How to master Android Forensics?

How to perform a logical acquisition with AFLogical on Santoku Linux?

AFLogical is another method, besides adb, for extracting data from Android devices. It uses content providers and saves the extracted data to the device’s SD card. The data includes contacts, call logs, SMS, Multimedia Messaging Service (MMS) messages, MMS parts, and device info.

  1. Open a terminal window inside Santoku and type the command “aflogical-ose” (OSE stands for Open Source Edition).
  2. Next, type the root password. Once it is accepted, pressing Enter on your computer’s keyboard will pull /sdcard/forensics into ~/aflogical-data/:
    Pull /sdcard/forensics into ~/aflogical-data/
  3. On the device, select the data to extract, press “Capture”, and press “OK” when the extraction is reported complete.
  4. In order to continue, press Enter using your computer’s keyboard.
  5. The data pulled from the SD card is now in ~/aflogical-data; everything recovered from the emulator is saved to that location.
  6. To confirm this, open a terminal window and type “cd ~/aflogical-data/” to change into that directory, then “ls” to view the created folder.
    cd ~/aflogical-data/
    ls
    The output (the folder is named after the capture date and time):
    20160213.0649
  7. You can now browse the extracted images and other files. The contacts, call logs, MMS/SMS, and device info are saved as files with a .csv extension.
  8. The SMS table, for example, can be opened to view all SMS messages.
  9. Note that SQLite databases are the most common means of storing such valuable data. The following entries list the file names and paths that hold evidence.
    a. /data/data/com.android.providers.contacts/databases/contacts2.db is where the phone book mainly resides

    1. Such a database can be extracted with the “adb pull” command, for example:
      adb pull /data/data/com.android.providers.contacts/databases/contacts2.db /home/infosec/ContactDB/contacts.db
    2. In general, SQLite databases can be browsed with the Sqliteman utility: run “sqliteman” followed by the path where the database resides and the name of the database file.
      sqliteman /home/infosec/ContactDB/contacts.db
    3. There are 20 tables inside this database, such as _sync_state and calls.
    4. Call history, or any other valuable data, can be obtained by querying a specific table in the database, for instance with the command “select * from calls;”.

b. /data/data/com.android.providers.telephony/databases/mmssms.db is where the SMS and MMS messages exist

c. /data/com.android.providers.calendar/databases/calendar.db is where the Calendar lies.

d. /data/com.sec.android.provider.logsprovider/databases/logs.db is where the Log exists.

e. /data/system/users/accounts.db is the location of the user’s data

f. Web browser data is located in /data/data/com.android.browser/databases/browser2.db

g. /data/user/com.android.providers.userdictionary/databases/user_dict.db is where the Dictionary resides.
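The SQLite browsing of step 9 and the .csv output of step 7 can be reproduced in a script. The following is an added example, not code from the article or from AFLogical or Sqliteman: it builds a small constructed stand-in for contacts2.db (only the _sync_state and calls tables, with assumed column names), opens it read-only, lists its tables as sqliteman’s schema tree would, runs the page’s “select * from calls” query, and exports the table to CSV, hashing the file before and after to show that browsing did not modify the evidence.

```python
import csv
import hashlib
import os
import sqlite3
import tempfile


def build_sample_contacts_db(path):
    """Create a constructed stand-in for contacts2.db.

    Only two of the article's tables (_sync_state and calls) are modelled,
    and the column names are assumptions chosen for illustration; a real
    contacts2.db has many more tables and columns.
    """
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE _sync_state (_id INTEGER PRIMARY KEY, account_name TEXT);
        CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT,
                            date INTEGER, duration INTEGER, type INTEGER);
        INSERT INTO _sync_state VALUES (1, 'user@example.com');
        INSERT INTO calls VALUES (1, '+15550100', 1455342540000, 42, 1);
        INSERT INTO calls VALUES (2, '+15550199', 1455346140000, 0, 3);
    """)
    con.commit()
    con.close()


def sha256_of(path):
    """Hash the evidence file so any change during analysis is detectable."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def open_readonly(path):
    # The mode=ro URI refuses writes, so browsing cannot alter the evidence.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_tables(path):
    """Names of all tables, i.e. what sqliteman shows in its schema tree."""
    con = open_readonly(path)
    try:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
        return [r[0] for r in rows]
    finally:
        con.close()


def query_table(path, table):
    """Equivalent of typing "select * from calls;" into sqliteman."""
    if table not in list_tables(path):
        # Only names that exist in the schema reach the SQL string; never
        # interpolate untrusted input into a query.
        raise ValueError(f"no such table: {table}")
    con = open_readonly(path)
    con.row_factory = sqlite3.Row
    try:
        rows = con.execute(f'SELECT * FROM "{table}"').fetchall()
        return [dict(r) for r in rows]
    finally:
        con.close()


def export_table_csv(path, table, csv_path):
    """Write one table to CSV, the same form AFLogical uses for its output."""
    rows = query_table(path, table)
    with open(csv_path, "w", newline="") as f:
        if rows:
            writer = csv.DictWriter(f, fieldnames=list(rows[0].keys()))
            writer.writeheader()
            writer.writerows(rows)
    return len(rows)


def demo():
    """Build the sample database, browse it read-only and export calls.csv."""
    workdir = tempfile.mkdtemp()
    db = os.path.join(workdir, "contacts.db")
    build_sample_contacts_db(db)
    before = sha256_of(db)
    tables = list_tables(db)
    calls = query_table(db, "calls")
    exported = export_table_csv(db, "calls", os.path.join(workdir, "calls.csv"))
    return {
        "tables": tables,
        "calls": calls,
        "csv_rows": exported,
        "hash_unchanged": sha256_of(db) == before,
    }


if __name__ == "__main__":
    result = demo()
    print("tables:", result["tables"])
    for row in result["calls"]:
        print(row)
    print("evidence hash unchanged:", result["hash_unchanged"])
```

Point query_table and export_table_csv at a database pulled with “adb pull” (such as /home/infosec/ContactDB/contacts.db from the steps above) to browse it the same way; the read-only connection and the before/after hash are the two habits worth keeping when the file is real evidence.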

How to make sure that devices are connected?

  1. Open the terminal window and use the command “adb devices”.
  2. This lists all connected devices; a running emulator counts as an attached device.
  3. If a real device that you attached to the workstation does not appear, make sure USB debugging is enabled on the phone; adb will not list it until it is.
adb devices
Then the output would be:
List of devices attached
emulator-5554	device

How to get a shell using adb?

  1. Getting a shell is also straightforward: open the terminal and type “adb shell”. The shell opens thereafter.
  2. If both an emulator and a real device are connected, open a shell on the emulator with “adb -e shell” instead.
  3. Likewise, when both are connected, open a shell on the real device with “adb -d shell”.
  4. If several emulators and/or real devices are connected, open a shell on a specific target with “adb -s” followed by the device’s serial number as printed by “adb devices”.
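As an added example (not the article’s own commands), the following Python parses the output of “adb devices” from the previous section and builds the matching “adb -e shell”, “adb -d shell” or “adb -s <serial> shell” command line. The sample output is constructed; the unauthorized and offline entries are assumed extra devices, included to show the states in which a phone is listed but cannot yet take a shell.

```python
import re

# Constructed sample of "adb devices" output. The two daemon lines are the
# ones the troubleshooting section shows after "adb kill-server"; the
# unauthorized and offline entries are assumed extra devices.
SAMPLE_ADB_DEVICES = """List of devices attached
* daemon not running. Starting it now on port 5037 *
* daemon started successfully *
emulator-5554\tdevice
0123456789ABCDEF\tunauthorized
ZX1G22ABCD\toffline
"""


class TargetNotReady(RuntimeError):
    """Raised when the requested target cannot accept an adb shell."""


def parse_adb_devices(text):
    """Return (serial, state) pairs from the output of "adb devices"."""
    devices = []
    for line in text.splitlines():
        line = line.strip()
        # Skip the header, blank lines and the daemon start-up messages.
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            devices.append((parts[0], parts[1]))
    return devices


def is_emulator(serial):
    # Emulators are listed as emulator-<console port>, e.g. emulator-5554.
    return re.fullmatch(r"emulator-\d+", serial) is not None


def adb_shell_argv(devices, want):
    """Build the adb command line for a shell on the chosen target.

    want is "emulator" (adb -e), "device" (adb -d, the USB-attached phone)
    or a serial number (adb -s <serial>), mirroring the article's steps.
    """
    ready = [serial for serial, state in devices if state == "device"]
    if want in ("emulator", "device"):
        match = [s for s in ready if is_emulator(s) == (want == "emulator")]
        if len(match) == 1:
            return ["adb", "-e" if want == "emulator" else "-d", "shell"]
        if not match:
            raise TargetNotReady(f"no ready {want} in adb devices output")
        # More than one candidate: -e/-d are ambiguous, so -s is required.
        raise TargetNotReady(f"several {want}s attached, pick one with -s: {match}")
    state = dict(devices).get(want)
    if state == "device":
        return ["adb", "-s", want, "shell"]
    if state == "unauthorized":
        raise TargetNotReady(
            f"{want} is unauthorized: accept the USB debugging prompt on the phone")
    if state == "offline":
        raise TargetNotReady(f"{want} is offline: try adb kill-server and reconnect")
    raise TargetNotReady(f"{want} not listed: check the cable and USB debugging")


if __name__ == "__main__":
    found = parse_adb_devices(SAMPLE_ADB_DEVICES)
    for serial, state in found:
        print(f"{serial:20} {state}")
    print(adb_shell_argv(found, "emulator"))
    print(adb_shell_argv(found, "emulator-5554"))
```

Feeding the function real output (for example the stdout of subprocess.run(["adb", "devices"], capture_output=True, text=True)) gives the same selection logic against live devices; the error messages carry the fix for each non-ready state so an examiner does not have to guess why a phone is listed but unusable.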

How to list the packages?

  1. Open the terminal and start a shell as shown above using “adb shell”.
  2. Use “pm”, the package manager, which can list all installed packages. The command is “pm list packages”.
adb shell pm list packages

How to push files onto the device?

  1. Open the terminal and type a command of the form “adb push” followed by the name of the file on the local machine and then its destination path on the device.
  2. To illustrate, create a text file with some sample content in the current working directory:
    echo "sample file" > test.txt
    cat test.txt
    Then the output is:
    sample file
  3. Move the file to the emulator with the push command “adb push test.txt /data/local/tmp”, a directory that is writable on Android.
    adb push test.txt /data/local/tmp

How to pull files from the device?

  1. Open the terminal and use the command “adb pull” followed by the path of the file on the device.
  2. Delete the newly created test.txt from the current working directory:
    rm test.txt
    cat test.txt
    The output is as follows:
    cat: test.txt: No such file or directory
  3. Finally, pull the file from the “/data/local/tmp” directory with “adb pull /data/local/tmp/test.txt”. The file is pulled back into the current working directory.
adb pull /data/local/tmp/test.txt
cat test.txt
The output is:
sample file
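The push and pull walkthrough above, as an added example not taken from the article: a script that pushes test.txt to /data/local/tmp, deletes the local copy, pulls it back and compares SHA-256 hashes of the two copies. SimulatedDevice is a constructed stand-in for subprocess.run so the example runs without a phone; passing run=subprocess.run sends the same adb commands to a real target.

```python
import hashlib
import os
import subprocess
import tempfile


class SimulatedDevice:
    """Stand-in for subprocess.run that models /data/local/tmp on a device.

    Constructed for this example so it runs without a phone attached; pass
    run=subprocess.run to the functions below to talk to a real device.
    """

    def __init__(self):
        self.files = {}      # remote path -> file contents
        self.calls = []      # every adb argv seen, for inspection

    def __call__(self, argv, check=True, capture_output=True):
        self.calls.append(list(argv))
        rest = list(argv[1:])                  # drop the "adb" executable
        if rest[:1] == ["-s"]:
            rest = rest[2:]                    # drop "-s <serial>"
        verb, *args = rest
        if verb == "push":
            local, remote = args
            with open(local, "rb") as f:
                self.files[remote] = f.read()
        elif verb == "pull":
            remote, local = args
            if remote not in self.files:
                # Real adb also exits non-zero with a "remote object does
                # not exist" error for a missing path.
                raise subprocess.CalledProcessError(
                    1, argv, stderr="remote object does not exist")
            with open(local, "wb") as f:
                f.write(self.files[remote])
        else:
            raise ValueError(f"simulated device does not handle: {verb}")
        return subprocess.CompletedProcess(argv, 0)


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def adb_argv(serial, *args):
    # Always pin the target with -s so the transfer cannot land on the
    # wrong device when several are attached.
    return ["adb", "-s", serial, *args]


def push_file(serial, local, remote, run=subprocess.run):
    run(adb_argv(serial, "push", local, remote), check=True, capture_output=True)


def pull_file(serial, remote, local, run=subprocess.run):
    """Pull remote to local and return the SHA-256 of what arrived."""
    run(adb_argv(serial, "pull", remote, local), check=True, capture_output=True)
    return sha256_of(local)


def round_trip_demo(run=None):
    """Repeat the article's walkthrough: create test.txt, push it, delete the
    local copy, pull it back and confirm the hash matches the original."""
    if run is None:
        run = SimulatedDevice()
    serial = "emulator-5554"
    workdir = tempfile.mkdtemp()
    local = os.path.join(workdir, "test.txt")
    with open(local, "w") as f:
        f.write("sample file\n")
    before = sha256_of(local)
    push_file(serial, local, "/data/local/tmp/test.txt", run)
    os.remove(local)
    after = pull_file(serial, "/data/local/tmp/test.txt", local, run)
    with open(local) as f:
        content = f.read()
    return {"match": before == after, "content": content, "sha256": after}


if __name__ == "__main__":
    result = round_trip_demo()
    print("pulled content:", result["content"].strip())
    print("hash matches original:", result["match"])
```

The injectable runner is what makes the transfer logic testable without hardware; the hash comparison is the part to keep in real work, since a pulled artifact whose digest does not match the device-side copy should not be treated as evidence.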

How to troubleshoot an adb connection?

  1. Problems can arise at any time while working with adb, so knowing how to deal with them is a must.
  2. One example is a running emulator that adb does not recognize or discover.
  3. Run “adb kill-server” so that adb restarts and recognizes the devices again.
  4. Finally, list the devices again using “adb devices”.
adb kill-server
adb devices
The output:
List of devices attached
* daemon not running. Starting it now on port 5037 *
* daemon started successfully *
emulator-5554	device



This post was written by hsamanoudy