1. Overview

Editor’s note: Jan-2018, it’s reported that the China Police has found a Samsung smartphone to be involved in a gambling crime might contain useful evidence which was carried by the suspect; and the suspect refused to unlock the screen lock of the targeted smartphone in any way. The investigator tried to get access to the operating system of the targeted device through the flashing method but failed due to the unknown reason so led the result that the targeted phone cannot be powered on. Fortunately, SalvationDATA experts possess the rich experiences of dealing with this kind of situation and assisted the police investigator to extract data from the suspected device successfully.

2. Analysis

1. The reason why the phone couldn’t be booted up might be the damage of firmware. It was caused by the misoperation of implementing the flash program to the targeted device. Consequently,  there are two options: 1)Re-Flash the official and authorized recovery program package to the unallocated partition of internal storage; 2)Re-Flash third-party ROM.

2. It is important and reasonable to choose the appropriate third-party ROM after the flashing operation being done.

3. As the operating system has been restored, we can use SPF to extract and analyze the data is contained in the targeted device.

3. Operation

Step 1. Below picture shows the system failed to boot up:

SalvationDATA Mobile Forensics Extraction Bricked Phone

Step 2. Hold the “power” button to power off, then hold “power” “home” and “Volume-“ to enter download mode:

2

Step 3. Flash third-party recovery, then power off and hold power” “home” and “Volume+“ to enter recovery mode:

3

Step 4. Smartphone failed to enter recovery mode and automatically enters the system. After analysis we found that this phone must be flashed with v6.0.5 cwm recovery, remove the battery and enter recovery mode.

Step 5. Then use SPF Pro to extract the smartphone data, open the Samsung physical extractor and image the whole memory chip.

Image 6.jpg

Step 6. After physical imaging completed, load and analyze the image files with SPF Pro

Image 8.jpg

Image 9.jpg

Step 7. SPF Pro automatically switches to the analysis page, users could also generate the forensic report with SPF Pro.

Image 10.jpg

4. Conclusion
For some of the old Samsung models, there is no CROM lock. So if the screen cannot be unlocked, we can try to use Samsung’s download mode to flash third-party recovery. And then use SPF to create a physical image of the smartphone. For some of the other models, we need to remove the battery when failed to enter recovery mode.

 

 

 

Advertisements