as a SIM Card on it's own. Through this research we found out that you are not able to use this independently to make any calls or SMSes, and you are also not able to retrieve any data from it. However, any contact saved on the SIM Card can be seen in the contacts in the device.
FINDINGS - 22/10 Week 8 Day 2 - Findings/Things Done
5. Rooted Vs Prior To Rooting (Android)
5. Rooted Vs Prior To Rooting (Android)
This section is to explore the impact of rooting (Android devices) on the capability of Cellebrite to extract data
This section is to explore the impact of rooting (Android devices) on the capability of Cellebrite to extract data
The document below shows what data you can retrieve before rooting
FINDINGS - Before Rooting Extracted Data
The document below shows what data you can retrieve after rooting
FINDINGS - After Rooting Data Extracted
To have a wider idea of rooting effects on the data that can be extracted and on a wider variety of devices, here is an Official detailed documentation/matrix from Cellebrite on supported device and the data it can extract from each device:
FINDINGS - Android Detailed List.xlsxFINDINGS - Android Detailed List.xlsx
Conclusion: It was found that after rooting, the differences are as follows:
- You are able to see the plain text passwords of limited account/wifi password, in this case the wifi PENTest's password is recovered and also alicechan0355@gmail.com's password is also there.
- In addition, according to the matrix from Cellebrite, there are no effects to the amount/type of data extracted with or without rooting the device
6. Jail-broken VS Prior To Jail-breaking
6. Jail-broken VS Prior To Jail-breaking
This section is to explore the impact of jail-breaking (iOS devices) on the capability of Cellebrite to extract data
This section is to explore the impact of jail-breaking (iOS devices) on the capability of Cellebrite to extract data
To have a wider idea of jail-breaking effects on the data that can be extracted and on a wider variety of devices, here is an Official detailed documentation/matrix from Cellebrite on supported device and the data it can extract from each device:
FINDINGS - UFED iOS device contents extracted.xlsxFINDINGS - UFED iOS device contents extracted.xlsx
Conclusion: The difference between the data extracted from a jailbroken iOS and prior to jailbreaking is that email cannot be retrieved if the iOS device is not rooted previously.
To View More Matrix For Other Devices Click Below:
To View More Matrix For Other Devices Click Below:
7. Device Specification & Speed Of Device Impact
7. Device Specification & Speed Of Device Impact
This section is to explore the impact of the specifications of the devices (Hardware) & also does the speed/age of the device affect the capability of Cellebrite to extract data
This section is to explore the impact of the specifications of the devices (Hardware) & also does the speed/age of the device affect the capability of Cellebrite to extract data
Android
Android
Physical Extraction: It is observed that an older device like the Nexus S, may allow you to gather more information (like the password/pin) using the Physical Extraction as compared to doing a Physical Extraction newer device, like the Samsung Galaxy S5 Plus, where you cannot extract the password/pin of the device but it allows you to extract everything from the device despite it being locked. But there is a significant difference in the timing required to extract from either device, e.g. Nexus S would need 2 hours to perform a Physical Extraction while a Samsung Galaxy S5 Plus only needs 1 hour to do the same physical extraction.
Logical Extraction: No significant difference between the Samsung Galaxy S5 Plus compared to the Nexus S as this is faster form of extraction to begin with compared to Physical Extraction
File System Extraction: No significant difference between the Samsung Galaxy S5 Plus compared to the Nexus S as this is faster form of extraction to begin with compared to Physical Extraction
iOS
iOS
Physical Extraction: Nothing much to compare since only the iPhone 4 could do this
Logical Extraction: There was not much difference since Logical Extraction is much faster compared to Physical Extraction.
Advanced Logical Extraction: No significant difference between the iPhone 4 compared to the iPad 4 as this is faster form of extraction to begin with compared to Physical Extraction, even though it takes slightly longer and gets more information than Logical Extraction.
File System Extraction: No significant difference between the iPhone 4 compared to the iPad 4 as this is faster form of extraction to begin with compared to Physical Extraction
Release Dates:
Release Dates:
- Android
- Samsung Galaxy S5 Plus --> 11 April 2014
- Nexus S --> 16 December 2010
- iOS
- iPhone 4 --> 24 June 2010
- iPhone 4s --> 14 October 2011
- iPad 4 --> 2 November 2012
Conclusion: Correlating the device age (based on release date) the hardware Specifications & the benchmarking done on the devices, the faster and newer the phone, the faster the Physical Extraction but it is not able to get information like plain text password/pin to unlock the device. However, the slower and older the phone, the slower the Physical Extraction but it is able to get more information like plain text password/pin to unlock the device.
Google Sites
Report abuse