Sunday, August 16, 2015

How to forensically examine an Android device with AFLogical OSE on Santoku Linux

What you will need:

  • Santoku – Alpha 0.1 (or later)
  • AFLogical OSE (already installed in Santoku)
  • An Android device (with adb enabled)

AFLogical OSE Background

AFLogical OSE was released in December 2011 and is now hosted on GitHub. The app provides a basic framework for extracting data from Android devices through Content Providers and saves the results to the device's SD Card. The data it collects includes:
  • Contacts
  • Call Logs
  • SMS
  • MMS
  • MMS Parts
  • Device info
AFLogical OSE has been successfully tested on Android 1.5 through 4.1 (Jelly Bean) and across many non-standard Android devices.

Installing and running AFLogical OSE

First, let’s get a terminal prompt in the correct directory by navigating to Santoku –> Device Forensics –> AFLogical OSE.
To install AFLogical OSE, connect your Android device over USB and if you are running Santoku CE in a VM, make sure you pass the USB connection through. You can run the following command to verify Santoku can communicate with your Android device:
adb devices

which should return your device serial number.
santoku@santoku-vm:/opt/santoku/af-logical$ adb devices
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached
01653EF81C00510F	device

If you do not see something similar to this, you need to resolve this issue first.
Next, you need to push AFLogical OSE to your Android device:

For Santoku 0.4 and later

Install the application to your device:
aflogical-ose
You should receive a success message as follows:
634 KB/s (28794 bytes in 0.044s)
	pkg: /data/local/tmp/AFLogical-OSE_1.5.2.apk
Success

Starting: Intent { cmp=com.viaforensics.android.aflogical_ose/com.viaforensics.android.ForensicsActivity }

Press enter to pull /sdcard/forensics into ~/aflogical-data/
Again, if you receive an error, you need to resolve the issue.
Next, on your target device, select the data you want to extract and click “Capture”:
[Screenshot: AFLogical at work extracting data]
In your AFLogical-ose terminal window in Santoku, press enter to pull the data from your SDCard to the location “~/aflogical-data”. Santoku will automatically pull all the data recovered from your device to that location.
To view the data, open a terminal window and type:
$ cd ~/aflogical-data/
$ ls
20131028.1039
The data is stored under a folder labeled with the date and time of the acquisition. In this example, it was 2013-10-28 at 10:39 local time.
You can then open the “~/aflogical-data” directory in Nautilus and browse any images as well as the extracted data (such as contacts, call logs, mms/sms, and device info) in CSV format:
[Screenshot: the ~/aflogical-data directory opened in Nautilus]

For Santoku 0.1 to 0.3:

First, install the application to the device:
adb install AFLogical-OSE_1.5.2.apk
You should receive a success message as follows:
santoku@santoku-vm:/opt/santoku/af-logical$ adb install AFLogical-OSE_1.5.2.apk
574 KB/s (28794 bytes in 0.048s)
	pkg: /data/local/tmp/AFLogical-OSE_1.5.2.apk
Success
Again, if you receive an error, you need to resolve the issue.

Run AFLogical on your Android device:

To run AFLogical OSE, navigate to it through Applications –> AFLogical OSE:
[Screenshot: AFLogical in an Android device's app menu]
Then select the data you want to extract and click “Capture”:
[Screenshot: AFLogical at work extracting data]
AFLogical OSE will then save the extracted data on the SD Card of the device. You can now uninstall AFLogical OSE with the following command:
adb uninstall com.viaforensics.android.aflogical_ose

which will close the app (if still running) and remove it from the device:
santoku@santoku-vm:/opt/santoku/af-logical$ adb uninstall com.viaforensics.android.aflogical_ose
Success

Pull and examine the extracted data:

AFLogical OSE creates a folder on the SD Card called forensics and then a subfolder with the date and time of the extraction. The easiest way to copy the data to Santoku is with the recursive “adb pull” command:
adb pull /mnt/sdcard/forensics

which will extract all data under that directory (so, if you reuse a removable SD Card, you might have multiple subfolders with data). Here’s some example output (truncated for space):
santoku@santoku-vm:/tmp$ adb pull /mnt/sdcard/forensics
pull: building file list...
pull: /mnt/sdcard/forensics/20120912.0741/Contacts Phones.csv -> ./20120912.0741/Contacts Phones.csv
pull: /mnt/sdcard/forensics/20120912.0741/SMS.csv -> ./20120912.0741/SMS.csv
pull: /mnt/sdcard/forensics/20120912.0741/MMSParts.csv -> ./20120912.0741/MMSParts.csv
pull: /mnt/sdcard/forensics/20120912.0741/MMS.csv -> ./20120912.0741/MMS.csv
pull: /mnt/sdcard/forensics/20120912.0741/CallLog Calls.csv -> ./20120912.0741/CallLog Calls.csv
pull: /mnt/sdcard/forensics/20120912.0741/info.xml -> ./20120912.0741/info.xml
pull: /mnt/sdcard/forensics/20120912.0741/Photo0284.jpg -> ./20120912.0741/Photo0284.jpg

11 files pulled. 0 files skipped.
499 KB/s (893180 bytes in 1.746s)

You can then open the directory in Nautilus and browse any images as well as the extracted data (such as contacts, call logs, mms/sms, and device info) in CSV format:
[Screenshot: AFLogical results browsed in Nautilus]
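Whichever Santoku version pulled the acquisition (into ~/aflogical-data on 0.4 and later, or with adb pull on 0.1 to 0.3), the examiner is left with a date-stamped folder of CSV and XML files. The script below is an added example, not code from the original post or from the AFLogical project: it parses the YYYYMMDD.HHMM folder name, SHA-256 hashes every pulled file, counts CSV records and reports which of the artifacts listed in the adb pull output above are absent. It assumes only that folder layout and those file names; the sample acquisition it builds is constructed test data with made-up column names.

```python
import csv, hashlib, os, re, tempfile
from datetime import datetime

# Artifact names exactly as they appear in the post's "adb pull" listing.
EXPECTED = ["Contacts Phones.csv", "CallLog Calls.csv", "SMS.csv",
            "MMS.csv", "MMSParts.csv", "info.xml"]
FOLDER_RE = re.compile(r"^(\d{8})\.(\d{4})$")   # e.g. 20131028.1039

def acquisition_time(folder_name):
    """Parse AFLogical's YYYYMMDD.HHMM folder name into a datetime; None if malformed."""
    m = FOLDER_RE.match(folder_name)
    try:
        return datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M") if m else None
    except ValueError:            # e.g. month 13: looks like a stamp but is not one
        return None

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def csv_record_count(path):
    """Data rows in a CSV export, not counting the header line."""
    with open(path, newline="", encoding="utf-8", errors="replace") as f:
        return max(sum(1 for _ in csv.reader(f)) - 1, 0)

def inventory(acq_dir):
    """Hash every pulled file, count CSV records and list expected artifacts that are absent."""
    name = os.path.basename(os.path.normpath(acq_dir))
    files = {}
    for entry in sorted(os.listdir(acq_dir)):
        path = os.path.join(acq_dir, entry)
        if os.path.isfile(path):
            files[entry] = {"sha256": sha256_file(path), "bytes": os.path.getsize(path),
                            "records": csv_record_count(path) if entry.endswith(".csv") else None}
    return {"acquired": acquisition_time(name), "files": files,
            "missing": [e for e in EXPECTED if e not in files]}

def make_sample_acquisition():
    """Constructed sample (not real device data): a minimal 20131028.1039 folder."""
    acq = os.path.join(tempfile.mkdtemp(), "20131028.1039")
    os.mkdir(acq)
    with open(os.path.join(acq, "SMS.csv"), "w", newline="") as f:   # made-up columns
        f.write('id,address,body\n1,+15550100,"hello, world"\n2,+15550101,ok\n')
    with open(os.path.join(acq, "info.xml"), "w") as f:
        f.write("<info><device>constructed</device></info>\n")
    return acq
```

Recording the hashes from inventory() immediately after the pull gives a reference to re-verify the copy against later in the examination.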
