Android Forensics Study of Password and Pattern Lock Protection

We have recently mentioned the ability to decode Android device Pattern Lock. Let’s see what Pattern Lock is, how to access, determine or even get rid of it? We’ll also speak about Password Lock Protection and find out what it has in common with Pattern Lock. And finally we’ll try to understand how these locks are related to forensic investigation process.

What is Pattern Lock?

Generally pattern lock is a set of gestures that phone user performs to unlock his smartphone when he needs to use it. It seems to be complicated, but actually it is not. A user has 9 points to create a ‘unique’ pattern. The minimum number of points in the pattern is 4, maximum 9. To make it even clearer let’s substitute points with digits just like on phone num pad to receive a numeric value for the pattern.

Even if it is a multidigit number it is still a number limited to the set of 9 digits. Moreover, the user cannot move over one point several times, in other words digits cannot be the same. So finally we have only 895824 variants of patterns available in Android OS devices. This is only 0.1% of all possible 9-digit numbers. It is a huge cut, isn’t it?

How Android stores Pattern Lock?

Pattern lock data is kept in a file named gesture.key and stored in the /data/system folder. Lock sequence is encrypted with a SHA1 hashing algorithm. Since SHA1 is a one-way algorithm there is no reverse function to convert hash to original sequence. To restore the code the attacker will need to create a table of sequences with hash strings. The best way here could be to have a dictionary to recover the pattern. For example, it takes only several minutes to create a full dictionary for 895824 numbers from 1234 to 987654321. You can download this dictionary and then easily find hash that will recover the original pattern. There is still one small trick with Pattern lock. Smartphone encrypts the pattern of 1234 not as a string ‘1234’, but as a sequence of bytes 0×00 0×01 0×02 0×03. In other words we have a 0×00 for the first point and 0×08 for the last one. Then Android uses SHA-1 and places it in a gesture.key file.

Example! Let’s say that a gesture.key file contains 0×82 0×79 0x0A 0xD0 0xAD 0xEB 0×07 0xAC 0x2A 0×78 0xAC 0×07 0×03 0x8B 0xC9 0x3A 0×26 0×69 0x1F 0×12 bytes value.

Using pattern lock dictionary we can find out that it corresponds to 0×06 0×04 0×01 0×02 0×05 0×08 values, which means that we have a 752369 pattern.

What is Password Lock?

So, while the Pattern Lock is a number, Password Lock can contain characters, numbers, and special marks. Unlike patterns passwords can be a real problem for the attacker as the number of variants grows tremendously. Of course, this is true if you want to brute force Password lock just like the Pattern. Well, definitely you have something more effective to do. But we’ll speak about it a bit later. The password lock file is located in /data/system folder and named pc.key. Android OS uses exactly the same method to store the password. Once the user sets the password, device hashes it with SHA-1 and saves result into the file. When the user enters the password to unlock, the smartphone compares its SHA-1 hash with stored one and decides whether to give access or not.

How to access gesture.key and pc.key files?

There is no direct access to these files by default, since they are in /data/system folder. There are still ways to grab them:

  1. Use ADB interface and have root rights to access full file system. In other words the device must be already rooted and have USB Debugging mode ON. Too strict conditions! Not many devices will allow the attacker to restore the pattern in this case.
  2. Use a special recovery boot loader to start device with access to these files. This way has much more chances to be used to access the lock files. Once you get a physical access to the file system you can easily grab the files.

So, finally you’ve got the files. It was easy to recover gesture.key, but what about pc.key? How to recover a user unlock password? Of course, you can use brute force and hope to find out the same SHA-1 as you have in pc.key some day. But this is not the best idea in our case.

Do we really need to recover the lock sequence?

The answer is NO! Why? Just see the previous part. If you have root access you can easily remove the file or replace it with the one that you prepared and know the pattern. And then unlock the device. Moreover, if you’re lucky and used Option 1 to access the files you even don’t need to unlock the device. ADB interface or mobile forensic software like Oxygen Forensic Suite will allow you to pull all the data you need without unlocking the device. So, what does it mean?

If you’re able to grab pattern key file you don’t need it. Nonsense, but True.

Here is the article recap:

  1. Pattern and Password locks are stored as SHA-1 values in /data/system/ folder.
  2. There is no direct access to this folder unless you have a root access.
  3. There are much easier ways to perform forensic data extraction from the device if you have the root access.
  4. Usually lock files don’t have a real forensic value. This is just the encrypted password to unlock the device.

Stay tuned!

This entry was posted in Articles, News and tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>