As the development of smartphone software advances it becomes increasingly difficult to gain privileged access to the device. On devices that are locked, this often prevents an investigator from being able to extract any data. To help you acquire the most complete forensic image as possible, Magnet AXIOM supports several advanced mobile acquisition methods that increase your chances of getting a full image of the device. Some methods require that you flash the device with a recovery image, while others take advantage of download modes or device hardware features.
RECOVERY IMAGES FOR SAMSUNG
If a Samsung device is locked or is otherwise preventing you from gaining privileged access, you can flash a recovery image to the device to attempt to extract a full image. By flashing a supported device with a recovery image, this allows Magnet AXIOM to grant itself root ADB access and bypass the device password. The recovery image is flashed to a partition on the device that’s separate from system and data partitions, as to not affect the integrity of the data. The full image that gets extracted even gives you access to deleted data on the device, including data left behind after a factory reset. Magnet AXIOM offers recovery images for more than 1300 Samsung device models.
Note: This bypass method is only available for devices that have an unlocked bootloader and don’t have FRP enabled.
To use recovery images for Samsung, complete the following steps:
- Download all Recovery Images .zip files from the Downloads and Supported Devices section.
- Extract the contents to your computer by using an extraction tool such as 7zip or WinRar.
- Double-click Magnet Recovery Images setup.exe and follow the instructions in the wizard.
After installation is complete, follow the Recovery workflow. In AXIOM Process, navigate to Evidence Sources > Mobile > Android > Acquire Evidence > Advanced (Lock Bypass) > Samsung > Recovery (FULL IMAGE).
RECOVERY IMAGES FOR MOTOROLA
Magnet AXIOM also supports the ability to flash certain Motorola devices with a recovery image. This method works in the same way that recovery images can be used with some Motorola devices and also results in the ability to extract a full image.
Note: This method does not work with all Motorola product lines and devices.
To use recovery images for Motorola, complete the following steps:
- Download the Recovery Images .zip file from the Downloads and Supported Devices section.
- Extract the contents to your computer (for example, by using a tool such as 7zip or WinRar).
- Double-click Recovery Images for Motorola setup.exe and follow the instructions in the wizard.
After installation is complete, follow the Bootloader Bypass workflow. In AXIOM Process, navigate to Evidence Sources > Mobile > Android > Acquire Evidence > Advanced (Lock Bypass) > Motorola > Bootloader Bypass (FULL IMAGE).
DOWNLOAD MODE FOR LG DEVICES
On some LG devices, Magnet AXIOM can bypass the password and extract a full image by exploiting LAF (LG Advanced Flash). LAF is a tool that’s used for downloading and uploading firmware for the device. Using LAF, Magnet AXIOM can put an LG device into download mode and extract its data.
This method works on devices that were released up until late 2017.
To use this bypass method, follow the LG Download Mode workflow. In AXIOM Process, navigate to Evidence Sources > Mobile > Android > Acquire Evidence > Advanced (Lock Bypass) > LG Electronics > LG Download Mode (FULL IMAGE).
Click here to see a video demonstration of this method.
DOWNLOAD MODE FOR MTK CHIPSETS
Some MediaTek (MTK) chipset hardware allows Magnet AXIOM to bypass the password on some Android devices that use certain chipsets. A successful bypass allows you to obtain a full image of the device.
To use this method, follow the MTK workflow. In AXIOM Process, navigate to Evidence Sources > Mobile > Android > Acquire Evidence > Advanced (Lock Bypass) > Other > MediaTek (MTK) (FULL IMAGE).
FINDING SUPPORTED DEVICES
To learn if your device is supported, click the Compatible devices link in the Downloads and Supported Devices section below. You can also use one of the following websites to determine whether the device has an affected chipset.
EDL MODE FOR QUALCOMM CHIPSETS
Emergency Download (EDL) mode is a Qualcomm feature that can enable you to perform tasks like unbricking or flashing a device, and downloading data. On supported devices, Magnet AXIOM can use EDL mode to extract a full image. You can read more about how to start a device in EDL mode at www.magnetforensics.com/blog/qualcomm-phone-edl-mode/.
Before you attempt to acquire a Qualcomm device using EDL mode, complete following steps:
- Download the drivers from the Downloads and Supported Devices section.
- Extract the contents of the .zip file to a location on your computer.
- Double-click driver_installer.exe and follow the instructions in the wizard.
- Download the EDL Programmers installer.
- Double-click the installer and follow the instructions in the wizard to install the programmers in your Magnet AXIOM directory.
- In AXIOM Process, navigate to Evidence Sources > Mobile > Android > Acquire Evidence > Advanced (Lock Bypass) > Other > Qualcomm to start the workflow.
After the workflow starts, Magnet AXIOM attempts to select a compatible programmer based on the device type. While it’s possible to manually select a programmer, it’s recommended that you allow Magnet AXIOM to choose one for you.
Note: Programmers are not available for all Qualcomm devices. And some programmers can work with more than one device type.
DOWNLOADS AND SUPPORTED DEVICES
|Recovery images for Samsung devices||8 GB||April 2, 2019||View compatible devices|
Download recovery images – Part 1
Download recovery images – Part 2
|Recovery images for Motorola devices||39 MB||April 26, 2018||Download recovery images|
|Download mode for MTK chipsets||N/A||June 21, 2018||View compatible devices|
|Download mode for LG devices||N/A||February 28, 2018||Download drivers|
|EDL Mode for Qualcomm Chipsets||4 MB||September 13, 2018||Download EDL programmers|
Download EDL drivers