Keepsafe Forensics
Bart Bailey
for
Dixie State University CJ-750
Dr. Gary Cantrell, Instructor
KeepSafe Android Image Security Tool
Introduction
The Android application KeepSafe is a file security tool used to keep images private. As an
image privacy tool this application is of great interest to forensic investigators who need to access and
retrieve those images. There are hundreds of file privacy tools available in the Google Play Store for
Android, and these applications may use different techniques to prevent access to the protected files. While
the specific methods examiners can use to access files stored by the KeepSafe application may not carry over
to other applications, the process used to discover KeepSafe's methods does. Analyzing the application
and its files to determine how the information is stored, secured and retrieved by the application will be
of value to forensic investigators working on KeepSafe cases and provides a potential investigative path
for those working on similar applications.
Project Goals
The ultimate goal of this project is to provide forensic investigators with the means to recover
KeepSafe hidden images from a forensic image or, if necessary, through the application itself. To achieve this goal
the following objectives are set to guide the process:
1. Discover where the application, configuration and data files are located in the
filesystem.
2. Determine how those files can be recovered for forensic examination.
3. Determine whether the configuration files contain data relevant to accessing the data files.
4. Determine how the data in the file is stored, i.e. encrypted, obfuscated or
embedded in other files.
5. Discover if and how the original image file can be recovered, including:
1. Recovering the data through the application itself, by breaking the pin code or by
moving the data to another phone with a known code.
2. Recovering the data through third-party tools that de-obfuscate or decrypt the data
files.
6. Determine whether the data recovery methods discovered can be used across multiple
phone/device brands in an easy step-by-step process usable by other
investigators.
Methodology
The working method for this project will include two Android devices, a Google Nexus 7 with
Android version 4.4.2 and a Verizon Motorola Droid RAZR M with Android version 4.1.2. The Nexus 7 is a
personal tablet that is used on a daily basis, while the Droid RAZR is a phone that has been cleared with
a factory reset. The two devices will be used to examine the application on differing hardware. The
Nexus and RAZR have been set up using different usernames and Gmail accounts. Additionally, the
Droid RAZR will be rooted to allow observation of the files used by the application that may be
inaccessible on the locked Nexus.
Page: 2 of 8
To begin the project I will root the Droid RAZR using the saferoot root kit. I have three test
images of our family turtle (Philbert, female, 22 years of age) to be used throughout the project. They
are:
Filename        SHA1 Hash
philbert-1.jpg  9d67c8d401b6ed70455198a26b14b6040411792
philbert-2.jpg  48cab60eb2a4704c07b81d61be2586e9502a5d8a
philbert-3.jpg  015792d04a47eadd820a4d832e51e4b7c18a4
[Images: philbert-1.jpg, philbert-2.jpg, philbert-3.jpg]
These three files were added to the /sdcard/Pictures/Turtles folder of the Nexus 7
using adb. I then installed the KeepSafe application from the Play Store on both the Nexus 7 and the
Droid RAZR. Reviewing the accessible portions of the Nexus 7 via adb I determined that a new
directory, /sdcard/.keepsafe, had been created. Accessing the rooted Droid with adb allows us to
explore the restricted /data/data folder where application data is stored. A new folder has been
created there: /data/data/com.kii.safe. It contains the subfolders cache, databases, files, lib and
shared_prefs.
Using KeepSafe on the Nexus tablet I added the three turtle images to the safe using the password
572717. After closing the application I checked the /sdcard/Pictures/Turtles folder and
found the images had been deleted from their original location. I then accessed the tablet through adb
to explore the /sdcard/.keepsafe folder, which now contained a subfolder called Main Folder.
The standard ls command was used to list the now hidden files:
bbailey$ ls
1396817101642.philbert-3.jpg.ksd
1396817102096.philbert-2.jpg.ksd
1396817102409.philbert-1.jpg.ksd
A copy of the hidden files was made on an examination machine using the adb pull
command. They were then hashed using SHA1 alongside the original files.
Filename                          SHA1 Hash
1396817102409.philbert-1.jpg.ksd  c6d0577abba0ce16a20466cb647a46039c0b4738
1396817102096.philbert-2.jpg.ksd  57a84ca14ad8988b05738ee37eb6c3ea5c90a
1396817101642.philbert-3.jpg.ksd  c421b081bba79146a14d67723844b268c63dc
philbert-1.jpg                    9d67c8d401b6ed70455198a26b14b6040411792
philbert-2.jpg                    48cab60eb2a4704c07b81d61be2586e9502a5d8a
philbert-3.jpg                    015792d04a47eadd820a4d832e51e4b7c18a4
Attempts to view these images on the examination machine showed the .ksd file type was not
associated with any application. I used the unix file command, which identifies a file by its
magic bytes, to see what the file represented itself to be:
bbailey$ file 1396817101642.philbert-3.jpg.ksd
1396817101642.philbert-3.jpg.ksd: PNG image data, 100 x 100, 8-bit/color RGBA, non-interlaced
I then forced the Preview application to open the file(s). The following image was shown as the
contents of each file:
Part of the new file name looked like a timestamp. I used DCode to evaluate the first portion
of the filename, which appears to confirm a Unix timestamp in milliseconds prepended to the original file name. The UTC
times are consistent with the time I added the files to KeepSafe.
1396817101642  Sun, 06 April 2014 20:45:01 UTC
1396817102096  Sun, 06 April 2014 20:45:02 UTC
1396817102409  Sun, 06 April 2014 20:45:02 UTC
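The same decoding can be scripted so that a whole .keepsafe listing is parsed at once and the files are put back in the order they were added. The Python below is an added illustration, not code from the report or from KeepSafe; it assumes only the naming pattern observed above (13-digit millisecond epoch, a dot, the original name, and a .ksd suffix), and the sample listing inside it is the one shown by ls.

```python
"""Decode KeepSafe hidden-file names of the form <epoch_ms>.<original name>.ksd.

Added illustration, not code from the report or from KeepSafe. It assumes the
naming pattern observed in the report (13-digit millisecond Unix timestamp,
a dot, the original file name, and a .ksd suffix).
"""
import re
from datetime import datetime, timedelta, timezone

# 13 digits = milliseconds since the Unix epoch (a seconds value would be 10 digits).
KSD_NAME = re.compile(r"^(?P<ms>\d{13})\.(?P<orig>.+)\.ksd$")

# Constructed sample input: the three names from the ls listing in the report.
SAMPLE_LISTING = [
    "1396817101642.philbert-3.jpg.ksd",
    "1396817102096.philbert-2.jpg.ksd",
    "1396817102409.philbert-1.jpg.ksd",
]


def epoch_ms_to_utc(ms):
    """Convert a millisecond epoch to an aware UTC datetime without float rounding."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=ms)


def parse_ksd_name(name):
    """Return a dict describing the hidden file, or None if the name does not match."""
    m = KSD_NAME.match(name)
    if m is None:
        return None
    ms = int(m.group("ms"))
    when = epoch_ms_to_utc(ms)
    return {
        "hidden_name": name,
        "original_name": m.group("orig"),
        "epoch_ms": ms,
        "hidden_at_utc": when.strftime("%Y-%m-%d %H:%M:%S.") + f"{ms % 1000:03d} UTC",
    }


def hiding_order(names):
    """Original file names in the order they were added to the safe (earliest first).

    Names that do not match the pattern are skipped; non-.ksd clutter in the
    directory should be examined separately rather than silently decoded.
    """
    parsed = [p for p in map(parse_ksd_name, names) if p is not None]
    parsed.sort(key=lambda p: p["epoch_ms"])
    return [p["original_name"] for p in parsed]


if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        info = parse_ksd_name(name)
        print(f"{info['original_name']:<16} hidden at {info['hidden_at_utc']}")
    print("order added:", hiding_order(SAMPLE_LISTING))
```

Because the prefix keeps millisecond precision, the three entries separate cleanly even though two of them fall in the same second: philbert-3 was added first, then philbert-2, then philbert-1.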
Our next objective is to determine how these files could be recovered for forensic examination.
As shown above, the files have been obfuscated in some way, with their file type changed from .jpg to
.png. I will look at the changes to the files in greater detail later; however, is it possible to recover the
original image without knowing how the files were obfuscated or the KeepSafe password on the
suspect device?
Using the Motorola Droid RAZR I opened and set up KeepSafe with a password of 1234. I
then used adb to transfer the obfuscated images from the Nexus tablet to the RAZR.
bbailey$ adb push 1396817102409.philbert-1.jpg.ksd /sdcard/.keepsafe/Main\ Folder/
bbailey$ adb push 1396817102096.philbert-2.jpg.ksd /sdcard/.keepsafe/Main\ Folder/
bbailey$ adb push 1396817101642.philbert-3.jpg.ksd /sdcard/.keepsafe/Main\ Folder/
Opening KeepSafe on the RAZR using the 1234 password showed three images in the Main Folder.
The images appear to be the same as the ones that were originally hidden on the Nexus 7 tablet. This
experiment shows that moving KeepSafe image files to another device with a known password is a
viable option for viewing the files. It also reveals something about the obfuscation method: the
hiding method is not tied to the password or pin code, nor is it tied to a particular user
name or Gmail account.
Now that we have discovered one technique for recovering the KeepSafe image files, I will
determine how forensically sound the method is, i.e. whether the recovered files' SHA1 hash values match those of the
original images. To answer this question I must compare the hash values of all three sets of
files. The obfuscated KeepSafe files on both the RAZR and the Nexus were unhidden using the
KeepSafe application. The resulting files, bearing the original names, were restored to the
/sdcard/Pictures/Turtles folder of both devices. The recovered files were copied to separate
folders on the examination machine using adb and compared using SHA1 hashing.
Hashed restored files from the Nexus 7
Filename        SHA1 Hash
philbert-1.jpg  1595bc9838e0aee372051cb05aeb8771e9
philbert-2.jpg  d4cec2da364648215ea83156d831690d961187ce
philbert-3.jpg  dba332b60e37d0332d6258926b806921aa922
Hashed restored files from the Droid RAZR
Filename        SHA1 Hash
philbert-1.jpg  1595bc9838e0aee372051cb05aeb8771e9
philbert-2.jpg  d4cec2da364648215ea83156d831690d961187ce
philbert-3.jpg  dba332b60e37d0332d6258926b806921aa922
Hashed original files
Filename        SHA1 Hash
philbert-1.jpg  9d67c8d401b6ed70455198a26b14b6040411792
philbert-2.jpg  48cab60eb2a4704c07b81d61be2586e9502a5d8a
philbert-3.jpg  015792d04a47eadd820a4d832e51e4b7c18a4
The initial technique for recovering images from KeepSafe recovers the same "plain text" files
from the same obfuscated files, as verified with hashing. The recovered files, however, are different
from the original images prior to being hidden. This may affect their evidentiary value. Explaining
how the originals and recovered images differ, and showing that all images recovered from the
same obfuscated files are identical, may mitigate the overall loss of the original image.
I compared the original size in bytes to the restored sizes using the unix stat -f%z <filename>
command (the -f format flag is the BSD/macOS stat; GNU stat prints the size with stat -c %s).
Original
Filename        Size (bytes)
philbert-1.jpg  579436
philbert-2.jpg  544660
philbert-3.jpg  496570
KeepSafe hidden
Filename                          Size (bytes)  Difference from original
1396817102409.philbert-1.jpg.ksd  583158        (583158 - 579436 = 3722)
1396817102096.philbert-2.jpg.ksd  548382        (548382 - 544660 = 3722)
1396817101642.philbert-3.jpg.ksd  500292        (500292 - 496570 = 3722)
Every hidden file is exactly 3722 bytes larger than its original. Restored files from either device are
smaller than the originals (by 606, 516 and 516 bytes respectively) and smaller still than the hidden files:
Filename        Size (bytes)  Difference from hidden
philbert-1.jpg  578830        (578830 - 583158 = -4328)
philbert-2.jpg  544144        (544144 - 548382 = -4238)
philbert-3.jpg  496054        (496054 - 500292 = -4238)
It is apparent that the restored files are missing some of the original data. I examined the
original and restored files using a hex editor in an attempt to understand what data is missing. Most of
the missing data appears to come from the portion of the file containing some, but not all, of the EXIF data. I
also examined the obfuscated files in an attempt to understand the hidden file structure. Each hidden
file has a PNG header beginning at byte 0 (0x00) followed by PNG data ending at byte 3704 (0xE78),
complete with a full PNG IEND chunk.
I ran some basic cryptographic tests to see if obvious patterns in the obfuscated data could be
found. These tests consisted of using XOR, OR and AND functions to compare original file data and
obfuscated file data. I performed these functions on the first 10 bytes (with the PNG header removed)
and the last 10 bytes of the files, looking for a pattern. I was not able to find an obvious pattern. It is
unknown, however, whether I was actually comparing the same parts of the files to each other, due to the
change in file size between the original and obfuscated files.
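The size tables above bound that alignment question: every hidden file is 3722 bytes larger than its original and the PNG data occupies the first 3704 bytes, so the payload that follows the IEND chunk is 18 bytes longer than the original JPEG in all three cases. The following Python is an added illustration, not code from the report or from KeepSafe. It walks the PNG chunk structure to find the true end of the cover image instead of assuming a fixed offset, checks that size accounting against the report's measured figures, and runs the XOR probe at a chosen skip offset. The "hidden" file it operates on is constructed inline with a toy single-byte XOR and an 18-byte filler header, purely so the probe has something to detect; this is not KeepSafe's actual transform, which the report does not determine.

```python
"""Split a KeepSafe .ksd file into its PNG cover and the trailing payload, and
probe the payload for a simple relationship to the original JPEG.

Added illustration, not code from the report or from KeepSafe. The only facts
taken from the report are: the .ksd file starts with a PNG at byte 0, that PNG
ends with a full IEND chunk, and every .ksd is 3722 bytes larger than its
original. The XOR "hidden" file built in make_constructed_sample() is a toy
transform so the probe has something to find; KeepSafe's real transform is
unknown.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data):
    """Walk the chunk list from byte 0 and return the offset just past IEND's CRC.

    Each chunk is: 4-byte big-endian length, 4-byte type, <length> bytes of
    data, 4-byte CRC. Stopping at IEND, rather than at a fixed offset, keeps the
    split correct even if the cover image changes size between app versions.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("no PNG signature at byte 0")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4
        if pos > len(data):
            raise ValueError("truncated PNG chunk")
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND chunk not found")


def split_ksd(data):
    """Return (png_cover, payload) where payload is everything after IEND."""
    end = png_end_offset(data)
    return data[:end], data[end:]


def payload_overhead(hidden_size, original_size, png_size):
    """Bytes in the payload that are not accounted for by the original file."""
    return hidden_size - png_size - original_size


def xor_probe(payload, original, n=16, skip=0):
    """XOR n payload bytes (starting at `skip`) against the first n original bytes.

    A constant or short repeating result suggests a fixed keystream; random-
    looking output at every plausible skip suggests real encryption or
    compression, and is where static analysis of the app would have to begin.
    """
    return bytes(a ^ b for a, b in zip(payload[skip:skip + n], original[:n]))


def looks_like_jpeg(blob):
    """True if the bytes carry the JPEG SOI marker."""
    return blob[:2] == b"\xff\xd8"


def build_cover_png(width=100, height=100):
    """Construct a minimal 8-bit RGBA PNG (test data; not KeepSafe's cover image)."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # 8-bit RGBA
    raw = b"".join(b"\x00" + b"\x00\x00\x00\xff" * width for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def make_constructed_sample(key=0x5A, header_len=18):
    """Return (original_jpeg_like_bytes, constructed_hidden_bytes) for the demo."""
    original = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 4 + b"\xff\xd9"
    transformed = bytes(b ^ key for b in original)
    hidden = build_cover_png() + b"\x00" * header_len + transformed
    return original, hidden


if __name__ == "__main__":
    # Size accounting with the report's measured figures: 18 extra payload bytes each.
    for hidden_sz, orig_sz in ((583158, 579436), (548382, 544660), (500292, 496570)):
        print("overhead beyond original:", payload_overhead(hidden_sz, orig_sz, 3704))
    original, hidden = make_constructed_sample()
    cover, payload = split_ksd(hidden)
    print("cover ends at", len(cover), "payload looks like JPEG:", looks_like_jpeg(payload))
    for skip in (0, 18):
        print(f"xor probe skip={skip}:", xor_probe(payload, original, n=8, skip=skip).hex())
```

On a real .ksd the interesting outputs are the IEND offset (3704 should be confirmed, not assumed), whether the payload carries the JPEG SOI marker at any small skip, and whether the XOR probe at skip 0 and skip 18 produces anything other than noise. If all of those are negative, the report's conclusion that the routine must be found by decompiling the application stands.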
Having determined that data recovery is possible across multiple devices using a second
installation of KeepSafe with a known password, the next objective is to determine how to recover the
images on the original device. Using the rooted RAZR it is possible to explore the application folders
in the restricted areas of the filesystem. Accessing the RAZR using adb and becoming root allows us to
navigate to the /data/data/com.kii.safe folder. To allow for easier examination the application
folder was first copied from a root shell to the sdcard, where it is accessible to non-root users, and then
pulled to the examination machine as follows:
bbailey$ adb shell
$ su -
# cd /data/data
# cp -R com.kii.safe /sdcard/
I then exited the shell and used adb pull to copy the com.kii.safe folder to the examination
machine.
bbailey$ adb pull /sdcard/com.kii.safe
Note that cp without -p does not preserve modification times and /sdcard does not carry Unix ownership or
permissions, so this copy is suitable for content analysis but file-metadata timelines should be taken from
the files in their original location.
With the application folder available on the examination machine I was able to access the folder and
files using multiple tools.
An interesting file in the databases folder is ks_internal_sdk.db. A review of this database using
Mozilla SQLite Manager shows it contains a table called ks_breakin_log. This log lists failed login
attempts as well as the location of photos taken by the application during the failed attempt.
The forensic value of this log includes not only documentation of attempts to access the
application, but also potential passwords for other applications (the PINs that were tried) and the location of
possible images of the suspect or others attempting to access the application.
Findings
The shared_prefs folder holds configuration documents in plain text XML format. The
/data/data/com.kii.safe/shared_prefs/com.kii.KeepSafe.preferences.xml file contains an XML element
called preference-pin-final which contains the password in plain text:
<string name="preference-pin-final">1234</string>
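Both of these artifacts, the plain-text PIN in shared_prefs and the break-in log in ks_internal_sdk.db, can be extracted from the pulled com.kii.safe folder with a few lines of Python. The block below is added here as an illustration and is not the report's own tooling or KeepSafe code. The preferences XML embedded in it is constructed around the single element quoted above, and the column names of the in-memory ks_breakin_log table are assumptions for the demonstration rather than KeepSafe's actual schema, which is why dump_table reads the column names from the cursor instead of hard-coding them.

```python
"""Pull the KeepSafe PIN from shared_prefs XML and dump the break-in log table.

Added illustration, not code from the report or from KeepSafe. The preferences
XML is constructed around the one element quoted in the report; the in-memory
ks_breakin_log table, its column names and the photo paths are assumptions for
the demo, not KeepSafe's real schema, so dump_table() never hard-codes columns.
"""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed: Android SharedPreferences files are <map> documents of typed entries.
PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="preference-pin-final">1234</string>
    <boolean name="preference-example-flag" value="true" />
</map>
"""


def read_pref_string(xml_text, key):
    """Return the text of <string name=key> from a SharedPreferences XML, or None."""
    raw = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(raw)
    if root.tag != "map":
        raise ValueError(f"unexpected root element {root.tag!r}")
    for el in root.findall("string"):
        if el.get("name") == key:
            return el.text or ""
    return None


def read_pin(xml_text):
    """The element the report identifies as holding the plain-text PIN."""
    return read_pref_string(xml_text, "preference-pin-final")


def dump_table(conn, table):
    """Return (column_names, rows) for `table`, refusing names not present in the DB.

    Checking sqlite_master first means the identifier interpolated into the
    SELECT can only ever be a real table name, never examiner-supplied garbage.
    """
    known = {r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    if table not in known:
        raise LookupError(f"no table {table!r}; tables present: {sorted(known)}")
    quoted = '"' + table.replace('"', '""') + '"'
    cur = conn.execute(f"SELECT * FROM {quoted}")
    return [d[0] for d in cur.description], cur.fetchall()


def constructed_db():
    """In-memory stand-in for ks_internal_sdk.db (schema and rows are made up for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ks_breakin_log ("
        "_id INTEGER PRIMARY KEY, timestamp INTEGER, pin_entered TEXT, photo_path TEXT)"
    )
    conn.executemany(
        "INSERT INTO ks_breakin_log VALUES (?, ?, ?, ?)",
        [
            (1, 1396817400000, "0000", "/sdcard/.keepsafe/.breakin/1396817400000.jpg"),
            (2, 1396817405000, "5555", "/sdcard/.keepsafe/.breakin/1396817405000.jpg"),
        ],
    )
    conn.commit()
    return conn


def breakin_summary(conn, table="ks_breakin_log"):
    """One dict per row keyed by column name, so a report can be built without knowing the schema."""
    cols, rows = dump_table(conn, table)
    return [dict(zip(cols, row)) for row in rows]


if __name__ == "__main__":
    print("PIN:", read_pin(PREFS_XML))
    for entry in breakin_summary(constructed_db()):
        print(entry)
```

Against a real pull, point read_pin at the contents of com.kii.KeepSafe.preferences.xml and open ks_internal_sdk.db with sqlite3.connect; because dump_table takes its column list from the cursor, it will report whatever columns the actual table has, and the LookupError lists the tables that do exist if the name differs in another version of the app.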
This investigation has shown that the KeepSafe application can be attacked by investigators
through at least two methods:
1. The application can be installed on an examination device using a known password, and the
obfuscated files can be copied to the examination device's .keepsafe folder and opened using
the known password/pin.
2. If root access to the suspect device can be obtained, the suspect's password/pin is accessible in
plain text in the
/data/data/com.kii.safe/shared_prefs/com.kii.KeepSafe.preferences.xml file.
It has also been discovered that the hiding and recovery process alters the original image file;
however, files restored from the obfuscated files are the same even when restored on different devices. It
does not appear that the encryption or obfuscation is based on any user-supplied information, implying
that the obfuscation routine is hard-coded and symmetric. As shown, the files can be restored on
different devices using different passwords and user account information. Hidden files restored on
different devices are also the same, as shown by their SHA1 hashes. This information allows the
investigator to show that images restored on an examination device are the same as those the suspect
could have restored on his device. While I was able to discover some information about the techniques
used to hide the files, I was not able to easily determine a third-party method of accessing the
obfuscated file. Further research may require de-compiling the application to learn
more about the obfuscation method.
An additional find during the research was the existence of a break-in log and images taken
during failed access attempts. The log and images could be vital to an investigation by putting the
suspect in possession of the device and using the application.
Conclusion
Applications that encrypt or otherwise hide illegal data are available through the Google Play
Store. Forensic investigators must not only know how these applications might work, but also how to
investigate and understand new and unfamiliar applications when found on suspect devices. By
applying a common-sense approach to examining how the application works and where it stores
information, strategies can be developed to exploit weaknesses in the application design. I was unable
to discover the method KeepSafe uses to hide images. However, because we examined the
application's behavior and its storage and configuration files, we were able to find two methods of
retrieving its hidden data. Those two methods are repeatable for other examiners working with
KeepSafe.
Through this approach we also discovered additional areas of evidence that may help link
suspects to the images. The detailed examination of the suspect files also provided valuable
information for the examiner who may need to explain to investigators or a court how image files are
changed when processed by KeepSafe.