HDD GURU FORUMS :: View topic - mSD Sandisk 64GB cracked-good read via NAND-almost no data

HDD GURU FORUMS http://forum.hddguru.com/

mSD Sandisk 64GB cracked-good read via NAND-almost no data http://forum.hddguru.com/viewtopic.php?f=10&t=41459	Page 1 of 2

Author:

melvin [ July 1st, 2021, 4:08 ]

Post subject:

mSD Sandisk 64GB cracked-good read via NAND-almost no data

Hello,

Got this cracked mSD card. I got full ID via NAND 453EAAA2, got memory dump, corrected and reread in more than 95%. Some red blocks here and there but most is good. So it's not a situation where bad blocks would ruin every file. It was used in many phones. Last one was Xiaomi Mi A2 Lite. I recovered only 69 jpegs, 10 of them work good. They are old, from another phone. I scanned the dump in every possible way. Results are the same. Client doesn't know if the card was encrypted by the phone.

But, if it was encrypted, why did i find some old pictures? It should be encrypted in 100%, right?
Looking for someone with more experience willing to check it.

Attachments:

img_0002 (1).jpg [ 118.54 KiB | Viewed 17374 times ]

Author:	Lardman [ July 1st, 2021, 4:28 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
Phones aren't my thing but AFAIK they encrypt the fs not the device - assuming you read it as chip off. What's it look like in hex and have you run anything to check the entropy of the image?

Author:	einstein9 [ July 1st, 2021, 4:36 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
Xiaomi Mi A2 Lite came with Android 8.1 (encrypted Internal phone mem) BUT MicroSD is NOT by default unless you do manually. Now, am not sure about Xiaomi but in Huawei for example you can set Default Mem as the MicroSD for example here and by then will be Encrypted (some cases) BUT if you leave it as a default (not enc.) and you set Camera saving to MicroSD then its not Enc. (FAT32) which i believe your case here and that is why you are getting some images. Conclusion Check those images/Apps/files footage details (dates) and ask your client, he is the only one who should know

Author:	melvin [ July 1st, 2021, 4:59 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
He has no clue, phone is long gone. Photos i recovered are from 2015, from another phone the mSD was used in. Photos from Xiaomi are not recovered. My answear would be that they were encrypted but if so, does the phone encrypt only new data? Cause that's the only idea i got to answer the question, why i recovered few old photos. There should be more of them anyway. This card was used for few years and photos were collected in fidderent folders. Can't recover the structure, only RAW results.

Author:	Arch Stanton [ July 1st, 2021, 5:35 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
It's possible files are individually encrypted (FBE). If you scan with my tool JpegDigger (the logical image) you may be able to tell by looking at entropy map (cyan = encryption-ish entropy) although that's not conclusive 'evidence'. Also individually encrypted files I see contain string "CONSOLE". Attachment: console.png [ 9.76 KiB \| Viewed 17352 times ]

Author:	melvin [ July 1st, 2021, 7:39 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
Didn't find any "CONSOLE" except console.log files. Jpegdigger cannot determine the file system type. Used override, set 64GB but when pressed "scan" i get: Run-time error `13: Type mismatch and the program closes. Funny thing is that beginning of logican image looks good. Looks like fat, many words can be recognized like "scroll the app" but the rest looks like garbage.

Author:	Arch Stanton [ July 1st, 2021, 10:03 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
melvin wrote: Didn't find any "CONSOLE" except console.log files. Jpegdigger cannot determine the file system type. Used override, set 64GB but when pressed "scan" i get: Run-time error `13: Type mismatch and the program closes. Funny thing is that beginning of logican image looks good. Looks like fat, many words can be recognized like "scroll the app" but the rest looks like garbage. Well how about that!? I scanned 100's of cards, disk images and what not, I recommend it here once and it crashes! Sorry about that. I can not replicate doing steps you took, maybe something specific with that file. Can only fix if I have the file (or possibly even part of it) if you and would be willing to share.

Author:	melvin [ July 1st, 2021, 11:24 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
Link sent.

Author:	Arch Stanton [ July 1st, 2021, 11:39 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
Thank you!! Of course here it just runs fine. Weird. You were using 2.6.280 too? https://imgur.com/bSyOiPj Cyan = superhigh entropy which suggests it's encrypted data.

Author:	arvika [ July 1st, 2021, 15:36 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
Its easy to check if encrypted. Look for partition with "android meta" "android expand"

Author:	arvika [ August 5th, 2021, 12:07 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
What was the result?

Author:	Amarbir[CDR-Labs] [ August 5th, 2021, 12:36 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
arvika wrote: Its easy to check if encrypted. Look for partition with "android meta" "android expand" Hello, IF you see these then its encrypted or whats the story ,I do not work on mobiles and mobile MSD so interested to know

Author:	Arch Stanton [ August 5th, 2021, 14:30 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
Amarbir[CDR-Labs] wrote: arvika wrote: Its easy to check if encrypted. Look for partition with "android meta" "android expand" Hello, IF you see these then its encrypted or whats the story ,I do not work on mobiles and mobile MSD so interested to know Okay. But I often get the files with story that they're corrupt, so I do not have this folder structure. If they're FBE encrypted I have seen this CONSOLE string many times and also seen it mentioned in other forums. So that's what I always check for.

Author:

arvika [ August 5th, 2021, 15:02 ]

Post subject:

Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da

Case from today. RAW scan gives nothing. Card is crypted by mobile phone.

Attachments:

android_crypt.jpg [ 30.72 KiB | Viewed 15469 times ]

Author:	Arch Stanton [ August 5th, 2021, 15:32 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
arvika wrote: Case from today. RAW scan gives nothing. Card is crypted by mobile phone. Can you open a JPEG just for laughs? And see if they have this CONSOLE string in header?

Author:	arvika [ August 5th, 2021, 16:03 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
Arch Stanton wrote: Can you open a JPEG just for laughs? And see if they have this CONSOLE string in header? It is not possible, because I do not found any file headers. String CONSOLE is absent too at image.

Author:	Arch Stanton [ August 5th, 2021, 16:16 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
Ah, I see. No folder tree either? So entire volume is encrypted? Probably CONSOLE string is in files encrypted with file based encryption. So your card was configured as internal memory. Other option is as portable storage and in that case encryption is optional. And if enabled it's probably FBE AFAIK.

Author:	Amarbir[CDR-Labs] [ August 5th, 2021, 21:08 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
Arch Stanton wrote: Ah, I see. No folder tree either? So entire volume is encrypted? Probably CONSOLE string is in files encrypted with file based encryption. So your card was configured as internal memory. Other option is as portable storage and in that case encryption is optional. And if enabled it's probably FBE AFAIK. Obviously , Its never a File Based Encryption in these i guess

Author:	Arch Stanton [ August 6th, 2021, 6:06 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
[quote="Amarbir[CDR-Labs]" Obviously , Its never a File Based Encryption in these i guess[/quote] What do you mean? What's obvious and what do you mean by 'these'?

Author:	Amarbir[CDR-Labs] [ August 6th, 2021, 10:32 ]
Post subject:	Re: mSD Sandisk 64GB cracked-good read via NAND-almost no da
Arch Stanton wrote: [quote="Amarbir[CDR-Labs]" Obviously , Its never a File Based Encryption in these i guess What do you mean? What's obvious and what do you mean by 'these'?[/quote] Hi, By These i mean mobile phones and the way they encrypt the MSD cards

Page 1 of 2	All times are UTC - 5 hours [ DST ]
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group http://www.phpbb.com/