Android Forensic Tools

There are commercial tools, some of which have free versions available for download, and open source tools. Most popular commercial tools are:

Open source license means that software is freely redistributable, access to the source code is provided, allows the end user to modify the source code at will, and doesn’t restrict the software’s end use. Some open source tools:

The last four, LiME, Volatility, The Sleuth Kit and bulk extractor, are forensic tools that are not only used for Android forensics, but also for forensics of other computer systems.

Comparison of some Android forensic tools

  • Oxygen Forensic was installed on the forensic workstation with a registration key provided by the company. It requires the mobile device to be in USB debugging mode while connected to the workstation. Oxygen Forensic extracted all of the contacts, call logs, images, files and system information, but of 64 audio files it extracted only 39. It also didn’t produce the SMS/MMS list; in the final report produced by the tool the SMS/MMS section was noted as ‘Section not found’.
  • The MOBILedit version he worked with was the lite version, downloaded from the Internet. Like Oxygen Forensic, MOBILedit needs USB debugging mode enabled on the phone. Phones can be connected to the computer by cable or over a wireless connection. This tool installs a small application on the phone to pull the data. MOBILedit extracts contacts, system info, call logs and messages, but several contacts and call logs were missed in this test.
  • AFLogical Open Source Edition was the next tool tested. It is the open source version of AFLogical: lightweight software with no graphical front end, used from the command line, unlike the tools tested before. The Android phones were connected to the forensic workstation with USB debugging mode enabled. The SD card has to be removed before extraction because viaForensics warns that its contents may be deleted in the process. AFLogical needs ADB to communicate with the Android devices. AFLogical was accurate in displaying the contacts, call lists and messages in a readable CSV format; however, there is no support for other data.
  • Manual extraction works differently from the software tools for Android forensics described above. He created images of the SD cards in dd file format using FTK Imager, then opened them in a hex editor and searched for various keywords. The idea was to recover the system information from the images, but manual extraction didn’t give the expected outcome: keyword search turned up no image files or documents, while more images were found using manual search. This method was the most time consuming of all for him, but I’m not sure whether that is because of imaging the SD cards or because of searching for keywords.

Analysing the results presented above, it can be concluded that Oxygen Forensic was able to extract most of the actual data, while MOBILedit was the worst. But we must take into account that the Oxygen tool in this test was the full version, while MOBILedit and the viaForensics tool were both lite versions.

Android Forensics With Santoku Live Disk Part 3

Use AFLogical OSE for Logical Forensics of an Android Device

Make sure your device is connected to your machine. If you’re using Santoku in VirtualBox, go to Devices –> USB Devices. Make sure there’s a checkmark next to your device.

If in VMware Player, go to VM –> Removable Devices –> <your_device_name> and click “Connect”.

Enable USB debugging on your device. For Android 3.x and below, go to Settings –> Applications –> Development, then check ‘USB debugging’.
On Android 4.x and above go to Settings –> Developer Options, then check ‘USB debugging’.

In Santoku, open AFLogical OSE: Santoku –> Device Tools –> SDK Manager.

Extract Data from your Device:

Push the AFLogical-OSE_1.5.2.apk to your device.

$ ls -l
total 72
-rw-r--r-- 1 santoku-user santoku-user 28794 Dec 19  2011 AFLogical-OSE_1.5.2.apk
-rw-r--r-- 1 santoku-user santoku-user 35819 Dec 19  2011 GPL
-rw-r--r-- 1 santoku-user santoku-user  1236 Dec 19  2011 README.txt

$ sudo adb devices
[sudo] password for santoku-user:
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached
aDf1357867	device

$ adb install AFLogical-OSE_1.5.2.apk
296 KB/s (28794 bytes in 0.094s)
	pkg: /data/local/tmp/AFLogical-OSE_1.5.2.apk
Success


On your Android device, open the AFLogical OSE application, choose what data you want to extract, and follow the prompts to extract the data.
Note: You must have an SD card installed on your device (or a built in SD card) to extract the data.

Next, pull the data from your SD card to your Santoku machine.

$ mkdir ~/Desktop/AFLogical_Phone_Data

$ adb pull /sdcard/forensics/ ~/Desktop/AFLogical_Phone_Data
pull: building file list...
pull: /sdcard/forensics/20120720.1833/Contacts Phones.csv -> /home/santoku-user/Desktop/AFLogical_Phone_Data/20120720.1833/Contacts Phones.csv
...< snip >...
40 files pulled. 0 files skipped.
410 KB/s (3880025 bytes in 9.229s)

Your extracted data is in your ~/Desktop/AFLogical_Phone_Data directory.
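The install-and-pull procedure above wrapped in a script, as an added example that is not part of the Santoku or AFLogical documentation: it refuses to pull unless exactly one device is in the authorized ‘device’ state (an ‘unauthorized’ or ‘offline’ entry means USB debugging is off or the RSA prompt on the handset was not accepted) and then writes a SHA-256 manifest of everything pulled so the extraction can be verified later. It assumes adb is on PATH and that AFLogical OSE wrote its output under /sdcard/forensics/ as shown above.

```python
"""Pull AFLogical OSE output with a device-state check and an evidence manifest (added example)."""
import hashlib
import os
import subprocess
import sys

def parse_adb_devices(output):
    """Parse `adb devices` text into {serial: state}, skipping daemon chatter and the header."""
    devices = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("*") or line.startswith("List of devices"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices

def ready_serial(devices):
    """Return the one serial in 'device' state, or None if there is none or more than one
    (so the pull never silently targets the wrong handset)."""
    ready = [s for s, state in devices.items() if state == "device"]
    return ready[0] if len(ready) == 1 else None

def sha256_manifest(root):
    """Relative path -> SHA-256 of every pulled file, for later verification of the evidence."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(path, root)] = h.hexdigest()
    return manifest

def pull_aflogical(dest, remote="/sdcard/forensics/"):
    """Check the device state, pull the AFLogical output, then write a sha256sum-style manifest."""
    out = subprocess.run(["adb", "devices"], capture_output=True, text=True, check=True).stdout
    serial = ready_serial(parse_adb_devices(out))
    if serial is None:
        sys.exit("need exactly one authorized device in 'device' state, got:\n" + out)
    os.makedirs(dest, exist_ok=True)
    subprocess.run(["adb", "-s", serial, "pull", remote, dest], check=True)
    manifest = sha256_manifest(dest)  # computed before the manifest file itself is written
    with open(os.path.join(dest, "manifest.sha256"), "w") as f:
        for rel, digest in sorted(manifest.items()):
            f.write("%s  %s\n" % (digest, rel))  # format accepted by `sha256sum -c`
    return manifest

if __name__ == "__main__":
    pull_aflogical(sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Desktop/AFLogical_Phone_Data"))
```

Later, `sha256sum -c manifest.sha256` run inside the output directory confirms the pulled CSV files are unchanged.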

Android Forensics Part 2

WARNING: The application is a work in progress, so please log any bugs here. Also, feel free to mail any suggestions or requests; my email is given in the sidebar.

Android Forensic Toolkit allows you to extract SMS records, call history, photos, browsing history and passwords from an Android phone. It currently uses adb to pull the databases and photos from the phone; the rest of the processing is done in Python.

Announcements

Nothing for now, but keep checking this space.

Forensic Artefacts

Artefact                 | Status      | Remarks
-------------------------+-------------+------------------------------------------------------------
Accounts                 | Implemented | Passwords are available as plaintext only up to Android version 2.3; current versions have hashed passwords
Browsing History         | Implemented | History only from the default browser; support for other browsers will be added in later versions
Browser bookmarks        | Implemented | Same as above
Search history           | Implemented | Search history for searches done through Google. Details of support for other search engines will follow later.
Browser Saved Passwords  | In Progress | Only supports the default browser for now
Call Logs                | In Progress | Code will be updated by end of the day
SMS History              | In Progress | Code will be updated by end of the day
Contacts                 | In Progress | Code will be updated by end of the day, hopefully. This is a hard database to decipher.
Social Networks          | Planned     | Planned support for the default apps from Facebook, Twitter, Google+ and Foursquare
Email                    | Planned     | Initial support only for the default email client
Google Wallet            | Planned     | Not sure when I will be able to support this as I don’t have either the Nexus S or the Galaxy Nexus. If anyone can help out with this, please contact me.

The table will be updated with further details as and when I add a new functionality.

The databases extracted from the device will be present in the databases folder and can be viewed using SQLite Database Browser or SQLiteSpy (I personally prefer SQLiteSpy, as SQLite Database Browser hasn’t been updated in a long time).

A detailed explanation on what each database contains will soon be available in the wiki.

Supported Devices

I don’t own an Android device, so if anyone tests it please mail me the details (device, OS version, rooted or not, and whether you are running a custom or stock ROM, along with the ROM details).

Device          | OS Version | Rooted | ROM Details
----------------+------------+--------+------------
Virtual Machine | 2.3.3      | N/A    | N/A

Bugs & Oddities

  • Python 2.7.2 comes with sqlite3 version 2.6.0 while Android 2.3.7 uses sqlite3 version 3.7.2, which causes it to return a “DatabaseError: file is encrypted or is not a database” error. I will be updating the PySqlite module and verifying whether it works as soon as I set up the new development environment.
  • Start the adb server separately (use adb start-server) before you use the script. I added code to check and start it automatically before the rest of the code is executed, but it doesn’t seem to work.
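An added example, not part of the Android Forensic Toolkit, for triaging the pulled databases mentioned above before opening them in a viewer. It checks the SQLite file header first, which separates a truncated pull, a journal fragment or a non-SQLite file (all of which produce the “file is encrypted or is not a database” error) from a genuine library-version mismatch; opens the file read-only and immutable so SQLite never writes a journal beside the evidence; lists tables with row counts; and converts the millisecond timestamps the stock browser stores. The column names date/url/title/visits in the bookmarks table are assumed to match the stock browser’s browser.db.

```python
"""Inspect an adb-pulled Android SQLite database without altering it (added example)."""
import sqlite3
from datetime import datetime, timezone
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def check_header(path):
    """Return (ok, reason). A wrong magic string is what the sqlite3 module reports as
    'file is encrypted or is not a database'; a real library mismatch passes this check."""
    with open(path, "rb") as f:
        head = f.read(100)
    if len(head) < 100 or head[:16] != SQLITE_MAGIC:
        return False, "not a SQLite 3 file (bad or short header)"
    page_size = int.from_bytes(head[16:18], "big")  # header field at offset 16
    if page_size == 1:
        page_size = 65536  # encoded value 1 means 64 KiB pages
    if page_size & (page_size - 1) or not 512 <= page_size <= 65536:
        return False, "corrupt header: page size %d" % page_size
    return True, "SQLite 3 file, page size %d, library %s" % (page_size, sqlite3.sqlite_version)

def open_readonly(path):
    """Open via URI in read-only, immutable mode so SQLite creates no -journal/-wal file
    next to the evidence and cannot write to the extraction."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro&immutable=1", uri=True)

def list_tables(path):
    """Table name -> row count: the first triage step for an unfamiliar app database."""
    con = open_readonly(path)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        return {n: con.execute('SELECT COUNT(*) FROM "%s"' % n.replace('"', '""')).fetchone()[0]
                for n in names}
    finally:
        con.close()

def android_ms_to_iso(ms):
    """Android apps usually store timestamps as milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def browser_history(path, table="bookmarks"):
    """History rows from the stock browser db as (time, url, title, visits), oldest first.
    Column names date/url/title/visits are an assumption about the stock browser.db."""
    con = open_readonly(path)
    try:
        rows = con.execute('SELECT date, url, title, visits FROM "%s" '
                           'WHERE date IS NOT NULL ORDER BY date' % table.replace('"', '""'))
        return [(android_ms_to_iso(d), u, t, v) for d, u, t, v in rows]
    finally:
        con.close()
```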

Acknowledgements

The ADB implementation is from Ryan Brady’s python-adb code.

Source Link : https://code.google.com/p/aft/

Android Forensics Toolkit

Description

Welcome to OSAF! The OSAF-Toolkit was developed as a senior design project by a group of IT students from the University of Cincinnati who wanted to pioneer and pave the way for standardization of Android malware analysis. The OSAF-Toolkit is built from Ubuntu 11.10 and pre-compiled with all of the tools needed to rip apart applications for code review and malware analysis. Our primary goal with the toolkit is to make application analysis as easy as possible. We also wanted to create a community where security professionals, analysts, developers and newcomers can learn, discuss and share methodologies with one another.

Features

  • Hello everyone, sorry for the hiatus. Our team has been busy acquiring new jobs and starting our careers post graduation. However, we will be maintaining the project and updating the toolkit as much as we possibly can. We plan on creating an x64 version of the toolkit, and we may drop the x86 version and focus our time on a high performing toolkit. Keep a lookout for updates on our site. BTW, you guys are awesome! We are almost at 1000 downloads so far. Thanks for your support!
  • UPDATE!!! OSAF-TK RC2 is now available for download. Click the download button up top.
  • IMPORTANT NEWS!!! As of 03/31/12, OSAF-TK RC2 is complete. We will upload as soon as we have access to faster internet. Thanks for everyone’s support. Check back soon to download the latest version!!
  • Thanks to viaForensics for allowing us to distribute their free Android forensics tools in OSAF-TK RC2. You guys rock!
  • OSAF-TK RC2 will be available in the next week or so!!! Keep a look out for the latest release!!
  • Updated the Android SDK to the latest version, updated dex2jar to the latest version, working on getting androguard to play nice with the SDK to view dynamic processes. If anyone has any requests or tools to add to the toolkit, feel free to comment under user reviews.
  • Making changes to OSAF-TK: adding native aliases to the .bashrc file under the root account. This allows users to quickly open programs without cd’ing into directories.
  • READ Carefully: I am not promoting the tool that I am about to describe; however, it can be useful to people who want to analyze applications without using an actual device, but rather through an Android Virtual Device. Go to this link (http://codekiem.com/2012/02/24/apk-downloader/) and find out what this tool does…


Download Link

Android Forensics Information Part 1

Android

Android is the world’s most popular mobile platform.
Android gives you a world-class platform for creating apps and games for Android users everywhere, as well as an open marketplace for distributing to them instantly.

Read more: Android web link: –

Main Features of Android
· Open source operating system
· Easily find Android application software in the “Android Market”
· Easy installation and removal of application software
· Android forensics supported (open source tools and commercial tools available)
· Android compared with BlackBerry, Windows Mobile OS and iPhone
· Best Internet sharing system
· Best Google Maps and navigation system
· SD card, screen, application and face unlock security available
· Google developers behind the Android system
· Multi-touch support

Storage location information on Android phones

We investigated several well-known apps from the Android market with respect to the amount of location data stored. Some of these apps, their corresponding databases as well as the location data retrieved can be found in the following table.

App         | Storage Location               | Content
------------+--------------------------------+-------------------------------------------------------------
system      | cache.cell                     | last 50 mobile telecommunication cells
system      | cache.wifi                     | last 200 wifi routers
camera      | JPG pictures                   | latitude and longitude of picture location
browser     | CachedGeopositions.db          | latitude, longitude, accuracy and timestamp
twitter     | author_id.db -> statuses       | latitude and longitude of status message
twitter     | author_id.db -> search_queries | latitude, longitude and radius of location search queries
facebook    | fb.db -> user_statuses         | latitude and longitude of status message
facebook    | fb.db -> user_values           | latitude, longitude and timestamp of last checkin
google maps | da_destination_history         | latitude and longitude of navigation start and destination

Android Application Testing with BlueStacks on a Windows System

BlueStacks App Player lets you run your favorite mobile apps fast and fullscreen in your browser and on PC or Mac.


Download & Use