Rationale for conducting this experiment: As we previously saw, we were able to see the previous batch's deleted files/data such as messages, media, etc. Thus, what if an unsuspecting user's phone is stolen and extracted? Wouldn't an attacker be able to carve out all of the user's deleted data?
In this document you will see the results of what information can be obtained before encrypting/reformatting the device, which contains some crafted data for the user Alice Chan. The device used in this experiment is a Samsung Galaxy S5 Plus.
FINDINGS - Before Encrypting And Reformatting Data Available
In this document you will see the results of what information can be obtained after encrypting the device, and also what information can be obtained after reformatting the encrypted device. The device used in this experiment is a Samsung Galaxy S5 Plus.
FINDINGS - 1/11 Week 9 Day 4 - Findings/Things Done
Conclusion: It was found that after encryption and reformatting, the differences are as follows:
1. You need to type in the password "12345" when trying to open the extracted data in UFED Physical Analyzer.
2. By comparing the above two extractions (before and after encrypting and reformatting), no data prior to the reformat (of the user Alice Chan) could be carved out/recovered.
NOTE: If the device is rooted, encryption is not possible! You need to disable root first.
Rationale for conducting this experiment: As we previously saw, we were able to see the previous user's (Kelvin Ng's data, starting from 2015) deleted files/data such as messages, media, etc. Thus, what if an unsuspecting user's phone is stolen and extracted? Wouldn't an attacker be able to carve out all of the user's deleted data?
In this document you will see the results of what information was available on an iOS device (iPhone 4), which contained some data from the prior user, Kelvin Ng.
FINDINGS - Before reformatting iPhone 4
In this document you will see the results of what information can be obtained after reformatting an iOS device (iPhone 4).
FINDINGS - 31/10 Week 9 Day 3 - Findings/Things Done
Conclusion: After comparing, you can see that no data prior to the reformat could be carved out/recovered. This may be because iOS devices have data protection and encryption on by default, and after reformatting a new key is generated, rendering the old key useless and thus making the data from before the reset irretrievable (decryption is impossible without the old key, which has been replaced with the newly generated one).
Below is the Google Find My Device Portal.
If you select reformat, you will be prompted to re-enter the password for your Google Account to confirm this action. After which, the following appears on the screen.
The document below shows the Google Find My Device Portal and also what could be extracted from the device after using the portal to remotely conduct a factory reset.
Prior to this experiment we crafted some data by logging into alicechan0355@gmail.com and sending an email to Bobby Tan. We also had an OTP message from Google and some images on the device.
FINDINGS - 14/11 Week 11 Day 3 - Findings/Things Done
Conclusion: It can be observed that the data we crafted on the device is no longer retrievable/cannot be carved out. Thus this is another viable method to completely wipe data from a device if you have confidential data and have lost your phone, intend to sell your phone, or your phone is stolen.
In this article by ADISA (an organization that recommends standards for safely disposing of information technology equipment), it is found that data on BlackBerry and iOS phones is safe after a factory reset, in that you are not able to carve out any data deleted during a factory reset on these devices. Since we do not have BlackBerry devices to test, this article makes it clear that Android does not completely wipe all the data (it may work exactly like Linux/Unix file deletion, which only removes the reference to the file).
RESEARCH - Article By ADISA About Reformatting
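As an added illustration (not part of the original findings) of the two reset behaviours this page compares: the Android-style deletion described above, where only the filesystem reference goes and a carving tool still finds the data, versus the iOS-style crypto-erase in the earlier conclusion, where the key is replaced and the old ciphertext becomes unrecoverable. The partition layout, the AES-GCM key handling and the sample bytes are constructed assumptions, not a real device's format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample standing in for user data on flash: a JPEG-style header
// followed by a text message (hypothetical values, not from a real device).
var jpegMagic = []byte{0xFF, 0xD8, 0xFF, 0xE0}
var samplePayload = append(append([]byte{}, jpegMagic...), "...hi Bobby, the OTP is 4242"...)

// unencryptedReset models an unencrypted device after reset: the 16-byte allocation
// table is zeroed, the data blocks behind it stay intact (Unix-style "drop the reference").
func unencryptedReset(payload []byte) []byte {
	return append(make([]byte, 16), payload...)
}

// carve scans a raw image for a file signature as a carving tool does; -1 means no hit.
func carve(image, sig []byte) int { return bytes.Index(image, sig) }

// newKey models the key store: a fresh 256-bit key at first boot and again at reset.
func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

// encryptPartition is the encrypted-storage model: flash holds only AES-GCM
// ciphertext (nonce||ct) under the current device key, never plaintext.
func encryptPartition(key, payload []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, payload, nil)
}

// decryptPartition succeeds only with the exact key the data was sealed under.
func decryptPartition(key, image []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, image[:gcm.NonceSize()], image[gcm.NonceSize():], nil)
}

func main() {
	wiped := unencryptedReset(samplePayload)
	enc := encryptPartition(newKey(), samplePayload) // old key not kept; reset mints a new one
	_, err := decryptPartition(newKey(), enc)
	fmt.Println("carved at:", carve(wiped, jpegMagic), "| in ciphertext:", carve(enc, jpegMagic), "|", err)
}
```

On the unencrypted image the signature is found right behind the zeroed table; on the ciphertext no signature or message text is found, and the post-reset key fails authentication.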
This thesis by Laurent Simon & Ross Anderson clearly describes what happens during a factory reset on an Android device. It also goes further to state the practical usability of forensics on phones.
RESEARCH - Other's Thesis On Function of Restore Factory
Source: https://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf
We tried to clone the SIM card to see if we could retrieve any data through it, and whether it could be used as a SIM card on its own. Through this research we found that you are not able to use it independently to make any calls or send SMSes, and you are also not able to retrieve any data from it. However, any contacts saved on the SIM card can be seen in the contacts on the device.
FINDINGS - 22/10 Week 8 Day 2 - Findings/Things Done
The document below shows what data you can retrieve before rooting.
FINDINGS - Before Rooting Extracted Data
The document below shows what data you can retrieve after rooting.
FINDINGS - After Rooting Data Extracted
To get a wider idea of the effects of rooting on the data that can be extracted, across a wider variety of devices, here is an official detailed documentation/matrix from Cellebrite of supported devices and the data it can extract from each:
FINDINGS - Android Detailed List.xlsx
Conclusion: It was found that after rooting, the differences are as follows:
To get a wider idea of the effects of jailbreaking on the data that can be extracted, across a wider variety of devices, here is an official detailed documentation/matrix from Cellebrite of supported devices and the data it can extract from each:
FINDINGS - UFED iOS device contents extracted.xlsx
Conclusion: The difference between the data extracted from a jailbroken iOS device and from one prior to jailbreaking is that email cannot be retrieved unless the iOS device has been jailbroken beforehand.
Physical Extraction: It is observed that an older device like the Nexus S may allow you to gather more information (such as the password/PIN) via Physical Extraction, compared to a Physical Extraction of a newer device like the Samsung Galaxy S5 Plus, where you cannot extract the device's password/PIN but can still extract everything from the device despite it being locked. There is also a significant difference in the time required to extract from either device: the Nexus S needs 2 hours to perform a Physical Extraction, while the Samsung Galaxy S5 Plus only needs 1 hour for the same extraction.
Logical Extraction: No significant difference between the Samsung Galaxy S5 Plus and the Nexus S, as this is a faster form of extraction to begin with compared to Physical Extraction.
File System Extraction: No significant difference between the Samsung Galaxy S5 Plus and the Nexus S, as this is a faster form of extraction to begin with compared to Physical Extraction.
Physical Extraction: Not much to compare, since only the iPhone 4 could do this.
Logical Extraction: There was not much difference, since Logical Extraction is much faster compared to Physical Extraction.
Advanced Logical Extraction: No significant difference between the iPhone 4 and the iPad 4, as this is a faster form of extraction to begin with compared to Physical Extraction, even though it takes slightly longer and gets more information than Logical Extraction.
File System Extraction: No significant difference between the iPhone 4 and the iPad 4, as this is a faster form of extraction to begin with compared to Physical Extraction.
Conclusion: Correlating device age (based on release date), hardware specifications and the benchmarking done on the devices: the faster and newer the phone, the faster the Physical Extraction, but it is not able to get information like the plain-text password/PIN to unlock the device. Conversely, the slower and older the phone, the slower the Physical Extraction, but it is able to get more information like the plain-text password/PIN to unlock the device.