A proof-of-concept Android application to detect and defeat some of the Cellebrite UFED forensic toolkit extraction techniques.

LockUp

An Android-based Cellebrite UFED self-defense application

LockUp is an Android application that will monitor the device for signs for attempts to image it using known forensic tools like the Cellebrite UFED. Here is a blog I wrote.

• Proof-of-Concept. Not meant as an in-depth defense
• Android API 28, Does not require root
• Relies on RECEIVE_BOOT_COMPLETED to start a Service and AccessibilityService
• Monitors USB events through ACTION_USB_DEVICE, package installations, and known exploit staging locations on the filesystem
• Detects Logical Extractions, File System Extractions, and Physical Extractions leveraging ADB
• Will automatically respond with a factory reset with DeviceAdminReceiver
• Beginning steps to researching more robust anti-forensic techniques

Signature Detection

• Exploit staging directories and known filenames
• Known file hashes
• Application names and certificate metadata

TODO Signatures

• Binary-level identifiers
• Hardcoded RSA keys used for ADB authentication (requires root)

Installation

I avoided including everything needed to build LockUp, making this application so accessible that it may be easily used to avoid criminal prosecution was not my goal. Instead, my goal was to help support my research into forensic tools in showing how they aren’t immune to software issues.

Author

Matt Bergin, KoreLogic

History

Most recently I presented my research at Blackhat Asia 2021.

I’ve released security advisories for the Cellebrite UFED which you may also be interested in:

• KL-001-2020-003: Cellebrite EPR Decryption Relies on Hardcoded AES Key Material
• KL-001-2020-002: Cellebrite Restricted Desktop Escape and Escalation of User Privilege
• KL-001-2020-001: Cellebrite Hardcoded ADB Authentication Keys

License

Creative Commons Zero 1.0