Avast Anti-Theft lockout Samsung S4 SGH-I337

8 Posts
5 Users
0 Reactions
781 Views
(@the_m3chan1c)
Active Member
Joined: 10 years ago
Posts: 7
Topic starter  

Hello All,

Right now I have a device that is locked out using Avast Anti-Theft app. I suspect this phone is rooted as there were other devices included in this case that were rooted/jailbroken. This device is of great interest and I am trying to find a way to defeat this app.

The root version of this software is able to lock out USB access entirely, and I believe that is what is happening. It will boot, go to the lock screen (pattern lock), then after a short period of time a prompt will display from the Avast software saying that the device has been stolen and prompting for authentication via a PIN.

I have available to me Paraben DS7, Magnet Acquire, and Access Data MPE nField as well as FTK. So far I have not been able to image it and I have no way in to check whether debugging is enabled. I do have a RIFF box JTAG unit and the MFC-BOX unit. JTAG will be my last resort.

Does anyone have any suggestions?

Thanks!


   
Quote
(@the_m3chan1c)
Active Member
Joined: 10 years ago
Posts: 7
Topic starter  

An update, I have confirmed that the device is rooted (I saw a super user permission granted prompt flash briefly on the lock screen). I am able to boot into Safe Mode and the Avast lockout screen does not come up.

I have attempted using ADB to connect. It shows up as a device, but it lists as unauthorized. Now I am in the process of trying to crack the swipe pattern lock. I have the option to enter a backup PIN as well by clicking the "forgot pattern" option. However, it is not limited to a 4-digit PIN; it seems to accept any number of digits, but thankfully it is numeric only, no letters or special characters.

I would really appreciate any input as this is a time sensitive case.

Thanks!


   
ReplyQuote
UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

Hello,

Some ideas:

1) Have you tried Andriller (http://andriller.com/) for cracking the device's password?

2) Also, I am sure you already looked, but if you have access to the phone owner's workstation (laptop/desktop) computer, you could create a forensic image of the workstation, then use password recovery tools (Passmark/OSForensics) to identify passwords from the workstation that might be the same as the phone's password.

I believe one can login to Avast.com from a computer and retrieve a phone's password, so if you can recover the Avast.com login ID and password from the individual's workstation, you might find the passwords you need.

Also, not sure if you are Law Enforcement, but if you are, could you not contact Avast for the login credentials via a warrant?


   
ReplyQuote
(@the_m3chan1c)
Active Member
Joined: 10 years ago
Posts: 7
Topic starter  

Thanks for your reply UnallocatedClusters!

1. I had a trial of Andriller in the past but it has since expired. I never tried out the password cracking tools with it. I will try to reach out to them.

2. I have access to multiple other devices of the owner and I am processing them right now in FTK. Once that is done I will definitely look for anything Avast related.

I am not Law Enforcement but rather an organization that is in a joint task force with many departments and agencies. It may come down to contacting Avast with a warrant, but I am trying my best not to resort to that since it will take some time for that to go through.

I am in the process of trying to force debugging via ADB, as I can enter recovery mode, but it is being a real pain to deal with. I've never had so much trouble with an Android device!

Thanks Again!


   
ReplyQuote
(@kbertens)
Trusted Member
Joined: 13 years ago
Posts: 88
 

I don't know how this software works, but you should be able to use a custom recovery partition to access the user data partition.
This won't work if the data is encrypted of course, but as far as I can see the software isn't encrypting anything.
I know UFED is able to use a custom recovery and do a physical extraction; not sure if your device is supported. You can do it yourself too, with ClockworkMod for example.


   
ReplyQuote
(@the_m3chan1c)
Active Member
Joined: 10 years ago
Posts: 7
Topic starter  

Thought I'd give a quick update on this device. I was able to acquire the device after many failed attempts.

I was not able to JTAG this phone, as one of the TAP solder pads had been damaged.

After a few days of researching I came across this:

http://getandroidstuff.com/bypass-pattern-password-or-lock-screen-security-in-android/

I was skeptical of trying it as I knew there is always a risk of data corruption or bricking a device when sideloading anything. This was a last resort as I had exhausted all of my other options.

I followed the instructions on the site listed above. However, as soon as the zip finished installing it started wiping data. Needless to say, I panicked, so I pulled the battery. Once I got the device to boot back up I was greeted with a new device setup prompt and thought, "well, that's it, it's all gone". But I decided to go through the prompt and try to see if anything was still there.

After I got to the home screen it was quite apparent that all of the data was gone. I quickly enabled USB Debugging and tried to image it using Paraben, no dice. I then tried out Magnet Acquire, sure enough it started the acquisition. One odd thing I noticed is that even though the device was "wiped" it was still rooted. Once Acquire finished I tried to put the image into FTK but it kept telling me it was an invalid image and would not let me add it. I decided to try my luck with Autopsy, thankfully it worked very well.

To wrap things up:

I am not sure what, if any, data was lost or corrupted in the cobbled together process that I used. I can say that I got all of the data I was looking for and Autopsy did a great job at carving out what I needed. There was a ton of great data recovered. Even though it got hairy there for a few hours it all worked out in the end.

Thanks for the great input from everyone, I appreciate it!


   
ReplyQuote
ForensicMeteor
(@forensicmeteor)
Trusted Member
Joined: 11 years ago
Posts: 60
 

Did you ever try for a physical image via download mode?


   
ReplyQuote
(@bigwolf)
Active Member
Joined: 11 years ago
Posts: 6
 

Have you tried booting to safe mode? It worked on a phone for me a few weeks ago.
I think it was McAfee on mine.


   
ReplyQuote
Share: