One key to rule them all: Recovering the master key from RAM to break Android's file-based encryption. (April 2021)
- Record Type:
- Journal Article
- Title:
- One key to rule them all: Recovering the master key from RAM to break Android's file-based encryption. (April 2021)
- Main Title:
- One key to rule them all: Recovering the master key from RAM to break Android's file-based encryption
- Authors:
- Groß, Tobias
- Busch, Marcel
- Müller, Tilo
- Abstract:
- As known for a decade, cold boot attacks can break software-based disk encryption when an attacker has physical access to a powered-on device, including Android smartphones. Raw memory images can be obtained by resetting a device and rebooting it with a malicious boot loader, or—on systems where this is not possible due to secure boot or restrictive BIOS settings—by a physical transplantation of RAM modules into a system under the control of the attacker. Based on the memory images of a device, different key recovery algorithms have been proposed in the past to break Full Disk Encryption (FDE), including BitLocker, dm-crypt, and also Android's FDE. With Google's switch from FDE to File-based Encryption (FBE) as the standard encryption method for recent Android devices, however, existing tools have been rendered ineffective. To close this gap, and to re-enable the forensic analysis of encrypted Android disks, given a raw memory image, we present a new key recovery method tailored for FBE. Furthermore, we extend The Sleuth Kit (TSK) to automatically decrypt file names and file contents when working on FBE-enabled EXT4 images, as well as the Plaso framework to extract events from encrypted EXT4 partitions. Last but not least, we argue that the recovery of master keys from FBE partitions was particularly easy due to a flaw in the key derivation method by Google.
- Is Part Of:
- Forensic science international. Volume 36(2021)Supplement
- Journal:
- Forensic science international
- Issue:
- Volume 36(2021)Supplement
- Issue Display:
- Volume 36, Issue 2021 (2021)
- Year:
- 2021
- Volume:
- 36
- Issue:
- 2021
- Issue Sort Value:
- 2021-0036-2021-0000
- Page Start:
- Page End:
- Publication Date:
- 2021-04
- Subjects:
- Android -- EXT4 -- File-based encryption (FBE) -- Disk forensics -- Memory forensics -- Cold boot attacks
- Journal URLs:
- http://www.sciencedirect.com/
- DOI:
- 10.1016/j.fsidi.2021.301113
- Languages:
- English
- ISSNs:
- 2666-2817
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - BLDSS-3PM
- British Library HMNTS - ELD Digital store
- Ingest File:
- 19470.xml