All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 11 posts ] 
Author Message
 Post subject: Android SD card decryption
PostPosted: July 25th, 2018, 9:26 
Offline

Joined: May 19th, 2010, 13:31
Posts: 80
Hello folks,

Is there any way to decrypt the contents of an ""encrypted Android SD card". The encryption is done through the android internal encryption process.

The phone is broken. Anyone managed to solve any similar case?

Any help or leads on this will be appreciated. Thanks


Regards,
Omi


Top
 Profile  
 
 Post subject: Re: Android SD card decryption
PostPosted: July 25th, 2018, 12:23 
Offline
User avatar

Joined: May 13th, 2010, 11:17
Posts: 2358
Location: Kuwait
omi786 wrote:
Hello folks,

Is there any way to decrypt the contents of an ""encrypted Android SD card". The encryption is done through the android internal encryption process.

The phone is broken. Anyone managed to solve any similar case?

Any help or leads on this will be appreciated. Thanks


Regards,
Omi


Your Question is not fully clear here... or can say not providing enough info.

Phone Model?
Android ver.? (if you know)
Formatted phone?
Phone can be repaired or totally toasted?

and the most important question, Forensic case or just silly customer looking for some photos/contacts (budget?)

I know few close friends experts from some part of the world who enjoy doing such cases but you will need to pay (well i mean)

but if you Think someone will answer this question for FREE then am telling you you will never find him (and if you do please let me know)

good luck

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein


Top
 Profile  
 
 Post subject: Re: Android SD card decryption
PostPosted: July 25th, 2018, 15:09 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 10848
Location: Australia
Show us a photo of the phone's PCB.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Android SD card decryption
PostPosted: July 25th, 2018, 16:06 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 10848
Location: Australia
einstein9 wrote:
omi786 wrote:
... and the most important question, Forensic case or just silly customer looking for some photos/contacts (budget?)

Very illuminating.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Android SD card decryption
PostPosted: July 25th, 2018, 17:26 
Offline

Joined: May 19th, 2010, 13:31
Posts: 80
einstein9 wrote:
omi786 wrote:
Hello folks,

Is there any way to decrypt the contents of an ""encrypted Android SD card". The encryption is done through the android internal encryption process.

The phone is broken. Anyone managed to solve any similar case?

Any help or leads on this will be appreciated. Thanks


Regards,
Omi


Your Question is not fully clear here... or can say not providing enough info.

Phone Model?
Android ver.? (if you know)
Formatted phone?
Phone can be repaired or totally toasted?

and the most important question, Forensic case or just silly customer looking for some photos/contacts (budget?)

I know few close friends experts from some part of the world who enjoy doing such cases but you will need to pay (well i mean)

but if you Think someone will answer this question for FREE then am telling you you will never find him (and if you do please let me know)

good luck



Okay, let me explain again. I am talking about the data in the external 32 GB MciroSD card . The phone is broken so its useless at the moment. It was a Samsung Note Edge running Android version 6.0. There is an option in new android versions to Encrypt the contents of the MicroSD card and this happened to this card. The contents were encrypted by the Android Phone and now the Phone is dead. So we have the MicroSD card only. I have found a file .metaEcfsFile on root, which seems interesting as it was last accessed/modified when the phone was operational. I may be wrong about this file but it caught the eye.

About the budget, i dont think the client will be ready to pay for $$$$. I am "trying" to work on it for my own interest but its leading nowhere. Thats why i put it on the forum to avail more information.

Regards
Omi


Top
 Profile  
 
 Post subject: Re: Android SD card decryption
PostPosted: July 25th, 2018, 17:42 
Offline

Joined: October 16th, 2013, 13:21
Posts: 717
Location: Brazil
the reason for the questions about the phone is because fixing the phone may be the easiest/cheapest solution to the problem.

Otherwise, a good amount of $$ will need to change hands.


Top
 Profile  
 
 Post subject: Re: Android SD card decryption
PostPosted: July 26th, 2018, 2:48 
Offline

Joined: May 19th, 2010, 13:31
Posts: 80
rogfanther wrote:
the reason for the questions about the phone is because fixing the phone may be the easiest/cheapest solution to the problem.

Otherwise, a good amount of $$ will need to change hands.


Yes i got what you are pointing at. But lets "assume" the mobile pcb board is fried/or the phone has been factory reset. Is there any possibility for decryption?

As far as i know the user password encrypts ----> the master password which -----> encrypts the user data on the SD card. Now the question is, is there any way around to get it, apart from the Bruteforce (maybe)? and what if we DUMP the Mobile phone's EMMC contents? would we be able to get the master key in some partition?

Regards


Top
 Profile  
 
 Post subject: Re: Android SD card decryption
PostPosted: July 26th, 2018, 5:40 
Offline
User avatar

Joined: May 13th, 2010, 11:17
Posts: 2358
Location: Kuwait
omi786 wrote:
rogfanther wrote:
the reason for the questions about the phone is because fixing the phone may be the easiest/cheapest solution to the problem.

Otherwise, a good amount of $$ will need to change hands.


Yes i got what you are pointing at. But lets "assume" the mobile pcb board is fried/or the phone has been factory reset. Is there any possibility for decryption?

As far as i know the user password encrypts ----> the master password which -----> encrypts the user data on the SD card. Now the question is, is there any way around to get it, apart from the Bruteforce (maybe)? and what if we DUMP the Mobile phone's EMMC contents? would we be able to get the master key in some partition?

Regards


I think that Most Pro. in any field MUST diagnose it again and re-evaluate, for some people (experts) it might be beyond repair, but for others ITS NOT and CAN BE FIXED
honestly, i saw and met real experts i mean repair experts doing the impossible and it all depends on $$$ (budget) and how important is the data

Back to the main subject, to answer your question If you Encrypt the MicroSD via android and by some how you factory reset the phone then it means the Enc. Key is gone/changed
i got to know that some experts claim to recover it back if the phone is not touched after (its possible in theory and few talks about it,, join the club).

Conclusion:
If you or your client are not going to pay then i wish you good luck with this case
its not going to be easy,, but again not impossible.

good luck

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein


Top
 Profile  
 
 Post subject: Re: Android SD card decryption
PostPosted: July 31st, 2018, 2:41 
Offline

Joined: July 20th, 2018, 2:14
Posts: 7
Location: Oregon, United States
Older versions of android used LUKS encryption, most any Linux distro can unlock it and then you can make an image with dd/ddrescue. Newer versions have a different scheme but there's tools for reading that as well, though I can't think of any off the top of my head.


Top
 Profile  
 
 Post subject: Re: Android SD card decryption
PostPosted: August 4th, 2018, 11:07 
Offline

Joined: May 19th, 2010, 13:31
Posts: 80
einstein9 wrote:
omi786 wrote:
rogfanther wrote:
the reason for the questions about the phone is because fixing the phone may be the easiest/cheapest solution to the problem.

Otherwise, a good amount of $$ will need to change hands.


Yes i got what you are pointing at. But lets "assume" the mobile pcb board is fried/or the phone has been factory reset. Is there any possibility for decryption?

As far as i know the user password encrypts ----> the master password which -----> encrypts the user data on the SD card. Now the question is, is there any way around to get it, apart from the Bruteforce (maybe)? and what if we DUMP the Mobile phone's EMMC contents? would we be able to get the master key in some partition?

Regards


I think that Most Pro. in any field MUST diagnose it again and re-evaluate, for some people (experts) it might be beyond repair, but for others ITS NOT and CAN BE FIXED
honestly, i saw and met real experts i mean repair experts doing the impossible and it all depends on $$$ (budget) and how important is the data

Back to the main subject, to answer your question If you Encrypt the MicroSD via android and by some how you factory reset the phone then it means the Enc. Key is gone/changed
i got to know that some experts claim to recover it back if the phone is not touched after (its possible in theory and few talks about it,, join the club).

Conclusion:
If you or your client are not going to pay then i wish you good luck with this case
its not going to be easy,, but again not impossible.

good luck


Yes you are right. I am researching on FDE and these explains a little more the topic further
https://www.forensicswiki.org/wiki/How_ ... Encryption
http://bits-please.blogspot.com/2016/06 ... -keys.html

Also i will be getting the dead phone soon, so i might taken the EMMC dump, but phone was factory reset, that is for sure.


Top
 Profile  
 
 Post subject: Re: Android SD card decryption
PostPosted: August 4th, 2018, 11:08 
Offline

Joined: May 19th, 2010, 13:31
Posts: 80
datahaze wrote:
Older versions of android used LUKS encryption, most any Linux distro can unlock it and then you can make an image with dd/ddrescue. Newer versions have a different scheme but there's tools for reading that as well, though I can't think of any off the top of my head.


Its was a Note Edge running Android 6.0.1, Android introduced Full Disk Encryption with version 6.0.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 11 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group