As useful as our Android pattern/PIN/password lock bypass is to so many of our customers, at times, the password itself is needed. Perhaps a forensics examiner wants to validate extraction results manually, or believes the same password protects a different device.
Still, not all physical extractions are automatically decoded. Without the file system reconstruction that decoding provides, examiners must manually carve the password from wherever it is stored within the device’s operating system. This can add time to the forensic process, especially if the examiner must refer the device to a specialist. It might even be impossible if the examiner lacks carving skills, or the access to an expert who has them.
With our soon-to-be-released UFED Physical Analyzer 3.7, we’re pleased to introduce a new Android password carver—thanks to the efforts of the CCL Group, the United Kingdom’s largest private digital forensics company. Having produced 300 scripts as part of its digital forensics research and development efforts, last year CCL Group’s lab developed a Python code that could carve a numeric password from an Android physical extraction or from third-party image files.
The premise, as they explained in their blog:
As with the pattern lock the code is sensibly not stored in the plain, instead being hashed before it is stored. The hashed data (both SHA-1 and MD5 hash this time) are stored as an ASCII string in a file named passcode.key which can be found in the same location on the file system as our old friend gesture.key, in the /data/system folder.
However, unlike the pattern lock, the data is salted before being stored. This makes a dictionary attack unfeasible – but if we can reliably recover the salt it would still be possible to attempt a brute force attack.
The CCL developers made their code openly available for other researchers to dig into. Cellebrite’s co-CEO and Chief Technology Officer, Ron Serber, believed that the code was a natural fit within the UFED Physical Analyzer platform.
However, the code was written independently of our infrastructure. With CCL’s permission and partnership, we rewrote the Python code so that it could be used within our platform. On its own or as part of a plugin chain, the carver enables recovery of numeric passwords from physical image files extracted by UFED, JTAG, chip-off or other tools.
We’re introducing the carver together with UFED Physical Analyzer 3.7 in just a few days. Current license holders will receive an email with download links; if you’re not a current customer, please download our free UFED Physical Analyzer 30-day demo.