Decrypting Databases Using RAM Dump – Health Data | By Michal Rozin

September 21, 2020

Decrypting Databases Using RAM Dump – Health Data

Extracting memory from Samsung devices to decrypt Samsung Health DB’s can uncover critical data for investigators

Samsung Health is a wellness application that helps users track their physical activities. As one might expect, the application stores a lot of interesting location data that interests the forensics community and specifically law enforcement investigators. As of today, no commercial tool decrypts the database of the application as Samsung uses Android’s “KeyStore” to encrypt and decrypt their data.

In this blog, I will demonstrate a method to decrypt the databases and extract meaningful data using a RAM dump. The phone’s RAM stores the decryption keys for the application after extracting the relevant keys from KeyStore and manipulating them. I will present an end-to-end procedure that starts with the RAM extraction and ends with the decryption and display of Samsung Health’s databases.

I hope that by releasing this blog the mobile forensics community will be inspired to continue to examine memory dump methodologies and spark the community to share their findings.


My research started when our decoding group decided to focus on finding....

Notify of

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023