If USB debugging appears to be enabled on the Android device, it is wise to take advantage of it by connecting with adb using USB, as discussed in the earlier sections. The examiner should connect the device to the forensic workstation and issue the adb devices command. If the device shows up, it implies that USB debugging is enabled. If the Android device is locked, the examiner must attempt to bypass the screen lock. The following are the two methods that may allow the examiner to bypass the screen lock when USB debugging is enabled.

Deleting the gesture.key file will remove the pattern lock on the device. However, it's important to note that this will permanently change the device as the pattern lock is gone. This should be considered if conducting cover operations. This is how the process is done:

To update the settings.db file, perform the following steps:

In Android, recovery refers to the dedicated partition where the recovery console is present. The two main functions of recovery are to delete all user data and install updates. For instance, when you factory reset your phone, recovery boots up and deletes all the data. Similarly, when updates are to be installed on the phone, it is done in recovery mode. There are many enthusiastic Android users who install custom ROM through a modified recovery module. This modified recovery module is mainly used to make the process of installing custom ROM easy. Recovery mode can be accessed in different ways depending on the manufacturer of the device, which is easily available on the Internet. Usually, this is done by holding different keys together such as the volume button and power button. Once in recovery mode, connect the device to the workstation and try to access the adb connection. If the device has a recovery mode which is not modified, the examiner may not be able to access the adb connection. The modified recovery versions of the device present the user with different options and can be easily noticed as shown in the following screenshot:

There are mechanisms available to flash the recovery partition of an Android device with a modified image. The Fastboot utility would facilitate this process. Fastboot is a diagnostic protocol that comes with the SDK package, used primarily to modify the flash file system through a USB connection from a host computer. For this, you need to start the device in boot loader mode, in which only the most basic hardware initialization is performed. Once the protocol is enabled on the device, it will accept a specific set of commands that are sent to it via the USB cable using a command line. Flashing or rewriting a partition with a binary image stored on the computer is one such command that is allowed. Once the recovery is flashed, boot the device in recovery mode, mount the /data and /system partitions, and use adb to remove the gesture.key file. Reboot the phone and you should be able to bypass the screen lock. However, this works only if the device bootloader is unlocked. Also, flashing permanently alters the device. Instead of flashing, you could use the fastboot boot command to boot to a recovery image temporarily to delete the key file without permanently changing the recovery partition.

There are several automated solutions available in the market for unlocking Android devices. Commercial tools such as Cellebrite and XRY are capable of bypassing the screen locks, but most of them require USB debugging to be enabled. We will now examine how to unlock an Android device using the UFED user lock code recovery tool. Also, this tool only works on those devices that support USB OTG. This process also requires a UFED camera, Cable No. 500-Bypass lock, and Cable No. 501-Bypass lock. Once the tool is installed on the workstation, follow these steps to unlock an Android device:

Most of the latest Android phones come with a service called Android Device Manager, which helps owners of a device to locate their lost phone. This service can also be used to unlock a device; however, this is possible only when you know the Google account credentials that are configured on the device. If you have access to the account credentials, then follow these steps to unlock the device:

It can be done without knowing the credentials of the computer where the login is saved (that is, the suspect's PC). Similarly, if you are dealing with a Samsung device, you can also try Samsung's FindMyMobile service, which enables you to set a temporary password to unlock the device.

In rare cases, a smudge attack may be used to deduce the password of a touchscreen mobile device. This attack relies on identifying the smudges left behind by the user's fingers. While this may present a bypass method, it must be said that a smudge attack is unlikely since most Android devices are touchscreen and smudges will also be present from using the device. However, it has been demonstrated that under proper lighting, the smudges that are left behind can easily be detected as shown in the following screenshot. By analyzing the smudge marks, we can discern the pattern that is used to unlock the screen. This attack is more likely to work while discerning the pattern lock on the Android device. In some cases, PIN codes can also be recovered depending upon the cleanliness of the screen. So, during a forensic investigation, care should be taken when the device is first handled to make sure that the screen is not touched.

Smudges visible on a device under proper lighting (source: https://www.usenix.org/legacy/events/woot10/tech/full_papers/Aviv.pdf)

If you know the username and password of the primary Gmail address that is configured on the device, you can change the PIN, password, or swipe on the device. After making a certain number of failed attempts to unlock the screen, Android provides an option named Forgot Pattern or Forgot Password, as shown in the following screenshot:

Forgot pattern option on an Android device

Tap on that link and sign in using the Gmail username and password. This will allow you to create a new pattern lock or passcode for the device.

If the screen lock is a third-party app rather than the inbuilt lock, it can be bypassed by booting into safe mode and disabling it. To boot into safe mode on Android device 4.1 or later, long-press the power button until the power options menu appears. Then long-press the Power Off option and you'll be asked if you want to reboot your Android device into safe mode. Tap the OK button as shown in the following screenshot.

Safe mode in Android

Once you're in safe mode, you can disable the third-party lock screen app or uninstall it completely. After this, reboot the device and you should be able to access it without any lock screen.

As mentioned earlier, while using USB debugging, if the Always allow from this computer option is checked, the device will not prompt for authorization in future. This is done by storing certain keys, namely adbkey and adbkey.pub, on the computer. Any attempt to connect to adb from an untrusted computer is denied. In this case, the adbkey and the adbkey.pub files can be pulled from the suspect's computer and copied to the investigators workstation. The device will then assume that it is communicating with a known, authorized computer. The adbkey and adbkey.pub files can be found at C:Users<username>.android on Windows machines.

As explained in the earlier sections, the secure USB debugging feature introduced in Android 4.4.2 allows only authorized workstations to connect to the device. However, there's a bug in this feature as reported at https://labs.mwrinfosecurity.com/ which allows bypassing the Secure USB debugging feature and connecting the device to any workstation. Here are the steps to follow to bypass Secure USB debugging on an Android 4.2.2 device:

On devices running Android 5.0 to 5.1.1, the password lock screen (not pin or pattern lock) can be bypassed by crashing the screen UI. This can be accomplished by following these steps as explained at http://android.wonderhowto.com/:

All of the previously mentioned techniques and the commercial tools available prove to be useful to the forensic examiner trying to get access to the data on the Android devices. However, there could be situations where none of these techniques work. To obtain a complete physical image of the device, techniques such as chip-off and JTAG may be required when commercial and open source solutions fail. A short description of these techniques is mentioned here.

While the chip-off technique removes the memory chip from a circuit and tries to read it, the JTAG technique involves probing the JTAG Test Access Ports (TAPs) and soldering connectors to the JTAG ports in order to read data from the device memory. The chip-off technique is more destructive because once the chip is removed from the device, it is difficult to restore the device back to its original functional state. Also, expertise is needed to carefully remove the chip from the device by desoldering the chip from the circuit board. The heat required to remove the chip can also damage or destroy the data stored on that chip. Hence, this technique should be looked upon only when the data is not retrievable by open source or commercial tools or the device is damaged beyond repair. When using the JTAG technique, JTAG ports help an examiner to access the memory chip to retrieve a physical image of the data without needing to remove the chip. To turn off the screen lock on a device, an examiner can identify where the lock code is stored in the physical memory dump, turn off the locking, and copy that data back to the device. Commercial tools, such as Cellebrite Physical Analyzer, can accept the .bin files from chip-off and JTAG acquisitions and crack the lock code for the examiner. Once the code is either manually removed or cracked, the examiner can analyze the device using normal techniques.