Decrypting Databases Using RAM Dump – Health Data | By Michal Rozin

Decrypting Databases Using RAM Dump – Health Data

Extracting memory from Samsung devices to decrypt Samsung Health DB’s can uncover critical data for investigators

Samsung Health is a wellness application that helps users track their physical activities. As one might expect, the application stores a lot of interesting location data that interests the forensics community and specifically law enforcement investigators. As of today, no commercial tool decrypts the database of the application as Samsung uses Android’s “KeyStore” to encrypt and decrypt their data.

In this blog, I will demonstrate a method to decrypt the databases and extract meaningful data using a RAM dump. The phone’s RAM stores the decryption keys for the application after extracting the relevant keys from KeyStore and manipulating them. I will present an end-to-end procedure that starts with the RAM extraction and ends with the decryption and display of Samsung Health’s databases.

I hope that by releasing this blog the mobile forensics community will be inspired to continue to examine memory dump methodologies and spark the community to share their findings.

Motivation

My research started when our decoding group decided to focus on finding location data in Android environments because of COVID-19. We looked for popular applications that store the user’s location. Samsung Health runs in the background and stores the user’s activity even when the GUI application is not running or used by the user.

Samsung Health Brief

Samsung Health is an application that tracks various aspects of daily life contributing to well-being such as physical activity, diet, and sleep. The application was introduced to Samsung users on July 2, 2012 with the new Samsung Galaxy S3 smartphone. Today the app is installed by default on Samsung phones and on some models, it cannot be removed without root. It can also run on all recent Android and iOS phones.

Samsung Health Cryptography Internals

The Android KeyStore system lets you store cryptographic keys in a safe location in order to make it difficult to extract them from the phone. The keys can be used for encryption and decryption operations without entering the application because the cryptographic operations are handled in the operating system with a hardware-backed system.

For more information: https://medium.com/knowing-android/modern-security-in-android-part-2-743cd7c0941a

How Does Samsung Health Encrypt/Decrypt Its Data?

First, it’s important to understand how Samsung Health runs. Samsung Health executes two processes:

  1. “com.sec.android.app.shealth:remote” – A none-graphic background process that runs all the time, even when the user is not actively interacting with the application. This process collects pedometer data and handles database operations.
  2. “sec.android.app.shealth” – A graphical application that the user can interact with.

When exiting the GUI application and killing it. The background application still runs and collects data.

Samsung Health has a large infrastructure for cryptographic operations on data. The application performs the following steps to get the decryption key to decrypt its database:

  1. It opens a file called “aks” (initials for Android KeyStore)
  2. It then decrypts the file using Android KeyStore key and iv generated from the output of a custom hash function named “getMagic.” This is implemented in a shared object called “libload-strings.so,” which gets a SHA256 of a unique Android id as it inputs and outputs the iv.

    The decryption of the AKS file looks like this:

The IV creator looks like this:

3. The decrypted data is used as a key for decrypting the sqlitecipher database.

Sqlitecipher is a cryptographic framework that wraps sqlite databases and supports decryption and encryption of sqlite databases. Samsung Health has implemented this framework in their code by a shared object called “libsecsqlite.so.” This shared object holds all the capabilities of sqlitecipher and has its own “special” configuration.

The shared object uses its own default configurations, these functions point to these default values:

The shared object gets a key from the Java application (as explained above) and generates the derived key. The derived key is stored as a format of: x’<96 characters of a-f or 0-9>’.

Finding The Key For Decryption

Extracting the key from a normal filesystem dump is not possible because the key is generated through Android KeyStore, which, as explained previously, is stored at a safe location that cannot be extracted in a normal filesystem dump. To extract the key, we found the following methods:

Frida framework (requires root)

Frida is a dynamic instrumentation framework that allows you to hook into applications for reversing, debugging, and research purposes.

As mentioned above, Samsung Health runs two processes. The first is the background process that runs without a GUI application. The other is the GUI application.

In order to hook the relevant functions that decrypt the databases, we need to hook the “com.sec.android.app.shealth:remote” process.

It is crucial to hook this process when it spawns, as it decrypts the databases at the start of its run time. To do so, spawn-gating is required.

RAM dump (used SBOOT dump – no root required)

Another way is extracting RAM data from the phone and finding the keys used to decrypt the databases. I expect the key to be in the RAM as the process is always running in the background and doing cryptography operations on the databases.

Extracting RAM Data

There are various ways to extract RAM data from an Android phone, in this blog I will only explain about S-Boot dump related to Samsung phones only, which requires no root privileges on the device.

Samsung has its own debugging mode called “Upload Mode.” Upload mode is a basic protocol that dumps memory from a device. It is used for debugging and reversing purposes; Samsung can use it to look at registers and stack memory to understand crashes.

The way this protocol works is by accepting a start and end address of the physical memory to be extracted and returns the memory dump. It can be used to dump the full range of memory as well. It does not require root, but it does need to be configured from within the phone.

How to make an SBOOT extraction:

  1. Enter upload mode:
    1. Dial *#9900#
    2. Turn “Debug Level” to High
    3. If possible, enable UploadMode
    4. Force reset your Samsung phone by holding “Power” + “Volume down”
    5. After the phone has shutdown. Hold “Bixby” + “Volume down”
    6. Your phone should enter upload mode
  2. Connect the Samsung to your computer
  3. Git clone https://github.com/bkerler/sboot_dump
  4. Run `python3 samupload.py -all

After Gaining The Memory Dump

The sqlitecipher keys are stored in the format mentioned above. To find those keys in the memory dump, extract all the strings from the memory dump and find (with regex) the sqlitecipher key

strings * | grep -E “x'[a-f0-9]{96}'”

The keys extracted:

The key relevant to Samsung Health:

In the next version of the Cellebrite Physical Analyzer (PA) we implemented a Samsung Health decryptor that when given a RAM dump, decrypts the databases and parses the locations from the DB:

Decrypt Using Cellebrite Physical Analyzer

To decrypt using PA, follow these steps.

After gaining the memory folder and the File System extraction:

  1. Move the extracted memory folder into a directory with a <FOLDER NAME> of your choosing
  2. Move <FOLDER NAME> directory to the same path of the .ufd file
  3. In the .ufd file, under [dumps] Add:

    Memory=<FOLDER NAME>
    [Memory]
    Type=Folder

  4. Open the .ufd in PA

The parsers that should run are “SbootDumpPasswords” and “Samsung Health.”

The keys extracted are shown in the tables in SecureHealthData.db:

Locations that are stored by default under SecureHealthData.db:

Locations that are stored under SportTracker.db (after some exercise) are shown below.

Locations mapped to models in PA look like this:

In Summary

Samsung Health uses strong cryptography methods that involve unique libraries. In order to extract meaningful information from the application, there is a need to extract decryption keys from the process’s memory. This is why knowing different methods to extract the key, how the decryption flow works, and how a detailed flow using SBOOT dump to decrypt the application’s databases via Cellebrite’s Physical Analyzer is so important.

Volitile memory analysis could provide a solution to parse data that could not be parsed using a filesystem dump.

Learn more about how Cellebrite’s Digital Intelligence solutions can help your investigations here.

The article was originally published: https://www.cellebrite.com/en/blog/decrypting-databases-using-ram-dump-health-data/

September 21, 2020
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023