Remember the days of just dealing with lock screens on Android? Those days are gone. Let’s take a look back. Google announced the release of version 5, Lollipop, in fall 2014 [1]. Full disk encryption (FDE), available since Honeycomb, was to be turned on by default, but performance problems on many devices led Google to back down on enforcing it. At this point, brute force was still an easy option for us to gain access: the lock-screen credential was stored in password.key as a salted SHA-1/MD5 hash, and with that file plus the salt from locksettings.db the credential could be cracked offline. Android 6, Marshmallow, was released in fall 2015 and made FDE mandatory on devices whose hardware met Google’s performance requirements. Marshmallow also introduced Gatekeeper credential storage. Instead of a salted hash that anyone holding the file can recompute, Gatekeeper stores a handle (gatekeeper.password.key) that is an HMAC-style signature under a key held in the device’s Trusted Execution Environment (TEE); because that key never leaves the TEE, the handle cannot be verified, and therefore cannot be brute-forced, anywhere but on the device, where the TEE also throttles failed attempts. This makes cracking a Gatekeeper-protected credential almost impossible unless a legacy or backup password is still in use. More will be covered on this in the locked Android portion of Section 2.
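To make the difference concrete, here is an added example (Python, written for these notes; it is not code from the course material or from Android itself). The legacy part reproduces the pre-Marshmallow password.key format from AOSP’s LockPatternUtils: uppercase hex SHA-1 followed by MD5 of the password concatenated with the salt, where the salt is the 64-bit value from lockscreen.password_salt printed like Java’s Long.toHexString. The Gatekeeper part is a deliberately simplified model, not Gatekeeper’s real file format or throttling schedule: the class TrustedExecutionEnvironment, its device key, the HMAC-SHA256 construction and the flat 30-second throttle after five failures are all assumptions made for illustration.

```python
"""Legacy Android lock-screen hash versus a TEE-bound Gatekeeper-style handle.

Added example for the notes above; not part of the course material or of AOSP.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

MASK64 = (1 << 64) - 1


def legacy_salt_string(salt: int) -> str:
    """Render the salt the way LockPatternUtils did: Long.toHexString() of the
    64-bit value from locksettings.db, i.e. lowercase hex, no padding, and
    two's complement for negative values."""
    return format(salt & MASK64, "x")


def legacy_password_hash(password: str, salt: int) -> str:
    """Reproduce the pre-Marshmallow password.key contents: uppercase hex of
    SHA-1(password+salt) followed by MD5(password+salt), 72 hex chars total."""
    data = (password + legacy_salt_string(salt)).encode("utf-8")
    sha1 = hashlib.sha1(data).hexdigest().upper()
    md5 = hashlib.md5(data).hexdigest().upper()
    return sha1 + md5


def crack_legacy(password_key: str, salt: int, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on a recovered password.key and salt. It works
    because everything needed to recompute the hash is in the extraction."""
    target = password_key.strip().upper()
    for guess in candidates:
        if legacy_password_hash(guess, salt) == target:
            return guess
    return None


class TrustedExecutionEnvironment:
    """Simplified stand-in for the TEE side of Gatekeeper (assumption, not the
    real implementation): a device-unique key that is never exported, and a
    flat 30 s throttle once five consecutive attempts have failed."""

    def __init__(self) -> None:
        self._device_key = secrets.token_bytes(32)  # never leaves this object
        self.failures = 0

    def enroll(self, password: str, salt: bytes) -> bytes:
        """Return the handle that would be written to gatekeeper.password.key."""
        return hmac.new(self._device_key, salt + password.encode("utf-8"), hashlib.sha256).digest()

    def verify(self, password: str, salt: bytes, handle: bytes) -> Tuple[bool, int]:
        """Return (ok, seconds the caller had to wait before this attempt)."""
        wait = 30 if self.failures >= 5 else 0
        ok = hmac.compare_digest(self.enroll(password, salt), handle)
        self.failures = 0 if ok else self.failures + 1
        return ok, wait


def crack_gatekeeper_offline(handle: bytes, salt: bytes, candidates: Iterable[str]) -> Optional[str]:
    """What an examiner can do with only the file contents. Without the device
    key there is nothing to recompute; the only candidate key available off
    the device is a guess, so this search is expected to return None."""
    guessed_key = bytes(32)  # attacker does not have the real key
    for guess in candidates:
        if hmac.new(guessed_key, salt + guess.encode("utf-8"), hashlib.sha256).digest() == handle:
            return guess
    return None


def guess_on_device(tee: TrustedExecutionEnvironment, handle: bytes, salt: bytes,
                    candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """The only place the handle can be checked: on the device, through the
    TEE, paying the throttle. Returns (found password, total seconds waited)."""
    total_wait = 0
    for guess in candidates:
        ok, wait = tee.verify(guess, salt, handle)
        total_wait += wait
        if ok:
            return guess, total_wait
    return None, total_wait


if __name__ == "__main__":
    # Constructed sample data, not from a real extraction.
    salt = 0x5E1F_CAFE_BEEF_0001
    wordlist = ["0000", "1111", "2580", "1212", "0852", "1998", "4321", "1234", "9999", "7777"]

    password_key = legacy_password_hash("1234", salt)
    print("legacy password.key:", password_key)
    print("offline crack of legacy hash:", crack_legacy(password_key, salt, wordlist))

    tee = TrustedExecutionEnvironment()
    gk_salt = secrets.token_bytes(8)
    handle = tee.enroll("1234", gk_salt)
    print("offline crack of Gatekeeper handle:", crack_gatekeeper_offline(handle, gk_salt, wordlist))
    print("on-device guessing (password, seconds waited):", guess_on_device(tee, handle, gk_salt, wordlist))
```

The contrast is the point: the same ten-entry wordlist recovers the legacy credential instantly from the file alone, while the Gatekeeper-style handle cannot even be tested off the device, and on the device every attempt after the fifth costs a throttle delay enforced below the OS.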

Nougat was the game changer. Like iOS, Nougat (Android 7) introduced file-based encryption (FBE) as an option for the OEM. Under FBE each file is encrypted with its own key, derived from a per-user class key, so there are separate Device Encrypted (DE) and Credential Encrypted (CE) areas: the device can unlock the DE files needed for booting and for showing notifications while it is still locked, and only the CE files wait for the user’s credential [1]. The OEM has the choice between FBE and FDE on each device. Also, Secure Startup and Secure Boot were introduced. We’ll look at each of these and their differences in a few slides.

Android Oreo (v8) was publicly released in August 2017, followed by Android Pie (v9) in late summer 2018. While users want these new versions, many devices cannot be upgraded to them. Android 10, Android 11, and Android 12 are harder to acquire, which makes analysis and research harder than before. We often rely on root access to fully examine the data in these releases, and the lack of a working root for many devices makes this difficult. In this section and Section 2, we will look at the changes that Nougat initially introduced and how they change the playing field in our examinations. Look out for blog posts on www.smarterforensics.com and https://thebinaryhick.blog as new artifacts are uncovered, as this research is ongoing. We have tried to go file by file on as many devices and operating systems as possible. Why? So you won’t have to!

Reference:

[1] Tamma, Skulkin, Mahalik, and Bommisetty, Practical Mobile Forensics, Third Edition (Birmingham, UK: Packt, 2018).