Best Practice to bypass Android lock


Best Practice to bypass Android lock

Posted: Mon Nov 18, 2013 6:14 pm

Like most, our department is seeing more and more pattern-locked Android phones. We currently use Cellebrite UFED for our extractions, but with most Androids, rare is the day that one already has USB debugging checked, and then we are stuck.

We are coming up on a fresh budget year and I am looking for advice on best practices / training that would assist us in more technical methods other than banging my head against the Cellebrite or trying to interpret greasy fingerprints on the screen. Are there any good resources in rooting or other methods I should be looking at? I'm willing to learn - just need a good direction to start.

Det. David Feyen
City of Waukesha Police
Waukesha, WI 53188  

gryhound
Newbie
 
 
  

Re: Best Practice to bypass Android lock

Posted: Tue Nov 19, 2013 8:12 am

If USB debugging is enabled, try (by using Android Debug Bridge) to remove the gesture.key file from the phone.

MemoryLeak
Newbie
 
 
  

Re: Best Practice to bypass Android lock

Posted: Tue Nov 19, 2013 11:02 am

- gryhound
Like most, our department is seeing more and more pattern-locked Android phones. We currently use Cellebrite UFED for our extractions, but with most Androids, rare is the day that one already has USB debugging checked, and then we are stuck.


On UFED Touch Ultimate/UFED 4PC, if debugging mode is not checked, it is still possible to bypass the pattern lock on Androids and at least obtain a physical dump and, on most models, the pattern code as well.

Am I right in thinking you have the UFED Classic?

DCS1094
Senior Member
 
 
  

Re: Best Practice to bypass Android lock

Posted: Tue Nov 19, 2013 1:46 pm

Det. Feyen,

Cellebrite is constantly updating capabilities, so I wouldn't lose faith on that front. You may also want to take a look at ViaForensics and their experience/capabilities with Android.

viaforensics.com/home/

I would take a good look at JTAG training and equipment. Teel Technologies offers a course for LE.

www.teeltech.com/tt3/r...asp?cid=38

Regards,

Jesse  

jlindmar
Member
 
 
  

Re: Best Practice to bypass Android lock

Posted: Fri Dec 06, 2013 4:05 am

But I think JTAG or chip-off is not that easy a way to go in every case. And your device could be damaged.

The pattern lock and/or the passcode of the device is stored in a secure part of the Android file system. It's saved as a hash. I think it was SHA-1.
When you get that data you can easily decode it and get your pattern lock or passcode.

There are some solutions to extract physical data without having USB debugging on. But every solution I know needs to get root rights.
So you need to get some information on how to root the device you want to investigate.

There are some how-tos describing the extraction and finding the pattern lock hash. Just google it for more information.

But I think the hardest part is to get (forensically safe) root access.

As far as I know, forensic tools like UFED or XRY use a temporary root hack or exploit to get root access. But I don't know if there are any changes to the system memory of the device.



Greets

Patrick  

Sandfurz
Newbie
 
 
  

Re: Best Practice to bypass Android lock

Posted: Fri Dec 06, 2013 8:22 am

Use the Rubber Ducky from Hak5 to brute force it.
Doesn't work for all phones, but if it supports a keyboard it supports the Ducky.

kbertens
Senior Member
 
 
  

Re: Best Practice to bypass Android lock

Posted: Fri Dec 06, 2013 3:19 pm

If USB debugging is not enabled, you can still bypass the lock by installing a custom recovery (such as TWRP or CWM), which will allow USB debugging in recovery mode automatically. However, unlocking the bootloader might initiate a wipe of the /data partition, but there are also ways to install a custom recovery bypassing a wipe (a lot of info can be gained from the xda-developers forum).

And given Android's flash infrastructure, even if info is wiped, you can always recover it by dumping the physical partition after bypassing the lock (of course this might not be adequate if it's an official investigation).

Good luck!  

Alistair
Member
 
 