CASE-BRIEF-2021-001
ENCRYPTED MICRO SD CARD FROM ANDROID DEVICE
In a narcotics investigation, the DC3/CFL Imaging & Extraction section received a pattern-locked Android cellphone that included an encrypted micro SD Card. Investigators requested all data on the mobile device and memory card related to the distribution and sale of controlled substances on a military base. Commercially available tools could only obtain decrypted logical files from the micro SD Card while it was inserted in the device. Advanced techniques were used to decrypt the micro SD Card and enable full forensic analysis, including deleted data in unallocated space.
Android 6 and newer devices present users with a simple option to encrypt micro SD Cards, making it more difficult to recover data stored on them. Commercially available tools can only obtain decrypted logical files, missing potentially useful deleted data on the memory card. The technical challenge is to extract a decrypted full physical copy of the micro SD Card, including unallocated data.
DC3 forensic practitioners observed that the micro SD Card in the Android cellphone did not have a detectable file system. Further inspection determined that the memory card was encrypted. Using commercially available tools, a forensic extraction of the cellphone was performed with the memory card connected to the device. Although a decrypted physical extraction of the encrypted cellphone internal memory was obtained, only a logical extraction of the micro SD Card was captured while it was inserted in the phone's slot during acquisition.
Specialists in DC3/CFL worked together to decrypt and acquire a full forensic duplicate of the memory card. This process was accomplished by cloning the original memory card to a donor hard drive, extracting the necessary encryption key from “/data/misc/vold” in the forensic copy of the cellphone, and employing Linux commands in a virtual environment to apply the encryption key to the encrypted partition. The dc3dd forensic acquisition tool was then used to obtain a decrypted forensic image, including unallocated space.
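The steps above (clone the card, recover the raw key from /data/misc/vold, apply it to the encrypted partition from a Linux environment, then image the plaintext with dc3dd) can be expressed as a short shell script. The following is an added example, not DC3/CFL's own tooling. It assumes the card was encrypted as Android "adoptable storage", whose key is stored as raw bytes in /data/misc/vold/expand_<uuid>.key and whose dm-crypt target is aes-cbc-essiv:sha256 (both taken from the AOSP vold source, not from the brief, and overridable via CIPHER if the device used a different setup); that the card has been cloned to a donor image file; and that dmsetup, losetup, blkid and dc3dd are installed and the script runs as root. All file and device names are placeholders.

```shell
#!/bin/sh
# Added example (not DC3/CFL's own tooling): rebuild a read-only dm-crypt
# mapping for an Android adoptable-storage SD card from the raw key file
# recovered from /data/misc/vold, then image the plaintext with dc3dd.
#
# Assumptions: key file is /data/misc/vold/expand_<uuid>.key holding raw
# key bytes; the dm-crypt target is aes-cbc-essiv:sha256 (AOSP vold default,
# assumed here); the card was cloned to a donor image; dmsetup, losetup,
# blkid and dc3dd are available; running as root. Names are placeholders.

set -eu

CIPHER="${CIPHER:-aes-cbc-essiv:sha256}"   # assumed Android target spec

# Print the raw key file as one lowercase hex string, as dm-crypt expects.
key_to_hex() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Sanity-check the key length: 16 bytes = AES-128, 32 bytes = AES-256.
key_len_ok() {
    n=$(( $(wc -c < "$1") + 0 ))
    [ "$n" -eq 16 ] || [ "$n" -eq 32 ]
}

# Size of an image file in 512-byte sectors (dm-crypt tables count sectors).
sectors_of_image() {
    echo $(( $(wc -c < "$1") / 512 ))
}

# Build the single-line dm-crypt table:
#   <start> <length> crypt <cipher> <hexkey> <iv_offset> <device> <offset>
dmcrypt_table() {
    keyfile=$1; device=$2; sectors=$3
    key_len_ok "$keyfile" || { echo "unexpected key length in $keyfile" >&2; return 1; }
    printf '0 %s crypt %s %s 0 %s 0\n' \
        "$sectors" "$CIPHER" "$(key_to_hex "$keyfile")" "$device"
}

# Map the encrypted donor image read-only and image the plaintext.
decrypt_and_image() {
    donor=$1; keyfile=$2; out=$3
    loopdev=$(losetup -r -f --show "$donor")           # read-only loop device
    table=$(dmcrypt_table "$keyfile" "$loopdev" "$(sectors_of_image "$donor")")
    dmsetup create sdcard_plain --readonly --table "$table"
    # If the key and cipher are right, a file system is now visible; if
    # blkid sees nothing, the mapping is producing garbage, not plaintext.
    blkid /dev/mapper/sdcard_plain || echo "no file system detected: wrong key or cipher?" >&2
    # Full physical copy, unallocated space included, hashed and logged.
    dc3dd if=/dev/mapper/sdcard_plain of="$out" hash=sha256 log="$out.log"
    dmsetup remove sdcard_plain
    losetup -d "$loopdev"
}

# Usage (as root):
#   ./decrypt_sdcard.sh donor_sdcard.img expand_PLACEHOLDER.key sdcard_decrypted.dd
if [ "$#" -eq 3 ]; then
    decrypt_and_image "$1" "$2" "$3"
fi
```

The mapping is created read-only and on a read-only loop device so that the clone is never written to; the blkid check is the quick confirmation that the key actually matched, since a wrong key produces a mapping that "decrypts" to random bytes and, like the original card, shows no detectable file system.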
The decryption of the partition enabled DC3/CFL to image 30 GB of data, whereas the logical extraction yielded only 5 GB. This case also demonstrates the need to learn and understand methods for reviewing data in raw form, and the value of open source utilities, such as Linux and its accompanying command line tools, for processing the data manually.
Android devices are increasingly encrypting inserted memory cards, and commercial tools can only decrypt logical files from such memory cards while they are inserted in the device. Using open source utilities, additional information of potential probative value, including unallocated data, can be recovered from encrypted micro SD cards.
The increasing use of encryption on Android devices requires new forensic methods to access encryption keys, including keys held in the protected KeyStore. In addition, different implementations of encryption were emerging on Android devices, which require further attention to develop decryption methods. Any decryption process can benefit from automation to perform the multitude of steps involved in an efficient and repeatable manner.
Contributors Acknowledgements
Case Briefs cover aspects of a specific investigation to inform members of the D/MM Forensic community (e.g., first responders, investigators, forensic examiners, analysts, developers, researchers, attorneys, judges) about emerging opportunities and challenges. This body of work was derived from subject matter research and in support of an actual DC3/CFL examination.
- Jeffrey Angel, Pricilla Perkins, Kevin Westerman (DC3/CFL Forensic Examiners)
- DC3 Editorial Board (Curation, Review, & Publication)
For additional information and specific requests please reach out to DC3 at hub@dc3.mil.