Today we are going to talk about unlocking Android mobile devices. There are two main types of locks: Pattern and PIN/Password. To crack either one, a forensic examiner needs to extract one or two files from the mobile device. Of course, there is no universal solution, but there are three main options:
To crack a Pattern lock you need just one file, gesture.key, located at /data/system/. This file contains an unsalted SHA-1 hash of the device's Pattern lock. The number of patterns is limited because each number (0 – 8) can be used only once. To crack it, a rainbow table with all possible variations needs to be created. We are not going to reinvent the wheel, because talented digital forensics analysts from CCL have already created a Python 3 script that solves the problem. You can download it here. Run the script and in about 30 minutes you'll get an SQLite database with all possible pattern hash variants. Now you can search the DB for the hash extracted from your gesture.key file.
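The following is an added example, not the CCL script and not code from the original article. It shows why an unsalted hash over so small a space gives no protection once the file is in an examiner's hands. It assumes the hashed input is one raw byte per node index and that a pattern uses at least four nodes; the function names are hypothetical.

```python
import hashlib
from itertools import permutations
from math import perm

NODES = range(9)  # 3x3 grid nodes, numbered 0-8


def pattern_hash(pattern):
    """Unsalted SHA-1 over one raw byte per node index (assumed gesture.key layout)."""
    return hashlib.sha1(bytes(pattern)).digest()


def candidate_count(min_len=4, max_len=9):
    """Upper bound on the search space: ordered selections of distinct nodes.

    min_len=4 is an assumption (the shortest pattern the lock screen accepts).
    """
    return sum(perm(len(NODES), k) for k in range(min_len, max_len + 1))


def recover_pattern(gesture_key, min_len=4, max_len=9):
    """Return the node sequence whose hash equals gesture_key, or None."""
    if len(gesture_key) != hashlib.sha1().digest_size:
        raise ValueError("expected a 20-byte SHA-1 digest")
    for length in range(min_len, max_len + 1):
        for candidate in permutations(NODES, length):
            if pattern_hash(candidate) == gesture_key:
                return list(candidate)
    return None


if __name__ == "__main__":
    # Constructed sample: digest of an L-shaped pattern, standing in for
    # the contents of a gesture.key file taken from an acquired image.
    sample_key = pattern_hash([0, 3, 6, 7, 8])
    print("candidates:", candidate_count())
    print("recovered :", recover_pattern(sample_key))
```

Because the hash is unsalted, the same digest always maps to the same pattern on every device, which is what makes a precomputed table reusable across cases.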
To crack a PIN or password you need two files. The first file is password.key, located at /data/system/; the second is settings.db (for Android prior to 4.4), located at /data/data/com.android.providers.settings/databases/, or locksettings.db (for Android 4.4 and higher), located at /data/system/. We need two files instead of one because this time the hash is salted. In settings.db the salt can be found in the "secure" table; in locksettings.db it is in the "locksettings" table. Use your favourite SQL browser to find the lockscreen.password_salt key. Of course, if you are a hex editor addict, you can use your favourite tool. Now it's time to use oldy-moldy brute-force. And again, CCL has a Python 3 script to solve the problem. It can be downloaded here. To start cracking, run the script with the hash, the salt and the max code length (4 – 16) filled in.
To tell the truth, you don't even need to crack the Pattern, PIN or password. You can bypass it by deleting the relevant files. Of course, this is not forensically sound. Nevertheless, it is the only way to bypass locks on Lollipop devices.
Great article –
One question: If an Android device is screen locked with a pattern, and one cannot get to the “Trust this device” check box on the Android device’s screen, then how does one access the gesture.key file located at /data/system/, which I assume resides on the locked Android device?
Hello, Laurence! Thanks for your comment, we appreciate it. You’ll find the answer to your question in this article: