General bypass information

In all cases, bypassing the lock screen will require retrieving a file from the device. Pattern locks are stored as hash values at /data/system/gesture.key and PIN/password locks are stored as hash values at /data/system/password.key (up to Android 5.0, Lollipop). Additionally, the password.key hash is salted; the salt value is stored at /data/data/com.android.providers.settings/databases/settings.db prior to Android 4.4, and /data/system/locksettings.db on devices running Android 4.4 and later. 

Android 6.0 (Marshmallow) introduced Gatekeeper password storage, a new level of obfuscation for PIN and pattern locks. The locks are now stored in gatekeeper.pattern.key and gatekeeper.password.key and no longer use plain hashes: Gatekeeper uses a Hash-based Message Authentication Code (HMAC) computed with a hardware-backed secret key to manage and verify passwords.

If the device is locked, how is an examiner supposed to access these files? Again, there is no magic solution that works every time, but some options are as follows:

  • ADB:
    • Requires root
    • Requires USB Debugging
    • Requires Secure USB Debugging pairing (depending on OS version)
  • Booting into a custom Recovery Mode:
    • Does not require root (root will be given through the recovery image)
    • Does not require USB Debugging (accomplished via fastboot)
    • Does not require Secure USB Debugging (this is bypassed entirely)
    • Requires an unlocked bootloader
    • Won't work on devices with encrypted userdata partition
  • JTAG/Chip-off:
    • Highly advanced
    • Does not require any specific device settings or options
    • Won't work on devices with encrypted userdata partition