
Android SD card decryption

July 25th, 2018, 9:26

Hello folks,

Is there any way to decrypt the contents of an "encrypted Android SD card"? The encryption is done through the Android internal encryption process.

The phone is broken. Anyone managed to solve any similar case?

Any help or leads on this will be appreciated. Thanks


Regards,
Omi

Re: Android SD card decryption

July 25th, 2018, 12:23

omi786 wrote: Hello folks,

Is there any way to decrypt the contents of an "encrypted Android SD card"? The encryption is done through the Android internal encryption process.

The phone is broken. Anyone managed to solve any similar case?

Any help or leads on this will be appreciated. Thanks


Regards,
Omi


Your question is not fully clear here... or I can say it is not providing enough info.

Phone Model?
Android ver.? (if you know)
Formatted phone?
Phone can be repaired or totally toasted?

And the most important question: forensic case, or just a silly customer looking for some photos/contacts (budget?)

I know a few close friends, experts from some part of the world, who enjoy doing such cases, but you will need to pay (well, I mean).

But if you think someone will answer this question for FREE, then I am telling you, you will never find him (and if you do, please let me know).

Good luck.

Re: Android SD card decryption

July 25th, 2018, 15:09

Show us a photo of the phone's PCB.

Re: Android SD card decryption

July 25th, 2018, 16:06

einstein9 wrote:
omi786 wrote:... and the most important question, Forensic case or just silly customer looking for some photos/contacts (budget?)

Very illuminating.

Re: Android SD card decryption

July 25th, 2018, 17:26

einstein9 wrote:
omi786 wrote: Hello folks,

Is there any way to decrypt the contents of an "encrypted Android SD card"? The encryption is done through the Android internal encryption process.

The phone is broken. Anyone managed to solve any similar case?

Any help or leads on this will be appreciated. Thanks


Regards,
Omi


Your question is not fully clear here... or I can say it is not providing enough info.

Phone Model?
Android ver.? (if you know)
Formatted phone?
Phone can be repaired or totally toasted?

And the most important question: forensic case, or just a silly customer looking for some photos/contacts (budget?)

I know a few close friends, experts from some part of the world, who enjoy doing such cases, but you will need to pay (well, I mean).

But if you think someone will answer this question for FREE, then I am telling you, you will never find him (and if you do, please let me know).

Good luck.



Okay, let me explain again. I am talking about the data on the external 32 GB MicroSD card. The phone is broken, so it's useless at the moment. It was a Samsung Note Edge running Android version 6.0. There is an option in new Android versions to encrypt the contents of the MicroSD card, and this happened to this card. The contents were encrypted by the Android phone and now the phone is dead. So we have the MicroSD card only. I have found a file .metaEcfsFile on root, which seems interesting as it was last accessed/modified when the phone was operational. I may be wrong about this file, but it caught the eye.

About the budget, I don't think the client will be ready to pay $$$$. I am "trying" to work on it for my own interest, but it's leading nowhere. That's why I put it on the forum to avail more information.

Regards
Omi

Re: Android SD card decryption

July 25th, 2018, 17:42

The reason for the questions about the phone is that fixing the phone may be the easiest/cheapest solution to the problem.

Otherwise, a good amount of $$ will need to change hands.

Re: Android SD card decryption

July 26th, 2018, 2:48

rogfanther wrote: The reason for the questions about the phone is that fixing the phone may be the easiest/cheapest solution to the problem.

Otherwise, a good amount of $$ will need to change hands.


Yes, I got what you are pointing at. But let's "assume" the mobile PCB board is fried or the phone has been factory reset. Is there any possibility for decryption?

As far as I know, the user password encrypts ----> the master password, which -----> encrypts the user data on the SD card. Now the question is, is there any way around to get it, apart from brute force (maybe)? And what if we DUMP the mobile phone's eMMC contents? Would we be able to get the master key in some partition?

Regards

Re: Android SD card decryption

July 26th, 2018, 5:40

omi786 wrote:
rogfanther wrote: The reason for the questions about the phone is that fixing the phone may be the easiest/cheapest solution to the problem.

Otherwise, a good amount of $$ will need to change hands.


Yes, I got what you are pointing at. But let's "assume" the mobile PCB board is fried or the phone has been factory reset. Is there any possibility for decryption?

As far as I know, the user password encrypts ----> the master password, which -----> encrypts the user data on the SD card. Now the question is, is there any way around to get it, apart from brute force (maybe)? And what if we DUMP the mobile phone's eMMC contents? Would we be able to get the master key in some partition?

Regards


I think that most pros in any field MUST diagnose it again and re-evaluate; for some people (experts) it might be beyond repair, but for others IT'S NOT and CAN BE FIXED.
Honestly, I saw and met real experts, I mean repair experts, doing the impossible, and it all depends on $$$ (budget) and how important the data is.

Back to the main subject, to answer your question: if you encrypt the MicroSD via Android and somehow you factory reset the phone, then it means the enc. key is gone/changed.
I got to know that some experts claim to recover it back if the phone is not touched after (it's possible in theory and few talk about it, join the club).

Conclusion:
If you or your client are not going to pay, then I wish you good luck with this case.
It's not going to be easy, but again, not impossible.

Good luck.

Re: Android SD card decryption

July 31st, 2018, 2:41

Older versions of Android used LUKS encryption; most any Linux distro can unlock it and then you can make an image with dd/ddrescue. Newer versions have a different scheme, but there are tools for reading that as well, though I can't think of any off the top of my head.
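
A header check for the LUKS case raised in the reply above, as an added example that is not part of the thread: it reads the first 592 bytes of a card image (work on an image, not the card itself) and reports whether a LUKS1 header is present and which cipher and key slots it declares. The sample header and the non-LUKS buffer are constructed for the demo.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE = 0x00AC71F3
# LUKS1 on-disk header, big-endian: 208 fixed bytes, then 8 key slots of 48 bytes.
HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")  # state, iterations, salt, key offset, stripes
HEADER_LEN = HDR.size + 8 * SLOT.size  # 592 bytes


def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1(buf):
    """Return the LUKS1 header fields of buf, or None if it has no LUKS1 header."""
    if len(buf) < HEADER_LEN or buf[:6] != LUKS_MAGIC:
        return None
    (_magic, version, cipher, mode, hash_spec, payload_sector, key_bytes,
     _digest, _salt, _iters, uuid) = HDR.unpack_from(buf, 0)
    if version != 1:  # same magic with version 2 is LUKS2, a different layout
        return None
    active = [i for i in range(8)
              if SLOT.unpack_from(buf, HDR.size + i * SLOT.size)[0] == SLOT_ACTIVE]
    return {"cipher": f"{_text(cipher)}-{_text(mode)}", "hash": _text(hash_spec),
            "key_bits": key_bytes * 8, "payload_sector": payload_sector,
            "uuid": _text(uuid), "active_slots": active}


def build_sample():
    """Constructed header for the demo: AES-XTS, 512-bit key, slot 0 in use."""
    hdr = HDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 64,
                   bytes(20), bytes(32), 1000,
                   b"00000000-0000-0000-0000-000000000000")
    slots = SLOT.pack(SLOT_ACTIVE, 2000, bytes(32), 8, 4000)
    slots += SLOT.pack(0x0000DEAD, 0, bytes(32), 0, 4000) * 7
    return hdr + slots


if __name__ == "__main__":
    print(parse_luks1(build_sample()))
    print(parse_luks1(b"\xeb\x58\x90" + bytes(HEADER_LEN)))  # FAT-style start: None
```

On a real image, pass the first `HEADER_LEN` bytes of the file; a `None` result means the card does not carry a LUKS1 header and the plain Linux unlock route does not apply.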

Re: Android SD card decryption

August 4th, 2018, 11:07

einstein9 wrote:
omi786 wrote:
rogfanther wrote: The reason for the questions about the phone is that fixing the phone may be the easiest/cheapest solution to the problem.

Otherwise, a good amount of $$ will need to change hands.


Yes, I got what you are pointing at. But let's "assume" the mobile PCB board is fried or the phone has been factory reset. Is there any possibility for decryption?

As far as I know, the user password encrypts ----> the master password, which -----> encrypts the user data on the SD card. Now the question is, is there any way around to get it, apart from brute force (maybe)? And what if we DUMP the mobile phone's eMMC contents? Would we be able to get the master key in some partition?

Regards


I think that most pros in any field MUST diagnose it again and re-evaluate; for some people (experts) it might be beyond repair, but for others IT'S NOT and CAN BE FIXED.
Honestly, I saw and met real experts, I mean repair experts, doing the impossible, and it all depends on $$$ (budget) and how important the data is.

Back to the main subject, to answer your question: if you encrypt the MicroSD via Android and somehow you factory reset the phone, then it means the enc. key is gone/changed.
I got to know that some experts claim to recover it back if the phone is not touched after (it's possible in theory and few talk about it, join the club).

Conclusion:
If you or your client are not going to pay, then I wish you good luck with this case.
It's not going to be easy, but again, not impossible.

Good luck.


Yes, you are right. I am researching FDE, and these explain the topic a little further:
https://www.forensicswiki.org/wiki/How_ ... Encryption
http://bits-please.blogspot.com/2016/06 ... -keys.html

Also, I will be getting the dead phone soon, so I might take the eMMC dump, but the phone was factory reset, that is for sure.

Re: Android SD card decryption

August 4th, 2018, 11:08

datahaze wrote: Older versions of Android used LUKS encryption; most any Linux distro can unlock it and then you can make an image with dd/ddrescue. Newer versions have a different scheme, but there are tools for reading that as well, though I can't think of any off the top of my head.


It was a Note Edge running Android 6.0.1; Android introduced Full Disk Encryption with version 6.0.