Saturday, April 27, 2019

Magnet Forensics App Simulator and Avengers


Introduction
I'm back! Sorry it's been a while. No, I did not turn to dust, nor did I get stuck in the quantum realm. And I also didn't violate the Sokovia Accords. Instead, I am now a dad! My wife and I have a little daughter now which means my spare time is gone and replaced instead with the joys of parenthood.

Being a dad, I will always try to guide her in a good direction. Maybe I will be like Howard Stark and encourage her to pursue the newest technology at every step. Maybe I will be like Odin and raise her into royalty. She already is a princess. Just as long as I don't become a celestial, or an evil living planet.

And also ... there's this movie that just hit the theaters.


Avengers: Endgame. The result of 11 years of building up this cinematic universe, which has become an unprecedented cultural phenomenon. Already rewriting the box office record books. Have I seen it? Of course not! I'm a dad. I don't have time for movies anymore! So don't spoil it for me because I will see it sometime in the near future.

So the point of this post. Magnet Forensics just released a new tool called the App Simulator. This post will walk through using the tool and why such a thing is useful.

But as for me. New forensics tool?




And do I want to use it?



Magnet Forensics App Simulator
The app simulator is essentially a virtualized Android device, running in Oracle VirtualBox, with automated methods to emulate an app, and its data as retrieved from an image, in the way the user saw it. Magnet has developed a clean, intuitive, and streamlined method, which is why I am detailing their tool specifically.

So let's say you are an analyst for the Strategic Homeland Intervention, Enforcement and Logistics Division (SHIELD) and you are analyzing a device belonging to a Hydra operative. You have successfully imaged the phone. Great. You have acquired all the data on the device.

Now you are analyzing the data and you come across an app. You suspect the app may contain useful data. However, the data files are difficult to analyze. In this example, the app is WhatsApp, the messaging app. How do you expect to find meaningful data out of this?


The above is a hex view of the main database for WhatsApp. And it is encrypted. I see no meaning of any kind there. But if I ask one character, I know what he'll say of what he sees.


"I am Groot!" Very helpful there, thanks.

Here's the thing. I don't know off the top of my head how to decrypt a WhatsApp database. My laptop was made by Dell. It is not Wakandan. It does not have the processing power to brute force an encrypted database file.

And I could reverse engineer the WhatsApp application and deduce the decryption logic. But that would take going through possibly millions of lines of code. That is frustrating. And heavens help me if I had this guy's anger problems:



So one way I can examine the WhatsApp data is to emulate it. I extract the associated WhatsApp data, along with the app itself, and install it on an Android Virtual Machine (VM). The VM acts just like an Android device. It will install the app, accept the data, and behave just as if it were the Hydra operative's phone. The WhatsApp app file knows how to decrypt all this encrypted data, just as it does on the phone itself. Then I can scroll through the installed instance of WhatsApp and see the data just as the Hydra operative saw it. And that right there is the very point of the App Simulator by Magnet Forensics. Pretty nifty, huh?

How to use the tool
First, go download the tool. It is free! It takes registering an email address.

Follow the download and install instructions. You have to download two different files and follow two different installations. You first install Oracle VirtualBox, and then you install an Android VM.

Once all done, open your Magnet App Simulator and follow the instructions. It will first ask you to run the Android VM. Make sure that is online. Here is what the emulator looks like.



It looks very similar to any normal instance of Android. This emulator runs Android 8.1.

Then pick out your Android install file (WhatsApp.apk, found in /data/app of the image of my device):




And then add associated data. For me, I extracted /data/data/com.whatsapp for Application Data, and /sdcard/WhatsApp for SD Card data.



And then hit next. And in a snap, you'll be ready to analyze.



In no time WhatsApp gets installed.



And then all the data gets loaded into WhatsApp in the proper location and given the proper permissions, all without you having to do a thing. When all done, you can browse through the app data, decrypted and readable, and use it all as part of your investigation into Hydra activities.



And another nice feature. You can create a snapshot. That is, save the state of your VM. That way if you want to manipulate some data for any reason, you can restore to a known state. It is about like having your own time loop.


Now this technique is actually not that new. I have been emulating app data like this for many years and have often considered doing a blog post on the technique. However, my process is extremely manual. Instead of a nice user interface, it means using Android Debug Bridge (adb) to push all the files into the right place and change their ownership and permissions. And it historically relied upon the Android Virtual Device included with the Android Software Development Kit. If you've ever used that, you know how slow and clunky that is. Going from my old method to the new Magnet tool is about like going from this:



to this:



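For readers who want to see what the "extremely manual" method looks like, here is an added example of the adb-driven restore the post describes: install the APK from /data/app, push the extracted /data/data/com.whatsapp and /sdcard/WhatsApp directories onto a rooted Android VM, then fix ownership and SELinux labels so the app can open its own files. This is my illustration, not Magnet's tool and not code from the post. It assumes adb is on PATH, that the VM accepts `adb root` (non-Google-Play emulator images do), and that the source directories were already extracted from the image; the package name, paths and the staging directory are parameters, with the WhatsApp values from the post as defaults.

```python
"""Manual restore of an extracted Android app over ADB (added example).

Reproduces by hand what the post says the App Simulator automates. Assumes
a rooted Android VM reachable by adb; all paths are those named in the post
or explicit assumptions (the staging directory below is one).
"""
import argparse
import shlex
import subprocess

ADB = "adb"                          # assumed: adb on PATH
STAGING = "/data/local/tmp/restore"  # assumed scratch area; adb shell can write here


def build_restore_plan(package, app_data_dir, sdcard_src, sdcard_dst, uid):
    """Return the ordered adb commands (argv lists) that drop one app's data in place.

    Pure function: nothing runs here, so the plan can be reviewed before it
    touches the VM. `uid` is the Linux uid Android assigned to the app at
    install time; it is only known after installation (see query_app_uid)."""
    data_dir = f"/data/data/{package}"
    return [
        [ADB, "shell", "am", "force-stop", package],       # never copy under a running app
        [ADB, "shell", "rm", "-rf", STAGING],               # fresh staging dir
        [ADB, "push", app_data_dir, STAGING],               # dest absent => contents land in STAGING
        [ADB, "shell", "cp", "-a", f"{STAGING}/.", f"{data_dir}/"],
        [ADB, "shell", "chown", "-R", f"{uid}:{uid}", data_dir],  # app must own its files
        [ADB, "shell", "restorecon", "-R", data_dir],            # SELinux labels, else EACCES
        [ADB, "shell", "rm", "-rf", sdcard_dst],
        [ADB, "push", sdcard_src, sdcard_dst],              # SD card data (e.g. media, backups)
    ]


def parse_uid(stat_output):
    """Parse the output of `stat -c %u <dir>` run on the device (one integer)."""
    value = stat_output.strip().splitlines()[0].strip() if stat_output.strip() else ""
    if not value.isdigit():
        raise ValueError(f"unexpected stat output: {stat_output!r}")
    return int(value)


def query_app_uid(package):
    """Ask the (rooted) VM which uid owns the freshly installed app's data dir."""
    out = subprocess.run(
        [ADB, "shell", "stat", "-c", "%u", f"/data/data/{package}"],
        check=True, capture_output=True, text=True).stdout
    return parse_uid(out)


def render(plan):
    """Render a plan as shell lines, for review or for pasting into a terminal."""
    return "\n".join(shlex.join(cmd) for cmd in plan)


def restore_app(apk, package, app_data_dir, sdcard_src, sdcard_dst, execute=False):
    """Install the APK, discover its uid, then push and fix up the data.

    With execute=False only the plan is returned (uid shown as a placeholder)."""
    install = [[ADB, "root"], [ADB, "wait-for-device"], [ADB, "install", "-r", apk]]
    if not execute:
        return install + build_restore_plan(package, app_data_dir, sdcard_src,
                                            sdcard_dst, "<uid-after-install>")
    for cmd in install:
        subprocess.run(cmd, check=True)
    uid = query_app_uid(package)
    plan = build_restore_plan(package, app_data_dir, sdcard_src, sdcard_dst, uid)
    for cmd in plan:
        subprocess.run(cmd, check=True)
    return install + plan


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="manual adb app-data restore (dry run by default)")
    ap.add_argument("--apk", default="WhatsApp.apk")               # from /data/app of the image
    ap.add_argument("--package", default="com.whatsapp")
    ap.add_argument("--app-data", default="./data/data/com.whatsapp")  # extracted from the image
    ap.add_argument("--sdcard-src", default="./sdcard/WhatsApp")       # extracted from the image
    ap.add_argument("--sdcard-dst", default="/sdcard/WhatsApp")
    ap.add_argument("--execute", action="store_true", help="actually run the commands")
    a = ap.parse_args()
    print(render(restore_app(a.apk, a.package, a.app_data, a.sdcard_src, a.sdcard_dst, a.execute)))
```

Run it without `--execute` first and read the printed plan; the ownership and restorecon steps are the ones people forget, and they are exactly why a hand-copied data directory "installs" fine but then crashes or shows an empty app. Take a VirtualBox snapshot of the VM before running it with `--execute` so you can roll back, as the post recommends.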
And that's about all I have for this tool. It is excellent and should be part of your examination kit, along with a gauntlet to hold the Infinity Stones should the need arise. As for what I do next, I'm not sure. Just remember, in all things in life, Maximum Effort!


Oh wait, wrong universe.

Summary
  • Go ahead and download the Magnet Forensics App Simulator.
  • The app simulator can load up an app's data straight from an acquired image and present it the same way the user saw it before acquisition.
  • If data is encrypted or otherwise obfuscated, this can be a workaround. Instead of figuring out the hard way how to interpret data, let the app do what it was designed to do, but in your own virtualized environment instead of a suspect's device.

Questions, comments? Favorite Avengers movie (NO SPOILERS)? Leave a comment below, or send me an email.