Cracking Android’s full disk encryption
At the end of 2011, Google released version 4.0 of its Android operating system. For the first time, Android smartphone owners were supplied with a disk encryption feature that transparently scrambles user partitions, thus protecting sensitive user information against targeted attacks that bypass screen locks. On the downside, scrambled telephones are a nightmare for IT forensics and law enforcement, because once the power of a scrambled device is cut, any chance to recover data other than by brute force is lost.
We present FROST (Forensic Recovery Of Scrambled Telephones), a tool set that supports the forensic recovery of scrambled telephones. To this end, we perform cold boot attacks against Android smartphones and retrieve disk encryption keys from RAM. We show for the first time that cold boot attacks against Android phones are generally possible, and we demonstrate our attacks practically against Galaxy Nexus devices from Samsung.
The FROST version for the Galaxy Nexus and more information on the topic can be found here.
The technical report with all details of the cold boot attack inside our FROST recovery image can be found here.