With growing user awareness and easy access to the feature, the use of passcodes and other screen lock options on Android devices has risen sharply. Bypassing the device's screen lock has therefore become an increasingly important step in a forensic investigation. Which of the bypass techniques described here applies depends on the situation. Note that some of these methods make changes to the device, so test and validate every step on a non-evidentiary Android device first. The examiner must have authorization to make the required changes to the device, must document every step taken, and must be able to describe those steps if courtroom testimony is required.
Android currently offers three main types of screen lock. Some devices also provide voice, face, or fingerprint unlock, but the discussion here is limited to the following three options, since they are the most widely used across Android devices:
The following sections detail techniques for bypassing these Android lock mechanisms. Depending on the situation, one or more of them may allow an investigator to get past the screen lock.
If USB debugging appears to be enabled on the Android device, it is wise to take advantage of it by connecting over USB with adb, as discussed in the earlier sections. Connect the device to the forensic workstation and issue the adb devices command. If the device is listed, USB debugging is enabled (a device that shows up as unauthorized is running secure USB debugging and has not yet approved this workstation; see the discussion of the adbkey files below). If the Android device is locked, the examiner must attempt to bypass the screen lock. The following two methods may allow the examiner to do so when USB debugging is enabled.
Deleting the gesture.key file removes the pattern lock from the device. Note, however, that this permanently changes the device, since the pattern lock is gone; keep this in mind during covert operations. The commands also require root privileges on the device, because /data/system is not accessible to the unprivileged adb shell user, so the device must be rooted or the adb daemon must be running as root. The process is as follows:
adb.exe shell
cd /data/system
rm gesture.key
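Deleting gesture.key destroys the only record of the pattern. A less destructive alternative is to pull the file (adb pull /data/system/gesture.key) and recover the pattern offline, which also works on a gesture.key carved from a JTAG or chip-off image. The following is an added example written for this page, not code from the original text or from any forensic tool. It assumes, as the author of this example understands pre-Android 6.0 pattern locks, that gesture.key holds the unsalted 20-byte SHA-1 of the pattern expressed as the raw byte sequence of dot indices 0 to 8 (numbered left to right, top to bottom), and that a valid pattern uses 4 to 9 distinct dots and may not jump over an unvisited dot. The sample digest it cracks is constructed inside the script.

```python
"""
Recover a pattern lock from /data/system/gesture.key instead of deleting it.

Added example; not code from the original text or from any forensic tool.
Assumptions (how pre-Android-6.0 pattern locks are stored, as the author of
this example understands it):
  - gesture.key is the 20-byte unsalted SHA-1 of the pattern, where the
    pattern is the sequence of visited dots as raw bytes 0..8 (dots
    numbered left to right, top to bottom);
  - a valid pattern uses 4 to 9 distinct dots and may not jump over a dot
    that has not been visited yet (the phone joins that dot instead).
"""
import hashlib
from typing import List, Optional, Sequence

# MIDDLE[a][b] is the dot lying exactly halfway between a and b on a
# straight line, or None when no dot does (e.g. knight-like moves 0 -> 5).
MIDDLE: List[List[Optional[int]]] = [[None] * 9 for _ in range(9)]
for _a in range(9):
    for _b in range(9):
        _ra, _ca = divmod(_a, 3)
        _rb, _cb = divmod(_b, 3)
        if _a != _b and (_ra + _rb) % 2 == 0 and (_ca + _cb) % 2 == 0:
            MIDDLE[_a][_b] = ((_ra + _rb) // 2) * 3 + (_ca + _cb) // 2

_PATTERNS: List[bytes] = []


def all_patterns() -> List[bytes]:
    """Every pattern the lock screen accepts, as bytes; computed once and cached."""
    if _PATTERNS:
        return _PATTERNS

    def extend(path: List[int], used: List[bool]) -> None:
        if len(path) >= 4:
            _PATTERNS.append(bytes(path))
        if len(path) == 9:
            return
        last = path[-1]
        for nxt in range(9):
            if used[nxt]:
                continue
            mid = MIDDLE[last][nxt]
            if mid is not None and not used[mid]:
                continue                # would skip an unvisited dot
            used[nxt] = True
            path.append(nxt)
            extend(path, used)
            path.pop()
            used[nxt] = False

    for start in range(9):
        used = [False] * 9
        used[start] = True
        extend([start], used)
    return _PATTERNS


def hash_pattern(dots: Sequence[int]) -> bytes:
    """What the phone writes to gesture.key for this pattern."""
    return hashlib.sha1(bytes(dots)).digest()


def crack_gesture_key(digest: bytes) -> Optional[bytes]:
    """Brute-force all 389,112 valid patterns against a gesture.key digest."""
    if len(digest) != 20:
        raise ValueError("gesture.key must be exactly 20 bytes (SHA-1)")
    for pat in all_patterns():
        if hashlib.sha1(pat).digest() == digest:
            return pat
    return None


def describe(pat: bytes) -> str:
    """Render a pattern as the dot order plus a 3x3 grid of visit numbers."""
    order = "-".join(str(d) for d in pat)
    grid = ["."] * 9
    for step, dot in enumerate(pat, 1):
        grid[dot] = str(step)
    rows = [" ".join(grid[r * 3:r * 3 + 3]) for r in range(3)]
    return order + "\n" + "\n".join(rows)


if __name__ == "__main__":
    # Constructed sample: the digest a phone would store for the pattern
    # 0-1-2-5-8 (top row left to right, then down the right column).
    # In a real case, read the 20 bytes pulled with `adb pull` instead.
    sample = hash_pattern([0, 1, 2, 5, 8])
    found = crack_gesture_key(sample)
    print(describe(found) if found else "no valid pattern matches")
```

Because the hash is unsalted, the whole search space is small enough to enumerate in a few seconds; the same table could be precomputed once and reused across cases. This does not apply to Android 6.0 and later, where the pattern is stored through Gatekeeper in a salted form.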
To update the settings.db file, perform the following steps:
gesture.key as explained earlier.

In Android, recovery refers to the dedicated partition that holds the recovery console. Its two main functions are wiping user data and installing updates: a factory reset boots into recovery to delete the data, and system updates are likewise applied from recovery mode. Many enthusiast users replace the stock recovery with a custom (modified) recovery image, mainly to make installing custom ROMs easier. How recovery mode is entered depends on the manufacturer and is easily found online; usually it involves holding a key combination such as a volume button and the power button while booting. Once in recovery mode, connect the device to the workstation and try to open an adb connection. With an unmodified stock recovery the examiner will usually not get an adb connection, whereas a custom recovery typically offers adb access (often as root) and is easy to recognize from the menu it presents, as shown in the following screenshot:
There are also mechanisms for flashing the recovery partition of an Android device with a modified image; the fastboot utility facilitates this. Fastboot is both a protocol and a command-line tool shipped with the Android SDK platform tools, used primarily to rewrite the flash partitions over a USB connection from a host computer. To use it, start the device in bootloader mode, in which only the most basic hardware initialization is performed. Once the protocol is active on the device, it accepts a specific set of commands sent over the USB cable from the command line; flashing (rewriting) a partition with a binary image stored on the computer is one of them. Once the recovery is flashed, boot the device into recovery mode, mount the /data and /system partitions, and use adb to remove the gesture.key file. Reboot the phone and you should be able to bypass the screen lock. However, this works only if the device's bootloader is unlocked, and unlocking a locked bootloader normally wipes the user data partition, which would destroy the very evidence being sought. Flashing also permanently alters the device. Instead of flashing, you can use the fastboot boot command to boot a recovery image temporarily, delete the key file, and leave the recovery partition unchanged.
Several automated solutions are available on the market for unlocking Android devices. Commercial tools such as Cellebrite and XRY can bypass screen locks, but most of them require USB debugging to be enabled. We will now look at unlocking an Android device with the UFED user lock code recovery tool. This tool works only on devices that support USB OTG, and the process requires a UFED camera, Cable No. 500-Bypass lock, and Cable No. 501-Bypass lock. Once the tool is installed on the workstation, follow these steps to unlock an Android device:
Most recent Android phones come with a service called Android Device Manager, which helps device owners locate a lost phone. The service can also be used to set a new lock on the device and therefore to unlock it, but only if you know the Google account credentials configured on the device. If you have access to the account credentials, follow these steps to unlock the device:
Open http://google.com/android/devicemanager on your workstation.
If the suspect's own computer has a browser session in which that Google account is still signed in, the same steps can be carried out from that computer without knowing the account credentials. Similarly, for a Samsung device you can also try Samsung's Find My Mobile service, which lets you set a temporary password to unlock the device.
In rare cases, a smudge attack can be used to deduce the passcode of a touchscreen mobile device. The attack relies on identifying the smudges left behind by the user's fingers. While this may offer a bypass, it must be said that a smudge attack is unlikely to succeed, since most Android devices are touchscreen and smudges from ordinary use of the device will also be present. However, it has been demonstrated that under proper lighting the smudges left behind can easily be detected, as shown in the following screenshot. By analyzing the smudge marks, we can discern the pattern used to unlock the screen. The attack is most likely to work against a pattern lock; in some cases PIN codes can also be recovered, depending on the cleanliness of the screen. So, during a forensic investigation, take care when the device is first handled to ensure that the screen is not touched.
If you know the username and password of the primary Gmail address configured on the device, you can change the PIN, password, or pattern on the device. After a certain number of failed unlock attempts, Android offers an option named Forgot Pattern or Forgot Password, as shown in the following screenshot:
Tap that link and sign in with the Gmail username and password. This allows you to set a new pattern lock or passcode for the device. Note that newer Android releases no longer offer this option.
If the screen lock is a third-party app rather than the built-in lock, it can be bypassed by booting into safe mode and disabling it, because safe mode starts the device without any third-party apps. To boot into safe mode on Android 4.1 or later, long-press the power button until the power options menu appears, then long-press the Power off option; you will be asked whether to reboot the device into safe mode. Tap OK, as shown in the following screenshot.
Once in safe mode, you can disable the third-party lock screen app or uninstall it completely. Reboot the device afterwards and you should be able to access it without the lock screen.
As mentioned earlier, if the Always allow from this computer option is checked when USB debugging is authorized, the device will not prompt for authorization from that computer again. This works by storing an RSA key pair, adbkey (the private key) and adbkey.pub (the public key), on the computer; the device keeps a copy of the public key and, on every connection, challenges the host to prove possession of the matching private key. Any attempt to connect with adb from a computer whose key the device does not know is denied. In this case, the adbkey and adbkey.pub files can be copied from the suspect's computer to the investigator's workstation, after which the device treats the workstation as the known, authorized computer. On Windows the files are found in C:\Users\<username>\.android; on Linux and macOS they are in the .android directory of the user's home directory (~/.android).
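The device identifies the workstation by the RSA key alone, not by the hostname or the user@host comment at the end of adbkey.pub, which is why copying the two files is sufficient. The following added example, written for this page and not taken from the original text or from adb itself, decodes an adbkey.pub line to show what the device actually matches on and sanity-checks the file's internal fields. The layout it assumes is the mincrypt RSAPublicKey structure as the author of this example understands the adb host code to write it: a 32-bit word count, n0inv, the 64 little-endian words of the modulus, the 64 words of R squared mod n, and the exponent, base64-encoded and followed by a space and the comment. The sample key the script builds is constructed from a random odd 2048-bit number, not a real RSA modulus, and is labelled as such in the code.

```python
"""
Inspect an adbkey.pub line: what the phone actually trusts.

Added example; not from the original text and not part of adb.
Assumed format (mincrypt RSAPublicKey, as the author of this example
understands the adb host code to write it):
  base64( int32 len | uint32 n0inv | uint32 n[64] | uint32 rr[64] | int32 e )
  followed by " user@host"
where n is the modulus in little-endian 32-bit words, n0inv = -1/n[0] mod 2^32,
rr = R^2 mod n with R = 2^2048, and e = 65537. The comment is informational.
"""
import base64
import random
import struct
from typing import Dict, List, Sequence

WORDS = 64                                        # 2048-bit modulus
STRUCT_LEN = 4 + 4 + 4 * WORDS + 4 * WORDS + 4    # 524 bytes
R = 1 << (32 * WORDS)


def _words_to_int(words: Sequence[int]) -> int:
    return sum(w << (32 * i) for i, w in enumerate(words))


def _int_to_words(value: int, count: int) -> List[int]:
    return [(value >> (32 * i)) & 0xFFFFFFFF for i in range(count)]


def parse_adbkey_pub(line: str) -> Dict[str, object]:
    """Decode one adbkey.pub line and cross-check its precomputed fields."""
    blob_b64, _, comment = line.strip().partition(" ")
    blob = base64.b64decode(blob_b64)
    if len(blob) != STRUCT_LEN:
        raise ValueError("unexpected key blob length %d" % len(blob))
    n_words, n0inv = struct.unpack_from("<iI", blob, 0)
    if n_words != WORDS:
        raise ValueError("not a 2048-bit adb key")
    n = _words_to_int(struct.unpack_from("<%dI" % WORDS, blob, 8))
    rr = _words_to_int(struct.unpack_from("<%dI" % WORDS, blob, 8 + 4 * WORDS))
    (exponent,) = struct.unpack_from("<i", blob, 8 + 8 * WORDS)
    # n0inv must satisfy n[0] * n0inv == -1 (mod 2^32) and rr must equal
    # R^2 mod n; a mismatch indicates a corrupted or hand-edited file.
    consistent = ((n & 0xFFFFFFFF) * n0inv) % (1 << 32) == (1 << 32) - 1
    consistent = consistent and rr == pow(R, 2, n)
    return {
        "comment": comment,          # "user@host": cosmetic, not verified
        "bits": n.bit_length(),
        "exponent": exponent,
        "consistent": consistent,
        "modulus": n,                # this is what the device recognizes
    }


def build_sample_adbkey_pub(comment: str, seed: int = 1) -> str:
    """Constructed sample: a syntactically valid adbkey.pub whose modulus is
    a random odd 2048-bit number, NOT a real RSA key. Demonstration only."""
    rng = random.Random(seed)
    n = rng.getrandbits(2048) | (1 << 2047) | 1
    n0inv = (-pow(n & 0xFFFFFFFF, -1, 1 << 32)) % (1 << 32)
    blob = struct.pack("<iI", WORDS, n0inv)
    blob += struct.pack("<%dI" % WORDS, *_int_to_words(n, WORDS))
    blob += struct.pack("<%dI" % WORDS, *_int_to_words(pow(R, 2, n), WORDS))
    blob += struct.pack("<i", 65537)
    return base64.b64encode(blob).decode("ascii") + " " + comment


if __name__ == "__main__":
    line = build_sample_adbkey_pub("examiner@workstation")
    info = parse_adbkey_pub(line)
    print("comment:", info["comment"], "bits:", info["bits"],
          "exponent:", info["exponent"], "consistent:", info["consistent"])
```

To run it against a real file, read the single line from adbkey.pub and pass it to parse_adbkey_pub. Changing the comment yields the same modulus, which is the practical point: the device will accept the copied key from any host.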
As explained in the earlier sections, the secure USB debugging feature introduced in Android 4.2.2 allows only authorized workstations to connect to the device. However, a bug in this feature, reported at https://labs.mwrinfosecurity.com/, allowed the secure USB debugging check to be bypassed so that the device could be connected to any workstation. Here are the steps to bypass secure USB debugging on an Android 4.2.2 device:
$ adb kill-server
$ adb shell
$ adb shell pm clear com.android.keyguard
On devices running Android 5.0 to 5.1.1, the password lock screen (but not the PIN or pattern lock) can be bypassed by crashing the lock screen UI. This is accomplished by following the steps explained at http://android.wonderhowto.com/:
All of the techniques mentioned so far, together with the available commercial tools, are useful to the forensic examiner trying to access the data on an Android device. However, there may be situations in which none of them works. When commercial and open source solutions fail, techniques such as chip-off and JTAG may be required to obtain a complete physical image of the device. A short description of these techniques follows.
The chip-off technique removes the memory chip from the circuit board and reads it directly, whereas the JTAG technique probes the JTAG Test Access Ports (TAPs), soldering connectors to the JTAG ports in order to read data from the device memory in place. Chip-off is the more destructive of the two: once the chip is removed, it is difficult to restore the device to its original working state, expertise is needed to desolder the chip carefully from the board, and the heat required to remove it can damage or destroy the data stored on it. Hence, chip-off should be considered only when the data cannot be retrieved with open source or commercial tools, or the device is damaged beyond repair. With JTAG, the test access ports let the examiner read a physical image of the memory without removing the chip. To turn off the screen lock, an examiner can identify where the lock code is stored in the physical memory dump, disable the lock there, and write the modified data back to the device. Commercial tools such as Cellebrite Physical Analyzer accept the .bin files from chip-off and JTAG acquisitions and crack the lock code for the examiner. Once the code is either removed manually or cracked, the examiner can analyze the device using normal techniques.
Both the chip-off and JTAG techniques require extensive research and experience before being attempted on a real device. A good resource for JTAG and chip-off procedures on specific devices is http://www.forensicswiki.org/wiki.