Learning Android Forensics (2nd Edition): Analyze Android devices with the latest forensic tools and techniques

Authors: Oleg Skulkin, Donnie Tindall, Rohit Tamma
Publisher: Packt. Published in Dec 2018. Paperback, 328 pages. ISBN-13 9781789131017
Table of Contents (12 chapters)

Preface
1. Introducing Android Forensics
2. Setting up the Android Forensic Environment
3. Understanding Data Storage on Android Devices
4. Extracting Data Logically from Android Devices
5. Extracting Data Physically from Android Devices
6. Recovering Deleted Data from an Android Device
7. Forensic Analysis of Android Applications
8. Android Forensic Tools Overview
9. Identifying Android Malware
10. Android Malware Analysis
11. Other Books You May Enjoy

Bypassing Android lock screens

Lock screens are the most challenging aspect of Android forensic examinations. Frequently, the entire investigation depends on the examiner's ability to gain access to a locked device. While there are methods to bypass them, this can be highly dependent on the OS version, device settings, and technical capabilities of the examiner. There is no magical solution that will work every time on every device. Commercial forensic tools such as Cellebrite and Oxygen have fairly robust bypass capabilities, but are far from infallible. This chapter will show how an examiner can increase their odds of bypassing locked devices with free tools and methods.

An examiner should never attempt to guess a pattern/PIN/password on the device. Many manufacturers implement a setting that will wipe the device after a number of failed attempts. Many also allow the user to lower that number.

Lock screen types

There are many methods used to secure a device, and the methods for bypassing each vary:

  • None/slide
  • Pattern
  • PIN
  • Password
  • Smart Lock: Trusted Face, Trusted Voice, Trusted Location, Trusted Device, On-body Detection

Other security options may exist; as Android is open source, the possibilities are only limited by the developer's imagination. These are the options that are available in the stock version of Android Oreo released by Google. Most security options used by vendors generally use one of these stock options as a failsafe in case a user is unable to log in with their unique options. Where a version is given for when a setting was first introduced, that also refers to stock Android; various manufacturers may have implemented it sooner.

None/Slide lock screens

The Slide to unlock screen is the default setting of most Android devices. It provides no level of security, and is bypassed by sliding a finger on the screen in the indicated direction.

Pattern lock screens

Pattern lock screens are the iconic Android security method. Frequently referred to as swipe codes or similar names, these require the user to trace a pattern on the device with a finger. A common bypass for this lock is the smudge attack, looking for patterns left on the screen by the user's finger.

Password/PIN lock screens

Users familiar with Apple's iOS will recognize this option. It requires a user to type a password or PIN in order to unlock the device. These are lumped together because, forensically, they are identical: they store their passwords the same way.

Smart Locks

Smart Lock is a term introduced in Android Lollipop, although the Face unlock option was previously available. They require a specific condition to unlock the device: a user's face must be recognized, the user must be in a known location, or a specific other device must be nearby.

Trusted Face

Face unlock works exactly as it sounds: it uses facial recognition to determine whether the user has previously been set up as a trusted user. Older versions of Face locks were easily fooled by pictures of a trusted user, though newer versions may require the user to blink in order to unlock the device.

Trusted Voice

The OK Google phrase can be used by the user to unlock the phone. This type of lock isn't available on many devices, as the phone has to actively listen for the user's voice while the screen is off, and it drains the battery.

Trusted Location

Trusted Location is also commonly referred to as geo-fencing. If a user is in a location that has been marked as trusted (such as home or work), the device will not lock. There's no input required from the user, but the GPS must be enabled.

Trusted Device

Trusted Device works via Bluetooth; if a device that has been set up as a trusted device is nearby, the lock screen will be disabled. This may be used with smart watches, vehicles that pair over Bluetooth, Bluetooth headsets, or any other Bluetooth-capable device.

On-body Detection

On-body Detection uses the phone's motion sensors, for example, the accelerometer and gyroscope, to keep it unlocked while it's in the user's hand, pocket, or bag.

All Smart Lock options require a pattern/PIN/password as a backup security method. This means we only have to learn how to bypass patterns/PINs/passwords in order to crack all of the security options.

General bypass information

In all cases, bypassing the lock screen will require retrieving a file from the device. Pattern locks are stored as hash values at /data/system/gesture.key and PIN/password locks are stored as hash values at /data/system/password.key (up to Android 5.0, Lollipop). Additionally, the password.key hash is salted; the salt value is stored at /data/data/com.android.providers.settings/databases/settings.db prior to Android 4.4, and /data/system/locksettings.db on devices running Android 4.4 and later.

Android 6.0 (Marshmallow) introduced Gatekeeper password storage—a new level of obfuscation to PIN and pattern locks. Now, the locks are stored in gatekeeper.pattern.key and gatekeeper.password.key and no longer use hashes. Gatekeeper uses Hash-based Message Authentication Code (HMAC) with a hardware-backed secret key to manage and verify passwords.

If the device is locked, how is an examiner supposed to access these files? Again, there is no magic solution that works every time, but some options are as follows:

  • ADB:
    • Requires root
    • Requires USB Debugging
    • Requires Secure USB Debugging pairing (depending on OS version)
  • Booting into a custom Recovery Mode:
    • Does not require root (root will be given through the recovery image)
    • Does not require USB Debugging (accomplished via fastboot)
    • Does not require Secure USB Debugging (this is bypassed entirely)
    • Requires an unlocked bootloader
    • Won't work on devices with encrypted userdata partition
  • JTAG/Chip-off:
    • Highly advanced
    • Does not require any specific device settings or options
    • Won't work on devices with encrypted userdata partition

Removing Android lock screens

A PIN or password can be bypassed by simply overwriting or deleting the files. However, this is changing the original evidence and may not be forensically valid in your jurisdiction.

Removing PIN/password with ADB

Depending on the device you are examining and its operating system version, you may need to delete different files. If the device contains *.key files under /data/system/, you need to remove these files; if there are no such files, you may need to remove locksettings.db, if possible, or update some of its records (see the next section).

Here is how to remove the files of interest via ADB:

adb shell
su
cd /data/system
rm *.key

Now the device should be rebooted. After the reboot, there will be no PIN or password.

Removing PIN/Password with ADB and SQL

There are no *.key files on recent Android devices, such as those running Oreo or Pie, but there is still the locksettings.db database under /data/system.

Here is how to remove the PIN or password by making changes in this database:

adb shell
su
cd /data/system
sqlite3 locksettings.db
update locksettings set value=0 where name='lockscreen.password_salt';
update locksettings set value=0 where name='sp-handle';
.quit

Reboot the device and the screen lock will be removed.
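Because both procedures above alter original evidence, an examiner will want a documented copy of the lock-screen artifacts before anything is deleted or updated. The following script is an added example, not code from the book: it preserves the artifact files this chapter names (gesture.key, password.key, the gatekeeper.*.key files and locksettings.db) with a SHA-256 manifest, and reports which of the two procedures applies to a given /data/system listing. It assumes a rooted device reachable via adb with a working su, and that sha256sum is available on the examiner's workstation.

```shell
#!/bin/sh
# Added example (not from the book). Assumes a rooted device reachable via adb
# with a working "su", and sha256sum on the examiner's workstation.

# Artifact names the chapter identifies under /data/system. The gatekeeper.*.key
# files (Android 6.0+) hold HMACs computed with a hardware-backed key, so they are
# preserved for the record but cannot be interpreted offline.
LOCK_ARTIFACTS="gesture.key password.key gatekeeper.pattern.key gatekeeper.password.key locksettings.db"

# Decide which procedure from the chapter applies to a directory listing:
#   key-files    -> remove the *.key files
#   locksettings -> update records in locksettings.db
#   none         -> nothing the chapter covers is present
bypass_method() {
    dir=$1
    for f in "$dir"/*.key; do
        if [ -e "$f" ]; then echo key-files; return 0; fi
    done
    if [ -e "$dir/locksettings.db" ]; then echo locksettings; return 0; fi
    echo none
}

# Write a SHA-256 manifest of the artifacts present in $1 to $2 and print how many
# were recorded. Run this on the pulled copies BEFORE deleting or updating anything.
write_manifest() {
    dir=$1; manifest=$2
    : > "$manifest"
    for name in $LOCK_ARTIFACTS; do
        if [ -f "$dir/$name" ]; then sha256sum "$dir/$name" >> "$manifest"; fi
    done
    wc -l < "$manifest" | tr -d ' '
}

# Pull the artifacts from the connected device into $1 and record the manifest.
# exec-out is used instead of "adb shell" so binary files are not line-ending mangled.
pull_from_device() {
    out=$1; mkdir -p "$out"
    for name in $LOCK_ARTIFACTS; do
        adb exec-out "su -c 'cat /data/system/$name'" > "$out/$name" 2>/dev/null
        if [ ! -s "$out/$name" ]; then rm -f "$out/$name"; fi   # absent on this device
    done
    write_manifest "$out" "$out/manifest.sha256"
}

# Constructed stand-in for a pulled /data/system directory, used for offline checks.
make_sample() {
    d=$(mktemp -d)
    printf 'constructed gesture.key content' > "$d/gesture.key"
    printf 'constructed locksettings.db content' > "$d/locksettings.db"
    echo "$d"
}
```

Call pull_from_device with an output directory on the workstation before running either removal procedure; the manifest then documents the pre-modification state of the files.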
