Samsung device data extraction in Oxygen Forensic® Detective

Samsung Electronics Co., Ltd. has been leading the global market in manufacturing mobile phones, smartphones, and tablet computers for many years. Gaining access to digital evidence stored in popular Samsung devices has always been of vital importance to forensic investigators. Knowing this, Oxygen Forensics offers comprehensive support for Samsung devices.

Let’s have a look at how Samsung data can be extracted using our software.

Samsung Smart Switch backups

In Oxygen Forensic® Detective 13.2 we’ve introduced the ability to import, decrypt, and parse data from Samsung Smart Switch backups. Samsung Smart Switch is a program used to transfer contacts, photos, music, messages, notes, and other media between Samsung Galaxy devices. Samsung Smart Switch backups can be created using Samsung Smart Switch on a desktop or with the mobile app.

This backup is a great alternative source of evidence when investigating Samsung devices. Currently, decryption is possible but only with a known password.

Once imported, the Samsung backup evidence set will include contacts, calls, messages, cached app pictures, apk files, Samsung web browser data, information about Wi-Fi connections, and access points.

Samsung Exynos Dump

Earlier this year, we introduced the ability to bypass screen locks, perform physical acquisitions, and decrypt data from Samsung devices based on Exynos chipsets. This functionality is available for Samsung devices running Android OS 7, 8, and 9 and covers over 100 device models. We have also built into the interface a way for users to request support for an unsupported Samsung model.

Oxygen Forensic® Detective performs physical acquisitions without changing the KNOX counter. If Secure startup is enabled on a device, our powerful software offers the ability to brute force the passcode in order to decrypt a physical dump.

If physical acquisition is not possible, investigators always have the option to run a logical extraction using the OxyAgent and ADB backup from any unlocked Samsung Android device. In using the OxyAgent utility, investigators will gain access to not only basic data like contacts, calls, and messages but will also be able to screenshot any Samsung Android data and extract WhatsApp and Signal Messengers.

Samsung Data from Cloud

In addition to data extraction and backups for Samsung devices, we offer exclusive access to Samsung data from the cloud. Currently, our Cloud Extractor supports 4 cloud services: Samsung Cloud backups, Samsung Secure Folder, Samsung Cloud data, and Samsung Health.

1. Samsung Cloud backups. Oxygen Forensic® Cloud Extractor offers authorization via login/password and token extracted from a mobile device.

Evidence sets will include:

  • Account information
  • Contacts
  • Calendars
  • Calls
  • SMS and MMS messages
  • Tasks
  • WiFi points
  • Web Browser bookmarks
  • We Browser saved pages
  • Apk file revisions, documents, music, voice recordings

2. Samsung Cloud Data. Authorization in this service is also possible via login/password or token extracted from a mobile device. Compared to Samsung Cloud backups, this service allows investigators to extract actual data available on Samsung Android devices.

Evidence sets will include:

  • Account information
  • List of registered devices
  • Contacts
  • Calls
  • SMS and MMS messages
  • Standard notes
  • SNote notes
  • Opened Web Browser pages
  • Web Browser bookmarks
  • We Browser saved pages
  • Photos and videos including deleted ones

Extracted photos and videos have 3 statuses: Normal, Trashed and Deleted. If an artifact is marked as trashed, the Oxygen Forensic® Cloud Extractor will fully recover it. However, if it is marked as deleted, investigators will only be able to view the file information.

3. Samsung Secure Folder. Authorization in this service is only possible via login/password.

Samsung Secure Folder allows users to store all their files, photos, videos, and apps in a secure place within the mobile device. The folder is protected by the defense-grade Samsung Knox security platform, making sure that information is kept safe from any malicious attacks. Using Oxygen Forensic® Cloud Extractor, investigators will gain access to the following evidence:

  • Apk file revisions
  • VCARD (contact cards, *.vcf)
  • VCAL (calendar cards, *.ics)
  • User documents

4. Samsung Health. Oxygen Forensic® Cloud Extractor offers authorization in this service via login/password and token extracted from a mobile device.

Evidence sets will include:

  • Account information
  • List of workouts
  • Geodata of workouts
  • Photos of workouts
  • Nutrition information
  • Information about health

Looking to try before you buy? Ask for a fully-featured demo license.

Leave a Reply

Your email address will not be published. Required fields are marked *