Advanced techniques to get more information from the device

Some applications do not provide the information that you need (e.g. messages, call logs) by themselves since the information is encrypted by the developer/manufacturer.

There are a few ways how to extract the information you need:

1. Rooting / Jailbreaking your device

2. Creating a physical image of your device

3. Using an App downgrade function in our software MOBILedit Forensic

Rooting / Jailbreaking

Rooting

Most Android devices should be able to be rooted. However, the process of rooting is specific to each phone model, version of Android, and build number, so you always need to find the right tool according to your phone model. 

You can root a majority of modern Android phones using an app called KingoRoot, if for some reason this method doesn't work for you (locked bootloader, Knox, etc.), you may be able to find help on how to root your phone at XDA Developers, which is a website with a large active user community dedicated entirely to Android smartphones.

Please note that sometimes it is necessary to unlock your phone's bootloader in order to root it. You can find a step-by-step tutorial on how to unlock the bootloader on your phone manufacturer's webpage.

Once rooting has been completed successfully the phone is then switched to so-called "rooted mode", and you then will be able to extract and analyze the deleted data.

If you are in need of further assistance please let us know and we will look further to help resolve any issue you are experiencing.

Rooting your phone may void the manufacturer's warranty and could cause security risks. Please take this into consideration before performing this process.
Rooting a Samsung device will trip the Knox Warranty void flag which will make the data stored in Knox permanently inaccessible. 

Jailbreaking

There are three ways of jailbreaking your iOS:

1. Tethered - This method requires you to connect your iPhone to your computer and use an external application to jailbreak it. Once you restart your iPhone, the jailbreak is undone, but please note: your device will not be usable until you jailbreak it again using the same method. 

2. Semi-tethered - This method doesn't require you to connect your iPhone to a computer in order to jailbreak it, however, the jailbreak is still undone every time you reboot your device, or, after a certain amount of time passes.

3. Untethered - This method doesn't necessarily require a computer to perform a jailbreak on your device and also modifies the iOS on a deeper level which means that no matter how many times you reboot your device, it stays jailbroken until you manually "un-jailbreak" it.

There are specific known ways to jailbreak almost every iPhone, iPad or iPod Touch running on almost every iOS, except the latest releases - as it usually takes a few months to find a way of jailbreaking the newest version of iOS. 

This means that there is no way of describing them all in a single article.

Currently, the most often used apps for jailbreaking iOS devices are Pangu or Cydia Impactor. You can learn more about how Cydia works on the app developer's official website here, or you can read this article which describes a simplified process of iOS jailbreaking.

You can see a full list of available jailbreaks for each device and version here.

Jailbreaking a device may void the manufacturer's warranty and could cause security risks.
Please take this into consideration before performing this process.

Creating a physical image of your device

There are many ways how to create a physical image from a device. You can, of course, use some tools of your own and use our software for extraction but our product MOBILedit Forensic does offer some tools as well:

MTK

There is a way of extracting a physical image from phones with MediaTek chipsets without root access (rooting the phone). 

This exploit method does not work on all MTK-equipped devices, but sometimes it is the only way of acquiring the physical image because the phone does not have to be booted up or unlocked in order to perform this operation; which means you can try even if the phone is off or locked.

This will not work for most MTK devices with locked bootloaders. In order to use MTK method on such devices, the bootloader has to be unlocked first. 

More information about how to use MTK method in MOBILedit Forensic can be found here.

EDL

There is also a way of extracting physical images from phones with Qualcomm chipsets without root access (rooting the phone). 
This exploit method does not work on all Qualcomm-equipped devices and it is best when used with an EDL cable.
More information about how to use EDL method in MOBILedit Forensic can be found here.

LAF

The "LAF bypassing" feature works on all LG smartphones with the new version of LG LAF protocol (this is a service download mode similar to Samsung Odin download mode). One of the first devices to feature this version was the first LG G flagship.

Every LG smartphone from the year 2013 and newer should, therefore, support our LG method.

With some of them - LG G4 for example - you are even able to browse the phone's filesystem via the "Browse Phone" option in Forensic. 

This exploit takes advantage of "LG Flash Mode" - used primarily for updating firmware.

More information about how to use LG method in MOBILedit Forensic can be found here.

TWRP Method

The device has to have its bootloader unlocked in order to proceed with this method.

Every Android phone has a "recovery“ partition which is by default used for performing factory resets using an OEM’s preloaded tools. However, this partition can be modified in order to replace the default tools with third-party recovery tools such as TWRP.

These recoveries are (unlike the stock ones) capable of modifying all the internal system partitions of your phone or tablet (they need this capability in order to flash custom firmware).

TWRP even comes with a built-in file manager with unlimited root access so you can modify, add or delete any system files manually. This process allows you to gain a physical image, therefore bypassing the otherwise locked device´s protection.

However, if the image is encrypted by the system itself, we are only able to get the encrypted physical image.

More information about how to use the TWRP method in MOBILedit Forensic can be found here.

Rooting

In MOBILedit Forensic there are 4 methods for temporary rooting.

The root access is removed once the device is restarted or by pressing “Stop Communication service”. 

More information about how to use the Rooting exploits in MOBILedit Forensic can be found here.

Odin

Connecting the phone in Odin mode allows flashing a custom recovery (for example TWRP), providing root access.

More information about how to use the Odin exploit in MOBILedit Forensic can be found here.

Fastboot

The special boot for Android devices. It allows flash custom recovery into the device, you will get root access to the device.

More information about how to use the Fastboot exploit in MOBILedit Forensic can be found here.

Spreadtrum

The “Spreadtrum” feature work on the Spreadtrum chipset.

This method provides a possibility to create a physical dump of internal memory without a passcode or pattern lock.

More information about how to use the Spreadtrum exploit in MOBILedit Forensic can be found here.

Using an App downgrade function in our software MOBILedit Forensic

Due to better security, some application manufacturers made restrictions on what data can be acquired from their apps. This is especially relevant for non-rooted phones.

To bypass this we have introduced the App downgrade, feature in MOBILedit Forensic, which will downgrade the apps to a version, in which there was no problem in obtaining the data from them directly.

Please note that only some apps support this feature as of yet, although we are working on expanding their list.

More information about how to use the App downgrade in MOBILedit Forensic can be found here.