I'm currently doing a study on application forensics on Android 12 (API 31). In this study I need to use a private key from Keystore, which I can find with no problem in Android 11, where it is usually located in "/data/misc/keystore/user_0/". But in Android 12 the "user_0" folder cannot be found there; all I can find is a DB file named "persistent.sqlite". Are there any updates I am missing in the AOSP documentation, or am I maybe misunderstanding the concept of the Keystore persistent.sqlite file?
emulator64_x86_64_arm64:/data/misc/keystore # ls -la
total 156
drwx------ 2 keystore keystore 4096 2022-02-14 14:57 .
drwxrwx--t 64 system misc 4096 2021-12-11 11:35 ..
-rw------- 1 keystore keystore 126976 2022-02-14 14:57 persistent.sqlite
-rw------- 1 keystore keystore 0 2021-12-11 11:37 timestamp
-rw------- 1 keystore keystore 16384 2021-12-11 11:36 vpnprofilestore.sqlite
generic_x86:/data/misc/keystore/user_0 # ls -la
total 88
drwx------ 2 keystore keystore 4096 2022-02-13 21:59 .
drwx------ 3 keystore keystore 4096 2022-02-13 21:59 ..
-rw------- 1 keystore keystore 169 2022-02-13 21:50 .10087_chr_USRPKEY_unstable+^825349ac930c2370b39f30e7d789963b+^2
-rw------- 1 keystore keystore 158 2022-02-13 21:50 .10087_chr_USRPKEY_unstable+^c7202ece89390c490b1b94d5b71225e1+^+]3617777111701302822
-rw------- 1 keystore keystore 158 2022-02-13 21:50 .10087_chr_USRPKEY_unstable+^c7202ece89390c490b1b94d5b71225e1+^1127810549181744279
-rw------- 1 keystore keystore 158 2022-02-13 21:50 .10087_chr_USRPKEY_unstable+^c7202ece89390c490b1b94d5b71225e1+^116472976498382090
-rw------- 1 keystore keystore 153 2022-02-13 21:50 .1010_chr_USRPKEY_MacRandSecret
-rw------- 1 keystore keystore 169 2022-02-13 21:59 .10121_chr_USRPKEY_SignalSecret
-rw------- 1 keystore keystore 1331 2022-02-13 21:50 10087_CACERT_unstable+^c7202ece89390c490b1b94d5b71225e1+^+]3617777111701302822
-rw------- 1 keystore keystore 1331 2022-02-13 21:50 10087_CACERT_unstable+^c7202ece89390c490b1b94d5b71225e1+^1127810549181744279
-rw------- 1 keystore keystore 1331 2022-02-13 21:50 10087_CACERT_unstable+^c7202ece89390c490b1b94d5b71225e1+^116472976498382090
-rw------- 1 keystore keystore 310 2022-02-13 21:50 10087_USRCERT_unstable+^825349ac930c2370b39f30e7d789963b+^2
-rw------- 1 keystore keystore 824 2022-02-13 21:50 10087_USRCERT_unstable+^c7202ece89390c490b1b94d5b71225e1+^+]3617777111701302822
-rw------- 1 keystore keystore 824 2022-02-13 21:50 10087_USRCERT_unstable+^c7202ece89390c490b1b94d5b71225e1+^1127810549181744279
-rw------- 1 keystore keystore 825 2022-02-13 21:50 10087_USRCERT_unstable+^c7202ece89390c490b1b94d5b71225e1+^116472976498382090
-rw------- 1 keystore keystore 295 2022-02-13 21:50 10087_USRPKEY_unstable+^825349ac930c2370b39f30e7d789963b+^2
-rw------- 1 keystore keystore 284 2022-02-13 21:50 10087_USRPKEY_unstable+^c7202ece89390c490b1b94d5b71225e1+^+]3617777111701302822
-rw------- 1 keystore keystore 284 2022-02-13 21:50 10087_USRPKEY_unstable+^c7202ece89390c490b1b94d5b71225e1+^1127810549181744279
-rw------- 1 keystore keystore 284 2022-02-13 21:50 10087_USRPKEY_unstable+^c7202ece89390c490b1b94d5b71225e1+^116472976498382090
-rw------- 1 keystore keystore 190 2022-02-13 21:50 1010_USRPKEY_MacRandSecret
-rw------- 1 keystore keystore 190 2022-02-13 21:59 10121_USRPKEY_SignalSecret
Does anybody see something that could explain it?
P.S. Tbh I'm looking for the SignalSecret private key :3
After digging a bit more into the code of the new KeyStore introduced in Android 12, I found that there's literally a new way to store keys. Now everything is inside the /data/misc/keystore/persistent.sqlite DB file. Storing stuff in the /data/misc/keystore/user_<user-id>/ directory is a legacy way and everything from there is automatically migrated into the persistent.sqlite DB file.
Try to upload that DB file into a SQLite reader (e.g. https://sqliteonline.com/) and query all entries from the keyentry table:
SELECT * FROM keyentry
There you can spot entries you're already familiar with, like "MacRandSecret", "SignalSecret", "synthetic_password<HEX>", etc. Each entry also has a BLOB that previously was a file.
Check logcat for keystore errors.
Ref: https://android.googlesource.com/platform/system/security/+/refs/heads/android-s-beta-4
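Added example (not part of the original answer and not AOSP code): one way to run the same kind of query locally on an acquired copy of persistent.sqlite, opened read-only, listing every table and summarising BLOB values by length and SHA-256 instead of dumping them. Tables and columns are discovered from the file itself; the column layout in `build_sample` is a constructed stand-in, and the function names are chosen for this example.

```python
import hashlib
import pathlib
import sqlite3
import tempfile


def describe(value):
    """Replace raw BLOB bytes with their length and SHA-256 for the report."""
    if isinstance(value, bytes):
        return {"blob_len": len(value), "sha256": hashlib.sha256(value).hexdigest()}
    return value


def summarize_db(path):
    """Return {table: [row, ...]} for every table in the database at `path`."""
    # mode=ro: SQLite refuses any write to the acquired copy.
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    conn.row_factory = sqlite3.Row
    try:
        names = [r["name"] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
        report = {}
        for name in names:
            # Names come from sqlite_master; quote them as identifiers anyway.
            quoted = '"' + name.replace('"', '""') + '"'
            report[name] = [{col: describe(row[col]) for col in row.keys()}
                            for row in conn.execute(f"SELECT * FROM {quoted}")]
        return report
    finally:
        conn.close()


def build_sample(path):
    """Write a constructed stand-in database; this column layout is hypothetical."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE keyentry (id INTEGER, alias TEXT, blob BLOB)")
    conn.executemany("INSERT INTO keyentry VALUES (?, ?, ?)", [
        (1, "MacRandSecret", b"\x00" * 16),   # constructed placeholder bytes
        (2, "SignalSecret", b"\x01" * 32),    # constructed placeholder bytes
    ])
    conn.commit()
    conn.close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = str(pathlib.Path(tmp) / "persistent.sqlite")
        build_sample(sample)
        for table, rows in summarize_db(sample).items():
            print(table, rows)
```

Point `summarize_db` at a working copy of the database pulled from the device; the recorded SHA-256 values let a BLOB be matched later against a separately extracted file.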