Digital incursion: Breaching the android lock screen and liberating data

Sammanfattning: Android is the most used operating system in the world, because of this the probability of an android device being acquired in an investigation is high. To begin to extract data from an android device you first need to gain access to it. Mechanisms like full system encryption can make this very difficult. In this paper, the advantages and disadvantages of different methods of gaining access and extracting data from an android device with an unlocked bootloader are discussed. Many users unlock the bootloader of their android device to gain a much greater level of control over it. Android forensics on a device without a unlocked bootloader is very limited. It is therefore interesting to study how you can extract data from an android device that doesn’t have this limitation to android forensics. A literature study is done on previous related research to gather methods for gaining access and extracting data. The methods collected are then tested by performing experiments on a Oneplus 3 android 9 and Oneplus 8 android 11. The research of this paper found that it is possible to perform a brute force attack within a reasonable time against a PIN of length 4-5 or pattern of length 4-6 on the lock screen of an android device. It found that you can optimise the attack by performing a dictionary attack by using public lists of the most used PIN codes. A list of all possible pattern combinations sorted and optimised for a dictionary attack is generated based on statistics of pattern starting location and length. A proof of concept is made by creating a copy of a fingerprint with common cheap materials to gain access through the fingerprint sensor. A device image were able to be extracted by using a root shell through Android Debug Bridge and common command-line tools. Memory forensics were performed by using Frida and was able to extract usernames, passwords, and emails from Google Chrome and Gmail. The custom recovery image TWRP was used to boot the device, gain root access, and was able to extract a full device image with common command-line tools. The results of the TWRP backup feature is also analysed. The results of the data extraction is then analysed manually and with Autopsy.