MediaTek Extraction: Physical Acquisition With File-Based Encryption

Keith: Hey, welcome. This is Keith Lockhart from Oxygen Forensic Training. How’s it going? So listen, here’s a video on some MediaTek extraction, but more specifically when you have a device that’s encrypted (file based encrypted) where the user has gone above and beyond the default_password world, and we not only need to extract that device, ideally physically, but to be able to attack that encryption as well so we can actually get the data we want from the extraction we get.

So, this is kind of new stuff with the latest release of Detective 15.0. I think it’s Build 126 maybe where it’s up to, as well as the Extractor 2.0 world or the 2.5 it’s up to now, but the 2XWizard world. So if you haven’t seen that in a while, you’re going to get a kind of a preview of that and how that works as well as looking at this new MediaTek extraction platform as we talk through it.

So as we do, like, in our extraction class, every platform we address, we kind of talk about the device research associated with that. Meaning, “Hey, do we have a device that is actually susceptible to this exploit or is the right chipset or is there a security patch issue or a firmware,” or whatever it is.

So, I want to make sure we’re going on the right path before I waste a bunch of time and effort. Then we make sure we fully understand the extractor itself and the steps involved in, “Oh wow, I’ve got to stand on my head and, you know, shout at the moon to make this one get into download mode or this, and I have to hold this button this way while pressing that one for 10 seconds.”

And there’s all kinds of variations on how to get devices into the state they need to be in for the extractor to recognize them and work its magic.




And then we extract the data. And it’s kind of interesting, you know, and the ones that we really get wild after, largely because we can attack the encryption.

So, in a disk encryption world, we want to get the encryption attack done first, generally to get the, you know, a master key or key set available to us to unlock the data that we want to go ahead and pull.

In a file-based encryption world, we do it the opposite way and pull all the data first, then go back and read the hardware key information and try to meld that into the magic sauce that lets us get to the keys.

So, this is a file based encryption environment exploit. So, what we’ll see in this video (lucky for video), is I’m going to run the process, but then I’m literally going to let the…I think this is a 128 gig device storage wise, so I’m going to let the entire extraction record so we can get to the end to see what happens.

But, you know, someday when you see this, I’ll be able to rerecord it, narrate over it and fast forward through it. So, thankfully we have that going on our side!

But we really want to get to that encryption attack. And that’s where we can provide, you know…this is where, just like any encryption thing you’ve done over time in your life, because, you know, everybody does that for sure, right? We want to provide good intel to our technology.

I mean, the more we know about our target, the better chances we have, or the better chances our technology has of actually performing an attack and succeeding. So, you know, just for example, I’m Keith Lockhart, if you’ve ever met me in your life, or our lives, you know I’m a sci-fi fan.

So none of my passwords have to do with Star Wars, Star Trek, Mandalorian, you know, things like that. But you’re right there, you’re social engineering me, because now you’re going to go out and web crawl all those websites, make word lists.

Or, you know, in my days of FTK, the best user defined dictionary on the planet is probably an index of somebody’s device, computers, phones, whatever it is. I mean, things about them because boy oh boy, we leave footprints all over the place and we’re human!

You know, you hear me say this again somewhere else in the video I’m sure, but “What do people use for passwords?” And true or false, they use them over and over and over again, even when they work in this industry. So there you go.

And then at the end, you know, maybe a couple troubleshooting things that you might run into in this extraction specifically if the hardware keys aren’t read correctly, you can go back and do that process again.

And it happens, you know, not everything’s 100% all the time. So we want to make sure we cover that so we’ll know how to find our best, easiest remedy right out of the gate. Okay? Let’s have a look at what’s going on here.

Okay, so I’ve got Extractor up and look, let me just give you the quick tour because this is the 2.X interface world I’m talking about.

And what I mean by that is if I go to the tools section and Extractor these days, I can go start this version of the Extractor, which you may have been used to from days gone by, or maybe used to because you use Extractor all the time.

But if you haven’t seen Extractor in a while, check this out! Remember that? And this menu is kind of sparse these days because almost all of these things have been moved over into the new world.

Matter of fact, at this point, even the UICC, the SIM card readers into the new interface also. But these are some old ones and one by one, we’re either, you know, disbanding them or recalculating or constituting them to go into the new environment. And this is what it looks like now.

You know, there’s a couple different views you can put in this layout. I happen to like this kind of concise one, especially from a video perspective where I can just scroll up and down through…There’s the iOS ones and the Android ones and the other category and, you know, little description on a button.

We’re going to use today for this experiment (I went right past it) the MTK Android, right? Not a boot loader modification for a file system extraction, but a physical one where we can attack that encryption, like I said earlier. So, this’ll be our extractor of choice, right this minute.

Over here in the camera window (still on, there we go) I have a Xiaomi Redmi phone, I think it’s Redmi 10, and we’ll look at that here in a second. But I’ll…well matter of fact, let’s look at this now because what I want to be able to do…

Let me just start with the obvious: you know, what model phone is this? (And can I get that in the light?) A 2106119 AL and AG…whatever those letter codes are color variations of these builds. So that’s the model of choice right now.

If I just scroll down through settings here, let’s look at “about phone”. So this is a Redmi 10, it’s got Android 11 on it. And if I look at “all specs”: an Octa-core Max2. And it doesn’t say it right there, but that is a Helio G88, and that is one of them that is the MT6768, I’m pretty sure, which is susceptible to this exploit. And that’s the model 2106119AL.

Right, so if I go back from this just by course of observation, you know, if I lock the phone…oh wait, if I power button the phone, and go to activate it again (I think I have to double tap on it as well) you see me swiping, there is no protection.

All right, let me do that again: I’ll hit the power button and I can just tap myself back into a screen with no protection. Because if I go look at the passwords and security, the screen lock is off. Right, now if I turn that on and let’s actually go initiate a password here, the stronger of all of them.

Remember your password, right? If you forget this, you’ve got to erase everything. 10-4 got that. And it even waits to make sure you’re going to read it. So I got it. And I’m gonna put “oxygen” as a password. “Oxygen”, can’t forget that. Make sure it’s “oxygen”. Good. Continue. And I’ll have to do that again. And “oxygen”. Add a fingerprint? No, cancel that. Now I’ve got a screen lock.

Now it just so happens as part of the mechanics of this infrastructure, that screen lock has now also become the protection for my file-based encryption, okay? So I’m going to go ahead and power button it again, and double tap, and now if I swipe, I got issues, right?

Now, let’s have the conversation for a second. One of the most popular things is, “hey, can you unlock this phone?” Well, that turns into a larger question: “what do you mean unlock this phone? What kind of lock are we talking about? Is it a screen lock password? Is it a secure boot password?”

And you know, this lends to the conversation of: is it before first unlock or is it after first unlock? Because you know, the very first time you turn a phone on, there’s a lot…if it’s encrypted, then secure boot with something changed by the user to their own variation of password protection, that changes everything.

And a lot of things have to happen on that very first phone turn-on to get access to things after that, it’s just a screen lock. Or it could be just, you know, “protecting access to the desktop,” quote-unquote.

So those are really big questions in this regard. And in this case, this particular protection is the protection of protections. So, we’ll need to get that password so we can then use it in conjunction with the meta key or the metadata from the hardware keys that we can go extract later to recreate and exploit this encryption process.

So, I’m going to go ahead and I’ll double tap here and (oops), make sure I’m locked. Okay, so I’m going to hold down the power button and turn the phone off. And you know, just to validate that (here, let me fire the phone back on real quick.) Okay, here we go. Let’s try to get in there, and we’re protected. Good enough. Okay, so I’ll turn the phone off again. And that’s our, you know, basically first preparation.

So, we’ve done some device research, we’ve kind of figured out what’s going off the phone. Actually we’ve prepped the phone the way we need it. Let me come over here and start the MTK Android Extractor.

And, you know, you can tell there’s been an update, we have an update flag or, you know, we have a new button or a new flag, if there’s a new extractor here, then the list, that’s great.

I’m going to go ahead and pick “MTK Android”, and let’s read a little bit: “This method is designed for extracting data from Android devices based on MediaTek chipsets.” Cool. “Extraction of physical image and the hardware encryption keys is supported for devices based on the following sets: MT (MediaTek) 6580, 6737, 6739, 6753, 6765, 6785 and 6768, (which I believe this one is, we’ll see.)”

It’s funny because I have a couple 6737s that I haven’t been able to get into. But like, any good cold case device as Extractor updates, I’m always going backwards to see.

So, you know, if I look at the list of supported devices I filter down to 1416, that’s always cool. I’ll go back to my methods here. (Whoops, and I’ll just jump back in there I guess.)

And when you got…during the extraction process, you might have to disconnect it during the extraction and put it back on the cable. I’ve had to do that before, and have not had to do that before sometimes so…but be prepared for that. In the middle of the extraction you may come back and it could be sitting there saying, “hey, yeah, unhook and hook back up the device”.

“Encryption is enabled on the device but the hardware keys could not have been read. User data will be unaccessible.” That stands to reason. But one of our best troubleshooting options is right here, “Hey, let’s hook the device back up and extract the hardware keys again.”

Hardware keys, right? So I have to have the hardware, physical device, in conjunction with the blob of data to get the data I need, and we can actually see this process and show what it looks like when it works.

Okay? “Make sure the preloader driver’s in here” fair enough. If not, it’s going to point you to them to install them. And look if it’s not loading in normal mode after you’re done, then pull the battery and whatever.

But every time I’ve done my device here on, on the particular Redmi 10 I can just mash the power button down until it cycles itself and it comes back just fine. Fully charge that, you know, it’s kind of common, some will 80% or higher.

It’s always good practice to have, you know, a full charged device if you’re going to do something like this. And you might need to disable the download agent authority. And that’s a tick box we’ll hit during the process anyway, it’s no big deal, as part of the extraction to overcome the security of the exploit.

Okay, so I’ve got a pass set, I’ve got 161 gig available, that’s good considering the size of the device. If I do this, it’s going to go out there, the Extractor is going to go out there and say, “Okay listen, your drivers are good. What download agent do you want to use for this device?”

And a whole plethora of them are available. Here’s some great, you know, an all in one with security patch, all in one that doesn’t have that. A bunch of device specific ones. You can load your own. I mean, you can make your own download agent files for devices.

So, I’m just going to pick (because I know it’s going to work) is this all in one default one. I’ll go ahead and tick the “disabled DAA protection”, and I’ll click “connect”. Now, while we’re here, there’s the blue line, “turn off the device”.

I’m going to go ahead and hit the “I” for information here and just read for a second. “Connecting an MTK device or a MTK device. Disconnect from the cable. Turn the device on and off. Switch it off and then connect it. If can’t switch it off, hold the battery, then connect it. Some devices you might have to hold down volume up and volume down at the same time to connect it!”

And this is one of those devices, so, you know, in the first couple times you try and don’t succeed, oh yeah, this could be a volume up/volume down one. Fair enough. We’re going to have to do that. So, I’ll just go there.

And it’s waiting, it’s looking now. So, on my device I have a USB-C cable here, and I’ve got a port at the bottom, USB-C port. So I’m going to come to the device and here on the volume up and down, here we go with both at the same time. (Oh there’s me!)

And I’ll plug in. And cool, I get the “MTK 6768 chipset recognized”. And, you know, this is a good sign when you see nothing, that’s fantastic. And I’ll go ahead and start the extraction. So, it reads some device parameters and off it goes.

So, not that you’re going to know that I’m going to set my headset down, but I’m going to set my headset down and go do something for the next foreseeable amount of time, and we’ll be able to fast forward at the end.

At the end though you’ll note (and watch for this) “encryption type check”, yes, it’s file based encrypted. We’re going to expect to see that, right? And all Androids, they are encrypted. Just the problem occurs when somebody changes some of the default values of the encryption mechanism.

So, good, okay, we’ll see each other back here and quite a bit of time and then we’ll figure out how this works at the end.

Okay, so now that that’s done, or finishing up here shortly, I want to talk about two other things before we finish kind of the part one of this experiment and move into part two, which would be the actual decryption attack. And that occurs when you import this extraction into Detective.

So, the first thing we want to do is look at the extraction itself. And I’m jumping ahead just a tiny bit, but as soon as the extraction completes and the hash value’s calculated, we’re at the screen where we can either import the data into detective or view it.

So, I’m jumping ahead like we’re viewing it, and we’re actually going to cut a little time out of the hashing portion so we can get to this quicker. But here’s what the view looks like.

So, obviously here’s the large BIN file that is the physical extraction, and several other things including a key.json file, and a cache folder which is full of all kinds of good proprietary things that help us do our magic.

So, I’ll just go back here and look at the keys.json and note that the time, the last modified time, is 5:10pm. That’s going to be important when we utilize that second feature of extracting hardware key information, you know, kind of after the fact. Maybe something didn’t work correctly the first time, but I do want to show that troubleshoot. So, we use this small video to accomplish seeing the key structure as we go do the troubleshoot.

Okay, and the second thing is the encryption type. And you can see just underneath the image extraction line that the type check occurs. The encryption type is validated as file-based encryption and we expected that. But that’s just back to say “Listen, today it’s all encrypted.”

The real problem set arises when somebody changes the default encryption variables. So, that occurs in this instance, and you know, it says in the description there may be a dual opportunity to disconnect and reconnect the device.

It even listed right there and the extraction of hardware keys steps before they started that it wanted to disconnect and reconnect the device. As I said in the beginning, I’ve had to do that before and not had to do that before.

So, you know, if you don’t have to do it, everything might be splendid, if you have to do it, everything is usually splendid either way. So, in this case it blew right past that, read the hardware keys and is calculating the hash.

So, as I said, I’m going to kind of cut this right here and end up at the end of that process so we can view the data and import it into Detective.

Okay, and after the cut we’re done and here’s our success. We see we have the entire extraction completed and we have the option to open extracted data and show extracted data.

So, the show is the short window-based file explorer view we looked at a minute ago. But the open extracted data is going to be the process of importing that into Detective, and that’s where we meet the rubber on the road magic portion of attacking the encryption.

Okay, so back to the full screen, let’s import it. So, I’m going to open extracted data, here I go. This automatically opens Detective. (Okay, just throwing a little fade, Hollywood magic there to get a big screen for a Detective.)

So, it’s going to bring up our extraction screen. Again, not a Detective class, but I am going to go in and turn off the analytic options of facial recognition, optical character recognition and image categorization just to speed things up even though we’re not going to go that far. Kind of an old habits die hard thing.

And, you know, from an extraction perspective I’m going to pretend I don’t know the password because that’s half of our battle right here. So, I’ll click import and we’ll get an import notification down here as that process starts.

But as it occurs, we should get the recognition of, “Hey listen, there’s a problem here, user. That’s right, this is password protected, you need to attack it.” Or, you know, more simply said, “Use Passware Kit Mobile to retrieve the password”.

Now there’s a whole treasure trove of education on Passware that’s included in Detective, by the way, this is nothing that you don’t have. But what I am going to do is at least look at the selected algorithms. I have enough intel to know it’s a password, the pins and the patterns and swipe code stuff, not interested because I know that’s not it.

It’s blue, which means I can change it, so I’m going to click that. And just looking at our custom attack world, I’m not even going to go through the process of building a custom attack because I have some in here.

And all of these three happen to be the English language dictionary and no concatenation, no spelling, no craziness, just trying words in the English language. Now you remember “oxygen” is in there. So, if I just tick that, and I’m going to turn off patterns, and I’ll turn off pins, just that one, and close that.

Now that’s my custom attack. Don’t know what I’m checking yet, but I’m going to click the start button and let it queue itself up.

Now look, this could be the case of the year or the investigation of the year or the matter of the year or the make or break, got to get this, let it go to the end, whatever. So the attacks have process checked 7,639…well, you know, what?

Hold on a second. Let’s see where we get here. 16,000. We might get to the end of this and get “oxygen”, let’s see. At no time do my fingers leave my hands. Well that’s smoking. 30,000, 40,000 and oh, look at that. So, down at the bottom right here, you can see the password “oxygen” was found in that dictionary attack. Fantastic. And this import occurs.

Okay, so, I don’t even care about that at the moment. I’m just going to go ahead and start Extractor again, because I want to finish this conversation with that troubleshoot.

Let’s say, you didn’t find the password, you’re like “man, dang, I know that’s in there. I’m sure everything worked out right.” Who knows for whatever reason. I’m going to go back to the methods, and let’s go find MTK Android again.

Now remember, here’s our extraction world. My keys.json file was modified at 5:10, okay? Don’t forget that part. I’ll just move this up here and I’m going to come back in this time extract hardware keys.

Now I’m gambling because my phone is still sitting hooked up like it was when we started, haven’t touched it. Hope it’s still plugged in. Hope it didn’t run out of power or anything like that. Falling out of a plug.

But let’s see. I’ll jump in the folder. I’m going to grab the BIN file, because we need that. The information we want is in there compared with information from the device itself. I’ll open it, it’s looking for the driver check, should get a check mark there.

Looking for encryption. Should get a check mark there, file-based, good. I’m gonna go ahead and tick the “disabled DAA” and start the hardware key read. “Disconnect from the cable, turn it on, turn it off and reconnect it.” So let’s see if I can’t get my camera back here.

Okay, so here’s the device still and it wants to turn on, turn off and reconnect it. So, here we go. I’m going to disconnect from USB, as it said, I’ll turn it on. So, we’ll get it booted up and it should boot up to the password protection screen like we had seen before.

Turn on to find the device. Still good there. Okay, I’ll turn it off. Oh, I’ll turn it off. So, remember this is a volume up/volume down conversation. So I’m just going to grab the device and do volume up and volume down together and plug it in.

And you can see the device connection and the hardware key read and everything’s done just like that. We have green check marks through and through. But let’s check here. Here’s my key.json now at 2:53am modified right now with a read right then.

And I’ve got a new cache folder with all the same proprietary good stuff that we need to incorporate the magic. So, that’s just a quick example of the troubleshoot on rereading the keys, including the device and the previously extracted data.

Okay, listen, that’s the…I guess a 25 minute preview of the MTK update. Pretty cool. Always love it. And we can save sending phones away for other people to break them open for us.

You know, and this is the full iteration of, “Hey, can you get into this phone? Can you unlock this?” All the way through to a secure boot and the file based encryption key recovery, so we can import things and do what we want, just a quick check here.

Oh look, password, the “oxygen”’s still there. Open the extraction so we can see that we succeeded. And look, we’ve got not just files, but actual data. Okay? As I would always say, keep on learning. Thanks for watching. Catch you later.
