You might have found that some applications do not expose the information you need (e.g. messages, call logs) by themselves. This is because the information is encrypted by the developer/manufacturer.
There are a few ways to extract the information you need:
- Rooting / Jailbreaking your device
- Creating a physical image of your device
- Using an App downgrade function in our software MOBILedit Forensic Express
1) Rooting / Jailbreaking
Rooting
Most Android devices should be able to be rooted. However, the process of rooting is specific to each phone model, version of Android and build number, so you always need to find the right tool according to your phone model.
You can root a majority of modern Android phones using an app called KingoRoot. If for some reason this method doesn't work for you (locked bootloader, Knox, etc.), you may be able to find help on how to root your phone at XDA Developers, which is a website with a large active user community dedicated entirely to Android smartphones.
Please note that sometimes it is necessary to unlock your phone's bootloader in order to root it. You can find a step-by-step tutorial on how to unlock the bootloader on your phone manufacturer's webpage.
Once rooting has been completed successfully, the phone is switched to so-called "rooted mode", and you will then be able to extract and analyze the deleted data.
If you are in need of further assistance please let us know and we will look further to help resolve any issue you are experiencing.
Rooting your phone may void the manufacturer's warranty and could cause security risks. Please take this into consideration before performing this process.
Rooting a Samsung device will trip the Knox Warranty void flag, which will make the data stored in Knox permanently inaccessible.
Jailbreaking
There are three ways of jailbreaking your iOS device:
- Tethered - This method requires you to connect your iPhone to your computer and use an external application to jailbreak it. Once you restart your iPhone, the jailbreak is undone, but please note: your device will not be usable until you jailbreak it again using the same method.
- Semi-tethered - This method doesn't require you to connect your iPhone to a computer in order to jailbreak it; however, the jailbreak is still undone every time you reboot your device or after a certain amount of time passes.
- Untethered - This method doesn't necessarily require a computer to perform a jailbreak on your device and also modifies the iOS on a deeper level which means that no matter how many times you reboot your device, it stays jailbroken until you manually "un-jailbreak" it.
There are specific known ways to jailbreak almost every iPhone, iPad or iPod Touch running on almost every iOS, except the latest releases - as it usually takes a few months to find a way of jailbreaking the newest version of iOS.
This means that there is no way of describing them all in a single article.
However, the apps currently used most often for jailbreaking iOS devices are Pangu or Cydia Impactor. You can learn more about how Cydia works on the app developer's official website at this link, or you can read this article which describes a simplified process of iOS jailbreaking.
You can see a full list of available jailbreaks for each device and version here.
Jailbreaking a device may void the manufacturer's warranty and could cause security risks.
Please take this into consideration before performing this process.
2) Creating a physical image of your device
There are many ways to create a physical image of a device. You can, of course, use tools of your own and use our software for extraction, but our product MOBILedit Forensic Express offers some tools as well:
MTK Hack
There is a way of extracting a physical image from phones with MediaTek chipsets without root access (rooting the phone).
This exploit method does not work on all MTK-equipped devices, but sometimes it is the only way of acquiring the physical image because the phone does not have to be booted up or unlocked in order to perform this operation, which means you can try even if the phone is off or locked.
This will not work for most MTK devices with locked bootloaders. In order to use MTK hack on such devices, the bootloader has to be unlocked first.
More information about how to use MTK Hack in MOBILedit Forensic Express can be found here.
EDL Hack
There is also a way of extracting physical images from phones with Qualcomm chipsets without root access (rooting the phone).
This exploit method does not work on all Qualcomm-equipped devices and it is best when used with an EDL cable.
More information about how to use EDL Hack in MOBILedit Forensic Express can be found here.
LG Hack
The "LG Hack" feature works on all LG smartphones with the new version of the LG LAF protocol (a service download mode similar to Samsung Odin download mode). One of the first devices to feature this version was the first LG G flagship.
Every LG smartphone from the year 2013 and newer should, therefore, support our LG hack.
With some of them - LG G4 for example - you are even able to browse the phone's filesystem via the "Browse Phone" option in Forensic Express.
This exploit takes advantage of "LG Flash Mode" - used primarily for updating firmware.
More information about how to use LG Hack in MOBILedit Forensic Express can be found here.
TWRP Method
The device has to have its bootloader unlocked in order to proceed with this method.
Every Android phone has a "recovery" partition which is by default used for performing factory resets using an OEM's preloaded tools. However, this partition can be modified in order to replace the default tools with third-party recovery tools such as TWRP.
These recoveries are (unlike the stock ones) capable of modifying all the internal system partitions of your phone or tablet (they need this capability in order to flash custom firmware).
TWRP even comes with a built-in file manager with unlimited root access so you can modify, add or delete any system files manually. This process allows you to obtain a physical image and therefore bypass the otherwise locked device's protection.
However, if the image is encrypted by the system itself, we are only able to get the encrypted physical image.
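A quick way to check whether an acquired physical image is the encrypted kind mentioned above, as an added example that is not part of MOBILedit Forensic Express or the original article: it scores 4 KiB blocks by Shannon entropy. The block size, the 7.9 bits/byte threshold, the 0.9 ratio and both sample images are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096        # bytes scored per block
THRESHOLD = 7.9     # bits/byte; assumed cut-off, ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    total = len(data)
    if total == 0:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def high_entropy_ratio(image: bytes, block: int = BLOCK) -> float:
    """Fraction of used blocks whose entropy looks like ciphertext."""
    scored = high = 0
    for off in range(0, len(image) - block + 1, block):
        chunk = image[off:off + block]
        if len(set(chunk)) == 1:
            continue  # one repeated byte (erased flash, 0x00 or 0xFF) proves nothing
        scored += 1
        high += shannon_entropy(chunk) >= THRESHOLD
    return high / scored if scored else 0.0


def looks_encrypted(image: bytes, min_ratio: float = 0.9) -> bool:
    """Heuristic only: compressed media also scores high, so confirm by parsing."""
    return high_entropy_ratio(image) >= min_ratio


def _pseudo_ciphertext(n: int) -> bytes:
    """Constructed stand-in for encrypted data: SHA-256 over a counter."""
    blocks = (hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


# Constructed samples, not real acquisitions.
PLAIN_IMAGE = (b"SQLite format 3\x00" + b"INSERT INTO sms VALUES('+15550100','hello');\n" * 400)[:4 * BLOCK]
ENCRYPTED_IMAGE = bytes(BLOCK) + _pseudo_ciphertext(8 * BLOCK)

if __name__ == "__main__":
    for name, img in (("plain", PLAIN_IMAGE), ("encrypted", ENCRYPTED_IMAGE)):
        print(f"{name}: ratio={high_entropy_ratio(img):.2f} encrypted={looks_encrypted(img)}")
```

A ratio between the two extremes usually means only part of the image is ciphertext, so score each partition separately before concluding.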
Dirty COW
MOBILedit Forensic Express can also use a Dirty COW (Dirty Copy-On-Write) exploit, which can temporarily root a device that has an Android version up to 7.
The root is removed once the device is restarted.
More information about how to use the Dirty COW exploit in MOBILedit Forensic Express can be found here.
3) Using an App downgrade function in our software MOBILedit Forensic Express
For better security, some application manufacturers have placed restrictions on what data can be acquired from their apps. This is especially relevant for non-rooted phones.
To bypass this we have introduced the App downgrade feature in MOBILedit Forensic Express, which downgrades the apps to a version in which there was no problem obtaining the data from them directly.
Please note that only some apps support this feature as of yet, although we are working on expanding their list.
More information about how to use the App downgrade in MOBILedit Forensic Express can be found here.