A proof-of-concept Android application to detect and defeat some of the Cellebrite UFED forensic toolkit extraction techniques.
LockUp
An Android-based Cellebrite UFED self-defense application
LockUp is an Android application that will monitor the device for signs for attempts to image it using known forensic tools like the Cellebrite UFED. Here is a blog I wrote.
Proof-of-Concept. Not meant as an in-depth defense
Android API 28, Does not require root
Relies on RECEIVE_BOOT_COMPLETED to start a Service and AccessibilityService
Monitors USB events through ACTION_USB_DEVICE, package installations, and known exploit staging locations on the filesystem
Detects Logical Extractions, File System Extractions, and Physical Extractions leveraging ADB
Will automatically respond with a factory reset with DeviceAdminReceiver
Beginning steps to researching more robust anti-forensic techniques
Signature Detection
Exploit staging directories and known filenames
Known file hashes
Application names and certificate metadata
TODO Signatures
Binary-level identifiers
Hardcoded RSA keys used for ADB authentication (requires root)
Installation
I avoided including everything needed to build LockUp, making this application so accessible that it may be easily used to avoid criminal prosecution was not my goal. Instead, my goal was to help support my research into forensic tools in showing how they aren't immune to software issues.