Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices

Product type Paperback
Published in Apr 2020
Publisher Packt
ISBN-13 9781838647520
Length 400 pages
Edition 4th Edition
Authors (4): Heather Mahalik, Oleg Skulkin, Rohit Tamma, Satish Bommisetty

Table of Contents (18 chapters)

Preface
1. Introduction to Mobile Forensics
2. Section 1: iOS Forensics
3. Understanding the Internals of iOS Devices
4. Data Acquisition from iOS Devices
5. Data Acquisition from iOS Backups
6. iOS Data Analysis and Recovery
7. iOS Forensic Tools
8. Section 2: Android Forensics
9. Understanding Android
10. Android Forensic Setup and Pre-Data Extraction Techniques
11. Android Data Extraction Techniques
12. Android Data Analysis and Recovery
13. Android App Analysis, Malware, and Reverse Engineering
14. Section 3: Windows Forensics and Third-Party Apps
15. Windows Phone Forensics
16. Parsing Third-Party Application Files
17. Other Books You May Enjoy

Screen lock bypassing techniques

Because of increased user awareness and the ease of enabling it, the use of passcode options to lock Android devices has grown rapidly. This means that bypassing the device's screen lock during a forensic investigation becomes increasingly important. Which of the screen lock bypass techniques discussed here applies depends on the situation. Note that some of these methods will make changes to the device. Make sure that you test and validate all the steps listed on non-evidentiary Android devices. You must have authorization to make the required changes to the device, document all steps taken, and be able to describe the steps taken if courtroom testimony is required.

Currently, there are three types of screen lock mechanisms offered by Android. Although there are some devices that have voice-lock, face-lock, and fingerprint-lock options, we will limit our discussion to the following three options, since these are the most widely used on all Android devices:

  • Pattern lock: The user sets a pattern or design on the phone and the same pattern must be drawn to unlock the device. Android was the first smartphone to introduce a pattern lock.
  • PIN code: This is the most common lock option and is found on many mobile phones. The PIN code is a four-digit number that needs to be entered to unlock the device.
  • Passcode: This is an alphanumeric passcode. Unlike the PIN, which takes four digits, the alphanumeric passcode includes letters as well as digits.

The following section details some techniques you can use to bypass these Android lock mechanisms. Depending on the situation, these techniques might help an investigator to bypass the screen lock.

Using ADB to bypass the screen lock

If USB debugging appears to be enabled on the Android device, it is wise to take advantage of it by connecting with adb over a USB connection, as discussed in the earlier sections of this chapter. Connect the device to the forensic workstation and issue the adb devices command. If the device shows up, USB debugging is enabled. If the Android device is locked, you must attempt to bypass the screen lock. The following two methods may allow you to bypass the screen lock when USB debugging is enabled.
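The state column that adb devices prints tells you more than whether the device "shows up": device means USB debugging is on and this workstation's adb key has been accepted, unauthorized means debugging is on but the device never confirmed the "Allow USB debugging?" prompt for this workstation, and offline means the device was seen but is not answering. The following shell script is an added example, not code from the book or from the Android SDK; it parses adb devices output and records that distinction so it can be documented before any change is made to the device. The sample output it runs over is constructed, and the serial numbers in it are made up.

```shell
#!/bin/sh
# Added example (not from the book): classify what `adb devices` reports so the
# examiner can record, before anything else is tried, whether USB debugging is
# enabled and whether this workstation is already authorized. Live use:
#     adb devices | adb_classify
# A constructed sample stands in for the live command so the script runs offline.

# Constructed sample in the layout `adb devices` prints (serial, TAB, state).
# The serials are invented placeholders.
SAMPLE_ADB_OUTPUT='List of devices attached
0123456789ABCDEF	device
ZY22AAAAAAA	unauthorized
emulator-5554	offline
'

# adb_classify: read `adb devices` output on stdin and print one line per device:
#   <serial> <state> <meaning>
# "device"       -> USB debugging is on and this workstation's adb key was accepted
# "unauthorized" -> USB debugging is on but the device has not accepted this key
#                   (the "Allow USB debugging?" prompt was never confirmed here)
# "offline"      -> the device was seen but is not answering adb
adb_classify() {
    # Default IFS splits each line into serial, state and (for `adb devices -l`)
    # any trailing description fields.
    while read -r serial state _rest; do
        case "$serial" in
            ''|List|'*') continue ;;   # blank line, "List of devices attached", daemon chatter
        esac
        case "$state" in
            device)       meaning='usb-debugging-on,workstation-authorized' ;;
            unauthorized) meaning='usb-debugging-on,workstation-not-authorized' ;;
            offline)      meaning='seen-but-not-responding' ;;
            *)            meaning='unknown-state' ;;
        esac
        printf '%s %s %s\n' "$serial" "$state" "$meaning"
    done
}

# adb_has_authorized_device: succeed (exit 0) only if at least one device is in
# state "device", i.e. an adb shell could be opened from this workstation as-is.
adb_has_authorized_device() {
    adb_classify | awk '$2 == "device" { found = 1 } END { exit found ? 0 : 1 }'
}

# Stand-alone run over the constructed sample.
printf '%s' "$SAMPLE_ADB_OUTPUT" | adb_classify
if printf '%s' "$SAMPLE_ADB_OUTPUT" | adb_has_authorized_device; then
    echo "at least one authorized device: adb shell is available"
else
    echo "no authorized device: record the state and check the prompt on the device"
fi
```

Keep the classified output with the case notes: the unauthorized state is exactly the situation the later section on adbkey and adbkey.pub addresses, and having the pre-contact state on record supports the documentation requirement stated at the start of this section.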

Deleting the gesture.key file

Deleting the gesture.key file will remove the pattern lock on the device; however, it's important to note that this will permanently change the device, as the pattern lock is gone. This should be considered if you are conducting covert operations. The following shows how the process is done:

  1. Connect the device to the forensic workstation (a Windows machine, in our example) using a USB cable.
  2. Open the command prompt and execute the following instructions:

    adb.exe shell
    cd /data/system
    rm gesture.key

  3. Reboot the device. If the pattern lock still appears, just draw any random design and the device should unlock without any trouble.

This method works when the device is rooted. This method may not be successful on unrooted devices. Rooting an Android device should not be performed without proper authorization, as the device is altered.

Updating the settings.db file

To update the settings.db file, go through the following steps:

  1. Connect the device to the forensic workstation using a USB cable.
  2. Open the command prompt, open an adb shell, change to the settings provider's database directory, and open settings.db with sqlite3:

    adb.exe shell
    cd /data/data/com.android.providers.settings/databases
    sqlite3 settings.db

  3. Exit and reboot the device.
  4. The Android device should be unlocked. If it is not, attempt to remove the gesture.key file as explained earlier.

We will have a look at the recovery mode and ADB connection in the following section.

Checking for the modified recovery mode and ADB connection

In Android, recovery refers to the dedicated partition where the recovery console is present. The two main functions of recovery are deleting all user data and installing updates. For instance, when you factory-reset your phone, recovery boots up and deletes all the data. Similarly, when updates are to be installed on the phone, it is done in recovery mode.

Many enthusiastic Android users install a custom ROM through a modified recovery module. This modified recovery module is mainly used to make the process of installing a custom ROM easy. Recovery mode can be accessed in different ways, depending on the manufacturer of the device; information on which method is right for which manufacturer's devices is easily available on the internet. Usually, this is done by holding different keys together, such as the Volume button and the Power button. Once in recovery mode, connect the device to the workstation and try to access the adb connection. If the device has a recovery mode that is not modified, you may not be able to access the adb connection. Modified recovery versions present the user with different options, as shown in the following screenshot:

Next, we will see how to flash the recovery partition.

Flashing a new recovery partition

There are mechanisms available to flash the recovery partition of an Android device with a modified image. The fastboot utility facilitates this process. Fastboot is a diagnostic protocol that comes with the SDK package and is used primarily to modify the flash filesystem through a USB connection from a host computer. For this, you need to start the device in bootloader mode, in which only the most basic hardware initialization is performed.

Once the protocol is enabled on the device, it will accept a specific set of commands that are sent to it via the USB cable using a command line. Flashing or rewriting a partition with a binary image stored on the computer is one such command that is allowed. Once the recovery is flashed, boot the device in recovery mode, mount the /data and /system partitions, and use adb to remove the gesture.key file. Reboot the phone and you should be able to bypass the screen lock; however, this works only if the device bootloader is unlocked. Also, flashing permanently alters the device. Instead of flashing, you could use the fastboot boot command to boot to a recovery image temporarily to delete the key file without permanently changing the recovery partition.

Using automated tools

There are several automated solutions available on the market for unlocking Android devices. Commercial tools, such as Cellebrite and XRY, are capable of bypassing the screen locks, but most of them require USB debugging to be enabled. We will now examine how to unlock an Android device using the UFED user lock code recovery tool. This tool only works on those devices that support USB OTG. This process also requires a UFED camera, Cable No. 500-Bypass lock, and Cable No. 501-Bypass lock. Once the tool is installed on the workstation, go through the following steps to unlock the Android device:

  1. Run the tool on the workstation and press 1, as shown in the following screenshot:

UFED user lock code recovery tool

  2. Now, connect side A of Cable No. 500-Bypasslock to a USB port of the workstation. Also, connect side B of Cable No. 500-Bypasslock to Cable No. 501-OTG and then connect the other end to the device.
  3. Once connected, the tool prompts you to select the recovery profile. Select [1] Manually select the recovery profile.
  4. Now, select the lock type used on the device and the recovery profile, and proceed by following the instructions on the screen.
  5. After this, make sure that the keypad appears on the device screen and that it's ready to accept the PIN code.
  6. Close any message windows that may appear. Press 1 and hit Enter. Now, make five incorrect login attempts by entering random input, and click on Forgot pattern at the bottom of the device.
  7. Follow the instructions on the screen, wait for the camera window to open, and then click on the camera window.
  8. Use the cursor to select any nonempty area on the device's screen by placing the green square over it, for example, any number on the screen. This is used by the tool to detect whether the device is unlocked. Press Enter to start the process.
  9. The tool will try a number of combinations to unlock the device. Once unlocked, it will prompt you to end the process.

We will now learn about the Android Device Manager and how to unlock a device using it.

Using Android Device Manager

Most of the latest Android phones come with a service called Android Device Manager, which helps the owner of a device to locate their lost phone. This service can also be used to unlock a device; however, this is possible only when you know the Google account credentials that are configured on the device. If you have access to the account credentials, then follow these steps to unlock the device:

  1. Visit http://google.com/android/devicemanager on your workstation.
  2. Sign in using the Google account that is configured on the device.
  3. Select the device you need to unlock and click on Lock, as shown in the following screenshot:

Android Device Manager

  4. Enter a temporary password and click on Lock again.
  5. Once it's successful, enter the temporary password on the device to unlock it.

This can be done without knowing the credentials of the computer that the login is saved on (that is, the suspect's PC).

Bypass using Find My Mobile (for Samsung phones only)

Using Find My Mobile is a technique that's worth attempting if you're handling a Samsung device; however, it only works if the device owner is already logged into the Samsung account on the device and you know the Samsung credentials that are configured on the device.

To start the process, access the Find My Mobile service from the web browser and then log in using the Samsung account credentials registered on the device, as follows:

  1. Tap on the Lock My Screen option located on the left side.
  2. Now, enter any temporary PIN and then tap on the Lock button. (You may also see the Unlock My Screen option on some devices, which serves the same purpose.) The phone can now be unlocked with the temporary PIN that was set earlier.

Next, let's take a look at a smudge attack.

Smudge attack

In rare cases, a smudge attack may be used to deduce the password of a touchscreen mobile device. This attack relies on identifying the smudges left behind by the user's fingers. While this may present a bypass method, it must be said that a smudge attack is unlikely to work, since most Android devices are touchscreen and smudges will also be present from ordinary use of the device; however, it has been demonstrated that, under proper lighting, the smudges that are left behind can be easily detected, as shown in the following screenshot.

By analyzing the smudge marks, we can discern the pattern that is used to unlock the screen. This attack is more likely to work while discerning the pattern lock on the Android device. In some cases, PIN codes can also be recovered depending upon the cleanliness of the screen. So, during a forensic investigation, care should be taken when the device is first handled to make sure that the screen is not touched:

Smudges visible on a device under proper lighting

We will now be looking at the next method, which is the forgot password option.

Using the forgot password/forgot pattern option

If you know the username and password of the primary Gmail address that is configured on the device, you can change the PIN, password, or swipe on the device. After making a certain number of failed attempts to unlock the screen, Android provides an option called Forgot pattern? or Forgot password?, as shown in the following screenshot:

Forgot pattern option on an Android device

Tap on that link and sign in using the Gmail username and password. This will allow you to create a new pattern lock or passcode for the device.

Note that this works only on devices running Android 4.4 or earlier.

Bypassing third-party lock screens by booting into safe mode

If the screen lock is a third-party app, rather than the in-built lock, it can be bypassed by booting into safe mode and disabling it. To boot into safe mode on an Android device 4.1 or later, press and hold the Power button until the Power options menu appears. Then, press and hold the Power button and you'll be prompted to reboot your Android device into safe mode. Tap the OK button, as shown in the following screenshot:

Safe mode in Android

Once you're in safe mode, you can disable the third-party lock screen app or uninstall it completely. After this, reboot the device and you should be able to access it without any lock screen.

Secure USB debugging bypass using ADB keys

As mentioned earlier, while using USB debugging, if the Always allow from this computer option is checked, the device will not prompt for authorization in the future. This is done by storing certain keys, namely adbkey and adbkey.pub, on the computer. Any attempt to connect to adb from an untrusted computer is denied. In this case, the adbkey and adbkey.pub files can be pulled from the suspect's computer and copied to the investigator's workstation. The device will then assume that it is communicating with a known, authorized computer. The adbkey and adbkey.pub files can be found at C:\Users\<username>\.android on Windows machines.

Secure USB debugging bypass in Android 4.4.2

As explained in earlier sections, the secure USB debugging feature introduced in Android 4.4.2 allows only authorized workstations to connect to the device; however, there's a bug in this feature, as reported at https://labs.mwrinfosecurity.com/, which allows a user to bypass the Secure USB debugging feature and connect the device to any workstation. Here are the steps to follow to bypass Secure USB debugging on an Android device:

  1. On an unlocked device, attempt to use adb. An error message will be shown by the device.
  2. Now, navigate to either the emergency dialer or the lock-screen camera and execute the following commands:

    $ adb kill-server
    $ adb shell

  3. The confirmation dialog will be triggered and the workstation can now be authorized without unlocking the device. The confirmation dialog box will be displayed on the emergency dialer, as shown in the following screenshot:

Secure USB debugging in Android 4.2.2

  4. Once connected to the device through adb, try to bypass the lock screen using the following command:

    $ adb shell pm clear com.android.keyguard

Next, let's see how to bypass the screen lock by crashing the lock screen.

Crashing the lock screen UI in Android 5.x

On devices running Android 5.0 to 5.1.1, the password lock screen (not the PIN or pattern locks) can be bypassed by crashing the screen UI. This can be accomplished by performing the following steps, as explained at https://android.gadgethacks.com/:

  1. Click on the Emergency Call option on the lock screen and then enter any random input (for example, 10 asterisks) on the dialer screen.
  2. Double-tap the field to highlight the entered text, as shown in the following screenshot, and select Copy. Now, paste it into the same field:

Crashing lock screen UI

  3. Repeat this process to add more characters. Do this until the field no longer highlights the characters on double-tapping.
  4. Go back to the lock screen and open the camera shortcut. Now, pull down the notifications screen and tap the Settings icon. You will then be prompted to enter a password.
  5. Press and hold the input field and select Paste, and repeat this process multiple times. Once enough characters are pasted into the field, the lock screen will crash, allowing you to access the device.

Now, let's look at some more techniques.

Other techniques

All of the aforementioned techniques and available commercial tools are useful to any forensic examiner, like you, trying to get access to the data on an Android device; however, there could be situations where none of these techniques work. To obtain a complete physical image of the device, techniques such as chip-off and JTAG may be required when commercial and open source solutions fail. A short description of these techniques is included here.

While the chip-off technique removes the memory chip from a circuit and tries to read it, the JTAG technique involves probing the JTAG test access ports (TAPs) and soldering connectors to the JTAG ports in order to read data from the device memory. The chip-off technique is more destructive because, once the chip is removed from a device, it is difficult to restore the device to its original functional state. Also, expertise is needed to carefully remove the chip from the device by desoldering the chip from the circuit board. The heat required to remove the chip can also damage or destroy the data stored on that chip, which means that this technique should be used only when the data is not retrievable by open source or commercial tools or the device is damaged beyond repair. When using the JTAG technique, JTAG ports help you to access the memory chip to retrieve a physical image of the data without needing to remove the chip. To turn off screen lock on a device, you can identify where the lock code is stored in the physical memory dump, turn off the locking, and copy that data back to the device. Commercial tools, such as Cellebrite Physical Analyzer, can accept .bin files from chip-off and JTAG acquisitions and crack the lock code for you. Once the code is either manually removed or cracked, you can analyze the device using normal techniques.

Both the chip-off and JTAG techniques require extensive research and experience to be attempted on a real device. A great resource for JTAG and chip-off on devices can be found at https://forensicswiki.xyz/page/Main_Page.

In this section, we looked into various ways to bypass a screen lock on an Android device. We will now learn what Android rooting is all about.
