Best Practice to bypass Android lock

Posts: 2
New Member
Topic starter

Like most, our department is seeing more and more pattern-locked Android phones. We currently use Cellebrite UFED for our extractions, but with most Androids, rare is the day that one already has USB debugging checked, and then we are stuck.

We are coming up on a fresh budget year and I am looking for advice on best practices / training that would assist us in more technical methods other than banging my head against the Cellebrite or trying to interpret greasy fingerprints on the screen. Are there any good resources on rooting or other methods I should be looking at? I'm willing to learn - just need a good direction to start.

Posted : 19/11/2013 5:14 am
Posts: 3
New Member

If USB debugging is enabled, try (using Android Debug Bridge) to remove the gesture.key file from the phone.

Posted : 19/11/2013 7:12 pm
Posts: 146
Estimable Member

Like most, our department is seeing more and more pattern-locked Android phones. We currently use Cellebrite UFED for our extractions, but with most Androids, rare is the day that one already has USB debugging checked, and then we are stuck.

On UFED Touch Ultimate/UFED 4PC if debugging mode is not checked, it is still possible to bypass the pattern lock on Androids and at least obtain a physical dump and on most models the pattern code as well.

Am I right in thinking you have the UFED Classic?

Posted : 19/11/2013 10:02 pm
Posts: 30
Eminent Member

Det. Feyen,

Cellebrite is constantly updating capabilities, so I wouldn't lose faith on that front. You may also want to take a look at ViaForensics and their experience/capabilities with Android.

I would take a good look at JTAG training and equipment. Teel Technologies offers a course for LE.

Posted : 20/11/2013 12:46 am
Posts: 7
Active Member

But I think JTAG or chip-off is not that easy to do in every case. And your device could be damaged.

The pattern lock and/or the passcode of the device is stored in a secure part of the Android file system. It's saved as a hash. I think it was SHA-1.
When you get that data you can easily decode it and get your pattern lock or passcode.

There are some solutions to extract physical data without having USB debugging on. But every solution I know needs to get root rights.
So you need to get some information on how to root the device you want to investigate.

There are some howtos describing the extraction and finding the pattern lock hash. Just google it for more information.

But I think the hardest part is to get (forensically safe) root access.

As far as I know, the forensic tools like UFED or XRY use a temporary root hack or exploit to get root access. But I don't know if there are any changes to the system memory of the device.

Posted : 06/12/2013 3:05 pm
Posts: 88
Trusted Member

Use the Rubber Ducky from Hak5 to brute force it.
Doesn't work for all phones, but if it supports a keyboard it supports the Ducky.

Posted : 06/12/2013 7:22 pm
Posts: 23
Eminent Member

If USB debugging is not enabled, you can still bypass the lock by installing a custom recovery (such as TWRP or CWM), which will allow USB debugging in recovery mode automatically. However, unlocking the bootloader might initiate a wipe of the /data partition, but there are also ways to install a custom recovery bypassing a wipe (a lot of info can be gained from the xda-developers forum).

And given Android's flash infrastructure, even if info is wiped, you can always recover it by dumping the physical partition after bypassing the lock (of course this might not be adequate if it's an official investigation).

Good luck!

Posted : 07/12/2013 2:19 am
Posts: 159
Estimable Member

The Cellebrite kits (Touch and UFED4PC) both get past locks on Androids, whether USB debug is enabled or not.
You have to do a physical extraction: place the cable into the handset and the boot loader loads up. Average time on the Touch is approx. 2 hours for a Galaxy S2/3/4; however, on the UFED4PC it can be around 25 mins.

Posted : 08/12/2013 5:56 pm
Posts: 184
Estimable Member

Okay, Android, ha. So what you want to do is root + CWM an Android device, which will automatically turn on USB debugging, which is the most important stage of Android forensics. Then you can use ADB mode to delete the password.key or gesture.key, or you can use the CCL script to identify those codes by knowing the encrypted value of gesture.key and sometimes knowing the salted hash if there's an alphabetic password used, then using those hashes to decrypt the original passcode. Those values can be extracted by taking a file system dump and then going to their directory to read the hashes. The file system dump can be taken by Cellebrite after rooting and CWM (USB debugging on), or by connecting directly to the phone by JTAG, and the difficulty of this process depends on the model of the phone.

I hope this helps.

Posted : 17/12/2013 9:49 am
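The two posts above describe the same mechanism from different angles: the pattern is stored as a SHA-1 hash in gesture.key, and a script (CCL's is mentioned) matches that hash against every pattern the lock screen accepts. The following is an added example, written for this page rather than taken from the thread, from CCL, or from any of the tools named here. It encodes a pattern the way the lock screen of that era did (one byte per dot index, unsalted SHA-1, 20 raw bytes on disk), enumerates the valid pattern space, and shows why the scheme offers no real protection to anyone holding a file-system dump: the whole keyspace is 389,112 patterns and hashes in well under a second. The sample gesture.key value is constructed inside the block from a known pattern; nothing is read from a device.

```python
import hashlib

# Dots are numbered 0..8 row-major on the 3x3 grid:
#   0 1 2
#   3 4 5
#   6 7 8


def _skipped_dot(a, b):
    """Return the dot lying exactly between a and b, or None if there is none."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if a == b or (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2


def valid_patterns(min_len=4, max_len=9):
    """Yield every pattern the lock screen accepts: 4 to 9 distinct dots, and a
    dot lying between two others can only be jumped over once it is already used."""

    def extend(path, used):
        if len(path) >= min_len:
            yield tuple(path)
        if len(path) == max_len:
            return
        for nxt in range(9):
            if nxt in used:
                continue
            mid = _skipped_dot(path[-1], nxt)
            if mid is not None and mid not in used:
                continue
            path.append(nxt)
            used.add(nxt)
            yield from extend(path, used)
            path.pop()
            used.discard(nxt)

    for start in range(9):
        yield from extend([start], {start})


def gesture_key_bytes(pattern):
    """Encode a pattern as the pre-Marshmallow lock screen did: one byte per dot
    index, hashed with unsalted SHA-1. gesture.key held exactly these 20 bytes."""
    return hashlib.sha1(bytes(pattern)).digest()


def count_patterns():
    """Size of the entire keyspace the hash protects."""
    return sum(1 for _ in valid_patterns())


def build_lookup_table():
    """Precompute hash -> pattern for every accepted pattern (a rainbow table
    for a keyspace this small is just a dict)."""
    return {gesture_key_bytes(p): p for p in valid_patterns()}


def pattern_for_hash(gesture_key, table=None):
    """Look a 20-byte gesture.key up in the table; None means the bytes do not
    correspond to any pattern the lock screen could have produced."""
    if table is None:
        table = build_lookup_table()
    return table.get(bytes(gesture_key))


# Constructed sample: the gesture.key bytes a device would have written for the
# pattern 0-1-2-5-8, standing in for a file copied from /data/system/gesture.key.
SAMPLE_GESTURE_KEY = gesture_key_bytes((0, 1, 2, 5, 8))

if __name__ == "__main__":
    print("accepted patterns:", count_patterns())
    print("sample gesture.key:", SAMPLE_GESTURE_KEY.hex())
    print("matching pattern:", pattern_for_hash(SAMPLE_GESTURE_KEY))
```

The only thing the dump reveals is whether the hash is the unsalted SHA-1 of a 4-to-9 dot sequence, and with no salt and a keyspace that small the answer is immediate, which is why a pattern lock is no substitute for device encryption where the data partition itself can be imaged. The password.key format the later post mentions differs (it is salted with a value kept in settings.db) and is not covered by this block.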
Posts: 38
Eminent Member

I strongly suggest testing it on a "safe" device if it's a sensitive case. There are numerous devices that store encrypted backups of .key files and the settings.db in other partitions.

After reboot the device will try to match hashes with the backup files and restore them eventually, or do a wipe (worst case).

So it's a trial-and-error method anyway.

Posted : 19/12/2013 5:41 pm
Posts: 14
Active Member

Often, you have quite a few options:

- Attempting to read the device as it is with a standard mobile forensics package such as a UFED.
- Attempting to read data via ADB if the device is on.
- Attempting to fastboot a recovery mod with root access, such as CWRM, directly into RAM like a boot CD by using fastboot boot (no one has mentioned this yet?) and doing a full nanddump, for example to a previously wiped SD card you've inserted in the device. This way you often get all the benefits of root access and a recovery mod without rooting or flashing the device.
- Attempting to read the device via a flasher box, such as a RIFF box (you have fairly little risk if you're using jigs and you test the box a few times to see how it works).
- Attempting to read data via ADB.
- Using other rooting methods, such as the auto-root function in Oxygen Forensics.

Often, you can just follow this list from top to bottom…

Posted : 22/12/2013 11:57 pm
Posts: 8
Active Member

A couple of weeks ago, the iPhone world discovered an exploit (not fixed) that allowed anyone to bypass the lockscreen and access the phone, messages, and even pictures.

Well, the bug has been caught in the GS3 world now, too. A few days ago, mobile enthusiast Terence Eden discovered a flaw that also allowed limited access to certain features of your Samsung Galaxy S3, and only in very certain circumstances. And it works no matter what protection you have enabled: Pattern Lock, PIN, Password, or Face Unlock.

Steps to Exploit #1
Lock your phone and turn the screen back on.
Go to Emergency Call.
Select the Emergency Contact icon on the bottom left.
When in the Emergency Contact screen, hit the Home button.
You will see a flash of your Home Screen (no matter what launcher you are using).
In that second when the Home Screen flashes, you can select an app/widget to execute.

The limitations with this exploit are that almost anything you select will run in the background, and you will be back at the lock screen. Where this exploit can be effective is if, let's say, you have a Direct Dial widget on your homescreen. In this case, someone can hit this widget, and the call will go through.

While this is something that should be fixed, it doesn't actually allow you to do much, so really, it's not all that scary. Unfortunately, the fun doesn't end there.

Yesterday, Sean McMillan of Full Disclosure opened up the initial exploit and discovered something much scarier. If successful, not only will this exploit open up the full contents and capabilities of your S3, but it will disable the lock screen completely until the phone is rebooted.

Steps to Exploit #2
Lock your phone and turn the screen back on.
Go to Emergency Call.
Select the Emergency Contact icon on the bottom left.
When in the Emergency Contact screen, hit the Home button.
Immediately after hitting Home, press the Power button.
If you did this correctly, the next time you press Power, your device will go directly to your homescreen.

This is obviously not good. Sean does note that you may need to do this multiple times to get it to work. Also, it doesn't matter what launcher you are using, or whether you are using a lockscreen replacement or not.

In the interest of full disclosure, I tried about 30 times, both with my rooted/modded phone, and with a bone-dry stock phone, and I couldn't replicate it.

But, just because I couldn't do it, doesn't mean it isn't real and dangerous. At this point, there has not been any word out of Samsung regarding this exploit, but I imagine a response and a patch will be on their way shortly.

This tip came from an iPhone repair center, where it's common for people to bring in a phone for fixing and then forget to provide the passcode.
Atif Naser

Posted : 23/12/2013 10:49 am