Monday, April 21, 2014

Daily Blog #302: Sunday Funday 4/20/14 Winner!

Hello Reader,
When I make these Sunday Funday Challenges and include a specific version, I'm usually looking to see how common the knowledge of something is. This challenge was no different, as Android 4.4 offers a new logical acquisition option called the Android Backup, which I was happy to see in this week's winning answer. Though I did receive many good responses this week, I thought this one best answered the question in terms of acquiring data in the context of an Android 4.4 device.

The Challenge:
Answer the following questions for an Android 4.4 device:

1. What effect would device encryption being on have on a physical acquisition?
2. What effect would device encryption being on have on a chip off acquisition?
3. What effect would device encryption being on have on a logical acquisition?
4. What are the different types of logical acquisition available for an Android 4.4 device?

The Winning Answer:
Joerie de Gram

In answering the questions I'm assuming the credentials required for decryption are unknown to the examiner.

1. What effect would device encryption being on have on a physical acquisition?

Naive physical acquisition methods would result in the /data partition being inaccessible due to device encryption. If the required passphrase is not available to the examiner, a dictionary or brute force attack may be launched in an attempt to recover it.

As argued in literature by Casey et al. [1], overcoming device encryption requires adapting the legal framework, tactical approach and acquisition procedures. For Android devices utilising device encryption, tailored acquisition methods could allow key recovery through means other than brute force or dictionary attacks. For example, if a target device is acquired while it's fully booted (i.e. the encryption keys are memory-resident) and the lock screen is not barring access to the phone, combining ADB (Android Debug Bridge) with privilege escalation exploits might allow acquisition of volatile memory using LiME [2].

If the device is fully booted, yet the lock screen is barring access to the device, a way of either disabling or bypassing the lock screen is required first if ADB is unavailable. A thorough analysis of the target device model might yield surprising results, as demonstrated by Ossmann and Osborn [3], who leverage port multiplexing on the Samsung Galaxy Nexus to gain a shell on the device.

If the lock screen cannot be disabled or circumvented, hardware attacks (e.g. JTAG) might allow for acquisition of volatile memory (and subsequently encryption keys) or unencrypted data directly. Finally, 'cold boot' attacks apply to smartphones as they apply to PC hardware and could lead to recovery of encryption keys [4] if the target device allows booting 'custom' images.

2. What effect would device encryption being on have on a chip off acquisition?

A chip off acquisition would yield a similar result to a 'naive' physical acquisition. If volatile memory has not been acquired prior to performing a chip off, the examiner will have to resort to attempting to crack the encryption key.

3. What effect would device encryption being on have on a logical acquisition?

- None if the target device is fully booted and either no lock screen is present, or the acquisition method is able to bypass it, as device encryption is transparent to filesystem-level acquisition methodologies.
- If the acquisition method would normally work regardless of whether a device lock (pattern, password, PIN, etc.) is present, device encryption prevents logical acquisition if a device is initially powered off.

4. What are the different types of logical acquisition available for an Android 4.4 device?

- File transfer via ADB (optionally combined with privilege escalation exploits)
- Usage of the 'backup' functionality [5].
- I believe backup functionality was introduced in 4.0 (as per Nikolai Elenkov's great writeup [6], which I forgot to cite in my deadline-haste - I cited the backup extraction tool only). There have been some changes to key derivation which affect backups in 4.4 though [7].

[1]: Casey, E., Fellows, G., Geiger, M., et al., The growing impact of full disk encryption on digital forensics, Digital Investigation, Volume 8, Issue 2, November 2011
[2]: LiME - Linux Memory Extractor, https://code.google.com/p/lime-forensics/
[3]: Ossmann, M. and Osborn, K., Multiplexed Wired Attack Surfaces, https://media.blackhat.com/us-13/US-13-Ossmann-Multiplexed-Wired-Attack-Surfaces-WP.pdf
[4]: Müller, T. and Spreitzenbarth, M., FROST: Forensic Recovery Of Scrambled Telephones, https://www1.informatik.uni-erlangen.de/frost
[5]: Android backup extractor,
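The 'backup' logical acquisition named in answer 4 produces an `adb backup` archive whose text header records whether the payload is encrypted and, if so, the key-derivation parameters. As an added example (not part of the winning answer or of the backup extractor in [5]), this Python triage parser reads that header and lists the tar members only when the payload is not encrypted; the header layout (magic, format version, compression flag, encryption mode, then user salt, checksum salt, PBKDF2 rounds, IV and master-key blob for AES-256) is the one Android's BackupManagerService writes, and both sample archives are constructed here.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"

def parse_backup(blob: bytes) -> dict:
    """Parse an adb backup header; list tar members only when the payload is readable."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an Android backup archive")
    pos = len(MAGIC)

    def next_line() -> str:
        nonlocal pos
        end = blob.index(b"\n", pos)
        line, pos = blob[pos:end].decode("ascii"), end + 1
        return line

    info = {"version": int(next_line()), "compressed": next_line() == "1",
            "encryption": next_line()}
    if info["encryption"] == "AES-256":
        # Only the key-derivation parameters are in the clear; the payload stays
        # ciphertext until the backup password the user set is supplied.
        info["user_salt"] = bytes.fromhex(next_line())
        info["checksum_salt"] = bytes.fromhex(next_line())
        info["pbkdf2_rounds"] = int(next_line())
        info["user_iv"] = bytes.fromhex(next_line())
        info["master_key_blob"] = bytes.fromhex(next_line())
        info["members"] = None
        return info
    payload = blob[pos:]
    if info["compressed"]:
        payload = zlib.decompress(payload)  # java.util.zip.Deflater output is zlib-framed
    with tarfile.open(fileobj=io.BytesIO(payload)) as tar:
        info["members"] = tar.getnames()
    return info

def build_plain_sample() -> bytes:
    """Constructed unencrypted, compressed archive (format version 2) holding one app file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"constructed note\n"
        entry = tarfile.TarInfo("apps/com.example.notes/f/notes.txt")
        entry.size = len(data)
        tar.addfile(entry, io.BytesIO(data))
    return MAGIC + b"2\n1\nnone\n" + zlib.compress(buf.getvalue())

# Constructed AES-256 header: salts, IV and key blob are placeholder hex, not real values.
ENCRYPTED_SAMPLE = (MAGIC + b"2\n1\nAES-256\n" + b"11" * 64 + b"\n" + b"22" * 64 + b"\n"
                    + b"10000\n" + b"33" * 16 + b"\n" + b"44" * 48 + b"\nciphertext-bytes")
```

Run against a real archive, the encrypted branch tells the examiner up front that only the header metadata is recoverable without the backup password, which is the logical-acquisition limit answer 3 describes.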