FBE (File Based Encryption) – Mobile Device Forensics
A scheme in which each file on a mobile device's user-data partition is encrypted under its own key, so that forensic tools must first obtain the relevant keys before specific files can be decrypted for evidence analysis.
Key Features of FBE
Per-File Encryption: FBE encrypts each file under its own key, derived from a per-user master key and a nonce stored with the file, rather than encrypting the whole partition under a single key as FDE does. Because individual users and storage areas can be unlocked independently, this is more flexible than FDE and limits what the compromise of any one key exposes.
Direct Boot Support: FBE divides user data into two storage areas. Device Encrypted (DE) storage is protected by a key bound only to the device hardware, so it is available as soon as the device boots; Credential Encrypted (CE) storage is protected by a key that additionally depends on the user's credential and becomes available only after the first unlock. DE storage holds the data an app needs before unlock, which is what lets a locked device still receive calls or fire alarms. DE is a storage area inside the userdata partition, not a separate partition.
Key Hierarchy: FBE uses a hierarchical key structure. The per-user DE and CE master keys are random keys kept on the userdata partition only in wrapped (encrypted) form: the CE master key can be unwrapped only with a key derived from the user's credential together with a hardware-bound secret held in the TEE or secure element, while the DE master key is bound to the hardware alone. Per-file keys are then derived from the relevant master key and the file's nonce. This keeps key management efficient and derivation fast, and it means the credential is needed only once per boot to unwrap the CE master key, which then stays in kernel memory until the device reboots.
Metadata Encryption: The filesystem encryption layer (fscrypt) protects file contents and file names, but not everything: timestamps, file sizes, permissions and directory structure remain in the clear. On Android 9 and later a separate metadata-encryption layer can be enabled to cover those remaining fields, in which case a raw flash image exposes no usable filesystem metadata at all.
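The following toy model, added here as an illustration and not code from Android or any forensic product, shows the key hierarchy just described: random DE and CE master keys stored only in wrapped form, a DE key that unwraps with the hardware secret alone, a CE key that also needs the user's credential, and per-file keys derived from the master key plus a per-file nonce. Wrapping and the hardware secret are modelled with HMAC-based constructions so the example runs on the standard library only (real devices wrap keys with AES-GCM inside Keymaster and encrypt files with AES-256-XTS); the HKDF-SHA512 info layout of "fscrypt\0" followed by a context byte and the nonce is an assumption modelled on the fscrypt v2 format.

```python
"""Toy model of the Android FBE key hierarchy (DE vs CE storage).

Constructed illustration; not Android's, the kernel's or any vendor's code.
Assumptions: the fscrypt v2 HKDF info layout below, and HMAC-based stand-ins
for the TEE key wrap and for the hardware-bound secret.
"""
import hashlib
import hmac
import os
from typing import Optional

FSCRYPT_INFO_PREFIX = b"fscrypt\x00"      # assumed fscrypt HKDF info prefix
HKDF_CONTEXT_PER_FILE_ENC_KEY = b"\x02"   # assumed fscrypt context byte for per-file keys


def hkdf_sha512(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF with SHA-512: extract with (zero) salt, then expand over `info`."""
    prk = hmac.new(salt or b"\x00" * 64, ikm, hashlib.sha512).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha512).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_file_key(master_key: bytes, file_nonce: bytes) -> bytes:
    """Per-file key: HKDF(master, "fscrypt\\0" || 0x02 || nonce); 64 bytes for AES-256-XTS."""
    info = FSCRYPT_INFO_PREFIX + HKDF_CONTEXT_PER_FILE_ENC_KEY + file_nonce
    return hkdf_sha512(master_key, info, 64)


def kek_from(hardware_secret: bytes, credential: Optional[bytes]) -> bytes:
    """Key-encryption key: hardware secret alone for DE, hardware secret + credential for CE."""
    if credential is None:
        return hkdf_sha512(hardware_secret, b"DE-kek", 32)
    return hkdf_sha512(hardware_secret + credential, b"CE-kek", 32)


def wrap(kek: bytes, master_key: bytes) -> bytes:
    """Toy authenticated wrap (stand-in for AES-GCM): XOR with an HKDF pad plus an HMAC tag."""
    pad = hkdf_sha512(kek, b"wrap-pad", len(master_key))
    ct = bytes(a ^ b for a, b in zip(master_key, pad))
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Reject with PermissionError if the KEK (credential or hardware secret) is wrong."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(kek, ct, hashlib.sha256).digest(), tag):
        raise PermissionError("wrong credential or hardware secret: cannot unwrap master key")
    pad = hkdf_sha512(kek, b"wrap-pad", len(ct))
    return bytes(a ^ b for a, b in zip(ct, pad))


class ToyDevice:
    """One user's DE and CE storage keys, wrapped as in Android FBE."""

    def __init__(self, credential: bytes):
        self.hw_secret = os.urandom(32)     # never leaves the TEE on a real device
        self.de_master = os.urandom(64)
        self.ce_master = os.urandom(64)
        # Only the wrapped forms live on the userdata partition.
        self.de_blob = wrap(kek_from(self.hw_secret, None), self.de_master)
        self.ce_blob = wrap(kek_from(self.hw_secret, credential), self.ce_master)
        self.loaded = {}                    # keys currently held in kernel memory

    def boot(self) -> None:
        """Before first unlock (BFU): only the DE master key can be unwrapped."""
        self.loaded = {"DE": unwrap(kek_from(self.hw_secret, None), self.de_blob)}

    def unlock(self, credential: bytes) -> None:
        """First unlock (AFU): credential + hardware secret unwrap the CE master key."""
        self.loaded["CE"] = unwrap(kek_from(self.hw_secret, credential), self.ce_blob)

    def is_unlocked(self, storage: str) -> bool:
        return storage in self.loaded

    def file_key(self, storage: str, nonce: bytes) -> bytes:
        """Per-file key for a file in DE or CE storage; fails while that storage is locked."""
        if storage not in self.loaded:
            raise PermissionError(f"{storage} storage is locked")
        return derive_file_key(self.loaded[storage], nonce)


def try_unlock(dev: ToyDevice, credential: bytes) -> bool:
    """One passcode guess. Each guess needs hw_secret, so it cannot run offline against an image."""
    try:
        dev.unlock(credential)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    dev = ToyDevice(b"1234")
    dev.boot()
    print("after boot, DE unlocked:", dev.is_unlocked("DE"), "CE unlocked:", dev.is_unlocked("CE"))
    print("wrong passcode accepted:", try_unlock(dev, b"0000"))
    print("right passcode accepted:", try_unlock(dev, b"1234"))
```

The point the model makes for an investigator is in `try_unlock`: every guess must be verified with `hw_secret`, which on a real device stays inside the TEE, so a raw flash image alone gives nothing to brute-force and guesses must be made on the device, subject to its throttling.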
Impact on Android Forensics
Data Acquisition: FBE complicates acquisition because a physical image of the flash contains only ciphertext for any file whose key has not been loaded. The device's state matters: before the first unlock after a boot (BFU) only DE storage can be decrypted, while after first unlock (AFU) the CE master key stays in kernel memory until the next reboot. Keeping a seized device powered on and in AFU state therefore preserves the most options, and investigators may need to rely on logical acquisition or exploit-based methods rather than a raw flash dump.
Passcode Recovery: Obtaining the user's passcode or the unwrapped CE key becomes crucial for accessing CE data. Because the CE master key is wrapped with a hardware-bound secret held in the TEE or secure element, the passcode cannot be brute-forced offline against a flash image: each guess must be verified on the device itself, where Gatekeeper throttles attempts, or through an exploit that bypasses that throttling. Dictionary attacks, short-PIN enumeration on the device and the user's other known passwords are the practical routes.
Partial Data Access: Because of Direct Boot, some data is accessible even without the passcode. It is limited to what apps have deliberately placed in DE storage (alarms, call handling, some notification state) and does not give a complete picture of the device's contents.
Techniques for Handling FBE
Logical Acquisition: Logical techniques such as adb pull of readable paths, adb backup (restricted on recent Android releases) or an agent app installed through ADB can extract data from an FBE device that is unlocked. This requires the device to be in AFU state with the screen unlocked and USB debugging authorized, and it reaches only what the shell user or the backup mechanism is allowed to read, not raw flash.
Chipset Exploits: Chipset-specific low-level access, such as Qualcomm EDL (Emergency Download Mode) with a signed programmer, yields a raw image of the flash, but it does not by itself bypass FBE: CE files in that image are still ciphertext, and the investigator still needs the credential, verified against the device's own secure hardware, or a further exploit to recover the keys. Such methods are device-specific and may not work on all Android devices.
Decryption Tools: Specialized commercial tools package these approaches for supported devices. They may combine chipset or bootloader exploits with on-device brute force of the passcode, and their support matrices typically state which devices and which states (BFU or AFU) they can handle.
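A first triage step on a live device is to read its encryption state, which decides whether the Direct Boot (DE) data or the full CE data is reachable and which of the techniques above applies. The script below, added as an example rather than code from the page or any forensic product, parses `getprop` output into that decision. `ro.crypto.state` and `ro.crypto.type` are standard AOSP properties; the `sys.user.<id>.ce_available` flag is set by vold on AOSP builds once that user's CE storage is unlocked, but treat its presence as an assumption for a given build. The sample `getprop` lines are constructed.

```python
"""Triage an Android device's encryption state from `adb shell getprop` output.

Added example, not from the original page. Assumption: sys.user.<id>.ce_available
is present and "true" once CE storage is unlocked (vold behaviour on AOSP builds).
"""
import re

GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text: str) -> dict:
    """Turn '[key]: [value]' lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m["key"]] = m["value"]
    return props


def triage(props: dict, user_id: int = 0) -> dict:
    """Classify the scheme (none/FDE/FBE) and, for FBE, whether CE storage is unlocked."""
    enc_type = props.get("ro.crypto.type", "none")
    state = props.get("ro.crypto.state", "unencrypted")
    result = {"scheme": "unknown", "ce_unlocked": None, "reachable": [], "note": ""}

    if state != "encrypted" or enc_type == "none":
        result.update(scheme="none", reachable=["all user data"],
                      note="no data-at-rest encryption; a physical image is directly readable")
    elif enc_type == "block":
        result.update(scheme="FDE",
                      reachable=["entire userdata, once the disk password is recovered"],
                      note="legacy full-disk encryption; one key covers the whole partition")
    elif enc_type == "file":
        ce = props.get(f"sys.user.{user_id}.ce_available") == "true"   # assumed property
        result.update(scheme="FBE", ce_unlocked=ce)
        if ce:
            result.update(reachable=["DE storage", "CE storage"],
                          note="AFU: keep the device powered; logical acquisition can reach CE data")
        else:
            result.update(reachable=["DE storage"],
                          note="BFU: only Direct Boot (DE) data is decryptable without the credential")
    else:
        result["scheme"] = f"unknown ({enc_type})"
    return result


# Constructed sample outputs (not captured from a real device).
SAMPLE_AFU = """\
[ro.build.version.release]: [13]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]
[sys.user.0.ce_available]: [true]
"""

SAMPLE_BFU = """\
[ro.build.version.release]: [13]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]
"""

SAMPLE_FDE = """\
[ro.build.version.release]: [6.0.1]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [block]
"""

if __name__ == "__main__":
    for name, sample in (("AFU", SAMPLE_AFU), ("BFU", SAMPLE_BFU), ("FDE", SAMPLE_FDE)):
        print(name, triage(parse_getprop(sample)))
```

On a real device the input comes from `adb shell getprop` and the user id from `adb shell am get-current-user`; run the triage before powering the device down, since a reboot moves an FBE device from AFU back to BFU.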
FAQs
What is FBE in Android forensics? FBE (File-Based Encryption) is an encryption scheme introduced in Android 7.0 (Nougat) that encrypts individual files rather than the entire disk. It provides more granular control over encrypted data and enables features like Direct Boot. FBE poses new challenges for Android forensic investigators when acquiring and analyzing data from encrypted devices.
How does FBE impact Android forensic investigations? FBE complicates data acquisition because a physical image of the flash contains only ciphertext for files whose keys are not loaded, and the CE keys are loaded only after the user has unlocked the device once since boot. Investigators may need to rely on logical acquisition techniques or exploit-based methods, and obtaining the user's passcode or the CE decryption key becomes crucial, with the added difficulty that the passcode can only be tested on the device's own secure hardware rather than offline. The Direct Boot feature does allow partial access to DE storage without the passcode, but that data is limited to what specific apps keep there.