Articles
Now Reading
Mobile Forensics: Device Firmware Upgrade
0

Mobile Forensics: Device Firmware Upgrade

by Igor Mikhaylov2017-05-16

DFU Mode or Device Firmware Upgrade mode allows all devices to be restored from any state. It is essentially a mode where the BootROM. DFU is burned into the hardware, so it cannot be removed.

In this mode, a custom recovery image can be downloaded to the mobile device.

 

A custom recovery image allows you to:

  • Install unofficial recovery images.
  • Install add-ons and fixes.
  • Connect to a computer via USB in removable storage mode.
  • Connect to a computer via USB in ADB mode.
  • Create backups for both a recovery image and its individual parts.
  • Restore data from a previously created backup.
  • Reset the device to the factory settings.
  • Format and create partitions on a memory card.

 

 

Experts, using custom recovery images can:

  • Obtain the physical dump of the device without rooting.
  • Extract encrypted data: mount a partition with user’s data with a known password.
  • Select the password for the encrypted partitions with user’s data.

 

For each model of the mobile device, a custom recovery image is formed. You cannot use a custom recovery image from one model of the mobile device to another.

 

 

The disadvantages of this method are:

  • Loss of warranty. When you download the custom recovery image, the device’s warranty is lost.
  • The custom recovery image remains in the device memory. In order to return the original recovery image to the device, you have to make a copy of it in advance.
  • Downloading the custom recovery image to the device is not always possible, as this function can be disabled. This lock is called FRP lock (Factory Reset Protection) and allows you to protect the device from unauthorized resetting of the user data. There are several ways to disable FRP lock, but as a rule, during the deactivation of this function, the user data is deleted.

A lot of pieces of mobile forensic software support this functionality.

 

IOS Forensic Toolkit (Elcomsoft) [1]

With this tool you can:

1) make the physical dump of the iOS device.

2) Extract the file system of the iOS device.

3) Recover the password of the locked iOS device.

Fig. 1. Recovered iOS Forensic Toolkit password to the locked iPhone.

 

 

Oxygen Forensic [2]

With this tool you can:

1) Get physical dumps of Samsung Android devices without rooting.

2) Decrypt encrypted partitions with user data

Fig. 2. The main window of Oxygen Software Extractor.

At present, Oxygen Software users have two ways of working with custom recovery images:

1) Using custom recovery images that are included in the distribution program.

2) Using custom recovery images, available in the Personal Area.

If you select the Samsung Android dump method in the Oxygen Software Extractor window, the user will see several different icons:

Fig. 3. The Oxygen Software Extractor window.

 

If the custom recovery image is included in the distribution of the program, the device will be marked with a green icon. You can work with this device without installing additional custom recovery images. However, it is recommended to download a new package custom recovery images from the Personal Area. With the help of new custom recovery images, Oxygen Forensic extracts data faster, works more stably, and also allows decrypting encrypted user partitions of devices.

 

If the device has a custom recovery image, but it is not installed on the user’s PC, the selected mobile device model will be marked with a blue icon. This means that you should download the custom recovery image from the Personal Cabinet and install it on your PC in any convenient folder. The program will automatically find and apply the custom recovery image installed.

 

If the device has not been supported yet, it will be marked with a red icon.

 

The appearance of the section with custom recovery images in the Personal Area is due to the fact that the new custom recovery images are collected each for a specific model of the Samsung device, unlike the old custom recovery images. If all new custom recovery images are included in the distribution, then its volume will be several gigabytes. A distribution of this size is inconvenient for users and creates an additional load on the company’s update servers. It was decided to share the custom recovery images in the regions where such devices are most common, and provide them to users not in the main distribution, but separately in the Personal Area. Supported device models can be viewed before downloading the image package by clicking the appropriate link.

 

 

UFED (Cellebrite) [3]

As with previous tools, this tool supports the download of custom recovery images in iOS devices and Samsung Android devices.

A special feature of the tool is the creation of physical dumps of Windows phone devices.

Fig. 4. The UFED 4PC window.

 

 

Magnet ACQIRE [4]

More recently, this functionality for downloading custom recovery images to mobile devices appeared in Magnet ACQIRE. And although today the distribution does not include custom recovery images, it is likely to happen in the near future.

 

 

Conclusion

In this article was examined DFU Mode and its use in mobile forensics. The advantages of this method and its shortcomings are indicated. The main advantages of this method are: password recovery to the locked devices, decryption partitions with user data.

 

Sources

1) iOS Forensic Toolkit https://www.elcomsoft.com/eift.html

2) Oxygen Forensic Detective https://www.oxygen-forensic.com/en/

3) UFED http://www.cellebrite.com

4) Magnet ACQIRE https://www.magnetforensics.com/magnet-acquire/

 

Authors:

Igor Mikhaylov & Oleg Skulkin

Leave a Response


Please enter the result of the calculation above.