Digital Forensics for Samsung Devices
As of Q1 2016, Samsung is the global leader in smartphone sales with a 23.2% market share. This success comes in the wake of their line of Galaxy smartphones and the J-series smartphones that originated in Japan, although recent quarters have seen vendors like Huawei and Xiaomi beginning to take some of Samsung’s market share. Controversy surrounding the spontaneously combusting Galaxy Note 7 has certainly not helped Samsung, causing them to go so far as to completely recall the device in early October 2016. It’s fortunate for Samsung that they’re one of the most product-diverse organizations in the world and they may be able to cover their losses with some of the other industries they’re involved in, including appliances, robotics, and even military arms development. Regardless of their current business situation, Samsung will likely continue to be a big player in the mobile device market for years to come, meaning they are also likely to be a mainstay in forensics labs.
In the mobile device space, Samsung is most well-known for their galaxy, note, tab, J-series, and Z-series devices, though they also sell feature phones and flip phones, some of which can be classified as “burner” phones. There are many times when forensics work is required of burner phones, as criminals tend to favor them for their inexpensive and transitory nature.
In addition to their smartphones and feature phones, Samsung also sells smartwatches and tablets. They produce a whole host of other devices including virtual reality wearables and their popular line of solid state drives/USB thumbdrives, but the probability of encountering those devices in a Samsung forensics case, compared to a mobile device, is a bit lower.
In terms of operating systems, the vast majority of Samsung mobile devices run Android, though there are a few non-Android Samsung devices running operating systems such as Tizen. Their smartwatches, for example, all run on the Tizen operating system in the ‘Wearable’ profile while their India-based Z3 smartphone runs on Tizen in the ‘Mobile’ profile. Compared to an Android device, working on these Tizen-based devices would require an examiner to know the basics of how the Tizen OS works and how this might impact their examination. This breadth of knowledge and experience with different devices, manufacturers, operating systems and more is a good indicator of an experienced forensic examiner. With this in mind, Gillware is more than capable to assist in any Samsung forensics work- whatever the device and operating system may be.
Android-based Samsung Devices
Android is an open-source operating system that is based on the Linux kernel. Given that a majority of Samsung devices run Android and Samsung has the largest global market share in the smartphone market, there are many Android-based devices that come into the our lab.
There are some difficulties in forensics when working on Android devices. Unlike iPhones, Android devices can have both eMMC chips and SD cards. The SD cards are removable and afford Android users with greater storage capacity than whatever the standard capacity of their device is. This can complicate an analysis since application data can be split up between multiple storage locations. For example, the Samsung Galaxy S4 has storage on internal NAND chips, the eMMC chip, and a microSD card. The Samsung Galaxy S5 is similar, though different chipsets and OS versions, among other things, can alter data analysis when compared with the S4. At Gillware, we can also perform forensic analyses on Samsung Galaxy S6 and Galaxy S7 devices, which use a UFS flash memory chip.
The most recent three iterations of Android are Lollipop, Marshmallow, and Nougat, each of which brings their own complications to the forensics process. These different versions can complicate an examination because they each have their own features and security updates, meaning the specific work required on an Android device may be dependent upon which OS version is installed.
Despite the complexities that come along with working on Android devices, our team is able to work on them by utilizing a wide array of forensics tools in conjunction with years of valuable experience.
One feature relevant to Samsung forensics work is their proprietary security system, Samsung Knox. Unveiled in the Samsung S4 with the 4.3 update, Knox is Samsung’s enterprise-grade answer to mobile security. The multi-layered hardware/software-integrated solution allows users to isolate their work data in an encrypted environment that is separate from any personal data on the device, a feature that can certainly hinder forensic analysis of a Samsung device.
Another concern with Knox involves device isolation. Properly isolating a device from outside interference is an important step in any forensic examination, but becomes even more important if Knox is present because users with MyKnox can remotely control, sync, and wipe the contents of the device. It’s obviously harmful to any serious examination if someone is allowed to alter or erase data from a device, making it imperative that examiners are aware of Knox and its capabilities when working on a Samsung forensics case.