Hi!
We continue with the ninth part of this study on unlocking cell phones in forensic procedures.
This time we present a draft of the study, covering the RESEARCH BACKGROUND AND WORK section.
RESEARCH BACKGROUND AND WORK:
This section presents an individual analysis of each of the research papers taken as a reference: what they present, the techniques and steps they follow to carry out their analysis or their study of the field from their point of view, and finally a short assessment of what I believe are the strong and weak points of each one. Once each review is finished, an overview of the situation is given based on what my analysis draws from the articles, in order to highlight those that contribute the most and the methods that can best be applied in the real world, at least according to my assessment.
Below is a brief summary of the Reviewed Articles, the most relevant papers in this field, which are as follows:
- «An Improvised Methodology to Unbar Android Mobile Phone for Forensic Examination» [2].
- «Cracking Android Pattern Lock in Five Attempts» [3].
- «Intellectualized Forensic Technique for Android Pattern Locks» [4].
- «Unlocking Digital Evidence: Recent Challenges and Strategies in Mobile Device Forensic Analysis» [5].
- «A New Model for Forensic Data Extraction from Encrypted Mobile Devices» [6].
Study of the article «An Improvised Methodology to Unbar Android Mobile Phone for Forensic Examination»[2]:
In the article, the researchers address the challenge of unlocking Android mobile devices for forensic purposes during a police investigation, where data must be extracted from the mobile terminal without damaging it. To do so, several approaches or methodologies are presented to bypass or break the various protection mechanisms, such as the screen lock, the gesture lock, PIN-based access and the classic password. Likewise, the article attempts to demonstrate how effective these techniques can be in forensic procedures.
The methods used in this article are:
- Recovery login: The lock is triggered by repeatedly entering wrong credentials, after which different account-recovery processes are attempted. This model presents certain problems for devices on which Wi-Fi is not enabled, as described by the researchers, and also in cases where there is no access to the accounts of the person under investigation (the victim in this case).
- Aroma file manager [7]: This process uses a file manager installed on an SD card, booted in recovery mode, to delete the lock files from the mobile device. There are several problems; the first is that it requires the ability to insert an SD card, and many devices do not have this expansion slot.
- Rooting and ADB: This involves performing the classic rooting process on the mobile device in order to use Android Debug Bridge (ADB) [8] and remove the lock files from the device. The problem with this process is that it can damage the system, introduce errors or destroy the information contained on the device, which would destroy the evidence.
- Unbar the pattern lock without removing the pattern: This method starts from an already rooted mobile phone. A specific file is located in the system, a series of commands is executed, a set of files is downloaded to a computer prepared for forensic procedures, and from them a series of values is extracted that can be transformed back into the gesture that unlocks the terminal. The problem with this process is that the phone must be rooted and a series of steps must be carried out that could corrupt the data, in addition to needing a means of transferring the data from the phone to a computer.
Strengths of the article and the model discussed:
After reviewing this work I can say that the strong points of this approach are:
- Different methods are presented for different scenarios.
- They use a very practical approach and discuss processes that can be followed without great difficulty to reproduce their experiments.
Weaknesses of the article and the model discussed:
As for the weak points, after reviewing this work we can say:
- Physical security risks for devices and stored data.
- Dependence on certain elements such as Wi-Fi connections, SD expansions, etc.
Future Lines of the Article:
After analyzing the article, the following future lines for work and improvement of the unlocking method can be described:
- Some of the techniques should be reviewed as they do not seem to be applicable to many cases.
- Work should be done to ensure the security of devices and data.
Study of the article «Cracking Android Pattern Lock in Five Attempts»[3]:
- Authors: Qiu Jiahao, Qiu Weidong, Wang Yangde, Zha Yan, Xie Yuming, Li Yan
- Publication: Chinese Journal of Network and Information Security, Volume 8, No. 1, February 2022
In the article «Cracking Android Pattern Lock in Five Attempts»[3] a video-based attack (or rather a method of cracking the lock) is presented to reconstruct Android lock patterns, using computer vision algorithms to track fingertip movements and deduce the pattern used. The experimental results show that the approach can be really useful since, after tests performed with 120 unique patterns collected from 215 independent users, it is able to unlock more than 95% of the devices before the device is automatically locked by the Android operating system. About this, in the article we are told that «Experimental results show that our approach can break over 95% of the patterns in five attempts before the device is automatically locked by the Android system.» (Qiu Jiahao, 2022)
The model proposes a computer vision algorithm to track fingertip movements on the screen in order to deduce the pattern or possible patterns that could “match” what the program has detected.
Using the geometric information extracted from the tracked movements, the approach can accurately identify a small number of candidate patterns to be tested by an adversary. There is an interesting fact about the vulnerability of complex patterns as the authors tell us: «We discovered that, in contrast to many people’s belief, complex patterns do not offer stronger protection under our attacking scenarios.» (Qiu Jiahao, 2022)
This device unlocking procedure will only be useful in the case of devices that use the Android Pattern Lock feature (gesture unlocking).
The problem with this approach is that recordings of the user handling their device must be available in order to feed them into the recognition program, which analyzes the possible finger movements in search of the closest patterns and then proceeds to the five attempts that Android allows before locking.
Although this is the clear disadvantage of the model proposed and analyzed in the scientific article, it can be said that, in the case of a police investigation, a surveillance operation could be carried out on the suspect before the arrest, in addition to accessing any available recordings from the areas in which the person whose mobile is to be accessed operates.
Steps used in this model:
Likewise, now that we are going to talk about the steps taken in the attack methodology, it is worth remembering that according to the authors «Our attack employs a computer vision algorithm to track the fingertip movements from the video. Using the geometry information extracted from the tracked fingertip motions, our approach is able to accurately identify a small number of (often one) candidate patterns to be tested by an adversary.» (Qiu Jiahao, 2022)
The breakdown into steps of the process to be carried out in the process proposed in this scientific article will be the following:
- First, the video must be recorded and processed: Here, the victim must be recorded (for example, with a mobile phone) unlocking the mobile phone, allowing distances of 2 meters for mobile phones and 9 meters for more precise cameras. After this, the video is edited for ingestion into the tracking program.
- Then, the tracking program is run in which a computer vision algorithm follows the finger frame by frame to generate the trajectory.
- Next, a set of rotational matrices is made to change the angle of the image to see the image from the user’s perspective. In order to determine the angle, an edge detection algorithm is used.
- The next step is the identification and classification of the possible patterns: the detected trajectories are mapped onto the pattern grid and the candidates are ranked using heuristics based on the total length of the lines and the number of turns.
- Finally, the five patterns that are most likely to match the gesture password are tested.
Strengths of the article and the model discussed:
After reviewing this work I can say that the strong points of this approach are:
- The success rate of this model is really high, as described there is a 95% success rate in the five attempts allowed.
- It does not require capturing the screen or its content, which makes it simpler and more powerful than other models studied.
- The distance at which the victim can be recorded, between 2 and 9 meters (depending on the method used) makes it really easy to perform, exposing the attacker less, making the action less suspicious.
Weaknesses of the article and the model discussed:
As for the weak points, after reviewing this work we can say:
- The model depends on the quality of the captured image: if the image is not sharp, the capture quality and therefore the success rate decrease.
- Likewise, the image quality is affected by environmental conditions and lighting since fog, rain or darkness will increase the noise level.
- If the angle is estimated incorrectly, errors can be generated that will decrease the success rate.
Future Lines of the Article:
After analyzing the article, the following future lines for work and improvement of the unlocking method can be described:
- The finger movement analysis algorithm must be developed.
- Work must be done to make the image analysis better adapted to variations in video quality, eliminate noise, etc.
- Angle calculation and image rotation must be improved to avoid possible distortion in the analysis of finger movements.
After reviewing this article, and in the words of the authors themselves «Since our threat model is common in day-to-day lives, our work calls for the community to revisit the risks of using Android pattern lock to protect sensitive information». (Qiu Jiahao, 2022)
Study of the article «Intellectualized Forensic Technique for Android Pattern Locks» [4]:
- Authors: Qiu Jiahao, Qiu Weidong, Wang Yangde, Zha Yan, Xie Yuming, Li Yan
- Publication: Chinese Journal of Network and Information Security, Volume 8, No. 1, February 2022
Note: As an informative note, it must be said that analyzing this article has been truly laborious, because it could not be found in English and I had to work with the original in Chinese.
This article proposes a method to unlock Android mobile devices using lock patterns, using AI-based visual recognition to identify and decipher the possible lock patterns used on devices. This work was carried out by the same authors as in the previous case and follows a very similar line.
Steps used in this model:
The process to unlock the mobile device is almost identical to the previous article, and consists of:
- First, the recording process is carried out while the victim unlocks their mobile phone or the recording is collected from a means such as a security camera, traffic camera or similar.
- Then, the tracking program is run, in which a computer vision algorithm follows the finger and identifies the finger movements.
- Next, different algorithms and mathematical means are used to generate the mapping and eliminate noise, distortion or redundancies to determine the path taken by the fingers.
- Finally, after making a process of choosing the possible patterns, it is simplified and heuristics are used considering the total length of the lines and the number of turns.
Below we will discuss both the weaknesses and the strengths, but first we want to mention that both strengths and weaknesses are almost identical to those of the previous scientific article.
Strengths of the article and the model discussed:
After reviewing this work I can say that the strong points of this approach are:
- Tests carried out in a controlled environment (laboratory conditions) show a very high success rate, close to 100% under ideal conditions.
- It does not require capturing the screen or its content, which makes it simpler and more powerful than other models studied.
Weaknesses of the article and the model discussed:
As for the weak points, after reviewing this work we can say:
- The model depends on the quality of the captured image: if the image is not sharp, the capture quality and therefore the success rate decrease.
- Likewise, the image quality is affected by environmental conditions and lighting since fog, rain or darkness will increase the noise level.
- If the angle is estimated incorrectly, errors can be generated that will decrease the success rate.
Future Lines of the Article:
After analyzing the article and comparing it with the previous one, it can be said that the future lines of this article are identical to the previous scientific article since the work has the same advantages and disadvantages and the evolution is limited.
- The finger movement analysis algorithm must be developed.
- Work must be done to make the image analysis better adapted to variations in video quality, eliminate noise, etc.
- Angle calculation and image rotation must be improved to avoid possible distortion in the analysis of finger movements.
Study of the article «Unlocking Digital Evidence: Recent Challenges and Strategies in Mobile Device Forensic Analysis» [5]:
- Author: Bandr Fakiha
- Publication: Journal of Internet Services and Information Security (JISIS), Volume 14, Issue 2, May 2024
This article has a different approach to those studied so far, as it focuses on exploring the challenges and techniques that can be used to extract data from mobile devices and the techniques that must be followed to be able to analyze the data collected once extracted. Above all, the difference between this article and the others is that it focuses on the more analytical or theoretical part, leaving aside the purely practical part. On the other hand, this article also discusses the most common challenges of forensic processes in the mobile world, including device heterogeneity, data fragmentation, cloud synchronization, privacy and legal considerations.
Steps used in this study:
This article does not follow a series of operational steps, but rather a series of study steps in which the different elements, operations, etc. of the forensic process on mobile devices are reviewed.
- The first point to be addressed is device exploitation: This will include the identification and exploitation of vulnerabilities existing in the operating system, firmware of mobile devices or any other error that can be used to bypass the device’s security mechanisms and thus obtain the elevated privileges necessary to unlock the device.
- Password cracking: This section discusses different password-cracking techniques, such as brute-force attacks, dictionary attacks, or the exploitation of bugs and weaknesses in password-protection measures, to recover passwords, patterns and biometric locks, although the author highlights that these are expensive and slow methods.
- File Carving[9]: This is a process that attempts to recover deleted or fragmented data from mobile devices using various specialized tools that identify files based on headers, specific signatures, or other distinctive elements.
- Database Reconstruction: This involves recovering and evaluating data stored in the mobile device’s database by understanding the database structure and executing some specific SQL queries.
- API Usage: This refers to techniques for accessing data stored in the service provider's cloud (iCloud, Drive, etc.) through the APIs provided by the cloud service providers, which has certain problems, such as the limits imposed by applicable regulations (for example the GDPR) or the provider's lack of cooperation.
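The file-carving step listed above works by scanning a raw dump for known headers and then establishing where each file ends. The following Python program is an added example written for this post (it is not code from the reviewed article or any of the papers) that does exactly that over a constructed byte image: JPEG and PNG are bounded by their footer, while SQLite databases carry their own length in the header (page size at offset 16, page count at offset 28), so a carver can recover them without a footer. The signature table and the sample image are assumptions built for the demonstration.

```python
"""Signature-based file carving over a raw storage image (added example)."""
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional

MAX_CARVE = 8 * 1024 * 1024  # upper bound for a footer search; keeps runtime bounded


@dataclass
class CarvedFile:
    kind: str
    offset: int
    data: bytes


def _footer_bounded(footer: bytes) -> Callable[[bytes, int], Optional[int]]:
    """Build a sizer that ends the file at the first footer after the header."""
    def sizer(image: bytes, pos: int) -> Optional[int]:
        end = image.find(footer, pos + 1, pos + MAX_CARVE)
        return None if end < 0 else end + len(footer) - pos
    return sizer


def _sqlite_size(image: bytes, pos: int) -> Optional[int]:
    """SQLite header: page size at offset 16 (2 bytes big-endian, value 1 means
    65536) and database size in pages at offset 28 (4 bytes big-endian).
    The in-header page count is trusted here; a real carver would cross-check it."""
    if pos + 100 > len(image):
        return None
    (page_size,) = struct.unpack_from(">H", image, pos + 16)
    (page_count,) = struct.unpack_from(">I", image, pos + 28)
    if page_size == 1:
        page_size = 65536
    size = page_size * page_count
    if size == 0 or pos + size > len(image):
        return None  # zero-length or truncated database
    return size


# (kind, header magic, sizer): a constructed table for this example
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", _footer_bounded(b"\xff\xd9")),
    ("png", b"\x89PNG\r\n\x1a\n", _footer_bounded(b"IEND\xaeB`\x82")),
    ("sqlite", b"SQLite format 3\x00", _sqlite_size),
]


def carve(image: bytes) -> List[CarvedFile]:
    """Find every known header, carve each complete file, and skip candidates
    whose end cannot be established (truncated or corrupt fragments)."""
    found: List[CarvedFile] = []
    for kind, magic, sizer in SIGNATURES:
        start = 0
        while (pos := image.find(magic, start)) >= 0:
            size = sizer(image, pos)
            if size is None:
                start = pos + 1  # no usable end: move past this header
                continue
            found.append(CarvedFile(kind, pos, image[pos:pos + size]))
            start = pos + size
    found.sort(key=lambda f: f.offset)
    return found


def build_sample_image() -> bytes:
    """Constructed dump: filler, a JPEG, a truncated JPEG header, a PNG,
    a two-page SQLite header with its pages, and more filler."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    header = bytearray(100)
    header[0:16] = b"SQLite format 3\x00"
    struct.pack_into(">H", header, 16, 512)  # page size
    struct.pack_into(">I", header, 28, 2)    # page count -> 1024 bytes
    sqlite = bytes(header) + b"\x00" * (1024 - 100)
    truncated_jpeg = b"\xff\xd8\xff\xe1" + b"x" * 8  # header with no footer
    return (b"\x00" * 64 + jpeg + b"\x00" * 16 + truncated_jpeg
            + png + b"\x00" * 32 + sqlite + b"\x00" * 64)


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f.kind:6} @ offset {f.offset:5d}  {len(f.data)} bytes")
```

Running the block reports the JPEG, the PNG and the SQLite file with their offsets and sizes, and silently drops the truncated JPEG header, which is the behaviour a carver needs on fragmented media.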
Strengths of the article and the model discussed:
After reviewing this work I can say that the strong points of this approach are:
- This is an interesting article to review the literature, the options available, etc.
- It discusses how relatively new technologies such as artificial intelligence and machine learning improve the accuracy and efficiency of forensic analysis.
- It is a holistic view of the current state of forensic processes on mobile devices.
Weaknesses of the article and the model discussed:
As for the weak points, after reviewing this work we can say:
- It does not go into detail about any technique.
- It is not useful from the point of view of learning processes, only as an enumeration of processes, techniques and measures.
Future Lines of the Article:
After analyzing the article, the following future lines for work and improvement of the unlocking method can be described:
- With regard to this work, I think that we should work on future lines in order to make the study more technical, moving away from the theoretical part.
Study of the article «A New Model for Forensic Data Extraction from Encrypted Mobile Devices» [6]:
- Authors: Aya Fukami, Radina Stoykova, Zeno Geradts
- Publication: Forensic Science International: Digital Investigation, Volume 38, September 2021
This article, like several of the previous ones, deals with the challenges that current mobile terminals present to forensic investigators, from the point of view of the limitations investigators run into when working with these terminals, since the same measures that are meant to protect the user also protect the criminal. Measures such as storage encryption, screen locks, etc. make the forensic process more complicated, which means the usual operations have to change and one must think from the attacker's side. The authors propose a forensic work model in which vulnerabilities in the systems and mobile terminals are exploited to extract information in forensic procedures: the use of vulnerability exploitation and the bypass of security measures.
This approach seems very interesting to me, and the work, although theoretical in nature like the previous one, goes a step further into the technical part.
Proposed methods:
As in the previous one, these are not specific steps but rather a list of techniques that can be used, so they will be presented one after the other, but this does not mean that they must be executed (necessarily) in the order in which they are presented:
- Some vulnerabilities have been identified and their exploitation is proposed, both in terms of hardware, installed software and the Operating System.
- Bypass models are presented to circumvent security mechanisms.
- Hardware modification procedures are proposed for data extraction, although these pose risks to the hardware.
- It describes the use of a custom bootloader on the device during the boot process to execute arbitrary code and allow physical data acquisition.
- Emerging techniques are proposed, such as side-channel analysis, fault injection and SoC reverse engineering.
- Legal aspects related to modern forensic technologies are discussed.
Strengths of the article and the model discussed:
After reviewing this work I can say that the strong points of this approach are:
- Innovation in Forensic Techniques and the exploitation of bugs, security flaws, etc.
- Possibility of applying different processes to different scenarios and devices.
- It addresses legal aspects that have not been seen in the other articles.
Weaknesses of the article and the model discussed:
As for the weak points, after reviewing this work we can say:
- Some of the proposed methods present certain security risks for the devices.
- Some aspects should be further developed.
Future Lines of the Article:
After analyzing the article, the following future lines for work and improvement can be described:
- I think that what should be done with this work, in addition to keeping it updated so that it maintains its freshness, is to extend the technical part so that it becomes a real guide to the different techniques described.
In conclusion to the article «A New Model for Forensic Data Extraction from Encrypted Mobile Devices»[6], I must say that despite being an eminently theoretical work, since it is dedicated to listing techniques, I do find it of great interest precisely because it is a really useful and well-developed compilation that not only presents the current options but also presents a projection into the future, in addition to the fact that the current techniques it presents are of great interest and quality.
Comparative analysis of the works analyzed and additional notes:
The research works studied present different profiles. On the one hand, there are works similar to the present one, in which a review of technical procedures is carried out with the intention of listing possible models, tools, etc., while on the other hand there are works devoted to the research, development and testing of more or less novel procedures. Within this division a further split can be made: on the one hand there are articles like «Cracking Android Pattern Lock in Five Attempts» [3] or «Intellectualized Forensic Technique for Android Pattern Locks» [4], which present well-argued, developed work with a solid scientific basis and a series of tests with conclusions, while on the other hand we have articles like «An Improvised Methodology to Unbar Android Mobile Phone for Forensic Examination» [2], which present a much simpler development in which the steps of some methods are listed but no deep development or scientific basis is given. In this sense, the last article provides much less value than those previously mentioned.
The reviewed studies present different alternatives for unlocking mobile devices or for accessing the data contained in the device once unlocked. The article «An Improvised Methodology to Unbar Android Mobile Phone for Forensic Examination» [2] presents different approaches, such as login recovery, the use of shortcuts into the device's file systems, or even the cracking of file systems, from a more technical than theoretical point of view, but it suffers from a lack of theoretical background or deep explanations, which positions it more as a set of tutorials or how-tos for solving certain problems than as an academic work; at this point, in my opinion, the work should be extended considerably, adding much more academic background and a more extensive theoretical basis, with coherent explanations that give the work itself a foundation.
The studies «Cracking Android Pattern Lock in Five Attempts» [3] and «Intellectualized Forensic Technique for Android Pattern Locks» [4] are the antithesis of the above, as they present a strong theoretical basis as well as a well-developed practical approach, with worked examples and explanations and a series of notes on the results obtained that give both works a very complete presentation. This is surely due to the fact that both projects were carried out by the same group of researchers.
In my opinion, these two works are by far the most important works that I have reviewed throughout this study. With unlock rates in the laboratory exceeding 95% within 5 attempts, and almost 100% in controlled laboratory environments where up to 20 attempts were made (which is actually completely anomalous, since the Android terminals they work with block the terminal after more than 5 attempts), they present both a good development as a study and a good technical solution.
With regard to these studies, I have a doubt that I will surely try to resolve in the future: whether, following the description of the activities they carry out and thinking about the theoretical basis on which they work, it would be possible to reproduce a mobile unlocking system similar to the one described, achieving a hit rate or success rate as high as the one they describe in their work.
Being realistic, starting from scratch and following only the theoretical descriptions they discuss in their article, the work to be done is titanic and may perhaps be tackled in the future as academic research associated with, for example, postgraduate work groups.
On the other hand, the scientific article «A New Model for Forensic Data Extraction from Encrypted Mobile Devices» [6] is rich from the point of view of the review of different technologies, methodologies, and also from the point of view of the number of sources of information it provides. But, on the other hand, from my point of view, it also suffers from a great weakness in the depth in which the different points studied are treated. On the one hand, when studying the traditional model of forensic procedures in mobile devices, several types of approaches are discussed: manual extraction, logical extraction, Hex Dumping/JTAG, extraction of non-volatile memory media known as chip-off and reading of memory media known as Micro-Read, traditional means that were already known and widely used.
Where I think this article adds its value beyond what was previously cited regarding the sources from which it draws to generate the documentation presented, is in the study of the impact of modern security methodologies versus traditional forensic operations, analyzing one after another the methodologies previously proposed in this same article.
On the other hand, it also shows a lot of interest in the part that talks about the new methodologies used for the extraction of information from mobile devices, including various current methodologies, these being the only ones that deal with, for example, the importance of data in the cloud from service providers to mobile devices, a point of great interest that is becoming more important every day given the dependence of data from different devices on elements uploaded to repositories or servers in the cloud.
Also of great interest in this article is the study of emerging models for unlocking mobile devices, including for example side-channel analysis, SoC reverse engineering, or Fault injection.
Lastly, the most interesting thing I see in this article is perhaps section 5, which addresses the legal implications associated with modern forensic technologies, dealing with points such as the admissibility of forensic evidence in court, the privacy and individual rights of those investigated, the ethics of applying forensic technologies, and international regulation and standards, addressing the need to deal with the legal, ethical and privacy issues that arise with the adoption of modern forensic technologies, guaranteeing their responsible use and respect for human rights.
Finally, the article «Unlocking Digital Evidence: Recent Challenges and Strategies in Mobile Device Forensic Analysis» [5] addresses current challenges and techniques in mobile device forensic analysis from a somewhat superficial perspective, identifying various challenges such as mobile device heterogeneity, data fragmentation, synchronization and cloud storage, and certain legal and privacy considerations, also addressing certain techniques such as device exploitation, password cracking, file carving, database reconstruction, and reviewing certain forensic advances.
Mobile device forensics from an ethical point of view:
Throughout the various articles, considerations of privacy or confidentiality, respect for user data, compliance with current laws and regulations regarding data protection, confidentiality, institutional approval, respect for context and limits, as well as the veracity of data and transparency in procedures, are discussed, as we can see in «Unlocking Digital Evidence: Recent Challenges and Strategies in Mobile Device Forensic Analysis» [5] and «A New Model for Forensic Data Extraction from Encrypted Mobile Devices» [6].
At this point, forensic procedures on mobile devices should be discussed in the context of an investigation of a crime, a terrorist act, drug trafficking, or similar issues. In these cases in particular, I think it would be interesting to open the can of worms, to a certain extent, by lifting certain ethical restrictions that should apply in most cases to access to the data devices or other personal elements of ordinary citizens. In the case of criminals such as sex offenders, traffickers or terrorists, the possibility of rescinding certain rights should be considered in order to enable any action to stop their illegal activities.
For this reason, I think that, as far as possible, local laws and European Union laws, as well as certain regulations associated with legal procedures, Data Protection regulations, and regulations on forensic procedures, should provide for certain scenarios in which all ethical limitations are lifted.
Surely this point of view may not be entirely progressive, but in my opinion the guarantee that the average citizen is protected against proven criminals should lead to these measures being taken. Of course, I am not talking about applying these types of measures to just any case, but rather to cases where, for example, there is already evidence or reliable proof that the person under investigation is a potentially dangerous criminal. An example of this could be having absolute certainty, with really solid evidence, that this person has kidnapped a child (putting ourselves in the worst-case scenario) and that the child's life is in danger if we do not manage to unlock the mobile phone and access the data where information about the child's location may be stored.
That’s all for today.
We’ll continue in a few days.