For anyone interested in Android Encryption like me and interested in teaching me a lesson :D:

I am playing around with Android full disk encryption (FDE) on various operating systems and I have found that Android 4, with its introduction of Scrypt, is fairly underwritten and I cannot find a clear solution for how the keys are stored. I have pasted [here](https://pastebin.com/qbszUSa3) a 16KB footer from the userdata partition of my encrypted Samsung S4 mini running Android 4.4.4 starting with the magic 0xC5B1B5D0.

I have tried relentlessly to decipher the format of the footer so that I may pull out the keys, but the hash/padding/salt structure doesn't appear to be there and even as a scrypt footer, which, as I understand it, is the key derivation function introduced in Android 4.0, I cannot see what I need. I have tried the Santoku-Linux brute-force Python script (https://github.com/santoku/Santoku-Linux/blob/master/tools/android/android_bruteforce_stdcrypto/bruteforce_stdcrypto.py) to try and recognise the keys but it only pulls back zeros.

I hope someone on this forum may recognise the footer's format and has some insight or experience of this type of encryption.

bang
  • Stack Overflow is for programming questions, whereas this question is about the file format of an existing program. You may be able to get help on [Super User](https://superuser.com/about). – President James K. Polk Mar 17 '18 at 13:04
  • Thanks James, I have moved the question over to Super User – bang Mar 18 '18 at 20:46

0 Answers