Partnership with the CCL Group brings new Android password carver to UFED Physical Analyzer

As useful as our Android pattern/PIN/password lock bypass is to so many of our customers, at times, the password itself is needed. Perhaps a forensics examiner wants to validate extraction results manually, or believes the same password protects a different device.

Still, not all physical extractions are automatically decoded. Without the file system reconstruction that decoding provides, examiners must manually carve the password from wherever it is stored within the device’s operating system. This can add time to the forensic process, especially if the examiner must refer the device to a specialist. It might even be impossible if the examiner lacks carving skills, or the access to an expert who has them.

With our soon-to-be-released UFED Physical Analyzer 3.7, we’re pleased to introduce a new Android password carver—thanks to the efforts of the CCL Group, the United Kingdom’s largest private digital forensics company. Having produced 300 scripts as part of its digital forensics research and development efforts, last year CCL Group’s lab developed a Python code that could carve a numeric password from an Android physical extraction or from third-party image files.

The premise, as they explained in their blog:

As with the pattern lock the code is sensibly not stored in the plain, instead being hashed before it is stored. The hashed data (both SHA-1 and MD5 hash this time) are stored as an ASCII string in a file named passcode.key which can be found in the same location on the file system as our old friend gesture.key, in the /data/system folder.

However, unlike the pattern lock, the data is salted before being stored. This makes a dictionary attack unfeasible – but if we can reliably recover the salt it would still be possible to attempt a brute force attack.

The CCL developers made their code openly available for other researchers to dig into. Cellebrite’s co-CEO and Chief Technology Officer, Ron Serber, believed that the code was a natural fit within the UFED Physical Analyzer platform.

However, the code was written independently of our infrastructure. With CCL’s permission and partnership, we rewrote the Python code so that it could be used within our platform. On its own or as part of a plugin chain, the carver enables recovery of numeric passwords from physical image files extracted by UFED, JTAG, chip-off or other tools.

We’re introducing the carver together with UFED Physical Analyzer 3.7 in just a few days. Current license holders will receive an email with download links; if you’re not a current customer, please download our free UFED Physical Analyzer 30-day demo.

How our forensic R&D makes the previously impossible, possible

Before we launched our HTC and Motorola user lock bypass, our forensic customers had to go to through a painstaking process to recover data from these Android devices: obtain a search warrant to serve on Google, either to recover backup data or to obtain or reset the device user lock. In some cases, such as with a phone that was turned off, they may even have had to serve paper on the carrier as well.

This process could lead to delays because it could take days or even weeks to secure the paperwork and reach a law enforcement liaison. The providers’ success was limited by the type and complexity of the user lock—if they agreed to comply at all. This could slow down or altogether halt investigations’ progress.

Thanks to our work on this bypass, a number of happy customers have been able to access critical evidence which they previously could not. Said Deputy Steven Mueller of the Defiance County (Ohio) Sheriff’s Office and the Northwest Ohio Technology Crimes Unit: “I was given a HTC PD15100 in December with a pattern lock. I was unable to acquire it then. Today with the updates it is being acquired as I write this.” Mueller later updated us that he and his team were able to successfully carve graphics files from the image.

To learn more about how to perform user lock bypass and file system or physical extraction on HTC Android devices, see our new video:

Takeaways from “Mobile Evidence in Modern E-Discovery”

Tuesday, SANS instructors Paul Henry and Benjamin Wright joined Cellebrite’s forensic technical director, Yuval Ben-Moshe, for our joint webinar: Mobile Evidence in Modern E-Discovery. Ben discussed the need for policy that protects both employer and employee during collections, especially in BYOD organizations. Paul talked about the technical aspects of obtaining all necessary responsive data. And Yuval went over mobile forensics requirements, as well as the potential for alternative mobile forensics roles such as audits.

Questions and answers

Participants asked Ben, Paul and Yuval a number of good questions:

Q. Have the courts upheld the right of an employee to forcibly take hold of an employee’s personal device?

A. Ben noted that most precedent around mobile devices involves laptops. While no case stands out as the definitive precedent, he said it was likely that courts have upheld the employer’s right to seize any device deemed to hold evidence important to that employer.

Paul added that according to a December ZDNet article, an employee sued and won a sizable settlement after the employer wiped their personal device.

Q. If an employer/university is monitoring their own systems, can they get in trouble for seeing and/or collecting in logs Facebook or other personal site passwords that traverse their network?

A. Ben said that in situations where monitoring is an unavoidable part of security policy, it is wise for employers to be completely transparent about what they are doing, why they are doing it, and the risks it poses to their employees.

Q. Wouldn’t it be wise to do both a logical analysis–quick and easy to find data–and then pursue the physical data with a more intrusive analysis if necessary after the logical analysis?

A. Paul agreed with this assessment, saying that as often as he can, he starts with a basic logical extraction. This helps him define search terms and other examination goals so that his physical extractions are more efficient. In addition, logical extractions can validate existing data found during physical extractions, while using a tool such as a hex editor can validate logical extractions as well.

Q. MPE+ recently added support to port collections to Summation and the like. Is that coming down the pipeline for Cellebrite? If so, what is the anticipated launch date?

A. Yuval told listeners that UFED XML reports can already be ingested in tools such as Exterro Fusion, Nuix, Palantir and others. Moving forward, we plan to increase the number of systems with which we integrate.

Q. When will Cellebrite support BlackBerry 10?

A. Although Yuval could not provide a specific date, we will support logical extractions from BlackBerry 10 in an upcoming release.

Finally, we saw one question we didn’t get a chance to respond to: “Are you saying that because a tool is available to audit mobile devices, it should be done, regardless of the cost of implementing such systems/agents to the data?

No. Not all businesses have a need to audit their employees’ mobile devices. Rather, what we were saying is that mobile forensics tools like Cellebrite UFED make it easier to perform audits when they are called for. A basic logical or even limited file system extraction can be done in minimal time, can ensure compliance with any internal policy or industry regulation, and finally, provides existing data in the event of litigation.

Webinar poll questions

We asked three questions during the webinar:

  1. Does your employer/clients have a policy governing audits and collections?
  2. How often have you encountered mobile devices in your e-discovery in the past year?
  3. How do you manage forensics and/or collections?

In response to the first question, whether employer or clients had a policy governing audits and collections, 7% of our 54 respondents said their employer or client had a policy that covered both issued and BYO devices. Eight percent said BYOD was not permitted but that policy covered issued devices. Another 8% said their employer or client had no policy at all. Meanwhile, 15% said their employer or client both issue devices and permit BYOD, but do not have a policy for BYOD collections.


In response to the second question, how often they had encountered mobile devices in e-discovery in the past year, one-quarter of the 54 respondents said they had never encountered mobile evidence. Nine percent said they had encountered them between 1 and 5 times, while just 2% said they had seen mobile devices in their e-discovery more than six times in the past year.


Finally, asked how they manage mobile forensics and/or collections, 24% said they did so in-house. Only 3% each said they outsource directly, or belonged to a firm that performed forensics and/or collections for enterprise and law firm clients. One respondent each said they outsourced to a lawyer who employs a forensic examiner, or outsourced to a lawyer who in turn outsourced to a third party.


Additional resources

The webinar archive is available now from SANS. If you previously registered, you can view it at the webinar link. If you did not previously register, login with your SANS account to view and hear the archive.

We’re also making available a white paper. “Asking and Answering the Right Questions About Mobile Forensics Methods” is for attorneys employing or outsourcing to a digital forensic examiner, or consulting forensic examiners seeking to help attorneys better understand what you do. Download it here to learn more about effectively communicating with one another via proper documentation and other channels.