When the Easy button fails! Cell Phone analysis of a Samsung Galaxy Note 2 (SPH-L900)
Oftentimes, clients come to Flashback Data because their forensic examiners have “run out of tools” to use on cell phones. Literally, an examiner will have run through their entire toolbox, ranging from UFED, Lantern, Susteen, Oxygen, XRY, MPE+, etc. The examiners will usually tell me “XYZ forensic product says the device and operating system are covered” or “I even reached out to the company for help.”
It has been my experience that these hard-working professionals are desperate for something that will allow them to obtain data from a cellular device, usually because one of their bosses is breathing down their neck due to a case backlog. I can literally hear the desperation in the forensic examiners’ voices; it’s as if to say “WHY CAN’T ANYTHING JUST WORK!” I have even heard their desperation conclude with a statement along the lines of “Dude, I even tried BitPim.” HOLY COW! REALLY! Man, you are desperate!
But all in all, I know what these examiners are feeling. For some reason, it never seems to happen on just a “run of the mill” case. NO! It happens on cases that either live or die by the forensic evidence obtained. It will happen on a homicide, a major felony, a multimillion-dollar lawsuit, or some other major intellectual property theft. I myself have had this happen way too many times, and quite frankly it leaves me feeling a bit HACKED OFF!
Yup! Your boss is breathing down your neck. He just doesn’t understand why yesterday you were able to find evidence on a phone and produce a report within hours, and today you ran $30,000 worth of software against a device and got nothing. Although my bosses understand that software fails, it is still a pain to me when the traditional “easy button” for data extraction fails.
Sorry to blog about this, but I had to let out some frustration because this same thing just happened to me. We recently had a client who wanted deleted text messages from a Samsung Galaxy Note 2 (Model: SPH-L900) running Android 4.4.2 (KitKat). I whipped out the ole’ trusty UFED Touch with the most current update. Sure enough, it showed support for a physical acquisition of the device, and then it happened. That precious little DING sound that we are all too familiar with. It doesn’t matter where you are in the lab; when you hear that sound, it’s the same feeling. It’s as if a group of ninjas descended from the heavens and all decided to kick you in the gut at the same time. BAM!
We tell ourselves “No problem, I know how finicky those physical acquisitions can be,” but in the back of your mind you’re thinking “my goose is cooked.” I restarted the acquisition, except this time adding the step of hitting the button tucked away in my top drawer. FAIL! Dang you, “Easy Button,” you failed me again. Okay, well, I guess I’ll be happy with just grabbing the file system. So once more I initiate the sequence, and again DING!
This time I get the awesome message “Operating system not supported.” I tell myself there might be a workaround. I move on to the next step that most examiners who are pressed for time take: Google. Yup, we have all done it! There is no shame in it. I start to research the Galaxy Note 2, and at the same time shoot an email over to the awesome team at Cellebrite.
I get the response, “I can tell you that the new version of UFED should have support on 4.4.2 and below.” I will say this: the Cellebrite engineers are great and have helped in several cases, especially when it has come to whipping out a Python script for certain tasks. This time they gave several suggestions, but nothing worked.
I think to myself, a year ago I saw an episode of C.S.I. where they placed a cellular device onto the table, and it immediately threw all the contents onto a holographic wall. I thought, what the heck, so out of desperation I placed the device up to my computer screen. I had a glimmer of hope that through some sort of data osmosis the “mmssms.db” would be projected onto the holographic wall in the lab. That’s when it hit me: nope, somewhere in our budget the line item expense “holographic wall” had been denied.
I didn’t throw every tool in the toolbox at it, but I did quickly check to see if JTAG would be an easy option. Nope! I made the decision to resort to the good ole’ down and dirty. Yep, chip-off. Now, all I had to do was contact the client and receive their authorization. You know how that conversation goes. UM, yes, that’s right, your phone will never work again. They usually ask something along the lines of “will I be able to turn it back on again and keep it for (XYZ reason)?” NO [INSERT FAVORITE WORD HERE], your phone is going to be destroyed in the process. I will give you all the pieces back, though, if you like. After it sinks in for a minute, the client realizes the data is more important than ever getting the phone back in working order. WHEW! We jumped that hurdle.
So now the fun begins. Disassemble the Samsung Galaxy Note 2. It’s irritating taking your time to get the device open without breaking anything. I know the device will never work again, so I wish I could just smash and pry my way to what I want. Nope! After all, we are an accredited crime laboratory, so unfortunately I have to put on my “kid gloves” to get at the phone.
After watching a few YouTube videos, I was able to get the housing off the phone. It’s funny: in those videos, have you ever noticed how the creator’s device always seems to magically just “fall apart”? It’s either because they edited out 20 minutes of manipulating and prying, or because they had already misplaced about half of the screws during the 18 previous times they dismantled their device.
Another minute or two later, I had removed the logic board from the phone, and now it was time to begin the ‘tedious’ work of actually removing the embedded multimedia card (eMMC) from the logic board. Bingo! After a bit more work it’s removed. Clean it up, and “voilà,” I have what I need. Now it’s just a matter of getting my favorite imaging tool to read the chip, and BAM! An instant DD file to import into Cellebrite. We all know from there it’s just a matter of going through the data and getting what I want.
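The deleted texts the client wanted live in mmssms.db, which is a SQLite database, and the reason a raw chip-off image like the DD file above can still give them up is that SQLite normally marks a deleted row’s space on the page as a “freeblock” rather than wiping it. The Python below is an added example, not code from the original post or from Flashback Data: it builds a constructed, simplified stand-in for the sms table (the schema is an assumption), deletes one message, and shows that a plain query no longer returns it while a walk of the page’s freeblock chain still finds the body text.

```python
import sqlite3
import struct
import tempfile

# Constructed sample for the "sms" table of mmssms.db (schema simplified; an assumption).
SAMPLE_ROWS = [
    ("+15550100", 1400000000, "are you on your way"),
    ("+15550101", 1400000060, "did the package arrive yet"),
    ("+15550102", 1400000120, "running late"),
]
DELETED_BODY = SAMPLE_ROWS[1][2]

def build_db(path):
    """Create the sample database, then delete one message as the app would."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")  # SQLite default: freed cells are not wiped
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, date INTEGER, body TEXT)")
    con.executemany("INSERT INTO sms (address, date, body) VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.execute("DELETE FROM sms WHERE body = ?", (DELETED_BODY,))
    con.commit()
    con.close()

def live_bodies(path):
    """What a normal SQL query (the 'easy button') returns: live rows only."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT body FROM sms ORDER BY date")]
    con.close()
    return rows

def freeblocks(path, page_no=2):
    """Walk one table leaf page's freeblock chain; the first user table's root is page 2."""
    data = open(path, "rb").read()
    page_size = struct.unpack(">H", data[16:18])[0]  # big-endian, from the file header
    page = data[(page_no - 1) * page_size : page_no * page_size]
    assert page[0] == 0x0D, "expected a table b-tree leaf page"
    offset = struct.unpack(">H", page[1:3])[0]  # first freeblock; 0 means none
    found = []
    while offset:
        nxt, size = struct.unpack(">HH", page[offset:offset + 4])  # freeblock header
        found.append(page[offset:offset + size])  # header overwrote only the cell's first 4 bytes
        offset = nxt
    return found

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = f"{d}/mmssms.db"
        build_db(path)
        recovered = [fb for fb in freeblocks(path) if DELETED_BODY.encode() in fb]
        return live_bodies(path), len(recovered)
```

Commercial parsers do the same walk (plus unallocated-space carving) at scale; on a real image the body text is only recoverable until the app or a VACUUM reuses the page.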
In your face easy button!