Encryption & security
Introduction
Encryption is a crucial aspect of mobile security, ensuring that sensitive data stored on devices remains inaccessible to unauthorized users. In digital forensics, understanding and handling encrypted data is essential. MOBILedit Forensic PRO & PRO+ have certain features for bypassing security on mobile devices, but certain encryption methods pose unique challenges. This guide covers the key types of encryption you might encounter and explains the capabilities and limitations of MOBILedit Forensic when dealing with encrypted data.
Encryption types
Full Disk Encryption
Full Disk Encryption (FDE) protects all data on a device by encrypting it at the hardware level with a single key. When a device is powered off, the entire storage is inaccessible without the correct decryption key, usually derived by entering a user password or PIN. In digital forensic investigations, bypassing full disk encryption typically requires specialized techniques and tools.
Key Points:
Encryption Scope: Entire storage, including operating system files and user data.
Challenges: Accessing data without the decryption key is extremely difficult.
MOBILedit Forensic PRO can attempt to obtain a physical image using security bypassing techniques. However, importing an encrypted physical image will result in a “failed to import” notification. MOBILedit Forensic PRO+ can bypass FDE in certain cases.
File-Based Encryption
File-Based Encryption (FBE) allows individual files to be encrypted with different keys, providing more granular control over data access. This method encrypts individual files rather than the entire disk, which enhances security.
Key Points:
Encryption Scope: Individual files, with separate keys for different files.
Challenges: Requires decryption keys for each file, making forensic analysis more complex.
MOBILedit Forensic: While MOBILedit Forensic can extract the physical image, decrypting the individual files requires knowing or obtaining the specific keys for each file. Even though it may be possible to get a physical image, if the image is re-imported and is encrypted, it will result in a “failed to import” notification. MOBILedit Forensic PRO+ can bypass FBE in certain cases.
File-Based Encryption with Metadata
File-Based Encryption with Metadata extends file-based encryption by encrypting the metadata associated with the files. This additional layer of security makes it even harder to interpret the data without proper decryption. This means not only are you unable to open and read the contents of the files, but you will also not see the filename or directories they are stored in.
Key Points:
Encryption Scope: Individual files and their associated metadata.
Challenges: Accessing and interpreting encrypted metadata adds another layer of difficulty.
MOBILedit Forensic: Extracting files and metadata is possible with MOBILedit Forensic PRO, but MOBILedit Forensic PRO+ is required for decryption to access the correct individual decryption keys.
How to identify what encryption is being used
Live-connected device (Android)
To identify the type of encryption the device is using, connect the device and once correctly connected and MOBILedit Forensic has recognised it, click on the “Browse content” button. The Forensic Connector app will need to be installed.
Using the file manager select, “Extra (applications1)” and then open the “getprop.txt” file. Scroll down to “ro.crypto.*”.
By Android version
Android Version | Description |
|---|---|
1.0 - 4.4 KitKat | No encryption recommended or compulsory. Not upgradable to FDE or FBE |
5.0 Lollipop | FDE recommended. Older devices may not support OTA upgrade to FDE |
6.0 Marshmallow | FDE compulsory. Some older devices may not support FDE |
7.0 Nougat to 8.0 Oreo | FBE recommended. Devices without hardware support cannot upgrade to FBE |
9.0 Pie | FBE compulsory. Devices without hardware support cannot upgrade to FBE |
10 to 12 | FBE with Metadata recommended. Not all devices support Metadata due to hardware limitations |
13+ | FBE with Metadata is compulsory. Only devices with compatible hardware can use Metadata |
Application security
App security protects applications from malicious attacks, prevents unauthorized access, and safeguards user data. One key aspect of app security is sandboxing, a technique where applications run in isolated environments. This isolation prevents apps from interacting with each other or with sensitive system components without explicit permission. Even if one app is compromised, sandboxing ensures it cannot affect other apps or the overall system, enhancing device security.
Even though data for apps may be stored in plain and readable text within the databases, ap security prevents access to read this data. Usually, the data can only be read through the device and app user interfaces with the correct authentication and permission.
In digital forensics, root access might be necessary to extract data effectively. Root access allows investigators to gain full control over the device, potentially enabling the extraction of a physical image. However, if the physical image is encrypted and cannot be decrypted, alternative methods such as logical extraction with root access or app downgrading must be considered. These techniques can help access the required data while navigating the challenges of encryption and app security measures.
Please use the “Supported apps” database to see if root access is required to extract data from an app.
iOS security
iOS security is implemented differently from Android security and iOS has always been a step ahead of Android in device HW and data security for end-users.
OS Version | Description |
|---|---|
1.0 - 4.2 | No encryption recommended or compulsory. |
4.3 | Introduced hardware encryption for devices with A5 chip and later. |
5.0 | Full-disk encryption (FDE) using hardware encryption. |
6.0 | Improved FDE and encryption of email attachments. |
7.0 | FDE made compulsory for all devices with A5 chip and later. |
8.0 | Enhanced encryption for iMessages and other app data. |
9.0 | App Transport Security (ATS) enforced, requiring apps to use HTTPS. |
10.0 | Strengthened encryption protocols and made encryption compulsory for backups in iTunes. |
11.0 | Introduced new security features like Secure Enclave and Face ID. |
12.0 | Improved hardware and software encryption mechanisms. |
13.0 | Enhanced privacy features and encryption for location data. |
14.0 | Enforced stricter app permissions and data encryption policies. |
15.0 | Introduced advanced encryption for iCloud and data privacy features. |
16.0 | Further improvements to encryption and security protocols. |
Conclusion
Encryption and application security pose significant challenges in mobile digital forensic investigations. While MOBILedit Forensic offers powerful tools to extract and analyze data, dealing with encrypted information often requires additional steps and capabilities. Understanding the type of encryption and the associated challenges is crucial for successful forensic analysis. For comprehensive decryption capabilities, consider using MOBILedit Forensic PRO+ to enhance your ability to manage and decrypt encrypted data. There are still viable methods available within MOBILedit Forensic PRO for bypassing security to extract and analyse data from mobile and other devices.