Data wiping of some cellphones during unlocking process adds to difficulties of mobile forensics, and the avoiding of which bears great importance. In this issue, data recovery experts from the Key Laboratory of Sichuan Province explains methods to avoid data wiping during cellphone unlocking by taking Samsung Note 5 and Huawei P7 as examples.
I The Purpose of Cellphone Locks: To Ensure System Stability
Cellphone enthusiasts are aware of expanded accesses following Android cellphone root and tend to root their phones to streamline or modify the system. Cellphone root bears equal importance for mobile forensics since a more complete set of data is only available when the cellphone is rooted. Locks loaded on cellphones when they leave the factory hinder the rooting and system reinstalling processes of cellphones and these two kinds of operations have many similarities. So how are cellphone locks defined and what are their purposes?
Cellphone locks refer to locks protecting cellphone ROMs, on which operating systems and pre-loaded apps are installed, and preventing any modification of system files. Their purposes are to prevent unexpected circumstances, including accidentally deletion of vital apps, and to avoid system instability or even breakdown.
II Unlocking Cellphones Might Cause Data Loss
A cellphone lock ensures system stability but hinders cellphone rooting, which is the basis for many operations, and limits the data that can be extracted during cellphone forensics. Thus, removing of cellphone locks is the first step leading to full access of cellphones.
Some cellphone manufacturers, with the intention of protecting data security, set the phone to erase data automatically during the cellphone unlocking process. But, the default setting is a disadvantage for cellphone forensics and researches on its avoidance bears great importance. After conducting a series researches on the relationship between cellphone locks and data wiping, data recovery experts from the Key Laboratory of Sichuan Province found methods to avoid data wiping during cellphone unlocking.
III Methods to Avoid Data Loss during Cellphone Unlocking
A. Unlocking Samsung Note 5
1. New models of Samsung phones are loaded with CROM SERVICE locks, which should be disabled before cellphone rooting or system reinstalling. Instructions for unlocking of Samsung Note 5: download and install CROM tool developed by Samsung (picture 1), and complete the unlocking process following software prompts step by step (picture 2).
Picture 1: Download and install CROM tool
Picture 2: Complete unlocking following software prompts
2. Enter Downloading Mode (also referred to as ODIN mode; enter by pressing Voice Down, Home and Power Button together with power off) to check whether unlocking is successfully done. The presentation of ‘Unlock’ on the screen indicates successful unlocking (picture3).
Picture 3: ‘Unlock’ indicates successful unlocking
Current research results revealed that this approach ensures high probability of successful unlocking, avoids data wiping, and sets the foundation for further data extraction.
B. Unlocking Huawei P7
Many Huawei phones are loaded with bootloader locks, and cellphone rooting, data extraction and data recovery can be conducted only after these locks are disabled. Unlocking methods for Huawei phones are explained in the following section by taking Huawei P7 as an example.
1. Preparation
① Download Mobile Phone Driver from the official website of Huawei terminals and install the drive on PC.
② Download ADB Tool-box developed by Google and install the tool-box on PC. If the tool-box is installed in the directory D:\adb_tools-2.0, please make sure file fastboot.exe exists in the same directory.
③ Apply an unlocking code on the official website of Huawei (http://www.emui.com/) , as shown in picture 4.
Picture 4: Apply an unlocking code on Huawei official website
2. Unlocking Procedures
① Enter Fastboot Mode
Enter fastboot mode by following these steps (picture 5): Turn off the cellphone (shut down the ‘Quick Boot’ function in Settings, or remove the battery from the cellphone for more than 2 seconds), and press Voice Down and Power Button together (Voice Up and Power Button for Huawei tablets) for more than 10 seconds.
Under conditions where entering fastboot failed through the afore-mentioned steps, follow the following instructions:
Turn off the cellphone (shut down the ‘Quick Boot’ function in Settings, or remove the battery from the cellphone for more than 2 seconds), plug in USB cable, and press Voice Down and Power Button together for more than 10 seconds.
Picture 5: Cellphone is locked under fastboot mode
② Connect Cellphone to PC
Use USB cable to connect cellphone to PC, open command window on PC, enter ADB installation directory (picture 6), and ensure proper connection between cellphone and PC (affirming method: enter “fastboot devices” in command window, information on proper connection, such as 28cc48bc fastboot, will be presented).
Picture 6:Ensure proper connection between cellphone and PC
③ Execute Unlocking Command
Enter “fastboot oem unlock ****************” in PC command window (*sequence represents the 16-digit unlocking code applied on Huawei official website), as in picture 7.
Picture 7:Execute unlocking command
④ Wait until Completion of Unlocking Process
Picture 8:Cellphone unlocking completed
Consistency of applications and data before and after unlocking indicates successfully avoidance of data wiping and prepares the cellphone for further extraction and recovery.
Picture 9:Cellphone screen before and after unlocking
Conclusion:
Cellphone rooting and system reinstalling are vital during cellphone forensics processes and could only be realized after cellphone unlocking. The problem of possible data wiping during unlocking is successfully addressed by methods developed by data recovery experts from the Key Laboratory of Sichuan Province. With cellphone unlocked, further procedures, including data recovery, data extraction, forensics analysis and authentication, can be conducted through systems such as SalvationDATA SPF(SmartPhone Forensic System) and MTF(Mobile Track Visualization Forensics).
Click HERE to learn more about SPF.
SalvationDATA Blog 