TECHNICAL-ADVISORY-2020-001
FILE CONCEALMENT SMARTPHONE APPS

DECRYPTION OF FILES IN “PHOTO VAULT” SMARTPHONE APPS
This technical advisory provides updated insights into software programs designed to conceal multimedia on smartphones. Commonly called Photo Vault apps, they can hide digital photographs, videos, and other files behind a user PIN or password. Earlier Photo Vault apps had weak security, including passwords stored in plaintext and content stored unencrypted. More recent versions have strengthened their protection, but their concealment mechanisms can still be reverse engineered and exploited for forensic purposes.

Forensic examiners using commercial forensic tools might not be able to access data associated with newer Photo Vault apps. Methods are needed to extract valuable digital evidence, recover encryption keys, and decrypt concealed content, along with tools that perform the process in an efficient, reliable, complete, transparent, and repeatable manner.

DC3 forensic practitioners observed Photo Vault apps installed on a subject smartphone and found encrypted files stored in directories associated with the application. Commercially available digital forensic tools did not decrypt the content of these files. In one case, specialists in the DC3 CFL analyzed the encrypted files of the EnchantedCloud Private Photo Vault app and determined that the encryption key was stored in the iOS keychain. In another case, DC3 CFL specialists analyzed the NQ Vault application code together with its encrypted files and determined that the first 128 bytes of each file are AES encrypted and saved in the file. Other Photo Vault applications encountered in casework use mechanisms that are easier to work around, such as Calculator Vault Hider, which simply stores an MD5 hash of the user PIN and prepends 10 bytes to each file.
Reverse engineering Photo Vault applications to uncover their concealment mechanisms enables DC3 to create tools that recover the original content. Such automated recovery capabilities help practitioners obtain more complete and timely results with an associated audit trail for forensic purposes.
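The Calculator Vault Hider mechanism described above (an MD5 hash of the PIN in shared preferences, 10 bytes prepended to each vaulted file) is simple enough to illustrate end to end. The Python below is an added example written for this page; it is neither DC3's decryption tooling nor the app's own code. The preference key name "pin_hash", the 4-to-6-digit PIN range, and the sample XML and file bytes are constructed assumptions, since the advisory states only that the PIN is stored as an MD5 hash and that 10 bytes are prepended.

```python
"""Recover a Calculator Vault Hider PIN from its MD5 hash and strip the 10-byte
prefix from a vaulted file. Added example for this advisory, not DC3 tooling."""
import hashlib
import itertools
import re
import string
import xml.etree.ElementTree as ET

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample of shared_prefs/Preferences_hider.xml. The key name
# "pin_hash" is an assumption; the advisory does not name the key, so the
# parser below scans every <string> value for something that looks like MD5.
SAMPLE_PREFS_XML = """<map>
    <string name="pin_hash">81dc9bdb52d04dc20036dbd8313ed055</string>
    <boolean name="first_run" value="false" />
</map>
"""

# Constructed sample vault file: 10 bytes of prefix followed by a minimal
# JPEG/JFIF header (the advisory says 10 bytes are prepended to each file).
SAMPLE_VAULT_FILE = (bytes(range(10))
                     + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")

VAULT_PREFIX_LEN = 10  # per the advisory: 10 bytes prepended to each file

MAGIC = {  # (offset, signature) for formats a vault app typically hides
    "jpeg": (0, b"\xff\xd8\xff"),
    "png": (0, b"\x89PNG\r\n\x1a\n"),
    "mp4": (4, b"ftyp"),
}


def find_md5_candidates(xml_text):
    """Return every 32-hex-character <string> value in a shared_prefs XML file.
    Scanning all string entries avoids depending on an unknown key name."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter("string")
            if el.text and HEX32.match(el.text.strip())]


def recover_pin(md5_hex, min_len=4, max_len=6):
    """Brute-force an all-digit PIN whose unsalted MD5 equals md5_hex.
    A short numeric PIN has at most a few million candidates, so this finishes
    in seconds in pure Python; leading zeros are covered by product()."""
    target = bytes.fromhex(md5_hex)
    for length in range(min_len, max_len + 1):
        for digits in itertools.product(string.digits, repeat=length):
            pin = "".join(digits)
            if hashlib.md5(pin.encode()).digest() == target:
                return pin
    return None


def identify_format(data):
    """Classify data by file signature; 'unknown' if none matches."""
    for name, (offset, magic) in MAGIC.items():
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def recover_file(vaulted, prefix_len=VAULT_PREFIX_LEN):
    """Strip the prepended bytes and verify a known signature follows, so a
    changed scheme in a newer app version is reported rather than silently
    producing garbage. Returns (original_bytes, format_name)."""
    if len(vaulted) <= prefix_len:
        raise ValueError("file shorter than the vault prefix")
    original = vaulted[prefix_len:]
    fmt = identify_format(original)
    if fmt == "unknown":
        raise ValueError("no recognised signature after stripping the prefix; "
                         "this app version may use a different scheme")
    return original, fmt


def main():
    for candidate in find_md5_candidates(SAMPLE_PREFS_XML):
        print("MD5 candidate", candidate, "-> PIN", recover_pin(candidate))
    original, fmt = recover_file(SAMPLE_VAULT_FILE)
    print("recovered", fmt, "of", len(original), "bytes; header", original[:4].hex())


if __name__ == "__main__":
    main()
```

Because the hash is unsalted, the recovered PIN can be checked by rehashing it, which gives the reproducible, explainable result the advisory asks for; the same PIN is then worth trying against other sources protected by the user.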

Do not overlook content concealed by Photo Vault apps. When a Photo Vault app is found on a smartphone, do not assume that the encrypted content is unrecoverable. For a digital photograph whose header has been encrypted, it might be possible to replace the encrypted segment with a generic file header rather than decrypt it, but this may not work for all file formats, because many headers carry file-specific values such as image dimensions or compression tables. In addition, decryption that recovers the original content is easier to explain in court than grafting content from another file.
When the user password configured in a Photo Vault app can be recovered, it is potentially useful to investigators for accessing other data sources protected with the same password.

Contributors Acknowledgements
Technical Advisories are a five-minute read to raise awareness among investigators, forensic practitioners, attorneys, and judges about an emerging trend in Digital/Multimedia Forensics.
For additional information and automated decryption capabilities please reach out to DC3 at hub@dc3.mil.

Relevant Forensic Artifacts
DC3 is building a crowdsourced catalog of forensic artifacts, created by practitioners for practitioners, to curate expertise across the digital forensic community, making it available as a user friendly, online knowledge management platform. In this context, a digital artifact is defined as a singular unit of interpretable data that can be extracted from a given data source.

Each entry below gives the Container (path or identifier), the OS, and the Artifact it holds.

Container: com.nq.vault
OS: iOS
Artifact: NQVault application ID

Container: [App GUID]/Documents/SBDB/SBMedia.db
OS: iOS
Artifact: NQVault stores metadata about encrypted files within the SBAlbumInfo table of the SQLite database SBMedia.db

Container: [App GUID]/Documents/SBDB/SBUserInfo.db
OS: iOS
Artifact: NQVault stores a Base64 encoded password based on the user PIN within the SBUserinfo table of the database SBUserInfo.db

Container: [App GUID]/Documents/SBDB/1
OS: iOS
Artifact: NQVault encrypted file storage directory

Container: EnchantedCloud Private Photo Vault application directory
OS: iOS
Artifact: EnchantedCloud Private Photo Vault application ID

Container: [App GUID]/Library/root/PPV_Pics
OS: iOS
Artifact: EnchantedCloud Private Photo Vault encrypted files directory

Container: ppv_dateHash
OS: iOS
Artifact: EnchantedCloud Private Photo Vault iOS Keychain item

Container: [USERDATA]/data/com.app.calculator.vault.hider
OS: Android
Artifact: Calculator Vault Hider application directory

Container: [USERDATA]/media/0/valtGallery
OS: Android
Artifact: Calculator Vault Hider encrypted file storage directory

Container: [USERDATA]/data/com.app.calculator.vault.hider/cache/image_manager_disk_cache
OS: Android
Artifact: Calculator Vault Hider cache of images that are still stored on the device, as well as images that were deleted and are not stored in the hidden or DCIM folder

Container: [USERDATA]/data/com.app.calculator.vault.hider/shared_prefs/Preferences_hider.xml
OS: Android
Artifact: PIN code stored as an MD5 hash, used to open Calculator Vault Hider