Decrypt file on SD card of Samsung phone encrypted by Android 5.0

2

My Galaxy Note 4 doesn't recognize the encryption on my SD card anymore. I can't open any file. Now, since I have the password, I thought I could decrypt them myself, with Android Java or with C++ on Windows. I used the internal encryption of Android 5.0 Lollipop. This is my last chance of getting my photos and videos back. I'm not confident this is going to work, but if it can, please help me.

schacker22

Posted 2015-09-18T04:56:20.640

Reputation: 146

If the GN4 can't read it, then I'd be suspicious there's a corruption/bitrot error. Encrypting the card thwarts a lot of recovery methods unfortunately though. – Linef4ult – 2015-09-18T06:40:45.537

@Linef4ult The weird thing is, that I can see all files. In my gallery all pictures are shown, but they aren't in full resolution, like a temporary picture. – schacker22 – 2015-09-18T10:42:32.737

That's the thumbs file you're seeing; if that's intact then the drive may only be partially damaged. – Linef4ult – 2015-09-19T07:52:34.820

Answers

1

It would seem a long shot, but a logical step to follow might be to:

  1. Download an Ubuntu live Desktop ISO (or equivalent)
  2. Boot to Ubuntu and insert sdcard into PC.
  3. Identify SD card - you may be able to do this by running dmesg or cat /var/log/syslog or /var/log/messages, or by examining /dev/sd* devices.
  4. Run cryptsetup luksOpen /dev/sdX encdev
  5. Enter passphrase - hopefully this works
  6. mkdir /tmp/encdev; mount /dev/mapper/encdev /tmp/encdev
  7. Pull your data from /tmp/encdev

davidgo

Posted 2015-09-18T04:56:20.640

Reputation: 49 152

It says that the device isn't a valid LUKS device. I think this doesn't work because it's not the partition that is encrypted but the files on it. I can see all files and folders on the SD card. – schacker22 – 2015-09-18T16:51:38.387

Are you sure you can see the files on it, and not only thumbnails? Thumbnails are often generated and stored elsewhere to speed up access. Can you advise at what stage you are/were asked for the password to unlock your storage, and if you were using the encryption built into the OS, or if you got after-market software? If the files are encrypted, you should be able to see random names as files when you insert the drive (in which case we use encfs to decrypt). Are you seeing meaningless filenames? – davidgo – 2015-09-18T20:27:50.510

I suspect someone may have tried to "brute force" access to your phone, and you may have had a setting to delete the disk after X failed attempts. If that is the case, sorry, but your data is not recoverable off the device. – davidgo – 2015-09-18T20:30:49.177

I copied all the files to my computer; all folder structures and file names are still there. I was asked for the password after every restart on the login screen of Android. Yeah, I'm pretty sure that on the phone these are thumbnails. On my computer I used a hex editor to analyse the header of a jpg that is on the SD card. I was not able to find the correct two start bytes that usually characterize this format. – schacker22 – 2015-09-18T21:12:37.500

This does not make sense - the Samsung Note 4 (and most Android phones - it's baked into the OS) uses full-disk encryption if you are being prompted for a password on startup. – davidgo – 2015-09-18T21:40:51.930

Then I think the SD card is broken. – schacker22 – 2015-09-19T23:42:10.403

Old post, but I thought I'd leave a comment for anybody searching for an answer. It seems files are encrypted with (some variant of) ecryptfs. This is a different type of encryption; in simple words, it's directory encryption and not block device encryption. Hence a different tool is required (if at all possible). – Greg0ry – 2017-04-09T20:19:55.413
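
The three header checks that come up in this thread (the JPEG start bytes the asker looked for in a hex editor, the LUKS header that `cryptsetup` expects, and the eCryptfs header suggested in the last comment), as an added example that is not part of the original posts. It assumes the stock Linux eCryptfs header layout (bytes 0-7 plaintext size, bytes 8-15 marker built from the constant `0x3c81b7f5`); Samsung's variant may differ, and the function names and sample headers are constructed for illustration.

```python
import struct
import sys
from pathlib import Path

JPEG_SOI = b"\xff\xd8"          # the two start bytes of a plaintext JPEG
LUKS_MAGIC = b"LUKS\xba\xbe"    # start of a LUKS header (block-device encryption)
ECRYPTFS_MARKER = 0x3C81B7F5    # marker constant in stock Linux eCryptfs (assumed here)

def classify_header(head: bytes) -> str:
    """Classify the first bytes of a file or of a raw device image."""
    if head.startswith(LUKS_MAGIC):
        return "luks"
    if head.startswith(JPEG_SOI):
        return "jpeg-plaintext"
    if len(head) >= 16:
        # Stock eCryptfs: bytes 8-15 hold two big-endian 32-bit words,
        # and the second word equals the first XOR ECRYPTFS_MARKER.
        m1, m2 = struct.unpack(">II", head[8:16])
        if (m1 ^ ECRYPTFS_MARKER) == m2:
            return "ecryptfs"
    return "unknown"

def plaintext_size(head: bytes) -> int:
    """Original file size stored in bytes 0-7 of a stock eCryptfs header."""
    return struct.unpack(">Q", head[:8])[0]

def survey(root: str) -> dict:
    """Count header types for every regular file under a copied SD card tree."""
    counts = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                kind = classify_header(fh.read(16))
            counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed sample headers, not taken from a real card.
SAMPLE_ECRYPTFS = struct.pack(">QII", 2345678, 0x11223344,
                              0x11223344 ^ ECRYPTFS_MARKER)
SAMPLE_JPEG = b"\xff\xd8\xff\xe1" + b"\x00" * 12
SAMPLE_LUKS = LUKS_MAGIC + b"\x00\x01" + b"\x00" * 8

if __name__ == "__main__":
    # Usage: python3 this_script.py /path/to/copied/sdcard
    print(survey(sys.argv[1] if len(sys.argv) > 1 else "."))
```

A copied tree that reports mostly `ecryptfs` points to file-level encryption with intact headers, which is why `luksOpen` on the partition fails. Files reported as `unknown` have neither a plaintext JPEG start nor a stock eCryptfs marker, which is consistent with either a different header layout or damaged data.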