Physical Imaging Of A Samsung Galaxy S7 Smartphone Running Android 7.0

by Oleg Skulkin & Igor Shorokhov

The release of Android Nougat has brought new challenges for mobile forensic examiners: smartphones running this version most likely have an encrypted user data partition and a locked bootloader, and the classic custom recovery acquisition method, widely used especially for Samsung smartphones, may no longer work. Thankfully, things are not always this bad for examiners. From time to time we find interesting and original ways to extract data at the physical level from the smartphones we examine, and of course it is very important to share that knowledge, so we decided to show you a way to perform a physical acquisition of a Samsung Galaxy S7 smartphone running Android 7.0.

The most challenging part of acquiring this device is that its user data partition is encrypted. This is the most important part of the smartphone’s memory, as it contains user-created content, so even if we perform a chip-off extraction, we get a largely useless image.

The method we are going to use is much like the custom recovery method, with one exception: there is no custom recovery. And yes, this method works for bootloader-locked devices!

You will need:

Let’s go!

  1. Put the device in Download mode.
  2. Start the modified ODIN on your workstation.
  3. Connect the device to your workstation and choose the appropriate boot image, as shown in the following figure:
  4. Click ‘Start’ and wait until the process is finished. There is some magic: if there is a passcode, flashing this boot image resets it. So you can enable USB debugging now.
  5. Unpack the files for rooting and start ‘root.bat’. Now the smartphone is rooted and ready for physical acquisition.

We are going to use Magnet ACQUIRE to image the phone, but you can use the tool of your choice.

Start ACQUIRE and choose the right device. As you can see in the figure, our device has privileged access. What does that mean? It’s rooted, and ACQUIRE detects it.

As our device has privileged access, we can choose the ‘Full’ image type and get the entire contents of the smartphone: the physical image.

Finally choose the destination folder and image name, and fill in other available fields. Click the ‘ACQUIRE’ button and the imaging process will start.

As you can see in figure 6, ACQUIRE is imaging a decrypted (!) data partition.

In our case, it took 3 hours and 27 minutes to create the image (without calculating image hashes).

The whole process took 3 hours and 48 minutes – we got a 23.24 GB SM-G891A image.

Let’s make sure it’s really decrypted and process it with Magnet AXIOM.

First, start AXIOM Process and create a new case.

Choose the evidence source and artifacts type you want AXIOM to extract. As we are dealing with a smartphone image, we’ve chosen all mobile artifacts.

Click the “ANALYZE EVIDENCE” button to start processing.

Once the image is processed, you’ll see that it’s really decrypted: we have lots of different forensic artifacts extracted by AXIOM, as shown in figure 11.

If you change Artifacts view to File System view, you can browse the file system and see once again that the image isn’t encrypted.
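The decryption check above is done visually in AXIOM. The same question can be answered directly against the image file, and the answer can go into the acquisition log together with a hash. The following is an added example written for this article; it is not the authors’ code and not part of Magnet ACQUIRE or AXIOM. It assumes the userdata partition is ext4 (as on Samsung devices of this generation), so a decrypted image carries the ext4 superblock magic 0xEF53 at offset 1024 + 0x38, while a still-encrypted partition looks like uniformly random bytes with no filesystem signature. The two sample images, the path string and the `com.example.app` name are constructed stand-ins, not data from a real device.

```python
"""Sanity checks on an acquired Android userdata image (added example, constructed data).

Assumptions (not from the article): the userdata partition is ext4, so a decrypted
image carries an ext4 superblock at offset 1024 with magic 0xEF53; an image that is
still FDE-encrypted is indistinguishable from random bytes and carries no signature.
"""
import hashlib
import math
import mmap
import random
import struct
from collections import Counter

EXT4_SUPERBLOCK_OFFSET = 1024      # primary superblock starts 1 KiB into the partition
EXT4_MAGIC_FIELD_OFFSET = 0x38     # s_magic field inside the superblock
EXT4_MAGIC = 0xEF53
BLOCK_SIZE = 4096
HIGH_ENTROPY = 7.8                 # bits/byte; ciphertext and compressed data sit near 8.0
MAX_SAMPLED_BLOCKS = 4096          # a multi-GB image is sampled, not read block by block


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, approaching 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_ext4_superblock(image) -> bool:
    """True if the little-endian s_magic field holds 0xEF53 (works on bytes or mmap)."""
    off = EXT4_SUPERBLOCK_OFFSET + EXT4_MAGIC_FIELD_OFFSET
    if len(image) < off + 2:
        return False
    return struct.unpack_from("<H", image, off)[0] == EXT4_MAGIC


def assess_image(image) -> dict:
    """Classify an image as decrypted, likely encrypted, or needing manual review."""
    total_blocks = max(1, len(image) // BLOCK_SIZE)
    step = max(1, total_blocks // MAX_SAMPLED_BLOCKS)   # evenly spaced sample of blocks
    sampled = [shannon_entropy(bytes(image[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]))
               for i in range(0, total_blocks, step)]
    high_fraction = sum(1 for e in sampled if e >= HIGH_ENTROPY) / len(sampled)
    ext4 = has_ext4_superblock(image)
    if ext4:
        verdict = "decrypted"          # filesystem structures are readable in the clear
    elif high_fraction >= 0.95:
        verdict = "likely_encrypted"   # uniformly random-looking, no filesystem signature
    else:
        verdict = "inspect_manually"   # e.g. f2fs userdata, or a partial/sparse image
    return {"ext4_signature": ext4,
            "high_entropy_fraction": round(high_fraction, 3),
            "sampled_blocks": len(sampled),
            "verdict": verdict}


def sha256_hex(image) -> str:
    """Hash for the acquisition log; compute it on the image as acquired, before analysis."""
    h = hashlib.sha256()
    for i in range(0, len(image), 1 << 20):
        h.update(image[i:i + (1 << 20)])
    return h.hexdigest()


def assess_file(path: str) -> dict:
    """Run the checks against an on-disk image without loading it into memory."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        result = assess_image(m)
        result["sha256"] = sha256_hex(m)
        return result


# --- constructed samples standing in for a real image (no real device data) ---
def build_sample_decrypted(size: int = 64 * 1024) -> bytes:
    buf = bytearray(size)  # mostly zero-filled, like unused blocks on a fresh filesystem
    struct.pack_into("<H", buf, EXT4_SUPERBLOCK_OFFSET + EXT4_MAGIC_FIELD_OFFSET, EXT4_MAGIC)
    path = b"/data/data/com.example.app/databases/"   # hypothetical directory entry text
    buf[8192:8192 + len(path)] = path
    return bytes(buf)


def build_sample_encrypted(size: int = 64 * 1024) -> bytes:
    rng = random.Random(2017)  # seeded so the run is reproducible; stands in for ciphertext
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    for name, img in (("decrypted", build_sample_decrypted()),
                      ("encrypted", build_sample_encrypted())):
        print(name, assess_image(img), sha256_hex(img)[:16])
```

For a real acquisition, call `assess_file("path/to/image.bin")` on the partition image; if the file is a whole-device image with a partition table rather than a single partition, the superblock check must be offset to the start of the userdata partition, which this example does not parse. The entropy heuristic is deliberately secondary: the ext4 signature is the decisive indicator, and a high-entropy image without it is flagged for a closer look rather than declared encrypted outright.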

As you can see, sometimes it is quite useful to spend more time on research, as it can help to find new ways of physical imaging even for new devices with built-in anti-forensic technologies. Of course, the demonstrated technique isn’t as forensically sound as we would like it to be, but it’s better than a trivial logical acquisition. Don’t forget to document everything you do thoroughly, especially when dealing with non-standard acquisition techniques.

About the authors

Oleg Skulkin, MCFE, ACE, is a digital forensic examiner from Sochi, Russia. He is the author of Windows Forensics Cookbook (with Scar de Courcier) and Cyber Forensicator blog (with Igor Mikhaylov).

Igor Shorokhov, MCFE, ACE, OSFCE, is Chief Information Officer at Digital Forensics Corp.

About Scar de Courcier

Scar de Courcier is Senior Editor at Forensic Focus.


26 thoughts on “Physical Imaging Of A Samsung Galaxy S7 Smartphone Running Android 7.0”

  1. In step 4, you state:

    “if there is a passcode, flashing this boot image resets it.”

    To be clear, you are saying if the device has a passcode (and in my experience this is increasingly true), this process will reset the _user data_ partition, correct?


    Posted by ahoog42 | August 9, 2017, 1:21 pm
  2. We used this method for 2 passcode-protected S7 devices, and no, flashing this boot image resets the passcode, but doesn’t reset the userdata partition.

    Posted by Oleg Skulkin (@oskulkin) | August 10, 2017, 9:53 am
  3. I have tried several times to complete this process and each time it fails. Need help!!!

    Posted by bill | August 14, 2017, 10:05 pm
  4. Bill, you need another boot image, because you have a different model; check XDA Developers to find it.

    Posted by Oleg Skulkin (@oskulkin) | August 15, 2017, 8:06 pm
  5. Does the boot file work for a SM-G935F or is it just for SM-G891A?

    Posted by Per Johansson | August 16, 2017, 10:03 am
  6. I thought that maybe the answer but didn’t know where else to look. Thanks for the info.

    Posted by Bill | August 16, 2017, 11:56 am
  7. Which Android patch is installed on the phone you used for this experiment?
    Can you repeat this experiment with a SM-G935F with a new patch?
    Thank you

    Posted by jumha | August 19, 2017, 6:46 am
  8. Oleg, is there a solution for sm-g930f or sm-g935f?

    Posted by Rafael | August 20, 2017, 1:17 pm
  9. Great content and thanks a lot for sharing!

    Posted by Agufa Semenye | August 20, 2017, 3:47 pm
  10. hi guys~~ thanks…
    um.. Can I use this image on another model?

    Posted by kgc | August 23, 2017, 8:19 am
  11. hi 🙂
    Did you modify the Odin program? Or is it just the 3.12.7 version?

    Posted by hansomeguy | August 24, 2017, 7:08 am
  12. Once an Android phone is rooted, can I get a decrypted image from any Android phone?

    Posted by Alex | September 2, 2017, 2:38 am
  13. Hello,
    is there a solution for SM-G935F?

    Posted by Alen | September 4, 2017, 8:23 am
  14. Working on any model other than SM-G891A?

    Posted by Wayne Flores | November 5, 2017, 11:54 am
  15. Boss, excellent content. Is there any way to get magnet axiom for free? Or, is there any other tools that could be used? Thanks. Kalam

    Posted by Kalam | February 21, 2018, 11:15 am
  16. Downloads are gone…. Is it for the SM-G930F? It means G891A; is this also a Samsung S7?

    Posted by Colin | April 17, 2018, 8:43 am
  17. A smartphone running Android 7 is really great because after the release of Nougat the full view of Android has changed because of its new awesome features. I have loved the OS very much for its awesome features.

    Posted by Firefox Technical Support | August 11, 2018, 6:02 pm
  18. You write “There is some magic: if there is a passcode, flashing this boot image resets it.”
    What if the phone is additionally secured via password before booting like described here ?
    As far as I understand there is no “default_password” anymore and thus userdata can’t be read by this method.

    Posted by Thorsten | May 3, 2019, 12:14 pm
  19. Great piece! Concise. Really appreciate your sharing the knowledge. 🌟🌟🌟🌟🌟

    Posted by Tony | June 4, 2019, 2:33 pm


  1. Pingback: iOS vs. Android: Physical Data Extraction and Data Protection Compared | ElcomSoft blog - October 20, 2017
