±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35750
New Yesterday: 1 Visitors: 123

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Samsung Secure Folder -> decrypt?

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

th9010
Newbie
 

Samsung Secure Folder -> decrypt?

Post Posted: Jul 02, 19 11:01

Hello everybody,

I have an unlocked Samsung Galaxy S9 device on my desk. From mobile traffic interception of the sim card we know there have been some apps used that dont show up on the normal screen. We suspect the apps are hidden inside the secure folder.

I am trying to get my hands on the oxygen device (https://www.forensicfocus.com/News/article/sid=3186/) but as far as i understand it this only works if the secure folder has been backedup. I dont know if there is a backup.

So, has anyone any experience of information to share on the decyprtion of secure folder? Any sucess someone so far?

Thank you  
 
  

OxygenForensics
Senior Member
 

Re: Samsung Secure Folder -> decrypt?

Post Posted: Jul 02, 19 12:37

Some information from us:

1. You can check if it was backuped up in Settings/Backup and Restore/Samsung Account on the device.

2. To extract and decrypt Samsung Secure folder from the cloud you need to know a Samsung account login and password.

3. As far as we know physical extraction of Samsung devices does not give access to the Secure Folder and using, for example, a custom recovery method leads to a KNOX counter reset and a complete inability to access the Secure Folder.  
 
  

the_Grinch
Senior Member
 

Re: Samsung Secure Folder -> decrypt?

Post Posted: Jul 02, 19 13:12

Only time I encountered this the user used the same password for the Secure Folder as the device and Gmail password. It was an older version of Android so we were able to crack it. Something to think about!  
 
  

shahartal
Member
 

Re: Samsung Secure Folder -> decrypt?

Post Posted: Jul 05, 19 08:21

Cellebrite Advanced Services can fully extract KNOX-protected Secure Folder contents (without cloud access or tripping warranty bit, of course).  
 
  

Puntz
Newbie
 

Re: Samsung Secure Folder -> decrypt?

Post Posted: Jul 09, 19 11:55

I've just received a Samsung Galaxy S9 and the suspect has saved all the evidence in the Secure Folder. Luckily we have the PIN for the handset and the pattern for the Secure Folder.

My extractions haven't obtained these images and videos and I was wondering what the best practice would be to extract them from the phone? I can obviously just remove them from the Secure Folder but I'm changing too much data, and copying them to a USB would alter the date and times. Is a manual review the best choice, or is there something I'm blindly missing?

Thanks Smile  
 
  

the_Grinch
Senior Member
 

Re: Samsung Secure Folder -> decrypt?

Post Posted: Jul 10, 19 15:12

Did you unlock the folder before starting the extraction? My understanding is if it is locked during the extraction then it will not be extracted.  
 
  

Puntz
Newbie
 

Re: Samsung Secure Folder -> decrypt?

Post Posted: Jul 11, 19 11:47

- the_Grinch
Did you unlock the folder before starting the extraction? My understanding is if it is locked during the extraction then it will not be extracted.


I did two extractions, one without unlocking the folder and one after I unlocked it, and I was unable to see the images and videos in UFED.  
 

Page 1 of 2
Page 1, 2  Next