Python Forensics – Mobile Forensics
Forensic investigation and analysis of standard computer hardware, such as hard drives, has developed into a stable discipline, aided by techniques for analyzing non-standard hardware or transient evidence.
While smartphones are increasingly being used in digital investigations, they are still considered non-standard.
Forensic Analysis
Forensic investigations search smartphones for data such as incoming or outgoing calls, text messages, photos, or any other evidence of a crime. Most smartphones have a screen lock feature protected by a numeric PIN or an alphanumeric passcode.
Here, we will illustrate how Python can help break the screen lock passcode in order to retrieve data from a smartphone.
Manual Inspection
Android supports locking with a PIN or an alphanumeric passcode. Both must be between 4 and 16 characters long. The hashed passcode is stored in a special file called password.key in the Android system's /data/system directory.
Android stores a salted SHA-1 hash and a salted MD5 hash of the passcode, concatenated in that order. They are computed by the following Android code.
    // Computes the contents of password.key for a given passcode.
    // getSalt(), toHex(), TAG and Log are members of the enclosing Android class.
    public byte[] passwordToHash(String password) {
        if (password == null) {
            return null;
        }
        String algo = null;
        byte[] hashed = null;
        try {
            // The salt (a 64-bit integer rendered as hex) is appended to the passcode.
            byte[] saltedPassword = (password + getSalt()).getBytes();
            byte[] sha1 = MessageDigest.getInstance(algo = "SHA-1").digest(saltedPassword);
            byte[] md5 = MessageDigest.getInstance(algo = "MD5").digest(saltedPassword);
            // Stored as hex text: 40 SHA-1 characters followed by 32 MD5 characters.
            hashed = (toHex(sha1) + toHex(md5)).getBytes();
        } catch (NoSuchAlgorithmException e) {
            Log.w(TAG, "Failed to encode string because of missing algorithm: " + algo);
        }
        return hashed;
    }
A dictionary attack on the hash alone is not feasible, because the passcode is salted before hashing and the salt is stored separately from password.key. The salt is a random 64-bit integer represented in hexadecimal. It can be retrieved from a rooted smartphone or through a JTAG adapter.
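The following Python port of passwordToHash() is an added example and is not code from the original page; it reproduces the password.key contents from a passcode and a salt and checks a candidate against a stored file. It assumes, as in Android's helpers that are not shown above, that toHex() emits uppercase hex and that getSalt() renders the salt like Java's Long.toHexString() (unsigned, lowercase, no leading zeros); the sample salt and password.key are constructed for the demonstration.

```python
import hashlib

SALT_MASK = 0xFFFFFFFFFFFFFFFF  # 64-bit salt, treated as unsigned like Long.toHexString()


def android_salt_hex(salt: int) -> str:
    """Render the 64-bit salt the way getSalt() does (assumed Long.toHexString()):
    unsigned two's complement, lowercase, without leading zeros."""
    return format(salt & SALT_MASK, "x")


def password_to_hash(password: str, salt: int) -> str:
    """Python port of passwordToHash(): SHA-1 and MD5 of passcode+salt,
    each hex-encoded in uppercase (assumed toHex() convention) and concatenated."""
    salted = (password + android_salt_hex(salt)).encode()
    sha1 = hashlib.sha1(salted).hexdigest().upper()
    md5 = hashlib.md5(salted).hexdigest().upper()
    return sha1 + md5


def parse_password_key(contents: str) -> tuple:
    """Split password.key text into (sha1_hex, md5_hex), validating its layout:
    40 hex characters of SHA-1 followed by 32 hex characters of MD5."""
    hexstr = contents.strip()
    valid = len(hexstr) == 72 and all(c in "0123456789abcdefABCDEF" for c in hexstr)
    if not valid:
        raise ValueError("password.key must be 72 hex characters (SHA-1 then MD5)")
    return hexstr[:40].upper(), hexstr[40:].upper()


def candidate_matches(candidate: str, salt: int, password_key: str) -> bool:
    """True if a candidate passcode reproduces both digests stored in password.key."""
    sha1_stored, md5_stored = parse_password_key(password_key)
    computed = password_to_hash(candidate, salt)
    return computed[:40] == sha1_stored and computed[40:] == md5_stored


# Constructed sample: a made-up salt and a password.key built from the passcode "1234".
SAMPLE_SALT = 0x1A2B3C4D5E6F7081
SAMPLE_PASSWORD_KEY = password_to_hash("1234", SAMPLE_SALT)

if __name__ == "__main__":
    print("salt as Android renders it:", android_salt_hex(SAMPLE_SALT))
    print("password.key:", SAMPLE_PASSWORD_KEY)
    print("'1234' matches:", candidate_matches("1234", SAMPLE_SALT, SAMPLE_PASSWORD_KEY))
    print("'0000' matches:", candidate_matches("0000", SAMPLE_SALT, SAMPLE_PASSWORD_KEY))
```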
Rooted Smartphones
On a rooted device, the salt that goes with /data/system/password.key is stored in the SQLite database settings.db under the key lockscreen.password_salt, and its value is clearly visible in the screenshot below.
JTAG Adapter
A special piece of hardware called a JTAG (Joint Test Action Group) adapter can be used to read the salt directly from the device. A Riff-Box or a JIG adapter can be used in the same way.
Using the memory dump obtained with the Riff-Box, the location of the salt can be found by applying the following rules:
- Search for the string "lockscreen.password_salt".
- The byte following it represents the actual width of the salt, i.e. its length.
- That length is the number of bytes read from the dump to obtain the salt for the smartphone's stored password/PIN.
This set of rules yields the appropriate salt data.