Wednesday, February 6, 2013


Today I rooted the Samsung Galaxy camera. Someone already figured out how to do this, so it made my research process go a lot faster. There are multiple tutorials online for rooting the camera, but the one I found to be the easiest can be found here.

The first thing I did was shut off the camera and download the recovery and cache package, CF-Auto-Root, and the flashing tool, Odin3. I then held the Power On + Volume Down + Camera buttons to get the camera to boot to download mode.

Once in download mode, I opened Odin3 and plugged in the camera to my workstation. The ID:COM section will turn yellow when the camera is recognized, which can be seen below.

Next in the PDA section, I selected the CF-Auto-Root.tar.md5 file and pressed start. When the process was over and the camera was rooted, Odin showed me this:

The camera automatically rebooted and started as normal. I knew the device was rooted because the application SuperSU was found.

I unplugged the camera and then plugged it back in. I opened FTK Imager hoping that the camera would at least be recognized, but it wasn't. I tried to use dd to image the device, but had no luck doing so. DD did not recognize the camera either. Running out of options, I decided to try EnCase 7 to try to acquire the device. EnCase 7 has smartphone acquisition capabilities and obviously Android was an option.

Once the acquisition was complete, I was able to view all the contents of the camera. Now that I know I can acquire the camera, I will start deleting some data to see if I can find it later in EnCase 7.

Monday, February 4, 2013

Roadblock #1

So for some reason I had the idea that everything would work out smoothly. I would generate some data on the camera, delete some emails and pictures, image the camera and start my analysis. Luckily, I was proved to be wrong early on in the acquisition process. The camera gets recognized as a portable media player and cannot be imaged with FTK Imager. I thought this was a slight hiccup, and maybe I could use some other method to extract the data. I decided to go to Champlain's on-campus forensic lab and use the XRY software we have.

Everything seemed to be going smoothly. XRY recognized the camera as a Samsung USB modem, but could not acquire it. I'm really unsure as to why this happened, but my guess is the software I was attempting to use was not made for cameras. My next option was to image the SD card and see what I could get. To my surprise, there wasn't one at all. Just a piece of plastic in the microSD slot. I could obviously buy an SD card, but would that provide me with Facebook, Twitter, and email data? Probably if I moved the application data to that external storage. But how often are people doing this? From a forensic point of view, I doubt we would find much from an SD card being that most users don't think to store their applications on the SD card and use internal storage instead.

I remembered an activity we did in my mobile forensics class using Santoku and decided to try this method just for fun. I downloaded the ISO and created a virtual machine. A tutorial on how to use Santoku with Android can be found here:

Below are the results AFLogical presented to me when I attempted to extract data from the camera:

AFLogical OSE was installed on the camera using the command 'adb install AFLogical-OSE_1.5.2.apk'

Next, I used the mkdir command to create a folder for the output. 'adb pull' pulls data from the SD card.

I located the output files

Inside both output folders, these files were found

This was the only picture extracted from the camera

So although there is no SD card, AFLogical was still able to extract one picture from the Samsung Galaxy camera. Call logs, contacts, MMS, and SMS were not extracted by the software, so I needed another option to get all the data I want.
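The mkdir and adb pull steps above can be wrapped so that the pulled output is hashed the moment it lands on the workstation. This is an added example, not the commands from the original post; the function names, the /sdcard/forensics remote path and the use of GNU sha256sum are assumptions.

```shell
#!/bin/sh
# Added example: wraps the mkdir / adb pull steps and hashes what was pulled.
# Assumptions (not from the post): AFLogical OSE output is under
# /sdcard/forensics, and GNU coreutils (sha256sum, sort -z) are installed.

# Pull the AFLogical output from the device into a case directory.
pull_aflogical() {
    case_dir=$1
    remote=${2:-/sdcard/forensics}   # assumed output location
    mkdir -p "$case_dir" || return 1
    # Continue only if exactly one authorized device is attached,
    # so the pull cannot silently come from the wrong device.
    n=$(adb devices | awk 'NR>1 && $2=="device"' | wc -l)
    [ "$n" -eq 1 ] || { echo "expected 1 device, found $n" >&2; return 1; }
    adb pull "$remote" "$case_dir/"
}

# Write a SHA-256 manifest of every pulled file, sorted for stable output.
# Keep the manifest outside case_dir so it does not list itself.
hash_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# Re-check the pulled files against the manifest; non-zero on any mismatch.
verify_manifest() {
    ( cd "$1" && sha256sum --quiet -c - ) < "$2"
}

# Typical use (requires a connected device):
#   pull_aflogical ./case01 && hash_manifest ./case01 ./case01.sha256
#   verify_manifest ./case01 ./case01.sha256
```

Running verify_manifest again before analysis shows whether any pulled file changed after acquisition; it does not detect files added later.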

I looked into grabbing RAM using LiME and also another Android data extraction method, DDMS. I only did some preliminary research on these tools and have not yet tried them. I found a way to root the camera, so I think I will try that out first because I know it will give me access to the data I'm looking for. If I have time toward the end of this project, I will try to extract data using LiME and DDMS.