Recovering “boot looping” Samsung devices

Are you experiencing issues with Samsung devices becoming stuck in a “boot loop” and never progressing past the Samsung logo when starting up?

Commercial forensic tools sometimes experience problems when attempting to perform lock bypass and/or physical extractions of Samsung devices and these issues can result in the examiner being unable to boot the device normally.

Help is at hand!

As part of our Defeating Android Locks & Encryption course we teach students how to recover from boot loops and return devices to their correct operation.

Not only that, we teach delegates how to bypass lock screens on a wide range of recent Samsung models without the need for commercial forensic tools.

Contact us to check availability and pricing.

Extra Foundation in Mobile Phone Forensics course date added

Due to increased demand for places, we have added an extra Foundation in Mobile Phone Forensics course into our schedule, running 18-22 March. This 4½ day course is designed for staff starting out in mobile device forensics and prepares them for undertaking evidential casework.
In the words of two delegates from our September 2018 course:

  • “Best course I’ve been on in 20 years in the job!”
  • “The trainer was superb, the course was fun, dynamic and interactive.”

Contact us to enquire about availability

Squeezing even more out of your training budget

Our next Demystifying Hex Data course runs 4-7 March and we’re offering a special incentive to those who want to recover more evidence from apps and physical extractions. If you book one delegate place on the March course at full price, you will be entitled to book a place for a colleague at half price.

Demystifying Hex Data is a 3½ day training course which aims to take the fear factor away from working with raw data extracted from any electronic device. The end result is that delegates are able to decode apps and recover deleted data which forensic tools may have missed.

Contact us to find out more.

Book 2019 courses at 2018 prices

For the first time in 4 years, our prices will be increasing in January 2019. The price rise applies to bookings received after December 31st 2018.

You can still book courses taking place in 2019 at our current prices by submitting your booking forms before January 1st 2019.

Although the cost of purchasing a new Training Pass will increase, the credit costs for individual courses will remain the same (so current holders of a Training Pass are not affected).

Get in touch if you would like more information.

New training tackles Android locks and encryption

We’ve extended our range of mobile forensic training in 2018 with a brand new 4½ day Defeating Android Locks & Encryption course. This advanced level course is designed to give delegates the knowledge and tools to gain access to data on locked and encrypted Android devices.

The course is aimed at teaching delegates advanced “custom recovery” techniques for bypassing device locks and encryption on current Android devices. The training is heavily “hands-on” with an emphasis on current Samsung devices; delegates will learn how to bypass locks regardless of whether USB debugging is on or Full Disk Encryption is enabled.

As well as these advanced acquisition methods, delegates will learn how to develop an in-house password cracking capability using dedicated multi-GPU hardware and intelligent password cracking strategies. Delegates will gains hands-on experience cracking Android PINs, passwords and Full Disk Encryption (FDE).

Our next course runs 24 February  – 28 September 2018 at Wyboston Lakes, Bedfordshire, UK. Get in touch to check availability.

Hex analysis training is back on the menu

We’re delighted to announce the launch of a new 3½ day hex analysis training course for digital forensic practitioners, Demystifying Hex Data. This intermediate level course will explain hex data in simple terms and give existing mobile forensic examiners a true understanding of the data recovered and decoded by forensic software tools. Delegates will leave the course confident in navigating and carving data using a hex editor, and capable of recovering and presenting evidence which commercial forensic tools may have missed.

The course not only covers text encodings (including ASCII and Unicode), regular expressions and Endian-ness but crucially shows delegates how these concepts have practical application in tasks such as finding and then repairing unplayable 3GP/MP4 video files.

Our next scheduled course runs 9-12 July 2018 at Wyboston Lakes, Bedfordshire (UK). Get in touch to check availability.

Over 140 ‘direct eMMC’ pinout schematics on emmcpinouts.com

Direct eMMC is a technique for securing a physical extraction of a wide variety of mobile devices including Android and Windows handsets and tablets, satnavs and even some Chromebooks. The technique involves connecting to specific points on the circuit board of the phone which are typically documented on a pinout diagram. Locating a reliable pinout diagram for the device is key to success and efficiency with the technique which is why Control-F launched emmcpinouts.com in collaboration with FoneFunShop.

emmcpinouts.com currently hosts clear and (most importantly) tested pinout diagrams for over 140 devices and it is regularly updated as we trace new devices. We’re always keen to hear about devices that you would like to see pinouts for.

Annual subscriptions offering unlimited access to the site are only 280GBP + VAT but browse the site today for free to see which devices are represented.

Get in touch if you’d like to find out how direct eMMC could help your department or how to get access to emmcpinouts.com

Samsung Galaxy S6 chip-off

Samsung introduced UFS flash memory with the Samsung Galaxy S6 on account of it’s faster read/write speeds compared with eMMC chips. Samsung uses UFS in the S7 and will in the S8, and the technology is being adopted in flagship devices from other manufacturers. Performing chip-off on UFS flash memory is possible but requires specific equipment and variations on standard techniques.

Our 4½ Flash Memory Chip Removal training course teaches students how to safely remove and recover evidence from eMMC, UFS and proprietary flash memory chip formats. The techniques are ideally suited to locked, damaged or unsupported devices where no other practical option exists for extracting data. Students will get hands-on experience of performing chip-off on a Samsung Galaxy S6.

Here’s what delegates on our March 2017 course had to say:

  • “Probably the most I’ve learnt on any course I’ve been on.  Good group and good trainers and good learning material”
  • “Very professional and enthusiastic trainers who are a credit to the company.  I would have no hesitation in recommending this course or any other Control-F courses”

Get in touch to check availability on our next course.

Understanding Write Ahead Logging in SQLite

Write Ahead Logging (WAL) is a mechanism used by SQLite databases to manage pending changes to their contents; such pending changes are stored initially in files with the suffix -wal. WAL files represent a potential source of key evidence as they can contain app data (e.g. messages, browser history etc.) which is not live within the main database file and therefore may be missed by some forensic software tools. Understanding WAL files and how to recover evidence from them is a key part of investigating pre-installed and 3rd party apps.

In our 4½ day Smartphone App Forensics course we teach delegates techniques for preserving the contents of WAL files and ensuring that those contents can be viewed, interpreted and presented in evidence. Get in touch to check availability on our next course.

Chip-off – isn’t that just for BlackBerrys?

We’ve been running chip-off training since 2013 and during that time we’ve taught a lot of delegates how to recover evidence from locked BlackBerry handsets. It feels like the right time to dispel some myths about chip-off and explain how the technique is just as relevant as it’s ever been (despite BlackBerry’s demise!)

chip_off_training_lab_web

 

MYTH 1 – Chip-off is only useful for locked BlackBerrys (and we hardly see any these days)

It’s true that locked BlackBerrys have historically been the most common scenario when chip-off has been utilised, but the same techniques can be applied to other devices with great results. Previous course delegates are routinely using chip-off techniques to secure physical extractions of Windows Phone devices which can’t be performed in commercial tools as well as locked and unsupported Android devices where even Direct eMMC (ISP) isn’t viable.

 

Delegates on our Flash Memory Chip Removal course perform chip-off on Nokia Lumia and Sony Xperia devices for which chip-off is ideally suited.

 

 

MYTH 2 – Chip-off is destructive to the device

Chip-off is typically performed using hot air to de-solder the flash memory from the printed circuit board (PCB) of the device, and usually components are damaged during the process. In other words, chip-off is undertaken in such a way that the device won’t work again (but acquiring the memory contents can justify this). But it doesn’t need to be so.
Using the right techniques, it’s possible to de-solder the flash memory chip (whilst protecting the rest of the device), read the chip and then re-solder it and re-assemble the device. If the device can be used after chip-off then new opportunities arise, such as entering passwords (recovered from the extracted data) into the device. This means that the device itself can be used to unlock and decrypt stored data and a manual examination or logical extraction can be performed. The approach won’t work in every case (so the process should still be assumed to be destructive), but the ability to restore the device to a working condition is extremely powerful.

 

We have been busy refining such techniques; our record is de-soldering and re-soldering the same eMMC chip ten times and the handset still works! We now teach delegates how to re-solder flash memory chips after data has been extracted from them.

 

MYTH 3 – Chip-off is really expensive

The simple answer to this is that chip-off can be expensive, but it absolutely doesn’t need to be. Infra-red rework stations can be used to de-solder flash memory chips instead of using a hot-air approach. Although these can be effective, they are expensive and are not well suited to flash memory which has been glued to the PCB using epoxy. For these reasons we use a cheaper and more flexible approach of hot air guns and hot air pencils in our training.

 

The equipment needed to de-solder and extract data from the eMMC flash memory chips found in almost all current smartphones and tablets can be purchased for under £2,000(including a fume extraction system). For organisations already outsourcing devices for chip-off, these equipment costs are easy to justify.