Android Forensics Study of Password and Pattern Lock Protection

Let’s see what Pattern Lock is, how to access, determine or even get rid of it? We’ll also speak about Password Lock Protection and find out what it has in common with Pattern Lock. And finally we’ll try to understand how these locks are related to forensic investigation process.

What is Pattern Lock?

Generally pattern lock is a set of gestures that phone user performs to unlock his smartphone when he needs to use it. It seems to be complicated, but actually it is not. A user has 9 points to create a ‘unique’ pattern. The minimum number of points in the pattern is 4, maximum 9. To make it even clearer let’s substitute points with digits just like on phone num pad to receive a numeric value for the pattern.

Even if it is a multidigit number it is still a number limited to the set of 9 digits. Moreover, the user cannot move over one point several times, in other words digits cannot be the same. So finally we have only 895824 variants of patterns available in Android OS devices. This is only 0.1% of all possible 9-digit numbers. It is a huge cut, isn’t it?


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

How Android stores Pattern Lock?

Pattern lock data is kept in a file named gesture.key and stored in the /data/system folder. Lock sequence is encrypted with a SHA1 hashing algorithm. Since SHA1 is a one-way algorithm there is no reverse function to convert hash to original sequence. To restore the code the attacker will need to create a table of sequences with hash strings. The best way here could be to have a dictionary to recover the pattern. For example, it takes only several minutes to create a full dictionary for 895824 numbers from 1234 to 987654321. You can download this dictionary and then easily find hash that will recover the original pattern. There is still one small trick with Pattern lock. Smartphone encrypts the pattern of 1234 not as a string ‘1234’, but as a sequence of bytes 0×00 0×01 0×02 0×03. In other words we have a 0×00 for the first point and 0×08 for the last one. Then Android uses SHA-1 and places it in a gesture.key file.

Example! Let’s say that a gesture.key file contains 0×82 0×79 0x0A 0xD0 0xAD 0xEB 0×07 0xAC 0x2A 0×78 0xAC 0×07 0×03 0x8B 0xC9 0x3A 0×26 0×69 0x1F 0×12 bytes value.

Using pattern lock dictionary we can find out that it corresponds to 0×06 0×04 0×01 0×02 0×05 0×08 values, which means that we have a 752369 pattern.

What is Password Lock?

So, while the Pattern Lock is a number, Password Lock can contain characters, numbers, and special marks. Unlike patterns passwords can be a real problem for the attacker as the number of variants grows tremendously. Of course, this is true if you want to brute force Password lock just like the Pattern. Well, definitely you have something more effective to do. But we’ll speak about it a bit later. The password lock file is located in /data/system folder and named pc.key. Android OS uses exactly the same method to store the password. Once the user sets the password, device hashes it with SHA-1 and saves result into the file. When the user enters the password to unlock, the smartphone compares its SHA-1 hash with stored one and decides whether to give access or not.

How to access gesture.key and pc.key files?

There is no direct access to these files by default, since they are in /data/system folder. There are still ways to grab them:

  1. Use ADB interface and have root rights to access full file system. In other words the device must be already rooted and have USB Debugging mode ON. Too strict conditions! Not many devices will allow the attacker to restore the pattern in this case.
  2. Use a special recovery boot loader to start device with access to these files. This way has much more chances to be used to access the lock files. Once you get a physical access to the file system you can easily grab the files.

So, finally you’ve got the files. It was easy to recover gesture.key, but what about pc.key? How to recover a user unlock password? Of course, you can use brute force and hope to find out the same SHA-1 as you have in pc.key some day. But this is not the best idea in our case.

Do we really need to recover the lock sequence?

The answer is NO! Why? Just see the previous part. If you have root access you can easily remove the file or replace it with the one that you prepared and know the pattern. And then unlock the device. Moreover, if you’re lucky and used Option 1 to access the files you even don’t need to unlock the device. ADB interface or mobile forensic software like Oxygen Forensic Suite will allow you to pull all the data you need without unlocking the device. So, what does it mean?

If you’re able to grab pattern key file you don’t need it. Nonsense, but True.

Here is the article recap:

  1. Pattern and Password locks are stored as SHA-1 values in /data/system/ folder.
  2. There is no direct access to this folder unless you have a root access.
  3. There are much easier ways to perform forensic data extraction from the device if you have the root access.
  4. Usually lock files don’t have a real forensic value. This is just the encrypted password to unlock the device.

Stay tuned!

14 thoughts on “Android Forensics Study of Password and Pattern Lock Protection”

    • If you miss lock pattern 5 times the phone will block this function for over 30 seconds. But you will be able to unlock the device by entering the account data into corresponding fields on the phone display.
      If they are known or can be obtained (f.e. from a PC) all you need is to press “Forgot pattern” and enter e-mail address and its password which were used for this particular device.
      Unfortunately during this procedure the original user pattern will be lost.

  1. Anyone have a procedure for this part:

    “Use a special recovery boot loader to start device with access to these files. This way has much more chances to be used to access the lock files. Once you get a physical access to the file system you can easily grab the files.”

    Or even just the name of one of these boot loaders? This is something I’d like to have in my toolbox.

    • Unfortunately it’s not that easy. There is no universal boot loader and for each particular device you have to find its own boot loader to have an access to the file system.

  2. there must be a lot fewer combinations than 895824 as you can only move to adjacent ‘numbers’ when gesturing,
    e.g. 987654321 is impossible since after ‘987’, you cannot reach ‘6’ – you can only reach the digits ‘4’ or ‘5’ (6 is too far away, and ‘8’ has already been used).

    • On my phone, I am able to use 987654321. However, there are combinations that won’t work, as you can’t go “through” an adjacent number to the one past it. So if you try to go from 3 to 9, it’ll be 3,6,9. But you can go 7 to 6 because the diagonal doesn’t cut through any other numbers.

    • Actually we should distinguish 2 processes: uploading custom bootloader and flashing the device. When you upload custom loader you unlock the device. So you can flash it or what is more important in our case – get full access. And of course flashing the device will wipe the data, but we doesn’t want to flash.

Leave a Comment

Latest Videos

Digital Forensics News Round Up, March 27 2024 #dfir #digitalforensics

Forensic Focus 22 hours ago

Digital Forensics News Round-Up, March 21 2024 #digitalforensics #dfir

Forensic Focus 21st March 2024 6:15 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles