Sunday, August 10, 2014

Picking a Toolkit

And some power tools

My dad is a handyman. He is a handyman around the house, in the garage, in the yard, and he even has renovated and sold four houses, one of which was in decrepit shape and required a complete overhaul. Like a good father does, he taught me all I need to know to be a handyman around the house and in the garage. Did I retain it all? Debatable. One thing I absolutely learned is that I need a good set of tools.

When I was growing up, he had two entire walls of the garage covered in tools, including an impressive set of mechanic's wrenches, a drill press, several handheld power drills including a 1970's era drill in perfect condition that would still take your arm off if you hold it wrong, a good table saw, a radial arm saw, sanders, paint brushes, rollers, more screwdrivers than I know how to count, all manner of screws, nails, bolts, and other hardware, and the list just keeps going. So what defines a good set of tools? Here are some criteria:
  • appropriate for the jobs at hand. It's great to have a top of the line lawnmower, but it won't do you much good if the current task is to replace drywall.
  • high quality. There's a reason I buy good tools by the best brands. They hold up best and get the job done most efficiently.
  • collected and maintained throughout the years. While it is natural to replace tools with better ones when needed, some of the best tools are the ones you bought for a job a decade or more ago. Any handyman has some especially old tools and can tell you exactly what job he was doing which required him to buy a specific tool and some success stories which would not be possible without that specific tool.
  • organized in a way that makes sense for you and you alone. You should create a toolkit and continually add to it and keep it organized in a way that allows you to find whatever tool you need quickly and store it in a place that just seems right. I can’t tell you the number of times my family has said that my tool bench makes no sense, but it works for me. I use no tool more frequently than my good power drill, so it is the easiest thing for me to grab.

In the world of digital forensics, every examiner develops a toolkit. The toolkit includes all kinds of forensic tools, cables, kits, and of course a forensic computer. The forensic computer is where the examiner acquires a digital image, examines it to find files which are considered of value, analyzes evidence found (from the digital media being examined and also relationally with evidence from other sources), and saves all findings and analyses in a report. And of course, a good examiner documents all along the way.

A forensic computer needs an operating system (OS). Before diving into tools, I need to discuss operating systems. As I said previously, a good toolkit should be organized in a way that makes sense for you, so in that vein, I will not specify an exact operating system. However, all of the tools I will be going over are either Windows or Linux, so you will need access to both a Windows machine and a Linux machine. You can run either or both of these in virtual machines (VMs) if you wish, or you can do what I do and have a computer with multiple hard drives and choose an operating system at boot.

Linux comes in a lot of varieties. A common variant of Linux is Ubuntu, and it is an excellent OS to use if you are new to Linux. There are distributions of Linux designed for specific purposes, ranging from penetration testing to multimedia production. Believe it or not, there are even versions of Linux designed specifically for mobile forensics. Two great ones are Santoku, by the group ViaForensics out of Chicago, and Open Source Android Forensics (OSAF). Both of these distributions come loaded with all kinds of good mobile forensic tools. I personally use Santoku as the OS on my main computer.

I’m not here to recommend one OS over another. Try out whatever Linux variant you care to try, and pick whatever you like. Santoku and OSAF both come loaded with much of what I will be going over in this blog, so if you pick another OS you will need to download and install the tools I demonstrate. Again, I’m not here to recommend any OS and am not a representative of any OS distribution effort.

Getting started
To get started, you’re going to need your toolkit, and your toolkit starts with an OS. For what I will demonstrate on this blog, you will need both a Linux environment and a Windows environment. You can install either or both in VMs or on physical machines.

You will also need a method to transfer files, possibly very large files, from your Linux environment to your Windows environment and perhaps vice versa. Please be advised: if you use external storage, like a flash drive or external hard drive, and you have formatted it FAT32, the maximum file size you can copy to the drive is 4 gigabytes, and chances are you’ll be creating larger files than that.
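The FAT32 limit is the kind of thing that bites you at the end of a long imaging session, so here is a small script that checks for it before copying. This is an added example, not code from the original post; it assumes GNU coreutils on Linux (`stat -f`, `split -d`, `sha256sum`), and the paths in the usage comment are made up. If the destination volume is FAT32 and the image is too big, it splits the image into 2 GiB pieces instead of letting the copy fail; either way it writes a SHA-256 of the original beside the copy so the image can be verified after it is reassembled on the Windows side.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils on Linux.
# FAT32 cannot store a file of 4 GiB or more, so a large forensic image copied
# onto a FAT32 flash drive fails or is truncated. Detect that case, split the
# image into FAT32-safe pieces, and record a checksum for later verification.
set -e

FAT32_MAX=4294967295          # 2^32 - 1 bytes: the largest file FAT32 can hold
PIECE=2147483648              # 2 GiB pieces, comfortably under the limit

# Filesystem type of the volume holding PATH, as reported by GNU stat
# (a vfat mount is reported as "msdos").
fs_type() {
    stat -f -c %T "$1"
}

# Print "yes" if a file of SIZE bytes cannot be stored on FAT32, else "no".
needs_split() {
    if [ "$1" -gt "$FAT32_MAX" ]; then echo yes; else echo no; fi
}

# Number of pieces produced when SIZE bytes are split into PIECE-byte chunks
# (ceiling division).
chunk_count() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# Copy the image SRC into DEST_DIR. If DEST_DIR is on FAT32 and the image is
# too large, write numbered pieces (image.dd.00, image.dd.01, ...) instead.
# In both cases a SHA-256 of the original is written beside the copy; after
# "copy /b image.dd.* image.dd" on Windows, the hash of the result must match.
copy_image() {
    src="$1"; dest_dir="$2"
    name=$(basename "$src")
    size=$(stat -c %s "$src")
    (cd "$(dirname "$src")" && sha256sum "$name") > "$dest_dir/$name.sha256"
    case "$(fs_type "$dest_dir")" in
        msdos|vfat)
            if [ "$(needs_split "$size")" = yes ]; then
                echo "FAT32 destination and $size bytes > $FAT32_MAX: writing $(chunk_count "$size" "$PIECE") pieces"
                split -b "$PIECE" -d "$src" "$dest_dir/$name."
                return
            fi
            ;;
    esac
    cp "$src" "$dest_dir/$name"
}

# Usage (hypothetical paths): ./copy_image.sh /cases/phone.dd /media/usb
if [ "$#" -eq 2 ]; then copy_image "$1" "$2"; fi
```

Verify on the receiving side with `sha256sum -c image.dd.sha256` (Linux) or by comparing against the hash FTK Imager computes for the reassembled file; a mismatch means a piece was lost or the reassembly order was wrong.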

You will also need some tools. I will go over more of these as I go on, but for now I will highlight two that I use all the time.

  • FTK Imager for Windows. A great, free tool for examining a digital image. It also has some other great uses, including imaging a volume or a physical drive, but I don’t intend to go over those capabilities. It is on this page:
  • Android SDK for Linux. Download the link that says Linux 32 & 64 bit and follow the instructions to install. (Note: this is included in the distributions I highlighted.)
  • You can also set up the SDK in the Windows environment if you like. I personally prefer to interact with the phone in Linux because the way I will demonstrate how to live image uses Linux tools.

  • You'll need both a Linux and a Windows environment
  • Pick a Linux distribution you like, and I've recommended a couple
  • Go ahead and download and install both FTK Imager for Windows and the Android SDK for Linux

That’s all for now. Next page introduces imaging a device.

Questions, comments, suggestions, or experiences? House projects you may be working on right now? Leave a comment below, or send me an email.
