A question sometimes comes up at forensic conferences and on Internet sites: “Is it possible to create a complete copy of the memory of a mobile device without superuser privileges (i.e. create a full copy of the memory of a “non-rooted” mobile device)?” Yes, it is possible. You can use hardware methods to create a complete copy of the memory of such a device: connecting to the device through its testing and debugging interface (JTAG interface), or reading data directly from the memory chip (the “chip-off” method). There are also software methods, which typically exploit various vulnerabilities in system software and can extract data from mobile devices without root privileges. This is possible for modern LG devices and a number of other devices, for example, devices that use “MTK” processors (MediaTek Inc.). In this article, we’ll talk about how to make a complete copy of the memory of an LG mobile device without superuser rights, and discuss a number of other aspects of an examiner’s work with LG mobile devices.
LG has developed a technology that greatly simplifies replacing the system firmware on a device. This technology is called “LAF” (LG Advanced Flash). Initially, LAF was developed for LG service centers. In particular, it made it possible to restore LG mobile devices that do not turn on and do not react to attempts to turn them on (devices often end up in this state after an attempt to escalate user privileges in the operating system, or after errors during a system software update performed by unqualified users). However, a large number of utilities that use this technology to flash modified system software onto LG mobile devices quickly appeared outside specialized service centers.
LAF protocol
LAF documentation is the property of LG and has not been published openly. However, enthusiasts reverse-engineered the proprietary files “Send_Command.exe” and “LGD855_20140526_LGFLASHv160.dll” and obtained the following information [1]:
LAF is a simple request/response protocol that works over the USB interface. Each message consists of a header followed by a body. The header contains 32-bit words. The integers are coded in direct sequence.
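The header-plus-body framing described above can be checked on captured USB traffic with a small parser. This is an added example, not code from the original article, from LG, or from any forensic tool named here. The field layout (command, four arguments, body length, CRC-16, bitwise-inverted command) and the little-endian byte order are assumptions not stated on this page, and the `TEST` command and sample frame are constructed.

```python
import struct

# Assumed layout (not given on this page): eight 32-bit little-endian words:
# command, arg1..arg4, body length, CRC-16, bitwise-inverted command.
HEADER = struct.Struct("<8I")
MASK32 = 0xFFFFFFFF


class LafFrameError(ValueError):
    """Raised when a captured frame fails a structural check."""


def parse_laf_frame(frame: bytes) -> dict:
    """Split one captured LAF message into header fields and body."""
    if len(frame) < HEADER.size:
        raise LafFrameError(f"short header: {len(frame)} of {HEADER.size} bytes")
    cmd, a1, a2, a3, a4, body_len, crc, inverted = HEADER.unpack_from(frame)
    # Integrity check 1: last word must be the bitwise complement of the first.
    if inverted != (~cmd & MASK32):
        raise LafFrameError("inverted-command word does not match command")
    body = frame[HEADER.size:]
    # Integrity check 2: declared body length must match the bytes captured.
    if len(body) != body_len:
        raise LafFrameError(f"body length {len(body)} != declared {body_len}")
    return {
        "command": frame[:4],        # four-byte command tag as sent on the wire
        "args": (a1, a2, a3, a4),
        "crc16": crc,                # reported, not verified here
        "body": body,
    }


def sample_frame() -> bytes:
    """Constructed sample: placeholder command b'TEST', CRC field left at 0."""
    cmd = int.from_bytes(b"TEST", "little")
    body = b"constructed body"
    return HEADER.pack(cmd, 1, 2, 0, 0, len(body), 0, ~cmd & MASK32) + body


if __name__ == "__main__":
    print(parse_laf_frame(sample_frame()))
```

A frame that fails either check in a capture points to truncation or corruption during acquisition and is worth recording in the examination notes.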
Structure of the message
LAF instructions
List of identified instructions:
Boot Mode
The main conditions for successfully switching an LG mobile device to Download Mode and creating a complete copy of its memory are:
1) Installing the latest driver for LG mobile devices.
2) Following the instructions for switching the device to the Boot Mode.
Fig. 1. “Oxygen Forensic Suite” instructions for switching an LG mobile device to Download Mode
There is an alternative instruction for switching an LG mobile device to Download Mode, published on the site “LG Download Mode utility and documentation” [1].
Fig. 2. The image on the LG phone screen switched into the “Firmware Update” mode.
Creating a physical dump
To create a full copy of the memory of an LG mobile device, you must:
Run the Data Extraction Wizard and select the option “LG Android dump”:
Fig. 3. The main window of the Data Extraction Wizard
Then follow the instructions in the “Download Mode” section of this article.
After that, click “Next”. After a short time you will see that the device is connected to the Data Extraction Wizard, and you can proceed directly to creating a full copy of the mobile device’s memory.
Fig. 4. The Data Extraction Wizard window with a connected LG mobile device
Fig. 5. The process of creating a full copy of the mobile device’s memory
Disabling screen lock
You can disable the screen lock on LG mobile devices. It does not matter which type of lock the device owner has set: PIN, pattern, or fingerprint access.
To perform this operation, select the option “Unlock the screen lock” in the main window of the Data Extraction Wizard.
Fig. 6. The item “Unlocking the screen”
Then follow the instructions of the Data Extraction Wizard.
Fig. 7. Data Extraction Wizard instructions required to unlock the phone screen
While running, the program sends the command ‘unlock device’ to the LG phone. After that the phone will be unlocked. No other data in the system partition of the mobile device is changed.
Specifics of working with devices running the Android 6 operating system
When examining mobile devices running version 6 of the Android operating system, the expert may encounter the following problems:
Conclusion
Getting a full copy of a mobile device’s memory and gaining access to the data on a locked mobile device are important steps in obtaining meaningful information when investigating cases. This article explored how to get a full copy of an LG mobile device’s memory without superuser privileges and how to access the data of a locked LG mobile device, regardless of the type of lock set by the device owner. Specifics of working with mobile devices running the Android 6 operating system have also been considered.
Sources:
Authors:
Igor Mikhaylov & Oleg Skulkin