Greetings all,
Let me start by saying I'm a long-time reader of the forum. This is just a challenge I'm working on. Does not have anything to do with a case. I own the device in question, so no privacy concerns.
I'm working with a Cricket Dream, model EC211001, running Android 11. It is an interesting device. From what little I read it doesn't have a very high rating from people who owned and used them as their daily phones, but the specs are pretty incredible. It's currently just a WiFi-only device (no service plan).
The bootloader is unlocked, it is rooted, and I am able to access the entire file structure on the phone through Total Commander. Termux is on it, as well as Termux API which allows access to storage/emulated/0 from that command line. Kali Nethunter is installed and it can run the chroot environment. Nethunter Terminal is able to run in Android, AndroidSU and Kali modes. There are also several other apps from the Nethunter store installed.
Here is the challenge: There are two main Google accounts associated with this device, both of which have a few hundred passwords in their password managers for various other sites. One is still on the device, the other was signed out. Same with regards to different apps, such as Facebook, Cashapp, Pandora, etc. I'm trying to reestablish the sessions for those apps, but if it turns out I'm not able to, then find and decrypt the passwords and attempt to login both on that device and a separate, unfamiliar device.
I took a full physical copy of the device and have been examining it using Autopsy. I have found several different databases that have session data and cookies. One database in particular I found in /data/system_ce/0 called accounts_ce.db has what appears to be a buttload of authtokens.
Another database, chromesync.data_store, looks like it has all of the passwords from both password managers. Under the password index, every single one of them is a random 28-character string, and each one ends with an =.
Are these the hashed passwords? Does anyone know which hash they used to get these? I ran a few through online hash identifiers and they all come back saying "Peoplesoft," which I'm not familiar with. I know they're salted as well, but I have not yet been able to find where the salt is located. I do remember reading in a couple places that Android uses the lockscreen pin as a salt, but have not verified that.
What are your thoughts, aside from it would probably be easier to attempt to restore the session with Burpsuite?