DFU Mode or Device Firmware Upgrade mode allows all devices to be restored from any state. It is essentially a mode where the BootROM. DFU is burned into the hardware, so it cannot be removed.
In this mode, a custom recovery image can be downloaded to the mobile device.
A custom recovery image allows you to:
Experts using custom recovery images can:
A custom recovery image is built for each specific model of mobile device. You cannot use a custom recovery image built for one model on another model.
The disadvantages of this method are:
Many mobile forensic tools support this functionality.
iOS Forensic Toolkit (Elcomsoft) [1]
With this tool you can:
1) Make a physical dump of the iOS device.
2) Extract the file system of the iOS device.
3) Recover the password of the locked iOS device.
Fig. 1. Password to the locked iPhone recovered by iOS Forensic Toolkit.
Oxygen Forensic [2]
1) Get physical dumps of Samsung Android devices without rooting.
2) Decrypt encrypted partitions with user data.
Fig. 2. The main window of Oxygen Software Extractor.
At present, Oxygen Software users have two ways of working with custom recovery images:
1) Using custom recovery images that are included in the program distribution.
2) Using custom recovery images, available in the Personal Area.
If the user selects the Samsung Android dump method in the Oxygen Software Extractor window, several different icons are shown:
Fig. 3. The Oxygen Software Extractor window.
If the custom recovery image is included in the distribution of the program, the device will be marked with a green icon. You can work with this device without installing additional custom recovery images. However, it is recommended to download the new package of custom recovery images from the Personal Area. With the new custom recovery images, Oxygen Forensic extracts data faster, works more stably, and can also decrypt encrypted user partitions of devices.
If a custom recovery image exists for the device but is not installed on the user's PC, the selected mobile device model will be marked with a blue icon. This means that you should download the custom recovery image from the Personal Area and install it on your PC in any convenient folder. The program will automatically find and apply the installed custom recovery image.
If the device has not been supported yet, it will be marked with a red icon.
The section with custom recovery images appeared in the Personal Area because, unlike the old custom recovery images, each new custom recovery image is built for a specific model of Samsung device. If all the new custom recovery images were included in the distribution, its size would be several gigabytes. A distribution of this size is inconvenient for users and creates an additional load on the company's update servers. It was decided to share the custom recovery images in the regions where such devices are most common, and to provide them to users separately in the Personal Area rather than in the main distribution. Supported device models can be viewed before downloading the image package by clicking the appropriate link.
UFED (Cellebrite) [3]
As with the previous tools, this tool supports downloading custom recovery images to iOS devices and Samsung Android devices.
A special feature of the tool is the creation of physical dumps of Windows Phone devices.
Fig. 4. The UFED 4PC window.
Magnet ACQUIRE [4]
More recently, the functionality for downloading custom recovery images to mobile devices appeared in Magnet ACQUIRE. Although the distribution does not include custom recovery images today, that is likely to change in the near future.
Conclusion
This article examined DFU Mode and its use in mobile forensics, and indicated the advantages and shortcomings of the method. The main advantages of this method are password recovery for locked devices and decryption of partitions with user data.
Sources
1) iOS Forensic Toolkit https://www.elcomsoft.com/eift.html
2) Oxygen Forensic Detective https://www.oxygen-forensic.com/en/
3) UFED http://www.cellebrite.com
4) Magnet ACQUIRE https://www.magnetforensics.com/magnet-acquire/
Authors:
Igor Mikhaylov & Oleg Skulkin