Groß T, Busch M, Müller T (2021)
Publication Language: English
Publication Type: Conference contribution
Publication year: 2021
Conference Proceedings Title: Proceedings of the Eighth Annual DFRWS Europe
Event location: Cyberspace
As known for a decade, cold boot attacks can break software-based disk encryption when an attacker has physical access to a powered-on device, including Android smartphones. Raw memory images can be obtained by resetting a device and rebooting it with a malicious boot loader, or—on systems where this is not possible due to secure boot or restrictive BIOS settings—by a physical transplantation of RAM modules into a system under the control of the attacker. Based on the memory images of a device, different key recovery algorithms have been proposed in the past to break Full Disk Encryption (FDE), including BitLocker, dm-crypt, and also Android's FDE. With Google's switch from FDE to File-based Encryption (FBE) as the standard encryption method for recent Android devices, however, existing tools have been rendered ineffective. To close this gap, and to re-enable the forensic analysis of encrypted Android disks, given a raw memory image, we present a new key recovery method tailored for FBE. Furthermore, we extend The Sleuth Kit (TSK) to automatically decrypt file names and file contents when working on FBE-enabled EXT4 images, as well as the Plaso framework to extract events from encrypted EXT4 partitions. Last but not least, we argue that the recovery of master keys from FBE partitions was particularly easy due to a flaw in the key derivation method by Google.
Groß, T., Busch, M., & Müller, T. (2021). One key to rule them all: Recovering the master key from RAM to break Android's file-based encryption. In Proceedings of the Eighth Annual DFRWS Europe. Cyberspace: Elsevier.
Groß, Tobias, Marcel Busch, and Tilo Müller. "One key to rule them all: Recovering the master key from RAM to break Android's file-based encryption." Proceedings of the DFRWS EU 2021, Cyberspace: Elsevier, 2021.