LockUp app
LockUp is an Android application that will monitor the device for signs for attempts to image it using known forensic tools like the Cellebrite UFED. Here is a blog I wrote.
- Proof-of-Concept. Not meant as an in-depth defense
- Android API 28, Does not require root
- Relies on RECEIVE_BOOT_COMPLETED to start a Service and AccessibilityService
- Monitors USB events through ACTION_USB_DEVICE, package installations, and known exploit staging locations on the filesystem
- Detects Logical Extractions, File System Extractions, and Physical Extractions leveraging ADB
- Will automatically respond with a factory reset with DeviceAdminReceiver
- Beginning steps to researching more robust anti-forensic techniques
Signature Detection:
- Exploit staging directories and known filenames
- Known file hashes
- Application names and certificate metadata