Authors: Tobias Groß, Marcel Busch and Tilo Müller
DFRWS EU 2021
Best Paper Award
As known for a decade, cold boot attacks can break software-based disk encryption when an attacker has physical access to a powered-on device, including Android smartphones. Raw memory images can be obtained by resetting a device and rebooting it with a malicious boot loader, or – on systems where this is not possible due to secure boot or restrictive BIOS settings – by a physical transplantation of RAM modules into a system under the control of the attacker. Based on the memory images of a device, different key recovery algorithms have been proposed in the past to break Full Disk Encryption (FDE), including BitLocker, dm-crypt, and also Android’s FDE. With Google’s switch from FDE to File-based Encryption (FBE) as the standard encryption method for recent Android devices, however, existing tools have been rendered ineffective. To close this gap, and to re-enable the forensic analysis of encrypted Android disks, given a raw memory image, we present a new key recovery method tailored for FBE. Furthermore, we extend The Sleuth Kit (TSK) to automatically decrypt file names and file contents when working on FBE-enabled EXT4 images, as well as the Plaso framework to extract events from encrypted EXT4 partitions. Last but not least, we argue that the recovery of master keys from FBE partitions was particularly easy due to a flaw in the key derivation method by Google.