FROST: forensic recovery of scrambled telephones

Authors:
Tilo Müller;Michael Spreitzenbarth
Affiliations:
Department of Computer Science, Friedrich-Alexander University of Erlangen-Nuremberg, Germany;Department of Computer Science, Friedrich-Alexander University of Erlangen-Nuremberg, Germany
Venue:
ACNS'13 Proceedings of the 11th international conference on Applied Cryptography and Network Security
Year:
2013

Citing 9
Cited 1

Data remanence in semiconductor devices

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Tamper resistance: a cautionary note

WOEC'96 Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce - Volume 2
Lest we remember: cold boot attacks on encryption keys

SS'08 Proceedings of the 17th conference on Security symposium
Smudge attacks on smartphone touch screens

WOOT'10 Proceedings of the 4th USENIX conference on Offensive technologies
TRESOR runs encryption securely outside RAM

SEC'11 Proceedings of the 20th USENIX conference on Security
Data remanence in flash memory devices

CHES'05 Proceedings of the 7th international conference on Cryptographic hardware and embedded systems
SP 800-132. Recommendation for Password-Based Key Derivation: Part 1: Storage Applications

SP 800-132. Recommendation for Password-Based Key Derivation: Part 1: Storage Applications
TreVisor: OS-independent software-based full disk encryption secure against main memory attacks

ACNS'12 Proceedings of the 10th international conference on Applied Cryptography and Network Security
TARDIS: time and remanence decay in SRAM to implement secure protocols on embedded devices without clocks

Security'12 Proceedings of the 21st USENIX conference on Security symposium

Deadbolt: locking down android disk encryption

Proceedings of the Third ACM workshop on Security and privacy in smartphones & mobile devices

Quantified Score

Hi-index	0.00

Visualization

Abstract

At the end of 2011, Google released version 4.0 of its Android operating system for smartphones. For the first time, Android smartphone owners were supplied with a disk encryption feature that transparently encrypts user partitions. On the downside, encrypted smartphones are a nightmare for IT forensics and law enforcement, because brute force appears to be the only option to recover encrypted data by technical means. However, RAM contents are necessarily left unencrypted and, as we show, they can be acquired from live systems with physical access only. To this end, we present the data recovery tool Frost (Forensic Recovery of Scrambled Telephones). Using Galaxy Nexus devices from Samsung as an example, we show that it is possible to perform cold boot attacks against Android smartphones and to retrieve valuable information from RAM. This information includes personal messages, photos, passwords and the encryption key. Since smartphones get switched off only seldom, and since the tools that we provide must not be installed before the attack, our method can be applied in real cases.