1. Overview
Editor’s note: Jan-2018, the Sichuan police solved a gambling case, a Samsung smartphone was found when capturing the suspect. And the suspect refused to give up the password. The investigator mistakenly corrupted the phone’s operating system when trying to flash it, and the phone couldn’t power up. Let’s see how SalvationDATA forensic experts managed to extract data from such corrupted device.
2. Analysis
1. The phone couldn’t boot up, the firmware is corrupted. This is caused by some error when flashing the phone. So we have two options to deal with this: 1. Flash the phone with official package except for the data partition. 2.Flash third-party ROM.
2. In order to extract the smartphone data after flashing, choosing a third-party ROM seems more reasonable.
3. After system restored, we can use SPF to extract and analyze the smartphone data.
3. Operation
Step 1. Below picture shows the system failed to boot up
Step 2. Hold “power” button to power off, then hold “power” “home” and “Volume-“ to enter download mode
Step 3. Flash third-party recovery, then power off and hold power” “home” and “Volume+“ to enter recovery mode
Step 4. Smartphone failed to enter recovery mode and automatically enters the system. After analysis we found that this phone must be flashed with v6.0.5 cwm recovery, remove the battery and enter recovery mode.
Step 5. Then use SPF to image the smartphone data, create a task and image the whole memory chip
Step 6. After imaging complete, load and analyze the image with SPF
Step 7. SPF will automatically switch to analysis page, users can also generate a report with SPF
4. Conclusion
For some of the old Samsung models, there is no CROM lock. So if the screen cannot be unlocked, we can try to use Samsung’s download mode to flash third-party recovery. And then use SPF to create an image of the smartphone. For some models, we may need to remove the battery when failed to enter recovery mode.
SalvationDATA Blog 