Android Forensics Study of Password and Pattern Lock Protection

November 30, 2011

Source: Forensic Focus


Let’s look at what Pattern Lock is and how to access, determine or even get rid of it. We’ll also discuss Password Lock Protection and find out what it has in common with Pattern Lock. Finally, we’ll try to understand how these locks relate to the forensic investigation process.

What is Pattern Lock?

Generally, a pattern lock is a set of gestures that the phone user performs to unlock the smartphone. It seems complicated, but actually it is not. A user has 9 points from which to create a ‘unique’ pattern. The minimum number of points in a pattern is 4, the maximum 9. To make this even clearer, let’s substitute digits for the points, just as on a phone num pad, to get a numeric value for the pattern.

Even if it is a multi-digit number, it is still limited to a set of 9 digits. Moreover, the user cannot pass over one point several times; in other words, digits cannot repeat. So in the end we have only 895824 pattern variants available on Android OS devices. This is only 0.1% of all possible 9-digit numbers. It is a huge cut, isn’t it?

How does Android store Pattern Lock?

Pattern lock data is kept in a file named gesture.key, stored in the /data/system folder. The lock sequence is hashed with the SHA-1 algorithm. Since SHA-1 is a one-way algorithm, there is no reverse function to convert the hash back to the original sequence. To restore the code, the attacker needs to build a table that maps sequences to their hash strings, so the best approach is to use a dictionary to recover the pattern. For example, it takes only several minutes to create a full dictionary for 895824 numbers from 1234 to 987654321. You can download this dictionary and then easily find the hash that will recover the original pattern. There is still one small trick with Pattern Lock. The smartphone encodes the pattern 1234 not as the string ‘1234’, but as the sequence of bytes 0x00 0x01 0x02 0x03. In other words, we have 0x00 for the first point and 0x08 for the last one. Android then computes the SHA-1 of these bytes and places it in the gesture.key file.

Example! Let’s say that a gesture.key file contains the byte values 0x82 0x79 0x0A 0xD0 0xAD 0xEB 0x07 0xAC 0x2A 0x78 0xAC 0x07 0x03 0x8B 0xC9 0x3A 0x26 0x69 0x1F 0x12.
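The lookup described above can be sketched in a few lines of Python. This is an added example, not code from the original article: it searches the sequences of 4 to 9 distinct points directly instead of loading a prebuilt dictionary, and the function names are hypothetical. It shows why a bare SHA-1 over such a small set of sequences gives an examiner the pattern as soon as gesture.key can be read.

```python
import hashlib
from itertools import permutations


def encode(pattern: str) -> bytes:
    """Map num-pad digits '1'..'9' to the bytes 0x00..0x08 that get hashed."""
    return bytes(int(d) - 1 for d in pattern)


def gesture_hash(pattern: str) -> bytes:
    """SHA-1 digest as it would be stored in gesture.key for this pattern."""
    return hashlib.sha1(encode(pattern)).digest()


def recover_pattern(digest: bytes, min_len: int = 4, max_len: int = 9):
    """Try every sequence of min_len..max_len distinct points.

    Returns the pattern as num-pad digits, or None when nothing matches.
    """
    if len(digest) != 20:
        raise ValueError("gesture.key must hold one 20-byte SHA-1 digest")
    for length in range(min_len, max_len + 1):
        for points in permutations(range(9), length):
            if hashlib.sha1(bytes(points)).digest() == digest:
                return "".join(str(p + 1) for p in points)
    return None


if __name__ == "__main__":
    # Constructed sample: hash a known pattern, then recover it.
    sample = gesture_hash("1478")
    print(sample.hex(), "->", recover_pattern(sample))
    # The 20 bytes quoted in the article's example.
    quoted = bytes.fromhex("82790ad0adeb07ac2a78ac07038bc93a26691f12")
    print(quoted.hex(), "->", recover_pattern(quoted))
```
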
