There are several lock options for Android devices. The first is the pattern lock (swipe code), which was introduced by Android. The others include a simple PIN lock, an alphanumeric passcode, and biometric locks. The alphanumeric passcode is the hardest to crack. Biometric locks are backed by a pattern lock or a PIN/password, so they are only as difficult to crack as the backup method that protects the biometrics. Make sure you never take a device that someone unlocks for you without obtaining the passcode! Android 8 required you to enter the passcode to enable Developer Mode, even on unlocked devices.
Currently, tools like Hashcat, Andriller, Oxygen, XRY, and Cellebrite can crack both PIN locks and pattern locks for most devices. The USERDATA/system/ directory holds gesture.key, password.key, gatekeeper.password.key, and other *.key files [1]. If these keys are not present, it is because the device was never locked by the user or because your extraction tool was not capable of extracting the required files. If the user locks the device and then removes the lock, the files still exist. gesture.key contains the hash of the pattern; the forensic tools simply decode the hash to obtain the pattern lock. password.key is also a hash, computed from the password and a salt that was historically stored in USERDATA/data/com.android.providers.settings/databases/settings.db [2]. That file no longer stores the password salt on modern Android devices; there the salt can be recovered from USERDATA/system/locksettings.db. When extracting either database, always grab the write-ahead log (WAL) as well, in case the salt has not yet been committed to the database at the time of extraction: in that situation the WAL holds the salt. When Gatekeeper is involved, these rules may not apply.
For devices you cannot bypass, services are offered by CAS (Cellebrite Advanced Services) to unlock most Android phones, even those that are encrypted.
Best practice is to grab every .key-related file the device may be using to store the password or the backup password/PIN hash. These are commonly password.key, fmmpassword.key, fingerprintpassword.key, and sparepassword.key. Beware that some keys may not be accessible on encrypted devices or on those protected by Gatekeeper. Gatekeeper (introduced with Android 6 Marshmallow) prevents the tools from simply taking the salted password hash and cracking it. The password/PIN/pattern is verified inside a Trusted Execution Environment (TEE) using a hardware-bound secret key, and that key is required to test candidates against the lock, so it cannot be cracked offline with the extracted files alone [3]. Refer to the blog by Magnet for more information on Gatekeeper: https://www.magnetforensics.com/blog/gatekeeper-password-storage-android-secures-devices/. We will also continue to do research on Gatekeeper, so keep your eye out for blog posts on SmarterForensics.com/blog.
Pull every .key file you can. Tools like Andriller and Hashcat will also accept these files for password cracking. To determine which one is in use, start by examining the file sizes, or look at the device itself if it is readily available. A file size of 0 bytes indicates that the file is not in use. Any hex editor can be used to examine these files.
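The following triage script is an added example (not course material or tool code) that automates the checks described above and in the WAL discussion: given the USERDATA directory of a file-system extraction, it reports which of the named .key files are present, flags the 0-byte ones as not in use, notes any other *.key files worth grabbing, and checks whether settings.db and locksettings.db came with their -wal companion. The sample extraction it builds in a temporary directory is constructed for demonstration; the byte contents are stand-ins, not real hashes or databases.

```python
"""Lock-file triage for an Android file-system extraction (added example).

Walks the USERDATA layout described in the text and reports lock artifacts,
their in-use status (non-zero size) and whether the salt databases came with
their write-ahead logs. The sample extraction is constructed, not real data.
"""
import tempfile
from pathlib import Path

# Lock-related files the text lists under USERDATA/system/
KEY_FILES = ["gesture.key", "password.key", "gatekeeper.password.key",
             "fmmpassword.key", "fingerprintpassword.key", "sparepassword.key"]

# Databases that may hold the password salt (relative to USERDATA)
SALT_DBS = ["data/com.android.providers.settings/databases/settings.db",
            "system/locksettings.db"]


def triage_lock_files(root):
    """Return a report dict for an extraction whose USERDATA directory is `root`."""
    root = Path(root)
    system = root / "system"
    report = {"keys": {}, "databases": {}, "notes": []}

    for name in KEY_FILES:
        p = system / name
        if not p.exists():
            report["keys"][name] = "absent"
        elif p.stat().st_size == 0:
            report["keys"][name] = "present, 0 bytes (not in use)"
        else:
            report["keys"][name] = f"present, {p.stat().st_size} bytes (in use)"

    # The text says to grab every *.key file, so list any unexpected ones too.
    if system.is_dir():
        for q in sorted(system.glob("*.key")):
            if q.name not in KEY_FILES:
                report["keys"][q.name] = f"present, {q.stat().st_size} bytes (unlisted *.key)"

    for rel in SALT_DBS:
        db = root / rel
        wal = db.with_name(db.name + "-wal")   # SQLite names the WAL <db>-wal
        report["databases"][rel] = {"db": db.exists(), "wal": wal.exists()}
        if db.exists() and not wal.exists():
            report["notes"].append(f"{rel}: no -wal file; salt may be uncommitted")

    if not any("in use" in status for status in report["keys"].values()):
        report["notes"].append("no non-empty .key file: never locked, or extraction incomplete")
    if report["keys"].get("gatekeeper.password.key", "absent") != "absent":
        report["notes"].append("gatekeeper.password.key present: verification is TEE-bound")
    return report


def build_sample_extraction():
    """Create a constructed sample USERDATA tree in a temp dir and return its path."""
    base = Path(tempfile.mkdtemp(prefix="userdata_"))
    (base / "system").mkdir()
    # 20-byte stand-in the size of a SHA-1 digest (constructed, not a real hash)
    (base / "system" / "gesture.key").write_bytes(b"\x00" * 20)
    # present but empty: the lock type is not in use
    (base / "system" / "password.key").write_bytes(b"")
    dbdir = base / "data/com.android.providers.settings/databases"
    dbdir.mkdir(parents=True)
    # header-only stand-ins for the databases (constructed)
    (dbdir / "settings.db").write_bytes(b"SQLite format 3\x00")
    (base / "system" / "locksettings.db").write_bytes(b"SQLite format 3\x00")
    (base / "system" / "locksettings.db-wal").write_bytes(b"")
    return str(base)


if __name__ == "__main__":
    rep = triage_lock_files(build_sample_extraction())
    for name, status in rep["keys"].items():
        print(f"{name:28s} {status}")
    for rel, found in rep["databases"].items():
        print(f"{rel}: db={found['db']} wal={found['wal']}")
    for note in rep["notes"]:
        print("note:", note)
```

Point `triage_lock_files()` at the USERDATA directory of a real extraction instead of the sample; the notes section is where a missing WAL or a missing non-empty key file shows up before any cracking tool is run.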
If the device is rooted, these lock files can be removed via ADB. Make sure you practice on a test device before trying this on live evidence. Again, if you cannot acquire these files from the device, you cannot magically unlock the device for acquisition.
Fingerprint, complex passcodes, and Face Unlock are other options. With Face Unlock, the user's face is detected and the device unlocks. To protect a user from someone using a picture to access her device, the Face Liveness Check was introduced; it requires the user to blink when unlocking with Face Unlock [2].
References:
[1] https://for585.com/hashcat
[2] https://for585.com/erge (Face Unlock article)
[3] https://for585.com/gatekeeper