The Android pattern lock feature found sudden fame when it recently became the focus of a federal search warrant petition. FBI investigators referred to the pattern-locking mechanism when they asked that the court require Google to provide either access to the suspect’s account that the fail-over unlock code was maintained by or to “turn over a Samsung default code” or instructions to pass the pattern lock and gain access to the device.
The Android pattern lock is an incredibly user-friendly, and safe, method of locking an Android device’s screen. During set-up of the pattern lock users connect a series of dots in the pattern of their choice and set the lock. Other options for locking include the conventional entry of a pass code consisting of letters, numbers and special characters.
Several mobile phone forensics groups commented publicly that the Android pattern lock was a force to be reckoned with from a technical perspective. Most experts cited the lock-out effect, meaning that the phone will stop allow attempts to enter the correct pattern after repeated failed attempts. Once this stage is reached the remedy for the average user is to use their Google email account to reset the lock. The lock out effect also means that a brute force attack on the lock pattern will only repeat in a fast shut-out of future attempts to guess the pattern.
Overcoming the Android pattern lock does not have to mean a brute force attack or a resulting lock out. The most important part of the Android pattern lock workaround is the understanding that the pattern lock does not encrypt the device data, it simply protects access to the data. This places the emphasis on gaining access to the underlying system and file data and not cracking the lock. By using a forensics tool to root the device and engage the USB debugging mode, the reviewer is able to create a replica of the full file system, application data, logs, cached information, databases, and past geo-data.
Replacing the current pattern lock with a new, known pattern lock entirely is also easily achieved when the device is rooted. The critical dependencies for the pattern lock are the pc.key and gesture.key files in the data/system/ folders. Replacing the pattern sequence in that file with a new pattern sequence will allow for entry post reboot. Replacing the pattern sequence becomes easier if the reviewer copies a the sequence from a test device’s pc.key or gesture.key file. It is important to note that injecting new files into an evidence phone file system is not best-practice but practical knowledge of what these files look like and where they are located can be helpful during an actual forensic device review.
For many types of reviews, the above workaround will provide the level of information necessary. However, rooting a device with any tool has inherit risks and some evidence-gathering procedures require that the system files, including rooting of the device, remain unchanged during the collection of evidence as was the case with the recent FBI search warrant. Barring these issues, the workaround presented here cuts to the chase and gains access to the information behind a pattern lock quickly and in most cases without complication.
Finally, a great tool for reviews and performing discovery is the Oxygen Forensics Suite. And remember, if your agency or prosecution team has a policy against the rooting of a device, ie. changing the phone settings in any way, be sure to turn off the auto-rooting function of your tools or use the tools manually instead of running the wizards.
Author Carol Glennon