Oxygen Forensics - Decrypt android dumps

(@john000)
Posts: 45
Eminent Member
Topic starter
 

Hi all,

I'm trying to use the new 'Android dumps decryption' method added to Oxygen Forensics v12.1 and I experienced some difficulties.
It seems that even if Oxygen successfully extracts the Hardware-backed keys, the extraction is still encrypted.

I do see in the extracted folder the .BIN file + Keys.json, but is there any way to combine them?
How can I import the BIN to JetEngine and use the keys to decrypt the files?

Thank you,
John

 
Posted : 17/12/2019 10:29 am
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

John, if you are using OFD 12.1 then the algorithm is the following:
1) You extract the device in Oxygen Forensic Extractor that creates a physical dump and extracts the hardware keys.
2) Once extraction is finished the dump is automatically imported into OFD main interface (you call it JetEngine).
3) During import there must be a window asking you to enter the user password. Once you enter it the dump will be decrypted. So the hardware keys are just used in the decryption process.
In the upcoming versions we will add the opportunity to bruteforce this password.
If you still experience problems you can contact us directly or leave your email in PM here and our support team will do their best to help you.

 
Posted : 17/12/2019 11:42 am
(@john000)
Posts: 45
Eminent Member
Topic starter
 

> John, if you are using OFD 12.1 then the algorithm is the following
> 1) You extract the device in Oxygen Forensic Extractor that creates a physical dump and extracts the hardware keys.
> 2) Once extraction is finished the dump is automatically imported into OFD main interface (you call it JetEngine).
> 3) During import there must be a window asking you to enter the user password. Once you enter it the dump will be decrypted. So hardware keys are just used in decryption process.
> In the upcoming versions we will add the opportunity to bruteforce this password.
> If you still experience problems you can contact us directly or leave your email in PM here and our support team will do their best to help you.

Thank you for the quick reply.
But I'm wondering, what is the user password? How can I get it?

 
Posted : 17/12/2019 11:50 am
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

This is the password to lock the device screen. If the Secure startup option is enabled by the device owner, you need to enter the password in our software to decrypt the physical dump. As we have previously written, we will soon add the ability to find this password using bruteforce. If Secure startup is not activated on the device, our software must decrypt the physical dump without asking for the password.

 
Posted : 17/12/2019 12:16 pm
(@the_grinch)
Posts: 136
Estimable Member
 

To confirm, Oxygen has the ability to image a phone (with secure startup) and then allow unlimited attempts to unlock the encrypted extraction?

 
Posted : 17/12/2019 3:05 pm
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

> To confirm, Oxygen has the ability to image a phone (with secure startup) and then allow unlimited attempts to unlock the encrypted extraction?

Yes, we can image an Android phone with Secure Startup enabled. Once you create an image you have an unlimited number of attempts to decrypt it in our software.

 
Posted : 17/12/2019 3:45 pm
(@the_grinch)
Posts: 136
Estimable Member
 

> To confirm, Oxygen has the ability to image a phone (with secure startup) and then allow unlimited attempts to unlock the encrypted extraction?

> Yes, we can image an Android phone with Secure Startup enabled. Once you create an image you have an unlimited number of attempts to decrypt it in our software.

And if it's not secure startup, but just a password you would be able to bypass it? As an example, an SM-G955U?

 
Posted : 17/12/2019 3:51 pm
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

> To confirm, Oxygen has the ability to image a phone (with secure startup) and then allow unlimited attempts to unlock the encrypted extraction?

> Yes, we can image an Android phone with Secure Startup enabled. Once you create an image you have an unlimited number of attempts to decrypt it in our software.

> And if it's not secure startup, but just a password you would be able to bypass it? As an example, an SM-G955U?

Yes, we offer various screen lock bypass methods for Android devices. This particular model is not supported but we are working on its support.

 
Posted : 18/12/2019 7:33 am
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

> To confirm, Oxygen has the ability to image a phone (with secure startup) and then allow unlimited attempts to unlock the encrypted extraction?

> Yes, we can image an Android phone with Secure Startup enabled. Once you create an image you have an unlimited number of attempts to decrypt it in our software.

Which devices are supported for imaging an Android phone with Secure Startup enabled using OFD?! I've read the latest release notes, but I didn't find what I'm looking for…

 
Posted : 30/12/2019 8:38 pm
(@smc409)
Posts: 1
New Member
 

I am trying to get a physical dump from a Redmi Note 4, but after the physical image extraction it failed to obtain the decryption key, and the device also got stuck in EDL mode and is not booting normally.

Please help me to solve this issue.

 
Posted : 30/08/2020 4:50 pm