Good afternoon all,
I am a Detective working on a case involving a Samsung Tab 4, running Android 5.1.1. The Tab is locked with an alphanumeric password. I obtained a partial file system utilizing Cellebrite. Through the partial, I was able to get the device_policy, password.key, and the locksettings.db. I know the password is 9 in length, with 3 numeric and 6 lowercase. Based on several forensic website, I was under the impression Hashcat would be able to crack with a brute force attack. Unfortunately, it did not work.
My question is two fold;
Where would I look to see if the Tab is encrypted? A chip off is an option; however, if the Tab is encrypted, I'm up creek without a paddle.
Second, does anyone have any other suggestions?
Thank you,
If it was encrypted you wouldn't be able to get password.key, locksettings and device_policy.xml files out of a filesystem. With hashcat, there are 2 options for cracking Android hashes. One for generic phones (-m 110) and one, for Samsung based devices (-m 5800) as they're different. Could be either this, a wrong mask or wrong hash/salt. If i remember correctly, hashcat requires hash (first 40 hex characters from password.key) to be lowercase and salt also converted from into lowercase hex.
asdqwe123 - the most common pattern for what the OP asked )