Lock screens are the most challenging aspect of Android forensic examinations. Frequently, the entire investigation depends on the examiner's ability to gain access to a locked device. While there are methods to bypass them, this can be highly dependent on the OS version, device settings, and technical capabilities of the examiner. There is no magical solution that will work every time on every device. Commercial forensics tools such as Cellebrite and XRY have fairly robust bypass capabilities, but are far from infallible. This chapter will show how an examiner can increase their odds of bypassing locked devices with free tools and methods.
An examiner should never attempt to guess a Pattern/PIN/Password on the device. Many manufacturers implement a setting that will wipe the device after a number of failed attempts. Many also allow the user to lower that number.