Forensic Challenge: Recovering Data From A Jolla Smartphone

answered 2016-09-29 23:05:11 +0300

martonmiklos
2891 ●55 ●122 ●110

http://balubati.atw.hu/bl...

updated 2016-09-29 23:05:33 +0300

Since the phone disassembly revealed the use of an MTK processor

It should be Qualcomm, but nevermind.

answered 2016-09-29 23:33:19 +0300

dmnk
2726 ●39 ●59 ●65

http://www.dmnk.org/

that's "funny". shouldn't the device lock code be queried at the recovery / telnet session?

answered 2016-09-30 14:01:41 +0300

juiceme
4027 ●54 ●78 ●89

updated 2016-09-30 14:32:24 +0300

Yes, I too think that there is something hazy in the way the article presents the use of recovery mode.

If I remember correctly it has always been so that when recovery mode is activated and user connects to the device via telnet it only presents a numeric menu where such actions as "shell" and "btrfs balance" can be selected byt any of the options require entering the device lock code.

However, in the beginning of the article it was clearly stated that the device had 5-digit lock code activated...

---- Edit ---

OK, now when reading the article through with the comments at the end I believe the device probably did not have security code enabled. The way it is said in describing the device lead me to believe so, but in fact it probably meant "The device had a 5-digit pin code before, and then it was factory reset"

After the reset there was no active security code, and the forensics team was attempting to retrieve information from the user data that had been in the device before reset....

To me a more valid case should have been to try to break into a non-factory-resetted device with an active security code.

answered 2016-11-18 23:32:53 +0300

mattiaep
41 ●2 ●2

Hi dmnk and juiceme, I am one of the author of the experiment we did with the Jolla Phone.

I am very pleased that you read the article and I'd like to provide you some answers to your questions and doubts.

First of all, the experiment was a "challenge" to try to demonstrate how it is possibile to recover data from a smartphone also when the owner thought to have deleted all the contents. The test was made during an hacking camp in an absolutely informal environment so it is not in any way intended as to be a tested and complete digital forensics methodology to analyze a Jolla phone, neither a security assessment of the phone.

Personally I have never delt with a Jolla phone in a real case so it was an interesting test to perform.

First of all there was an error in the article: now it is corrected with the Qualcomm chip. Sorry for that.

Secondly, as explictly cited in the article the phone WAS protected with a 5 digits pin code BEFORE it was reset twice, so when we got it it was WITHOUT a pin code. We didn't made any test with an actually locked device.

Third point: the encryption was not activated by the user before the reset.

With these two points in mind, I agree with dmnk "hey we can restore data from a not erased partition": this is exactly what we wanted to obtain.

With the experiment we understood that:

a) Encryption is not activated natively

b) It is possible on a reset phone to have access as root and obtain a full physical dump

That means, in general, that reset a Jolla phone is not enough to "cover the tracks" or "protect my privacy".

Just to make a comparison with other phones, this is not the case with the iPhone and with the latest Android version.

In any case, I think that having new operating system in the mobile world is alwyas a good thing and this kind of tests from us as "forensic guys" can help to enforce the security of the operating system.

Anyway, I am available to go on with the discussion if you like!

Thanks a lot

(Sorry for some typos and errors, I am writing from my phone :)) )