Article

How to decrypt PIN-Based encrypted backup data of Samsung smartphones

Abstract

Smartphones, which are a necessity for modern people, have become important to forensic investigators, as they hold a lot of user information that can be potential evidence. In order to obtain such evidence, forensic investigators should first extract the data from the smartphone. However, if the smartphone is lost or broken, it would be difficult to collect the data from the phone itself. In this case, the backup data can be very useful because it stores almost all information that the smartphone has. Nevertheless, since the backup data is basically encrypted by applications provided by vendors, the encrypted backup data, which acts as an anti-forensic measure, is difficult to use. Therefore, it is crucial to decrypt the acquired encrypted backup data in order to effectively use it. In this paper, we propose a method to decrypt the Samsung smartphone backup data which is encrypted by a user input called PIN (Personal Identification Number) and a Samsung backup program called Smart Switch. In particular, we develop algorithms to recover the PIN and to decrypt the PIN-based encrypted backup data as well. We have experimentally verified PIN recovery and backup data decryption for PINs of up to 9 digits. Our implementation, using a precomputed PIN-table with 30.51 GB of memory, takes about 11 min to recover a 9-digit PIN. To the best of our knowledge, this is the first result of decrypting PIN-based encrypted backup data of Samsung smartphones.

... To address these limitations, Myungseo et al. (2018) analyzed the backup process of a smartphone, and revealed the encryption processes of the Samsung smartphone using the Smart Switch 4.1.16 (Park et al., 2018). ...
Article
Digital investigators sometimes obtain key evidence by extracting user data from the smartphones of suspects. However, it is becoming more difficult to extract user data from smartphones, due to continuous updates and the use of data encryption functions, such as Full Disk Encryption (FDE) and File Based Encryption (FBE). Backup data are usually stored in an encrypted form, in order to protect user privacy. Therefore, it is essential for digital investigators to be able to transform encrypted backup data into a form that can be used as evidence. For this purpose, an analysis of the backup method used in a smartphone is needed. In the research reported in this paper, we first analyze the backup process of Huawei smartphones, and then propose a method for decrypting Huawei smartphone backup data encrypted with a user-entered password. This process is performed by analyzing the Huawei application and PC program called KoBackup and HiSuite, respectively. We developed a tool for user-entered password recovery and encrypted backup data decryption. To the best of our knowledge, this is the first result analyzing all of the backup processes available for Huawei smartphones and decrypting their backup data.
Article
Smartphones, which offer various features such as SMS/MMS, scheduling, messaging, and SNS, have become an integral part of modern life. Smartphones manage information intimately related to users in a self-contained manner, allowing them to provide such convenience efficiently. Such data, which can be used as key digital forensic evidence, are prime targets for investigators. However, extracting relevant data from smartphones with complicated structures requires considerable expertise. The analysis of smartphone backups is one approach to solving this problem. Smartphone manufacturers provide users with programs that include a backup protocol for backing up smartphone data. These programs allow investigators to easily extract smartphone data. Efficient smartphone data extraction is possible by integrating backup programs using different backup protocols into one framework. To achieve this integration, it is necessary to analyze each smartphone manufacturer's backup protocol. In this paper, we describe the results of analyzing the Huawei smartphone backup program HiSuite. HiSuite uses its backup protocol to produce backups of smartphones. We uncovered the entire process of the backup protocol through reverse engineering. We also experimentally verified that it is possible to obtain backup data from Huawei smartphones using the tool we developed to replace HiSuite based on our analysis. We believe this paper will help digital forensics investigators develop better approaches to collecting data from smartphones.
Article
Many mobile apps use encryption to protect user data. Therefore, research on the use of encrypted data in forensic investigations is warranted. When encrypting data, developers can incorporate data such as user information and passwords during the encryption key generation process. Currently, encryption keys can be protected by hardware security modules such as KeyStore and KeyChain using an OS-provided API. Hardware security modules use a built-in random number generator to create random keys and securely store them. As a result, it is practically impossible to decrypt data that have been encrypted using a hardware security module. However, cryptographic algorithm misuse, regardless of whether encryption keys are acquired, presents an opportunity for data acquisition. In this paper, we show that a reused key attack that exploits a vulnerability caused by encryption scheme misuse can be used against a secure email service, ProtonMail, and Korea’s representative instant messenger KakaoTalk.
Article
A smartphone is a personal device, so the information is always tied to its user. Possibly, as the smartphone usage increase, more relevant data of the respective users end up. The smartphone manufacturers, who provide data backup services, prevent users from losing data in the event of physical damage, such as loss or breakage of the smartphone. The backup data store the same data as the user data in the smartphone, but the personal data related to the user are encrypted, and some data related to data restoration and information are stored in plain text format. When it is difficult to analyze the smartphone itself in a digital forensic investigation, the backup data are a useful analysis target to replace the data from the smartphone itself. In particular, smartphones made by Samsung, a leading manufacturer in the smartphone market, have been continually studied. In this paper, we analyzed the latest version of Smart Switch, a backup program provided by Samsung, in Windows and macOS environments. We analyzed the encryption method used in the latest version of Smart Switch and found that nine algorithms were used in both Windows and macOS environments. Using the analysis results, we decrypted all encrypted backup data and classified the backup data based on the encryption method. We identified the differences through comparison with previous studies. In addition, assuming that the PIN could not be obtained, we measured the time and resources required to recover the PIN. To the best of our knowledge, it is the first time Smart Switch has been analyzed in the macOS environment.
Article
During digital forensics investigations, smartphone application data are an important target, because they store personal user data, such as memos, images, and videos. Some applications use data hiding or encryption to protect application data, including personal user information. While these methods are excellent for data protection, they act as anti-forensics in digital forensic investigations. The LG smartphone provides Content Lock as a system application to protect the privacy of the user's memo and multimedia files. Content locked by Content Lock can only be accessed by entering the password specified by the user. In this paper, we identified the password verification process of Content Lock using reverse engineering, and recovered the password input by the user. The original data in the locked file were acquired by analyzing two applications, QuickMemo+ and Gallery, that use Content Lock. No special data were required to obtain the original data. Our research enabled us to obtain original data hidden or encrypted by system apps on LG smartphones. Our research suggests that it is possible to obtain original data hidden or encrypted by system apps on LG smartphones.
Article
Backups on smartphones protect user data from the risk of data corruption and loss by storing personal information, media data, application data, and other settings. Although backups were originally designed to maintain and protect user data, these data can be important in criminal investigations requiring the verification of suspect behavior-related information at the time of an incident. However, backup data are often encrypted by each manufacturer using a different scheme to protect user privacy. Since the encryption acts as a disturbance to the use of backup data in investigations, it is necessary to decrypt backup data by analyzing the encryption schemes of each manufacturer. In this paper, we propose a widely applicable methodology that efficiently analyzes various encryption backup schemes. Our methodology checks the backup features, identifies the backup data and their encryption locations, reverses the encryption schemes used in the backup, and finally decrypts the encrypted backup data. As a case study, we apply our methodology to the latest Samsung smartphone backup system consisting of a Samsung SmartSwitch Mobile and a Samsung SmartSwitch PC. We acquired the backup data including the encrypted data generated by the Samsung smartphone backup in plain form, and revealed a technique to recover the Personal Identification Number (PIN) used for encryption through the authenticator included in the backup data. We also identified, through reverse engineering, a hidden feature that could be used to extract more data than was possible using the normal backup. Finally, we developed a decryption tool to verify that the encrypted backup data were correctly decrypted. Although, in this paper, we focused on the Samsung smartphone backup, our methodology could be applied to any smartphone backup system on the Android platform. We believe that our work will be very helpful to mobile investigators.
Article
Instant messenger (IM) apps, which store a variety of behavioral information about users, such as secret chats, group chats, and file sharing, are important tools for digital forensics investigation. Messenger apps on mobile devices store user-friendly data, but data collection can be difficult due to various constraints. PC messenger data, on the other hand, can be collected relatively easily, but tend to be less informative than data from mobile messengers. Most messengers are cross-platform, supporting both mobile devices and PCs, and providing synchronization services, a situation which can overcome the constraints of data extraction for evidence acquisition. This allows for complementary interaction when extracting data generated by the use of IMs. However, some IMs encrypt their data for protection against external threats. The use of encryption can effectively protect the user's data, but poses a significant challenge to digital forensics, in which data should be decrypted to be used as evidence. Such IMs normally use a combination of key derivation functions and cryptographic algorithms to encrypt data. It is therefore necessary to identify the relationships between the functions used for encryption, in order to decrypt IM data, so that it can be used as evidence, and to determine the secret values used for generating keys. In this paper, we propose methods for acquiring user data, including conversation history protected by encryption, by analyzing the Telegram X and BBM-Enterprise apps that perform in various mobile and PC operating environments. Both applications encrypt their databases using an SQLite extension module called SQLCipher. In order to decrypt these databases, we identified the parameters of SQLCipher, and derived a Passphrase, the main secret. In addition, we validated our approach by conducting an experiment to decrypt the encrypted databases of Telegram X and BBM-Enterprise.
Article
As the storage capacity of smartphones increases, more user data such as call logs, SMS records, media data, and instant messages are stored in smartphones. Therefore, it is important in digital investigation to acquire smartphones containing the personal information of users. However, even when a prime suspect's smartphone is acquired, it is difficult to extract user data without obtaining root privilege. In this situation, smartphone backup data may be a valuable alternative to the extraction of user data. Using a smartphone backup, an investigator can extract most of the data stored in a smartphone including user data, with straightforward methods, and transfer them to a storage device such as an SD card, a USB, or a PC. Despite its convenience, backup data are hard to use as evidence, because backup data are encrypted using different methods depending on smartphone manufacturers, in order to protect user privacy. In this paper, we propose methods for decrypting encrypted backup data of Sony smartphones. In our analysis, we reverse-engineered the backup processes of the local backup and the PC backup provided by Sony smartphones, and analyzed the encryption methods applied to each set of backup data. In particular, we developed an algorithm for decrypting encrypted backup data on Sony smartphones, which we experimentally verified. As far as we know, this is the first research that has addressed the decryption of backup data on Sony smartphones.
Presentation
As smartphones gain more convenient functions and become a necessity of daily life, they store a variety of information, including users' personal information. Moreover, a lost device or a system update (operating system and application) may cause loss or leakage of the data stored on the device. In this regard, smartphone backup data is important for the purpose of data protection, and users have started to use the backup function to store their private data. Backup data can be stored on the internal/external SD card of smart devices, on the hard disk of a connectable PC, or on a cloud server. However, these files are normally encrypted when stored, in order to protect the data. In this case, the files lose their value as digital evidence due to difficulties in decryption, even though they are artifacts that can reveal the information stored on the smartphone at the time of the backup. This paper aims to suggest a digital forensic investigation method for smartphone backup data stored on a PC and to analyze the encryption and encoding process of backup files.
Article
As the various features of the smartphone have come into use, a lot of information has been stored on the smartphone, including the user's personal information. However, frequent updates of the operating system and applications may cause a loss of data and a risk of missing important personal data. Thus, the importance of data backup is significantly increasing. Many users employ the backup feature to store their data securely. However, from a forensic point of view, these backup files are considered important objects for investigation when a smartphone is hidden or its data is intentionally deleted. Therefore, in this paper we propose a scheme that analyzes the structure of, and restores data from, Kies backup files of Samsung smartphones, which have the highest smartphone market share in the world. The experimental results show that the suggested scheme analyzes and extracts various types of files from those backup files compared to other tools.