One Key to Rule Them All: Recovering the Master Key from RAM to break Android’s File-Based Encryption


Dr.-Ing. Tobias Groß

Department of Computer Science
Chair of Computer Science 1 (IT Security Infrastructures)

  • Email: tobias.gross@cs.fau.de
  • Website: https://www1.informatik.uni-erlangen.de/staff/tobiasgross

Abstract

As has been known for a decade, cold boot attacks can break software-based disk encryption when an attacker has physical access to a powered-on device, including Android smartphones. Raw memory images can be obtained by resetting a device and rebooting it with a malicious boot loader, or, on systems where this is not possible due to secure boot or restrictive BIOS settings, by physically transplanting the RAM modules into a system under the attacker's control. Based on such memory images, different key recovery algorithms have been proposed in the past to break Full-Disk Encryption (FDE), including BitLocker, dm-crypt, and also Android's FDE. With Google's switch from FDE to File-Based Encryption (FBE) as the standard encryption method for recent Android devices, however, these existing tools have been rendered ineffective. To close this gap, and to re-enable the forensic analysis of encrypted Android disks given a raw memory image, we present a new key recovery method tailored to FBE. Furthermore, we extend The Sleuth Kit (TSK) to automatically decrypt file names and file contents when working on FBE-enabled EXT4 images, as well as the Plaso framework to extract events from encrypted EXT4 partitions. Last but not least, we argue that the recovery of master keys from FBE partitions is particularly easy due to a flaw in Google's key derivation method.

Paper: One Key to Rule Them All (by Tobias Groß, Marcel Busch and Tilo Müller)

Slides: Presentation (presented at DFRWS EU 2021, Cyberspace)

Implemented Tools

With this research we implemented three different modules to recover master keys and to forensically analyze FBE-enabled ext4 partitions:

  • An extension of The Sleuth Kit, which now outputs the encryption-related metadata of files and can decrypt file names and file contents if the master keys are provided
  • An extension of Plaso, which can now extract events from FBE-encrypted files if the master keys are provided
  • The fbekeyfind script, which recovers EXT4 FBE master keys from a memory dump together with the userdata image of an Android device
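The abstract attributes the ease of master key recovery to a flaw in Google's key derivation, and the fbekeyfind item above says the script needs both a memory dump and the userdata image. The following Go program is an added illustration of why both inputs are enough; it is not code from the paper and not the algorithm of fbekeyfind. It rests on two assumptions taken from the Linux kernel and AOSP sources rather than from this page: first, that fscrypt v1 (the ext4 encryption used by Android FBE) derives a per-file key by encrypting the 64-byte master key with AES-128-ECB under the 16-byte per-file nonce stored in the file's fscrypt_context xattr, and second, that Android's vold names a master key by the first 8 bytes of SHA-512(SHA-512(key)), which is the descriptor stored in the same xattr. Because ECB under a known key is invertible, any per-file key cached in kernel memory, combined with the nonce read from disk, decrypts back to the master key, and the descriptor from disk tells you when a candidate is right. The memory dump, master key and nonce below are constructed inside the program; the recovered key is printed in the ext4_master:key_desc,key_part1,key_part2 form used by the Plaso invocation further down.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
)

const (
	masterKeySize = 64 // fscrypt v1 master key for AES-256-XTS contents
	nonceSize     = 16 // per-file nonce from the fscrypt_context xattr
	descSize      = 8  // master_key_descriptor from the same xattr
)

// ecbAES runs AES-128-ECB with the nonce as cipher key over in, block by block.
// encrypt=false runs the inverse direction. Assumption: fscrypt v1 derives the
// per-file key exactly this way (kernel derive_key_aes), which is the flaw.
func ecbAES(nonce, in []byte, encrypt bool) ([]byte, error) {
	if len(nonce) != nonceSize || len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad sizes: nonce=%d data=%d", len(nonce), len(in))
	}
	block, err := aes.NewCipher(nonce)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if encrypt {
			block.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			block.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

// DeriveFileKey: fileKey = AES-128-ECB_enc(nonce, masterKey), as fscrypt v1 does.
func DeriveFileKey(masterKey, nonce []byte) ([]byte, error) { return ecbAES(nonce, masterKey, true) }

// InvertFileKey: masterKey = AES-128-ECB_dec(nonce, fileKey). A per-file key plus
// its on-disk nonce gives the master key back; nothing in the derivation is one-way.
func InvertFileKey(fileKey, nonce []byte) ([]byte, error) { return ecbAES(nonce, fileKey, false) }

// KeyDescriptor mirrors vold's generate_key_ref (assumption from AOSP):
// the first 8 bytes of SHA-512(SHA-512(masterKey)).
func KeyDescriptor(masterKey []byte) []byte {
	h1 := sha512.Sum512(masterKey)
	h2 := sha512.Sum512(h1[:])
	return h2[:descSize]
}

// RecoverMasterKey slides a 64-byte window over a raw memory image and accepts a
// window if either the window itself (master key resident in memory) or the window
// decrypted under nonce (a cached per-file key of the file the nonce belongs to)
// hashes to the descriptor read from that file's xattr. Returns the key, its offset
// and whether it had to be inverted from a per-file key.
func RecoverMasterKey(dump, nonce, descriptor []byte) (key []byte, offset int, inverted bool, ok bool) {
	for off := 0; off+masterKeySize <= len(dump); off++ {
		window := dump[off : off+masterKeySize]
		if bytes.Equal(KeyDescriptor(window), descriptor) {
			return append([]byte(nil), window...), off, false, true
		}
		candidate, err := InvertFileKey(window, nonce)
		if err == nil && bytes.Equal(KeyDescriptor(candidate), descriptor) {
			return candidate, off, true, true
		}
	}
	return nil, -1, false, false
}

// CredentialString formats a master key the way log2timeline --credential
// expects it: ext4_master:key_desc,key_part1,key_part2 (hex, 8 + 32 + 32 bytes).
func CredentialString(masterKey []byte) string {
	return fmt.Sprintf("ext4_master:%s,%s,%s",
		hex.EncodeToString(KeyDescriptor(masterKey)),
		hex.EncodeToString(masterKey[:32]),
		hex.EncodeToString(masterKey[32:]))
}

func main() {
	// Constructed input: random master key and nonce, and a fake memory dump of
	// random filler with only the per-file key (not the master key) buried in it.
	master := make([]byte, masterKeySize)
	nonce := make([]byte, nonceSize)
	rand.Read(master)
	rand.Read(nonce)
	fileKey, _ := DeriveFileKey(master, nonce)

	dump := make([]byte, 4096)
	rand.Read(dump)
	copy(dump[1337:], fileKey)

	key, off, inverted, ok := RecoverMasterKey(dump, nonce, KeyDescriptor(master))
	fmt.Printf("found=%v offset=%d inverted=%v matches=%v\n", ok, off, inverted, bytes.Equal(key, master))
	fmt.Println(CredentialString(key))
}
```

The byte-granular scan is deliberate: nothing forces a cached key to sit at an aligned offset in a raw image, and a false positive requires a 64-bit descriptor collision. A key derivation that used a one-way function (as fscrypt v2 does with HKDF) would leave the per-file key in RAM just as recoverable, but it could no longer be turned back into the master key that unlocks every file.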

Installation

To install all the modules, simply download this script and execute it on an Ubuntu or Debian Linux system (tested on Ubuntu 18.04). The script installs all software dependencies with apt and pip, clones the code repositories and builds the projects in the right order. On some systems, Plaso additionally needs the forensic artifact definitions; if the Plaso tools quit with a complaint about missing forensic artifacts, use this script, which downloads the artifacts and copies them to the right path.

Get the Code

  • The Sleuth Kit: https://faui1-gitlab.cs.fau.de/tobias.gross/sleuthkit-ext4-fbe
  • pytsk: https://faui1-gitlab.cs.fau.de/tobias.gross/pytsk3
  • dfVFS: https://faui1-gitlab.cs.fau.de/tobias.gross/dfvfs
  • Plaso: https://faui1-gitlab.cs.fau.de/tobias.gross/plaso
  • fbekeyfind: https://faui1-files.cs.fau.de/public/one_key_to_rule/fbekeyfind.tar.gz

Test Data

Here you can download test data, including a memory dump, a userdata image and the FBE master keys of an Android device, to verify that our tools were built and installed correctly. The following commands show example executions of the tools:

# Recovery of master keys. Writes an fbe.keys file that contains the FBE master keys in use.
# Both the userdata partition image and the raw memory dump are required.
cd fbekeyfind
python3 findMasterKeys.py --part /path/to/testdata/test_userdata.img /path/to/testdata/one_memdump

# Example usage of the TSK fls tool (122881 is the inode of the directory to list).
# Without decryption
fls /path/to/testdata/test_userdata.img 122881
# With decryption, using the keys recovered above
fls -K /path/to/fbe.keys /path/to/testdata/test_userdata.img 122881

# Example event extraction with the Plaso tools.
# Master keys are passed with the --credential parameter in the format ext4_master:key_desc,key_part1,key_part2
# (8-byte key descriptor, then the 64-byte master key as two 32-byte halves, all hex-encoded; one --credential per key).
log2timeline.py --credential ext4_master:6e6429b27d3ea260,c7dd3315d1f3232b82d6f780c8fde693fd879c74e5521fe15cf8295552e36c55,d3616f32ab7c57215dd9d7448867b2c68d2b6678df099243722598f94e195e33 --credential ext4_master:dc32ba6b0bb3e4fe,e128a34adb29f513b4a314fd113455a2d00dfeb7bc80e6f7f66f2695964cea7a,6e39dd463722f08509fe58957badd66272ce5f174ff38199d797c565a43a3b63 --credential ext4_master:8cc70c86db338e17,ddd5df1c7b9a0c0b1887b1bfac88915d157144830f5011e1f8e4fcf7f2c6c3b5,d2d06cb92340c353473dff3594b5b7674fd0699c9a2d5d42b826178f1ca66d34 test.plaso /path/to/testdata/test_userdata.img

# Generate the event log from the Plaso database. It should include the Chrome cookies from a visit to nytimes.com.
# The cookies are stored encrypted on the userdata image; log2timeline can decrypt them because the master keys were provided.
psort.py -w test.log test.plaso
Chair of Computer Science 1 (Lehrstuhl für Informatik 1)
Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU)

Martensstrasse 3
91058 Erlangen