Free Android Forensics, by Mark Lohrum. Posted 2020-02-04.<br />
The Iowa Caucus App<br />
<h3 style="text-align: center;">
A Rant</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin-bottom: 0in; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="margin: 0px;">
<b>All blog posts to date</b></div>
</div>
<div style="margin-bottom: 0in;">
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<table style="width: 100%;">
<tbody>
<tr>
<td><b>Introduction</b></td>
<td><b>Acquisition</b></td>
<td><b>Analysis</b></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/introduction.html">Introduction</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/imaging-android-device.html">Imaging an Android Device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/examining-image.html">Examining the image</a></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/picking-toolkit.html">Picking a Toolkit</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">Live imaging an Android device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/10/some-hidden-artifacts-in-physical-image.html">Some hidden artifacts in a physical image</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/04/why-not-load-clockworkmod-or-twrp-to.html">Why not load ClockworkMod or TWRP to image a device?</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/11/using-autopsy-to-examine-android-image.html">Using Autopsy to examine an Android image</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/10/identifying-your-userdata-partition.html">Identifying your Userdata Partition</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/11/some-artifacts-in-datasystem-directory.html">Some artifacts in the /data/system/ directory</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/02/some-non-root-methods-to-learn-about.html">Some non-root methods to learn about a device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/01/viewing-sqlite-databases.html">Viewing SQLite Databases</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/05/a-quick-note-on-imaging-newer-android.html">A quick note on imaging newer Android devices</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/02/facebook-for-android-artifacts.html">Facebook for Android Artifacts</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/07/using-windows-to-live-image-android.html">Using Windows to Live Image an Android device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/06/interpreting-data-from-apps.html">Interpreting data from apps</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2018/04/obtaining-all-files-in-data-partition.html">Obtaining all files in the data partition without a physical image</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/02/waze-for-android-forensics.html">Waze for Android forensics</a></td>
</tr>
<tr>
<td></td>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2019/04/magnet-forensics-app-simulator.html">Magnet Forensics App Simulator</a></td>
</tr>
<tr>
<td><b>App Reversing</b></td>
<td><b>Other Topics</b></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/09/reverse-engineering-android-app-file.html">Reverse Engineering an Android App File</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/09/the-differences-between-physical-image.html">The differences between a physical image and a logical extraction</a></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2017/03/fun-with-apktool.html">Fun with Apktool</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/12/dirty-cow.html">Dirty cow</a></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2018/02/deep-dive-into-app.html">Deep dive into an app</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/08/imaging-and-examining-android-car-stereo.html">Imaging and examining an Android car stereo</a></td>
<td></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/12/unpacking-boot-and-recovery-kernels.html">Unpacking boot and recovery kernels</a></td>
<td></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2018/01/mtpwn.html">MTPwn</a></td>
<td></td>
</tr>
</tbody>
</table>
</div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="font-family: 'times new roman';">
<b>Introduction</b>
</div>
<div style="font-family: 'times new roman';">
I am a football nut and follow stats like it is my job. Something I've found in common between my nerdiness with technology, movies, video games and sports, is they require some degree of dedication in following stories, along with a high degree of analysis to predict what is going to happen next.<br />
<br />
So it should come as little surprise that I am, at least to a degree, interested in politics. I'm not a political super-nerd, I'm no hyper opinionated thought leader, I don't get into Twitter battles, and I follow no political ideology as if it were a cult. That's not my game. But the stories in the news, the polling data, the strategy of campaigns, and the back-stabbing associated with politics all require the same mindset to follow as sports and pop culture.<br />
<br />
Note: this post will be about a political story, but it will not be of political opinion. I don't care to publish to the whole world my political opinions for two reasons. One, I don't want to lose readers, and two, much of my viewership is outside of the United States where other political stories are more relevant.<br />
<br />
So here we go. A post on an Android forensics blog about the political world, with potentially world event altering consequences. (I never thought I'd say that one).<br />
<br />
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<div style="margin: 0px;">
<b>What happened last night in Iowa?</b><br />
<div>
As I post this, about 24 hours ago the caucus sites in Iowa closed. It is the beginning of the presidential election cycle, occurring every four years. Come early November, the citizens of the United States will flock to polling places to cast their votes for President of the United States of America. And though November is nine months away, the whole process has started. Because before citizens can vote, there must be a nominee. And last night in Iowa, the first state in the nation to have a say in selecting a nominee, there were caucuses to determine the state's choices for Republican and Democratic nominees for president.</div>
<div>
<br /></div>
<div>
(A caucus, if you are unaware, is different from a primary. A primary vote is like any other vote where you select your candidate of choice on a ballot. A caucus is more of a community event and involves actual social interaction as part of the process. And each caucus has a party official to manage the event and report the vote tally. I'm not going to get too much into the caucus process because it isn't relevant here, but it is a fun process.)</div>
<div>
<br /></div>
<div>
In general, the caucus results should be known quickly. But not until nearly 24 hours after the caucus sites closed did Iowa finally have some results. And why is that?</div>
<div>
<br /></div>
<div>
A mobile app.</div>
<div>
<br /></div>
<div>
The Democratic Party of Iowa elected to try some new technology to get the caucus results faster. Each caucus leader would download an app to their mobile phones and use the app to report the caucus results. Those results would be gathered to a central server and tabulated. The idea is the whole world could know nearly instantaneously who won the Iowa Democratic caucus. And I'll give some credit where credit is due, that is a novel idea. But the devil is in the implementation.</div>
<div>
<br /></div>
<div>
As you may well have heard, that <a href="https://www.wsj.com/articles/iowa-caucus-results-delayed-by-apparent-app-issue-11580801699">mobile app was an utter disaster</a>. The app crashed, those results either did not come at all to the central server or came delayed, and the results were declared "inconsistent". Over a day later, we still don't know who won Iowa.</div>
<div>
<br /></div>
<div>
<b>What went wrong?</b><br />
<div>
Not a whole lot is actually known about the app, so I'm just going to report what I know. Please comment and correct me if I get any of this wrong.<br />
<br />
The developer of the app is a small firm in Washington, DC. The app was not widely distributed, so I don't have access to it. I've heard it was developed for both iOS and Android, though I can't confirm this.<br />
<br />
The Democratic Party's cyber security chief saw problems coming and advised not going forward with the app. That advice was not heeded, and as anyone advising on cyber risk knows, that is a common outcome.<br />
<br />
The app is not widely available, has not been made open source, the security (and more specifically cryptography) algorithms used are not known, the general process for authenticating is not known, nobody knows what data the app stores on the phone, and the security community at large has not vetted this app. I'm going to go through some of these main points in detail, and, lest we forget, the importance of the outcome of this caucus (more on that later). But before that, here is nearly accurate footage of me hearing about this fiasco:<br />
<br />
<center>
<br />
<iframe allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/e0eZal9AHoI?start=87" width="560"></iframe>
<br />
</center>
<br />
<br />
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; margin: 0px; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<b>Open source</b></div>
I am an open source proponent in general. When we are talking about anything security related, open source is important because it invites scrutiny from the security community. The encrypted chat apps <a href="https://github.com/DrKLO/Telegram">Telegram</a> and <a href="https://github.com/signalapp/Signal-Android">Signal</a> are open source, the <a href="https://github.com/WickrInc/wickr-crypto-c">cryptography for Wickr</a> is open source, and I am sure there are many other such open source encrypted call and chat apps.<br />
<br />
Now I am not saying the developer should have open sourced the app. They presumably spent a lot of man-hours on the app. However, at least documenting the cryptography used would be good security practice. Even for the closed-source encrypted chat apps, the developers generally have white papers detailing the cryptography algorithms used. I know of no such documentation for the Iowa Democratic Caucus app. If this information were made available, the security community could have reviewed the information and raised concerns.<br />
<br />
<div style="margin: 0px;">
<b>Authentication</b><br />
<div>
I've heard the method for even downloading the app is rather convoluted. So I have no idea what the method is for authenticating a user.</div>
<div>
<br /></div>
<div>
The user should be the Democratic party official reporting on the results from the caucus. How does the user authenticate that they are genuinely the one reporting data? I presume there is a password. Is there a second form of authentication, such as the Google Authenticator app? How are passwords secured? Can the authentication session be hijacked, allowing an attacker to masquerade as the official and feed false results?</div>
<div>
<br /></div>
<div>
We don't know the answer to any of these questions. And that is a problem. Lest we forget about the importance of accurately reporting results (more on this later).</div>
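The questions above (how the reporting official proves who they are, how passwords are stored, whether a captured session can be reused to feed false results) have well-understood answers. What follows is an added illustration in Python, not code from this post and not the app developer's code, of what a defensible design looks like: passwords stored only as salted PBKDF2 hashes, a TOTP second factor of the kind Google Authenticator generates, and each results report bound to a per-device key, a fresh nonce and a timestamp so the central server can reject forged, replayed and stale submissions. Every name, key, code, precinct and tally value is constructed for the example.

```python
# Added illustration (not from the post or from the Iowa app's developer):
# a defensible authentication and result-integrity design for a
# results-reporting app. All names, keys, codes and tallies are constructed.
import hashlib
import hmac
import json
import os
import struct

PBKDF2_ITERATIONS = 200_000  # work factor; tune to the server's budget
TOTP_STEP = 30               # seconds per TOTP window (RFC 6238 default)


def enroll_password(password: str) -> dict:
    """Store a per-user salt and a PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator implements."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current window plus `window` neighbours to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * TOTP_STEP), code)
               for d in range(-window, window + 1))


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so client and server MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_report(device_key: bytes, precinct: str, tallies: dict, issued_at: int) -> dict:
    """Bind the tallies to a per-device key, a fresh nonce and a timestamp."""
    body = {"precinct": precinct, "tallies": tallies,
            "nonce": os.urandom(16).hex(), "issued_at": issued_at}
    return {"body": body, "mac": hmac.new(device_key, _canonical(body), hashlib.sha256).hexdigest()}


class ResultServer:
    """Central tabulator: rejects forged, replayed and stale reports."""

    def __init__(self, device_keys: dict, max_age: int = 300):
        self.device_keys = device_keys      # precinct -> key issued at enrollment
        self.max_age = max_age
        self.seen_nonces = set()
        self.accepted = {}

    def accept(self, report: dict, now: int) -> str:
        body = report["body"]
        key = self.device_keys.get(body["precinct"])
        if key is None:
            return "unknown precinct"
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, report["mac"]):
            return "bad mac"            # tampered tallies or wrong device key
        if abs(now - body["issued_at"]) > self.max_age:
            return "stale"              # old capture submitted much later
        if body["nonce"] in self.seen_nonces:
            return "replay"             # same report submitted twice
        self.seen_nonces.add(body["nonce"])
        self.accepted[body["precinct"]] = body["tallies"]
        return "accepted"


def demo() -> dict:
    """End-to-end walk-through on constructed values; returns each outcome."""
    user = enroll_password("correct horse battery staple")   # constructed
    totp_secret = b"12345678901234567890"                     # RFC 6238 test secret
    device_key = os.urandom(32)
    server = ResultServer({"precinct-42": device_key})
    now = 1_580_860_800                                       # constructed timestamp
    report = sign_report(device_key, "precinct-42", {"A": 120, "B": 95}, now)
    forged = {"body": {**report["body"], "tallies": {"A": 5, "B": 210}}, "mac": report["mac"]}
    return {
        "password_ok": verify_password(user, "correct horse battery staple"),
        "password_wrong": verify_password(user, "hunter2"),
        "totp_ok": verify_totp(totp_secret, totp(totp_secret, now), now),
        "first_submit": server.accept(report, now),
        "forged": server.accept(forged, now),
        "replay": server.accept(report, now + 10),
        "stale": server.accept(sign_report(device_key, "precinct-42", {"A": 1}, now), now + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The per-device key stands in for whatever credential the app provisions at enrollment; the point is that a report is only accepted if it was produced by the enrolled device, has not been altered, is fresh, and has not been seen before. Publishing a design like this, even without the source, is the kind of documentation the security community could have reviewed before caucus night.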
<div>
<br /></div>
<div>
<b>Vetting</b><br />
<div>
I've heard the app was independently vetted, but we've not heard which security firm did it or what tests were attempted. We've also heard it was not publicly vetted by the US government.</div>
<div>
<br /></div>
<div>
App vetting is a big deal. The process involves attempting various network attacks, on-device attacks, and attacks tailored to the exact app use case. What was the vetting process? Now I don't expect anyone to publish flaws that were found and fixed as that would not be good security practice, but it would be nice to say who vetted it and what they attempted.</div>
<div>
<br />
<b>Possible scenarios</b></div>
<div>
As of me writing this post, we still don't have results. So I'm going to go over some best and worst case scenarios that could happen, and I'm also going to put on the hypothetical hat here for some really bizarre and awful scenarios that could happen.</div>
<div>
<br /></div>
<div>
For a best case scenario, the caucus results are counted accurately using a backup method involving physical records, which appears to be the case right now. The result is the winner is officially announced, but late. And that really is a problem because in politics, timing is everything. At this point, all the Democratic candidates have shifted their efforts away from Iowa and are off to New Hampshire for the upcoming primary. Whoever ultimately wins Iowa has been denied their prime-time moment to give a nationally televised, dramatic speech to a massive national audience watching the Iowa results. Instead, there will be a delayed announcement for the winner who will set up an impromptu speech and campaign party in New Hampshire, with a smaller national audience who only associates the Iowa primary with a failed mobile app. All those volunteers from the winning campaign in Iowa have been denied their right for a well-earned party complete with personal gratitude from the winning candidate.</div>
<div>
<br /></div>
<div>
But let's imagine some worst case scenarios here. As a forensics guy, I have developed a knack for thinking worst case.</div>
<div>
<br /></div>
<div>
There's the obvious worst case of inaccurate results. Between unvetted security in transit and unknown authentication methods, there could be inaccurate results fed to the central server. The wrong candidate gives a rousing speech to supporters and a massive national television audience. The actual winner never knew that he or she was cheated out of a win in Iowa and the television spotlight, along with all the campaign momentum. And this should serve as a warning for why physical records in voting are so important.</div>
<div>
<br /></div>
<div>
But there's another worst case scenario. And this is where that forensic mindset is important. Let's say there were no physical records from the caucuses, or those were destroyed. The caucus result data never made it from the app to the central server. All those apps on all those devices stored the only known sources of caucus results. And to make this more complicated, all those mobile phones used by party officials are personally owned. In this worst case scenario, the only way to get caucus data would be to acquire the data from personally owned phones. Would these officials voluntarily hand over their devices to be imaged? Can they be seized? What if the device is stolen, lost, or damaged? Those caucus results could be gone forever. Nobody would ever know who actually won Iowa. Again, a warning for why physical records in voting are so important.<br />
<br />
Overall, it does look like we're getting the best case scenario. We'll still figure out who won Iowa. And everybody learned a thing or two about this uncharted territory of reporting vote results via app.<br />
<br />
Regardless, there already is a major result. We've all heard about foreign interference in the 2016 election, with the goal being to sow doubt and distrust into the US election process. Well, there's already doubt and distrust in the 2020 election, and it required no Russian influence. Unless you count the vodka we all need after this debacle.<br />
<br />
<div>
<b>The bigger picture</b></div>
<div>
There's a bigger picture to all of this that needs to be considered, which is really the point of this post. And that is engineering consequences.<br />
<br />
Automotive engineers design cars. They may imagine new elegant or comfortable features, or more aerodynamic designs to add an extra tenth of a mile per gallon. But automotive engineers never forget that they are designing vehicles that carry people at speeds exceeding 60 miles per hour. That is a weighty concern. Poor engineering in cars has led to deaths and will continue to, but good engineering, which is exceedingly more prevalent than poor engineering, has led to incredible safety features that have saved far more lives.<br />
<br />
Medical engineers design surgery equipment and devices. These keep people alive during surgery. These devices must be sterile. They must function or else a patient can die. In an open heart surgery, there is crucial equipment necessary to maintain circulation through the body. People have died due to poorly engineered products. But exceedingly more have lived longer lives due to well engineered devices.<br />
<br />
In software engineering, we so often lose sight of real world consequences. A job of mine before entering the world of forensics involved writing an asset tracking system for a mid-sized manufacturing company. It rarely dawned on me that actual company products were being shipped from site to site and to end customers. That thought rarely occurred to anyone on the team. We were so focused on developing a usable system that on occasion our manager would have us walk through the factory to see the manufacturing process and speak with the factory employees about the need for better asset tracking.<br />
<br />
Digital forensics is one of the few disciplines within technology where real life circumstances are intrinsically interwoven. If your realm is incident response, the real life ramification of your work is identifying the theft of perhaps millions of dollars worth of corporate intellectual property and preventing future attacks. If you are a criminal investigator, the real life ramification is the life and liberty of a suspect. There is a story I heard once about a teenage girl who ran away. Her mother called the police who examined the home computer and found evidence of the girl chatting with a "boyfriend", who turned out to be an adult male and a child abductor. The real world ramification of this work was catching the man en route to a meet with the girl, and protecting the girl from exploitation at the hands of a truly sick individual.<br />
<br />
In this case of the Iowa caucus app, the real world ramification is the election of the leader of the free world. Whoever wins the Iowa Democratic race gains incredible momentum going into future state races. That winner can very well be the nominee for the party and run against the current President of the United States. The winner of that election will be the commander in chief of the greatest fighting force the world has ever known, at the head of the world's largest economy, will have a greater influence on world affairs than any other person on the planet, and will have the entire world's attention with every action, every inaction, and every word.<br />
<br />
Do you really want to leave all of that to a mobile app?<br />
<br /></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div style="font-family: 'times new roman';">
<b>Summary</b>
</div>
<ul style="font-family: 'times new roman'; font-weight: normal;">
<li>Vet your apps</li>
<li>Open source, or at least document as well as you can, your crypto for the security community to review</li>
<li>Never forget real life ramifications of digital work</li>
</ul>
<div style="font-family: 'times new roman';">
<br /></div>
<div style="font-family: 'times new roman';">
Questions, comments? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email</a>. And if there are any politically charged nonsense comments, they'll be deleted.</div>
</div>
</div>
Posted by Mark Lohrum, 2019-04-27.<br />
Magnet Forensics App Simulator<br />
<h3 style="text-align: center;">
And Avengers</h3>
<br />
<div style="margin-bottom: 0in;">
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="font-family: 'times new roman';">
<b>Introduction</b>
</div>
<div style="font-family: 'times new roman';">
I'm back! Sorry it's been a while. No, I did not turn to dust, nor did I get stuck in the quantum realm. And I also didn't violate the Sokovia Accords. Instead, I am now a dad! My wife and I have a little daughter now which means my spare time is gone and replaced instead with the joys of parenthood.<br />
<br />
Being a dad, I will always try to guide her in a good direction. Maybe I will be like Howard Stark and encourage her to pursue the newest technology at every step. Maybe I will be like Odin and raise her into royalty. She already is a princess. Just as long as I don't become a celestial, or an evil living planet.<br />
<br />
And also ... there's this movie that just hit the theaters.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHBMWpPK_CevQ-_Exl5QSSvyS8OHmmBSN_thvvTO2AhEu6KMIpKH2C1uSPueI0WmWUentTeLPDEDzx1MeYpSVYGZhIAKsof6HplDDb2eL_7XK4MtrDkWvdgk-7z6vZQUjzzDF7GJJNpu03/s1600/avengers-endgame-poster-square-crop.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1051" data-original-width="1092" height="307" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHBMWpPK_CevQ-_Exl5QSSvyS8OHmmBSN_thvvTO2AhEu6KMIpKH2C1uSPueI0WmWUentTeLPDEDzx1MeYpSVYGZhIAKsof6HplDDb2eL_7XK4MtrDkWvdgk-7z6vZQUjzzDF7GJJNpu03/s320/avengers-endgame-poster-square-crop.jpg" width="320" /></a></div>
<br />
Avengers: Endgame. The result of 11 years of building up this cinematic universe, which has become an unprecedented cultural phenomenon. Already rewriting the box office record books. Have I seen it? Of course not! I'm a dad. I don't have time for movies anymore! So don't spoil it for me because I will see it sometime in the near future.<br />
<br />
So the point of this post. Magnet Forensics just released a new tool called the <a href="https://www.magnetforensics.com/resources/visualize-mobile-apps-in-a-virtual-environment-with-the-magnet-app-simulator/">App Simulator</a>. This post will walk through using the tool and why such a thing is useful.<br />
<br />
But as for me. New forensics tool?<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIr8LHFEyFUxKy5OkXN_VoN6Wph5y8QeZhw4qF7tde9ONcrOJuYXaxl0ZvB3EQ3f1HMBNfoL5likIy8qErAJJ68Yl1m7eCy_2xMAYtsmmfMJ6pHyogzCAVvDtfcJCNmkW_L8cNXkLvPqga/s1600/RocketGif.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="250" data-original-width="600" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIr8LHFEyFUxKy5OkXN_VoN6Wph5y8QeZhw4qF7tde9ONcrOJuYXaxl0ZvB3EQ3f1HMBNfoL5likIy8qErAJJ68Yl1m7eCy_2xMAYtsmmfMJ6pHyogzCAVvDtfcJCNmkW_L8cNXkLvPqga/s400/RocketGif.gif" width="400" /></a></div>
<br /></div>
<div style="font-family: 'times new roman';">
<br />
And do I want to use it?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuAvRYkfUd4pnBMcAyGeb5lD6ysFpmCxiETqZs5FcaQgGBoTEwR2972BaSEJ3OJ2pKXzHQrzlVgc4IGql_pfx_SDjp-oP_szbDcDedkLCxahRsftoip9I28UlhWAmHjhroBcScd0m8nHHU/s1600/BringMeThanos.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="250" data-original-width="597" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuAvRYkfUd4pnBMcAyGeb5lD6ysFpmCxiETqZs5FcaQgGBoTEwR2972BaSEJ3OJ2pKXzHQrzlVgc4IGql_pfx_SDjp-oP_szbDcDedkLCxahRsftoip9I28UlhWAmHjhroBcScd0m8nHHU/s400/BringMeThanos.gif" width="400" /></a></div>
<br />
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant-caps: normal; font-variant-ligatures: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-decoration-color: initial; text-decoration-style: initial; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<div style="margin: 0px;">
<b><br /></b></div>
<div style="margin: 0px;">
<b>Magnet Forensics App Simulator</b></div>
</div>
The app simulator is essentially a virtualized Android device, running in Oracle VirtualBox, with automated methods to emulate an app, and its data as retrieved from an image, in the way the user saw it. Magnet has developed a clean, intuitive, and streamlined method, which is why I am detailing their tool specifically.<br />
<br />
So let's say you are an analyst for the Strategic Homeland Intervention Enforcement and Logistics Division (SHIELD) and you are analyzing a device belonging to a Hydra operative. You have successfully imaged the phone. Great. You have acquired all the data on the device.<br />
<br />
Now you are analyzing the data and you come across an app. You suspect the app may contain useful data. However, the data files are difficult to analyze. In this example, the app is WhatsApp, the messaging app. How do you expect to find meaningful data out of this?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwaCioIwGVv0vMmL9oDXhfmfjmhD3K6Ne-GU0uoy0Efj6iYREhjJonJtkTTw8XnxbY6Rvmou4L-ewh9LOa1CNK3p6EDKNbYXvWNg4WL594ZmANM-wXtkIzCeD1Dm_qWeP24xwVrY4nJ_OP/s1600/db_hex.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="300" data-original-width="520" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwaCioIwGVv0vMmL9oDXhfmfjmhD3K6Ne-GU0uoy0Efj6iYREhjJonJtkTTw8XnxbY6Rvmou4L-ewh9LOa1CNK3p6EDKNbYXvWNg4WL594ZmANM-wXtkIzCeD1Dm_qWeP24xwVrY4nJ_OP/s400/db_hex.jpg" width="400" /></a></div>
<br />
The above is a hex view of the main database for WhatsApp. And it is encrypted. I see no meaning of any kind there. But if I ask one particular character what he sees, I know what he'll say.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrCAQClK_SUrL3XV7v7mVmtVDLFjcrELHbRsc7W0BKq60GYo3C02tATVr98w9T6wLzZ21uAGqUX3IsJph1LPGjGkBWTRpV6Qiby2iIo-fYSUwffR3EbCsnVBV9ADw8IaaH44sab6cbAImW/s1600/babyGroot.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="800" data-original-width="1200" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrCAQClK_SUrL3XV7v7mVmtVDLFjcrELHbRsc7W0BKq60GYo3C02tATVr98w9T6wLzZ21uAGqUX3IsJph1LPGjGkBWTRpV6Qiby2iIo-fYSUwffR3EbCsnVBV9ADw8IaaH44sab6cbAImW/s320/babyGroot.jpg" width="320" /></a></div>
<br />
"I am Groot!" Very helpful there, thanks.<br />
<br />
Here's the thing. I don't know off the top of my head how to decrypt a WhatsApp database. My laptop was made by Dell. It is not Wakandan. It does not have the processing power to brute force an encrypted database file.<br />
<br />
And I could reverse engineer the WhatsApp application and deduce the decryption logic. But that would take going through possibly millions of lines of code. That is frustrating. And heavens help me if I had this guy's anger problems:<br />
<br />
<iframe allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/udKE1ksKWDE?start=108" width="560"></iframe>
<br />
<br />
So one way I can examine the WhatsApp data is to emulate it. I extract the associated WhatsApp data, along with the app itself, and install it on an Android Virtual Machine (VM). The VM acts just like an Android device. It will install the app, accept the data, and behave just as if it were the Hydra operative's phone. The WhatsApp app file knows how to decrypt all this encrypted data, just as it does on the phone itself. Then I can scroll through the installed instance of WhatsApp and see the data just as the Hydra operative saw it. And that right there is the very point of the App Simulator by Magnet Forensics. Pretty nifty, huh?<br />
<br /></div>
<div style="font-family: "times new roman";">
<b>How to use the tool</b></div>
<div style="font-family: "times new roman";">
First, go <a href="https://www.magnetforensics.com/resources/visualize-mobile-apps-in-a-virtual-environment-with-the-magnet-app-simulator/">download the tool</a>. It is free! It takes registering an email address.<br />
<br />
Follow the download and install instructions. You have to download two different files and follow two different installations. You first install Oracle VirtualBox, and then you install an Android VM.<br />
<br />
Once all done, open your Magnet App Simulator and follow the instructions. It will first ask you to run the Android VM. Make sure that is online. Here is what the emulator looks like.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaikDRdExjmxAYsw8loWAaT_f9bI5Mcs-6RqTVaa7zBh4YZTkBq8Uo5vj7NfZPthbWJVoMtyelxmwUeodj7V8obds7VG4tRvcNv89qu-sh0KKG2KiHcAm381YfIRmGkdC1rPMwwrVfvPUm/s1600/emulator.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="815" data-original-width="1024" height="254" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaikDRdExjmxAYsw8loWAaT_f9bI5Mcs-6RqTVaa7zBh4YZTkBq8Uo5vj7NfZPthbWJVoMtyelxmwUeodj7V8obds7VG4tRvcNv89qu-sh0KKG2KiHcAm381YfIRmGkdC1rPMwwrVfvPUm/s320/emulator.jpg" width="320" /></a></div>
<br />
<br />
It looks very similar to any normal instance of Android. This emulator runs Android 8.1.<br />
<br />
Then pick out your Android install file (WhatsApp.apk, found in /data/app of the image of my device):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnp_0lKKL8Bta2L-HhD58iI9jILepw9K5tMQl6CDugvdXRX9uNZV7P5uFeIjk8ykp-SKIWu5lpsZcwEKnLiUbzxpaQ9TlzTqLGVQaA08M6ArJbZc8wZEyjvvXHANddGtm-j10oFPZA_tK9/s1600/SelectAPK.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="617" data-original-width="1066" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnp_0lKKL8Bta2L-HhD58iI9jILepw9K5tMQl6CDugvdXRX9uNZV7P5uFeIjk8ykp-SKIWu5lpsZcwEKnLiUbzxpaQ9TlzTqLGVQaA08M6ArJbZc8wZEyjvvXHANddGtm-j10oFPZA_tK9/s400/SelectAPK.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
And then add associated data. For me, I extracted /data/data/com.whatsapp for Application Data, and /sdcard/WhatsApp for SD Card data.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6hESNz9sypl0jywFUNeGAnwsYHyHMAqgYd0V6gzWURr85z0w-azjiAxu_ViECaH_CaMo-ahKS6kBykTi6qVwCyzyBXW881PCg113yswSYWc6qTSVaZ9Vrlf4rPLzWnU0bFCu-zxr_ifaa/s1600/add_data.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="617" data-original-width="1066" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6hESNz9sypl0jywFUNeGAnwsYHyHMAqgYd0V6gzWURr85z0w-azjiAxu_ViECaH_CaMo-ahKS6kBykTi6qVwCyzyBXW881PCg113yswSYWc6qTSVaZ9Vrlf4rPLzWnU0bFCu-zxr_ifaa/s320/add_data.jpg" width="320" /></a></div>
<br />
<br />
And then hit next. And in a snap, you'll be ready to analyze.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHHuz1Yt0nX6XHzmS0pgMXbmmTe9Pk7hrAE45Ln9RHA5QfXztevfqTRiGqdGwm-wkiO4_X_Gvysf_Jl-4Kcyazopm2UEs-PF2zM6buel0zWf8Js-_Yoc0Op1FuK878HJ-Qm5G_JYeNLskI/s1600/snap.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="322" data-original-width="640" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHHuz1Yt0nX6XHzmS0pgMXbmmTe9Pk7hrAE45Ln9RHA5QfXztevfqTRiGqdGwm-wkiO4_X_Gvysf_Jl-4Kcyazopm2UEs-PF2zM6buel0zWf8Js-_Yoc0Op1FuK878HJ-Qm5G_JYeNLskI/s320/snap.gif" width="320" /></a></div>
<br />
<br />
In no time WhatsApp gets installed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWY1rNP5Y60cSxJ2rgROa3ni0SGKBZqiS9TndILCiFXdjaLFSEiSOehu-tRaUddSM5xwke7VjGc9F2c3PRwWx84abf4_4Z3yhZbjCkX1CuvgN78bceSUaBvntvVdswpkVaBpzyw_nlblCq/s1600/WhatsAppInstalled.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="813" data-original-width="1021" height="254" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWY1rNP5Y60cSxJ2rgROa3ni0SGKBZqiS9TndILCiFXdjaLFSEiSOehu-tRaUddSM5xwke7VjGc9F2c3PRwWx84abf4_4Z3yhZbjCkX1CuvgN78bceSUaBvntvVdswpkVaBpzyw_nlblCq/s320/WhatsAppInstalled.jpg" width="320" /></a></div>
<br />
<br />
And then all the data gets loaded into WhatsApp in the proper location and given the proper permissions, all without you having to do a thing. When all done, you can browse through the app data, decrypted and readable, and use it all as part of your investigation into Hydra activities.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYTr5mC1dp9XYhBKThXc_KPVxBh8dZbSOuLSxZKUPDqEYqPF7IFtYJJsWl25VFNmPEFfw1vUcfP7ySE-2jMYQXaeSwvGgvfkQkfGr9WqtbgDBD9tdtLiEYxtgJrl4nLpe882kXDTaOTt_I/s1600/msgs1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="809" data-original-width="1023" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYTr5mC1dp9XYhBKThXc_KPVxBh8dZbSOuLSxZKUPDqEYqPF7IFtYJJsWl25VFNmPEFfw1vUcfP7ySE-2jMYQXaeSwvGgvfkQkfGr9WqtbgDBD9tdtLiEYxtgJrl4nLpe882kXDTaOTt_I/s400/msgs1.jpg" width="400" /></a></div>
<br />
<br />
And another nice feature. You can create a snapshot. That is, save the state of your VM. That way if you want to manipulate some data for any reason, you can restore to a known state. It is about like having your own time loop.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXAOuV41Lor-njXNJclTQjKqa272gz3ym3SKzBvbD3Yc2_RsgKTgv5kjzkbf1p0P_6AlCwwdKBgPRxwzWC8DiwbjsmjJpeqllQcMSS59gBnz_jswLYTCdWBm7HFQrLPZhEGGxEuzbN3CSn/s1600/Strange_Time.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXAOuV41Lor-njXNJclTQjKqa272gz3ym3SKzBvbD3Yc2_RsgKTgv5kjzkbf1p0P_6AlCwwdKBgPRxwzWC8DiwbjsmjJpeqllQcMSS59gBnz_jswLYTCdWBm7HFQrLPZhEGGxEuzbN3CSn/s400/Strange_Time.jpg" width="400" /></a></div>
<br />
Now this technique is actually not that new. I have been emulating app data like this for many years and have often considered doing a blog post on the technique. However, my process is extremely manual. Instead of a nice user interface, it takes using Android Debug Bridge to push all the files into the right places and change permissions. And it historically relied upon the Android Virtual Device included with the Android Software Development Kit. If you've ever used that, you know how slow and clunky that is. Going from my old method to the new Magnet tool is about like going from this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq5sUyP-clflskBA1KAfiGlER-jiR4qFyOIGQfvbYfoRsxUV9PpIcRr6C_NoVg-0ZMeGuNiAL5ZFepb7lkvw9tfGup_K1aoKyojUAHO7OPJMBoAfSJPKoWQ6LI1cNAk_FvzDK3LUYkIjT5/s1600/Mark0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="680" data-original-width="1200" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq5sUyP-clflskBA1KAfiGlER-jiR4qFyOIGQfvbYfoRsxUV9PpIcRr6C_NoVg-0ZMeGuNiAL5ZFepb7lkvw9tfGup_K1aoKyojUAHO7OPJMBoAfSJPKoWQ6LI1cNAk_FvzDK3LUYkIjT5/s400/Mark0.png" width="400" /></a></div>
<br />
<br />
to this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH6iZUSzihXDX027cVag4xhPgrlySDbQA2TL1-jDnqEjY9vMhtVXC1ntv0KvG1o4cSXE2EGeWHqwWBmu0ScgO58McwBYufjyjh5dHJQObelaru_rdyauOXcudoLlyEVB1xDa_MW5ELIcpv/s1600/CivilWarSuitUp.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="250" data-original-width="435" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhH6iZUSzihXDX027cVag4xhPgrlySDbQA2TL1-jDnqEjY9vMhtVXC1ntv0KvG1o4cSXE2EGeWHqwWBmu0ScgO58McwBYufjyjh5dHJQObelaru_rdyauOXcudoLlyEVB1xDa_MW5ELIcpv/s400/CivilWarSuitUp.gif" width="400" /></a></div>
<br />
<br />
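<div style="font-family: "times new roman";">
For readers who want to see what the manual ADB route above actually involves, here it is as a script. This is an added example, not code from this post or from Magnet; it assumes an emulator on which <span style="font-family: "courier new" , "courier" , monospace;">adb root</span> succeeds (Google Play emulator images refuse it), that the extracted APK and data folders use the same names as in the post (WhatsApp.apk, com.whatsapp, WhatsApp), and that a chown plus restorecon is the permission repair the emulator build needs. Function names are mine.</div>

```shell
#!/bin/sh
# Added example, not the post's or Magnet's code: the manual ADB route the
# author describes, scripted. Assumptions: the extracted APK and data live
# under $1 with the names used in the post (WhatsApp.apk, com.whatsapp,
# WhatsApp); the target is an emulator on which `adb root` works; the
# package name is com.whatsapp.
PKG=com.whatsapp

# Pure helper, checkable without a device: given the uid the emulator assigned
# to the package on install, emit the commands that make the pushed private
# data belong to the app again (ownership and SELinux labels). This is the
# "change permissions" step the post mentions.
ownership_fixup_cmds() {
    pkg=$1; uid=$2
    printf 'chown -R %s:%s /data/data/%s\n' "$uid" "$uid" "$pkg"
    printf 'restorecon -R /data/data/%s\n' "$pkg"
}

# Install the APK taken from the image, push the app's private data and SD card
# data into the emulator, then hand ownership of the private data to the app.
replay_app_data() {
    extract=$1
    adb root >/dev/null || return 1                          # adbd must run as root to write /data/data
    adb install -r "$extract/WhatsApp.apk" || return 1       # creates the app's uid and data directory
    uid=$(adb shell stat -c %u "/data/data/$PKG" | tr -d '\r')
    adb push "$extract/com.whatsapp" /data/data/             # private data extracted from the image
    adb push "$extract/WhatsApp" /sdcard/                    # media and backups from the SD card
    ownership_fixup_cmds "$PKG" "$uid" | adb shell           # run the fixups on the emulator
}

# Usage: replay.sh /path/to/extracted  (does nothing when run without an argument)
if [ $# -eq 1 ]; then
    replay_app_data "$1"
fi
```

<div style="font-family: "times new roman";">
The uid is read back from the emulator after the install because the package gets a fresh uid there; the ownership numbers carried in the imaged phone's file system will not match, which is exactly why the permissions step exists. Snapshot the VM before running it, as the post suggests, so a bad push can be rolled back.</div>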
And that's about all I have for this tool. It is excellent and should be part of your examination kit, along with a gauntlet to hold the Infinity Stones should the need arise. As for what I do next, I'm not sure. Just remember, in all things in life, Maximum Effort!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm5TQv4pusUsMDy_fxED91C0i6SyJnafFV33Rgghyphenhyphen6q_wq9Iu1R9012tpKN8KevKB-tNea14gVLPphkNe_1eVsKl75TPMyMCczWo62HseYzWodzoXINQHiLgD1gBBrPq0U0IUkmfcQQL1x/s1600/Deadpool.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="433" data-original-width="768" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm5TQv4pusUsMDy_fxED91C0i6SyJnafFV33Rgghyphenhyphen6q_wq9Iu1R9012tpKN8KevKB-tNea14gVLPphkNe_1eVsKl75TPMyMCczWo62HseYzWodzoXINQHiLgD1gBBrPq0U0IUkmfcQQL1x/s400/Deadpool.jpg" width="400" /></a></div>
<br />
Oh wait, wrong universe.<br />
<br />
<b>Summary</b>
</div>
<ul style="font-family: "times new roman"; font-weight: normal;">
<li>Go ahead and download the Magnet Forensics App Simulator.</li>
<li>The app simulator can load up an app's data straight from an acquired image and present it the same way the user saw it before acquisition.</li>
<li>If data is encrypted or otherwise obfuscated, this can be a workaround. Instead of figuring out the hard way how to interpret data, let the app do what it was designed to do, but in your own virtualized environment instead of a suspect's device.</li>
</ul>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
Questions, comments? Favorite Avengers movie (NO SPOILERS)? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a>
</div>
</div>
</div>
Mark Lohrum (http://www.blogger.com/profile/07077867576734525405)<br />
<br />
Obtaining all files in the data partition without a physical image (published 2018-04-06, updated 2019-04-27)<br />
<h3 style="text-align: center;">
And why it can be a good call</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin-bottom: 0in; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="margin: 0px;">
<b>All blog posts to date</b></div>
</div>
<div style="margin-bottom: 0in;">
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<table style="width: 100%;">
<tbody>
<tr>
<td><b>Introduction</b></td>
<td><b>Acquisition</b></td>
<td><b>Analysis</b></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/introduction.html">Introduction</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/imaging-android-device.html">Imaging an Android Device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/examining-image.html">Examining the image</a></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/picking-toolkit.html">Picking a Toolkit</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">Live imaging an Android device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/10/some-hidden-artifacts-in-physical-image.html">Some hidden artifacts in a physical image</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/04/why-not-load-clockworkmod-or-twrp-to.html">Why not load ClockworkMod or TWRP to image a device?</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/11/using-autopsy-to-examine-android-image.html">Using Autopsy to examine an Android image</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/10/identifying-your-userdata-partition.html">Identifying your Userdata Partition</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/11/some-artifacts-in-datasystem-directory.html">Some artifacts in the /data/system/ directory</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/02/some-non-root-methods-to-learn-about.html">Some non-root methods to learn about a device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/01/viewing-sqlite-databases.html">Viewing SQLite Databases</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/05/a-quick-note-on-imaging-newer-android.html">A quick note on imaging newer Android devices</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/02/facebook-for-android-artifacts.html">Facebook for Android Artifacts</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/07/using-windows-to-live-image-android.html">Using Windows to Live Image an Android device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/06/interpreting-data-from-apps.html">Interpreting data from apps</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2018/04/obtaining-all-files-in-data-partition.html">Obtaining all files in the data partition without a physical image</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/02/waze-for-android-forensics.html">Waze for Android forensics</a></td>
</tr>
<tr>
<td></td>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2019/04/magnet-forensics-app-simulator.html">Magnet Forensics App Simulator</a></td>
</tr>
<tr>
<td><b>App Reversing</b></td>
<td><b>Other Topics</b></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/09/reverse-engineering-android-app-file.html">Reverse Engineering an Android App File</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/09/the-differences-between-physical-image.html">The differences between a physical image and a logical extraction</a></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2017/03/fun-with-apktool.html">Fun with Apktool</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/12/dirty-cow.html">Dirty cow</a></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2018/02/deep-dive-into-app.html">Deep dive into an app</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/08/imaging-and-examining-android-car-stereo.html">Imaging and examining an Android car stereo</a></td>
<td></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/12/unpacking-boot-and-recovery-kernels.html">Unpacking boot and recovery kernels</a></td>
<td></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2018/01/mtpwn.html">MTPwn</a></td>
<td></td>
</tr>
</tbody>
</table>
</div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="font-family: "times new roman";">
<b>Introduction</b>
</div>
<div style="font-family: "times new roman";">
In my <a href="http://freeandroidforensics.blogspot.com/2018/02/deep-dive-into-app.html">previous post</a>, I made a major announcement. Spoiler alert, I'm going to be a dad!
</div>
<div style="font-family: "times new roman";">
I have since learned, well, a lot. If I were to boil down everything I've learned so far, it would be as follows:
</div>
<ul style="font-family: "times new roman";">
<li>The words "crib", "pack 'n play", and "bassinet" are not synonymous.</li>
<li>Strollers are in fact fashion items for parents, not vehicles for children, and are priced accordingly.</li>
<li>There are many brands of baby bottles. And they are different. And your baby decides which one he or she likes, regardless of how many of a different brand you have purchased.</li>
<li>Baby monitor systems are nothing short of security camera marvels. And as a security person, I am leery of every claim made regarding wireless security.</li>
<li>Kids don't come pre-programmed to sleep through the night. And there is no golden guide to expediting the learning process.</li>
<li>Consignment shops are great places to buy baby stuff. So long as you don't think about drool from other children.</li>
<li>A bouncer is not just a big guy outside of a bar.</li>
<li>A rocker is not just a cool guy with a guitar.</li>
<li>Rockers either go left to right or front to back. And babies only want one or the other, regardless of which one you have already purchased. Or sometimes they want both.</li>
<li>Car seats are like food. They have expiration dates. And you don't want to buy them used.</li>
</ul>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
So as you can imagine, this has been quite the learning curve! I wish somebody would write a good guide to this whole parenting thing meant for us computer guys, except I know us computer guys never read manuals. Unless they are short.
</div>
<div style="font-family: "times new roman";">
So on that note, here's a nice short post on obtaining all the user data files from an Android device instead of a physical image. And why you may do such a thing.
</div>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
<b>Why would I want to do such a thing?</b>
</div>
<div style="font-family: "times new roman";">
So in what scenario would you want to skip the process of physically imaging an Android device in favor of a file system dump? Well first, what exactly am I talking about?
</div>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
A physical image is a file (or set of files) representing a storage volume from beginning to end, such as a hard drive, or in this case, an Android device. It contains every bit of data, stored just as it is stored on the device itself. Done properly, a physical image is an authentic duplicate of the device in question.
</div>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
A file system dump is a copy of all the files in a specific volume. It contains just files. No deleted records, no slack space, just files.
</div>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
In Android, all user data is stored in a partition called userdata. If you only had to pick out one area of the device to image, you would pick userdata, every single day. That is where all databases, user activity, installed apps, all app data, and logs are stored. And assuming there is no external SD card, it is also where photos, videos, and other media files are stored. So this post is about acquiring all the files from userdata. Not slack, just files.
</div>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
So why would we do that? Here are some possible reasons:
</div>
<ul style="font-family: "times new roman";">
<li>You are in a rush</li>
<li>This is not a criminal case, it is only for research</li>
<li>You already obtained a physical image but are having a hard time parsing a file system (more on that later)</li>
</ul>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
<b>How do we do it?</b>
</div>
<div style="font-family: "times new roman";">
Now that I've explained what we are doing and why, let's get it done. First, just like in <a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">obtaining a physical image</a>, your device needs to be rooted, and you also need busybox installed. Hook up your rooted Android device to your Linux or Mac computer.
</div>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
Now we are going to use multiple terminals the way we do in live imaging a phone. Open up two terminals.
</div>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
Terminal 1 will be for interacting with the device. We are going to port forward, effectively making a network connection between the computer and the device over the USB cable. We will create the archive file and pass it over that USB cable to the computer.
</div>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
Port forward to create that network.</div>
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">adb forward tcp:8888 tcp:8888</span></blockquote>
<div style="font-family: "times new roman";">
Open up an adb shell with your phone using the following command:
</div>
<blockquote class="tr_bq" style="font-family: "times new roman"; font-weight: normal;">
<span style="font-family: "courier new" , "courier" , monospace;">adb shell</span></blockquote>
<div style="font-family: "times new roman";">
Once shelled in, gain root.
</div>
<blockquote class="tr_bq" style="font-family: "times new roman"; font-weight: normal;">
<span style="font-family: "courier new" , "courier" , monospace;">su</span></blockquote>
<div style="font-family: "times new roman";">
Then we will begin making the archive.
</div>
<blockquote class="tr_bq" style="font-family: "times new roman"; font-weight: normal;">
<span style="font-family: "courier new" , "courier" , monospace;">busybox tar -cvz /data | busybox nc -l -p 8888</span></blockquote>
<div style="font-family: "times new roman";">
If all goes well, the screen should freeze. This command copies all of /data into an archive file and passes it over the USB wired network connection to whoever is listening. Which leads us to Terminal 2.
</div>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
Terminal 2 will be for interacting with the computer and receiving the archive file. First, go to the directory you want the archive to arrive.
</div>
<blockquote class="tr_bq" style="font-family: "times new roman"; font-weight: normal;">
<span style="font-family: "courier new" , "courier" , monospace;">cd /path/to/desired/location</span></blockquote>
<div style="font-family: "times new roman";">
Now use netcat to listen to the USB network connection and receive the archive.
</div>
<blockquote class="tr_bq" style="font-family: "times new roman"; font-weight: normal;">
<span style="font-family: "courier new" , "courier" , monospace;">nc 127.0.0.1 8888 > data.tar.gz</span></blockquote>
<div style="font-family: "times new roman";">
If all goes well, the screen should freeze. This command listens to local port 8888, as set up previously with the adb forward command, and passes whatever comes out to the file data.tar.gz.
</div>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
You can optionally open a third terminal for monitoring progress. Navigate to the same location as terminal 2 and use ls -l to check the file size.
</div>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
When all is done, you will have the file data.tar.gz, containing all the user files. No slack, just files.
</div>
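<div style="font-family: "times new roman";">
The two terminals above, collapsed into one script with integrity checks on what arrives. This is an added example and not the post's own commands; it assumes the same setup as the post (adb on the host, a rooted device with busybox, nc on the host, port 8888, output file data.tar.gz). The function names are mine.</div>

```shell
#!/bin/sh
# Added example, not code from the original post: the post's two-terminal
# tar-over-netcat procedure wrapped in one script, plus integrity checks on the
# result. Assumes adb on the host, a rooted device with busybox, and nc on the
# host, exactly as the post does; port 8888 and data.tar.gz are the post's.

PORT=8888

# Device side (the post's Terminal 1): archive /data and serve it on port $1.
# -v is left out so the device terminal stays quiet; the host checks progress.
device_side_cmd() {
    printf 'busybox tar -cz /data | busybox nc -l -p %s' "$1"
}

# Host side: forward the port, start the device producer as root in the
# background, then connect (the post's Terminal 2) and save the stream to $2.
acquire_data_dump() {
    port=$1; out=$2
    adb forward "tcp:$port" "tcp:$port" || return 1
    adb shell "su -c \"$(device_side_cmd "$port")\"" &
    sleep 3                                   # give busybox nc time to start listening
    nc 127.0.0.1 "$port" > "$out"
    wait
}

# Verify the received archive: gzip CRC, a readable tar listing, and presence
# of the app private-data tree. Prints the number of entries under data/data/
# and fails (non-zero) on a truncated or corrupt transfer.
verify_data_dump() {
    archive=$1
    gzip -t "$archive" 2>/dev/null || return 1
    tar -tzf "$archive" > /dev/null 2>&1 || return 1
    tar -tzf "$archive" | grep -c '^data/data/'
}

# Record a SHA-256 of the archive for the examination notes.
hash_dump() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Usage: dump.sh acquire        (run the whole procedure and verify)
#        dump.sh verify FILE    (verify and hash an archive you already have)
case "${1:-}" in
    acquire) acquire_data_dump "$PORT" data.tar.gz && verify_data_dump data.tar.gz && hash_dump data.tar.gz ;;
    verify)  verify_data_dump "$2" && hash_dump "$2" ;;
esac
```

<div style="font-family: "times new roman";">
Note the direction of the connection: busybox nc on the device is the listener, and the host-side nc connects to 127.0.0.1:8888, which adb forwards into the device. The verify step catches a truncated transfer (a broken gzip CRC, or a tar that stops mid-entry) before you spend hours on a dump that is missing the end of /data, and the hash is what goes in your notes.</div>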
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
<b>f2fs</b>
</div>
<div style="font-family: "times new roman";">
And finally, a note on f2fs, or <a href="https://en.wikipedia.org/wiki/F2FS">Flash Friendly File System</a>. f2fs is an alternative file system to ext4. f2fs seems to perform far faster than ext4 and may someday be the default on Android devices. As it stands, only a few devices have f2fs support. But I know this is problematic because I have received several emails asking for f2fs assistance. To that, I say two things. One, thank you for letting me know. This post exists largely because of calls for f2fs support. Such emails keep me posted on what issues are out there. And two, forensic support for f2fs is currently not good.
</div>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
FTK Imager does not have f2fs support as of right now. Neither does Autopsy. Some of the pricey tools have f2fs support, but the free tools are lacking. There is <a href="https://packages.ubuntu.com/search?keywords=f2fs-tools">Linux support for f2fs</a>, but I've had limited success.
</div>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
So, if you are trying to image a device where userdata is formatted f2fs, my suggestion is as follows. Use this post to obtain a file system dump of the data partition. Then, if you would like, obtain a physical image for searching through slack.
</div>
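<div style="font-family: "times new roman";">
Before choosing between a physical image and a dump, it helps to know which file system userdata actually carries. The following added example (not from the post) reads the superblock magic from a raw userdata partition image: f2fs stores 0xF2F52010 at byte offset 1024 and ext4 stores 0xEF53 at byte offset 1080 (0x438). The mount helper assumes a Linux host with the matching kernel driver and root; the image must be a raw partition image, not a whole-disk image, or the offsets will not line up.</div>

```shell
#!/bin/sh
# Added example, not from the original post: a portable check of which file
# system a raw userdata partition image carries, so you know up front whether
# the f2fs caveat applies. Offsets are the on-disk superblock magics:
# f2fs keeps 0xF2F52010 at byte 1024, ext4 keeps 0xEF53 at byte 1080 (0x438).
# Assumes $1 is a raw partition image (not a whole-disk image).

# Print $3 bytes at byte offset $2 of file $1 as lowercase hex, no separators.
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Echo "f2fs", "ext4" or "unknown" for the image in $1.
userdata_fs_type() {
    img=$1
    if [ "$(hex_at "$img" 1024 4)" = "1020f5f2" ]; then      # little-endian 0xF2F52010
        echo f2fs
    elif [ "$(hex_at "$img" 1080 2)" = "53ef" ]; then        # little-endian 0xEF53
        echo ext4
    else
        echo unknown
    fi
}

# Mount a userdata image read-only for examination on a Linux host with the
# matching kernel driver. ext4 gets noload and f2fs gets norecovery so that no
# journal replay or roll-forward recovery touches the image. Needs root.
mount_userdata_ro() {
    img=$1; mnt=$2
    case "$(userdata_fs_type "$img")" in
        ext4) mount -t ext4 -o ro,loop,noload "$img" "$mnt" ;;
        f2fs) mount -t f2fs -o ro,loop,norecovery "$img" "$mnt" ;;
        *)    echo "unrecognised file system; fall back to a file system dump" >&2; return 1 ;;
    esac
}

# Usage: fstype.sh userdata.img          (prints the detected type)
#        fstype.sh userdata.img /mnt/ud  (detect and mount read-only)
if [ $# -eq 1 ]; then
    userdata_fs_type "$1"
elif [ $# -eq 2 ]; then
    mount_userdata_ro "$1" "$2"
fi
```

<div style="font-family: "times new roman";">
The ext4 noload and f2fs norecovery options stop the kernel from replaying the journal or running roll-forward recovery at mount time, so even a driver that would normally repair the volume leaves the image alone; hash the image before and after mounting anyway. If the result is f2fs and the mount fails on your host, that is the situation the dump method above is for.</div>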
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
<b>Summary</b>
</div>
<ul style="font-family: "times new roman"; font-weight: normal;">
<li>You can obtain a file system dump of an Android device's data partition, and in some circumstances, this is just what you are looking for.</li>
<li>The process is similar to obtaining a physical image.</li>
<li>Without good f2fs support, consider this process if you are working with an f2fs-enabled device.</li>
</ul>
<div style="font-family: "times new roman";">
<br /></div>
<div style="font-family: "times new roman";">
Questions, comments? Dad advice? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a>
</div>
</div>
</div>
Mark Lohrum (http://www.blogger.com/profile/07077867576734525405)<br />
<br />
Deep dive into an app (published 2018-02-22, updated 2019-04-27)<br />
<h3 style="text-align: center;">
And an announcement</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin-bottom: 0in; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="margin: 0px;">
<b>All blog posts to date</b></div>
</div>
<div style="margin-bottom: 0in;">
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<table style="width: 100%;">
<tbody>
<tr>
<td><b>Introduction</b></td>
<td><b>Acquisition</b></td>
<td><b>Analysis</b></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/introduction.html">Introduction</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/imaging-android-device.html">Imaging an Android Device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/examining-image.html">Examining the image</a></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/picking-toolkit.html">Picking a Toolkit</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">Live imaging an Android device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/10/some-hidden-artifacts-in-physical-image.html">Some hidden artifacts in a physical image</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/04/why-not-load-clockworkmod-or-twrp-to.html">Why not load ClockworkMod or TWRP to image a device?</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/11/using-autopsy-to-examine-android-image.html">Using Autopsy to examine an Android image</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/10/identifying-your-userdata-partition.html">Identifying your Userdata Partition</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/11/some-artifacts-in-datasystem-directory.html">Some artifacts in the /data/system/ directory</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/02/some-non-root-methods-to-learn-about.html">Some non-root methods to learn about a device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/01/viewing-sqlite-databases.html">Viewing SQLite Databases</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/05/a-quick-note-on-imaging-newer-android.html">A quick note on imaging newer Android devices</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/02/facebook-for-android-artifacts.html">Facebook for Android Artifacts</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/07/using-windows-to-live-image-android.html">Using Windows to Live Image an Android device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/06/interpreting-data-from-apps.html">Interpreting data from apps</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2018/04/obtaining-all-files-in-data-partition.html">Obtaining all files in the data partition without a physical image</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/02/waze-for-android-forensics.html">Waze for Android forensics</a></td>
</tr>
<tr>
<td></td>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2019/04/magnet-forensics-app-simulator.html">Magnet Forensics App Simulator</a></td>
</tr>
<tr>
<td><b>App Reversing</b></td>
<td><b>Other Topics</b></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/09/reverse-engineering-android-app-file.html">Reverse Engineering an Android App File</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/09/the-differences-between-physical-image.html">The differences between a physical image and a logical extraction</a></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2017/03/fun-with-apktool.html">Fun with Apktool</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/12/dirty-cow.html">Dirty cow</a></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2018/02/deep-dive-into-app.html">Deep dive into an app</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/08/imaging-and-examining-android-car-stereo.html">Imaging and examining an Android car stereo</a></td>
<td></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/12/unpacking-boot-and-recovery-kernels.html">Unpacking boot and recovery kernels</a></td>
<td></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2018/01/mtpwn.html">MTPwn</a></td>
<td></td>
</tr>
</tbody>
</table>
</div>
</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
First, I have a major announcement to make regarding myself and this blog going forward. The announcement is at the end of the post. If you don't want to read a whole lot about reversing, feel free to skim this post and jump to the bottom.</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
I've done posts before on reverse engineering apps. I've always covered the commands, so I wanted to do something different. I wanted to do some actual reversing and post the findings. Sounds like fun, right?</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
Well, yes and no. Yes, reversing is fun (and frustrating). No, reversing may not always be, say, legal. Which leads me to a problem. I would have loved to reverse a major, well-known app and post the findings here. The problem is something nice called an "End User License Agreement" (EULA). A EULA is a contract between the user of software and the producer of the software. Normally you just click past the EULA, but I decided to read a few for Android apps. Here's a nice little sample from an actual EULA for a major app by a major publisher, under a section called "GENERAL PROHIBITIONS":</div>
<blockquote class="tr_bq" style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
Attempt to decipher, decompile, disassemble or reverse engineer any of the software used to provide the Services or Collective Content.</blockquote>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
Basically, no reverse engineering or we'll send our lawyers after you. Lawyers, they just take all the fun out of life, don't they? (I have multiple lawyers in the family and I guarantee they are laughing right now).</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
So seeing as this blog is called "Free Android Forensics" and there are absolutely no ads, I do not make any money here. I have a PayPal link and I use donations there to maintain my equipment. I would rather not ask for donations to pay my legal bills.</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
So, scratch that plan. Instead, I decided to reverse ...</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Solitaire</b></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
Yes, this post is going to be on reversing a Solitaire app. You know, the one-player card game that shipped with Windows for decades. I found an open source version of Solitaire for Android on a free and open git site. I downloaded it, played it, pulled the compiled APK from my tablet, and reversed it. Why open source? So I can't get in any trouble for reversing it: the source is already online.</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
Here's also why. I want to show the process of reversing, some basic findings, and what makes up an app. We've all played Solitaire and we all know the makeup of a deck of cards and the game logic, so I figured this would be a good app for showing reversing. When I show some reversed app source, the logic should hopefully make sense.</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Getting the APK</b></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
So let's pretend I didn't download source code and compile an Android app. Let's pretend I am pulling an app I installed on my device from the Google Play Store to my computer to reverse it. First step, get the APK (the actual app file) from the Android device to my computer. And I'll show a lazy way.</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
Download <a href="https://play.google.com/store/apps/details?id=com.estrongs.android.pop&hl=en">ES File Explorer</a> (or some other file manager of your choice) to your device. ES File Explorer allows you to copy installed APKs to your SD card. I opened ES File Explorer, went to the app manager, and backed up the Solitaire app. It appeared in a directory on my device at /sdcard/backups. Then I plugged the device into my computer and retrieved the APK using adb.</div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">adb pull /sdcard/backups</span></blockquote>
</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
Within the pulled files was the Solitaire app. That was easy. Note that this route installs a third-party app on the device, which is fine on your own test tablet but not on evidence. A route that installs nothing: <span style="font-family: "courier new" , "courier" , monospace;">adb shell pm path com.exubero.solitaire</span> prints the path of the installed APK under /data/app, and <span style="font-family: "courier new" , "courier" , monospace;">adb pull</span> fetches it from that path without root on most devices, because the APK file itself is world-readable.</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Getting the Android manifest and app version</b></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
My first step in reversing an app is always to obtain the package name and the version of the app. Both are declared in the manifest (AndroidManifest.xml). The package name is the unique name of the app on a device and in the Play Store; the version number is just as it sounds. Together they give you a way of differentiating that app from others: there are many Solitaire apps out there, but only one with a given package name and version number. Also record a hash of the APK file itself. A package name and version can be claimed by anyone who edits a manifest; a hash cannot be faked, and it lets you show later that the file you examined is the file you pulled. I have two ways, two different tools, to obtain the package name and version.</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
First, aapt. If you have the Android SDK installed on your computer, navigate to the build-tools directory and look for the file aapt. Open your terminal and type the following:</div>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">/path/to/aapt l -a /path/to/apk > /path/to/manifest.txt</span></blockquote>
</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
That command runs aapt against the APK file and sends the output to the file manifest.txt. (<span style="font-family: "courier new" , "courier" , monospace;">aapt dump badging /path/to/apk</span> prints the same two values on a single "package:" line if you want something shorter to grep.) Open the txt file and look for the following:</div>
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">A: android:versionName(0x0101021c)="1.12.2" (Raw: "1.12.2")</span><span style="font-family: "courier new" , "courier" , monospace;">A: package="com.exubero.solitaire" (Raw: "com.exubero.solitaire")</span></blockquote>
<div style="color: black; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
These two lines describe the version number (1.12.2) and package name (com.exubero.solitaire).</div>
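Here is the host side of this step as a script. It is an added example, not code from this post or from the Solitaire project: it pulls an app's APK via <span style="font-family: "courier new" , "courier" , monospace;">adb shell pm path</span> so nothing has to be installed on the device, then parses the two aapt lines shown above and hashes the file. It assumes adb and aapt are on PATH; the sample tool output it self-tests against is constructed in the shape of the real output, and the /data/app path in it is illustrative rather than captured from a device.

```python
"""Identify an installed Android app from the host side.

Added example, not code from the original post or the Solitaire project. It
assumes `adb` and `aapt` are on PATH and parses their text output; the sample
outputs embedded below are constructed for the self-test.
"""
import hashlib
import re
import subprocess
from pathlib import Path

# `adb shell pm path <package>` prints one "package:<path>" line per APK
# (apps installed as split APKs print several).
PM_PATH_RE = re.compile(r"^package:(\S+)$", re.MULTILINE)
# The two `aapt l -a` attribute lines the post keys on.
PACKAGE_RE = re.compile(r'A: package="([^"]+)"')
VERSION_RE = re.compile(r'A: android:versionName\(0x0101021c\)="([^"]+)"')


def parse_pm_path(output: str) -> list:
    """Return the on-device APK paths listed by `pm path`; adb may emit CRLF."""
    return PM_PATH_RE.findall(output.replace("\r", ""))


def parse_aapt_manifest(text: str) -> tuple:
    """Return (package, versionName) from `aapt l -a` output, or raise."""
    pkg = PACKAGE_RE.search(text)
    ver = VERSION_RE.search(text)
    if not pkg or not ver:
        raise ValueError("manifest dump lacks package or versionName")
    return pkg.group(1), ver.group(1)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    return sha256_bytes(Path(path).read_bytes())


def pull_apk(package: str, dest: Path) -> list:
    """Pull every APK of `package` without installing anything on the device."""
    proc = subprocess.run(["adb", "shell", "pm", "path", package],
                          capture_output=True, text=True, check=True)
    dest.mkdir(parents=True, exist_ok=True)
    pulled = []
    for remote in parse_pm_path(proc.stdout):
        local = dest / f"{package}-{Path(remote).name}"
        subprocess.run(["adb", "pull", remote, str(local)], check=True)
        pulled.append(local)
    return pulled


def identify(apk: Path) -> dict:
    """Package, version and file hash: the three values to record per APK."""
    proc = subprocess.run(["aapt", "l", "-a", str(apk)],
                          capture_output=True, text=True, check=True)
    package, version = parse_aapt_manifest(proc.stdout)
    return {"package": package, "version": version, "sha256": sha256_file(apk)}


# Constructed samples in the shape of the real tool output (not captured from a device).
SAMPLE_PM_PATH = "package:/data/app/com.exubero.solitaire-1/base.apk\r\n"
SAMPLE_AAPT = """E: manifest (line=2)
  A: android:versionName(0x0101021c)="1.12.2" (Raw: "1.12.2")
  A: package="com.exubero.solitaire" (Raw: "com.exubero.solitaire")
"""

if __name__ == "__main__":
    import sys
    for apk in pull_apk(sys.argv[1], Path("pulled")):
        print(identify(apk))
```

Run it as <span style="font-family: "courier new" , "courier" , monospace;">python identify_apk.py com.exubero.solitaire</span> with a device attached. The parsers are kept separate from the adb and aapt calls so they can be checked against saved tool output without a device.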
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
Second method, apktool. <a href="http://freeandroidforensics.blogspot.com/2017/03/fun-with-apktool.html">I've done a post on apktool</a>. Feel free to read over it. I downloaded the newest version of apktool, placed it in the same directory as the Solitaire APK, and ran it against the app using the following command:</div>
<div>
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">java -jar apktool_2.3.1.jar d solitaire.apk</span></blockquote>
</div>
<div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
The result is a directory called "solitaire" containing a fully dumped version of the app: the smali code (a readable disassembly of the Dalvik bytecode, not Java bytecode), all the XML files within the app decoded back to text, all the native libraries used, and all the images/videos/audio clips/any other resource file required.</div>
<div>
<br /></div>
<div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
Within the directory "solitaire" there is a file AndroidManifest.xml. The package name is there. There also is a file called apktool.yml. The version is there.</div>
<div>
<span style="font-family: "times new roman";"><br /></span></div>
<div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: bold; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Resources</b></div>
<div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
By resources, I mean media files, custom fonts, dictionaries, or other extraneous files required to present the app to the user. We can get to resources one of two ways. First, the apk is just a zip file. We can unzip the apk and retrieve resources. Second, we can use apktool as described above to view resources.</div>
<div>
<span style="font-family: "times new roman";"><br /></span></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
I used apktool. Within the solitaire directory is a directory "res" and within that "drawable". I'll highlight a few interesting images for this demonstration. First, a single image holding the glyphs drawn on all the black cards:<br />
<span style="font-family: "times new roman";"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtFhIMYz6jDVETR6IhPGas60RTme_btpvQYV_UaK8E25wq1R4CFCBauQnjmEdn99svAnbtwx09IFdjruR2TFsPTjaow6GazoABx1W_3MzrQyAzeZa5BQs1WOwP1VDPJi6J0F0_TXGGMhUl/s1600/bigblackfont.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="15" data-original-width="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtFhIMYz6jDVETR6IhPGas60RTme_btpvQYV_UaK8E25wq1R4CFCBauQnjmEdn99svAnbtwx09IFdjruR2TFsPTjaow6GazoABx1W_3MzrQyAzeZa5BQs1WOwP1VDPJi6J0F0_TXGGMhUl/s1600/bigblackfont.png" /></a></div>
<div>
<span style="font-family: "times new roman";"><br /></span>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
There's a red one also. Next, the suit icons.<br />
<span style="font-family: "times new roman";"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh2AKmnl4LmQ4bdM5-oYqoCrv7UlzWlqnJMY41e01CR4nhLU2cQUX0S78mHSk7fV3EwCHf_sDnWBC9_YJnCQ_56rLI_W5MS7g4_oqzj1lmBqv5vbahEFcQdw8iWRd571Xq9yHt2njrhJ2F/s1600/bigsuits.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="25" data-original-width="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh2AKmnl4LmQ4bdM5-oYqoCrv7UlzWlqnJMY41e01CR4nhLU2cQUX0S78mHSk7fV3EwCHf_sDnWBC9_YJnCQ_56rLI_W5MS7g4_oqzj1lmBqv5vbahEFcQdw8iWRd571Xq9yHt2njrhJ2F/s1600/bigsuits.png" /></a></div>
<div>
<span style="font-family: "times new roman";"><br /></span>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
Here's the logo on a red king card.<br />
<span style="font-family: "times new roman";"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuULJ5TF5NQ0SZHlyHy1PdV6clFO2i8aYLXEf8bBhUa3NPfw-wlWg91QOgpw-NpPRdS1J-zkr0Ocwg8eRzrLbG8Gl670q4IkkzUSvPIdeRKoBWEg6YQcHOzuA4zaZ3jrS7GMH-x0ttsRf5/s1600/redking.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="27" data-original-width="31" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuULJ5TF5NQ0SZHlyHy1PdV6clFO2i8aYLXEf8bBhUa3NPfw-wlWg91QOgpw-NpPRdS1J-zkr0Ocwg8eRzrLbG8Gl670q4IkkzUSvPIdeRKoBWEg6YQcHOzuA4zaZ3jrS7GMH-x0ttsRf5/s1600/redking.png" /></a></div>
<div>
<span style="font-family: "times new roman";"><br /></span>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
There's similar art for the other face cards. And finally, the actual icon for the app, the one you would see in your device's app launcher.</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br />
<span style="font-family: "times new roman";"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivrN_AZ8RYkKnkerl1D4z8p6pSy1zNEXi2-0Ko3wyBQOWs570HtQ3aj2HYdK0xjP7QRy2sK48MaHRZef1n3mMKOzsNiGt7y8ja2tOuv472aOGktlLjcihZD8Dt-P16OVTQxf_gkDezYj3O/s1600/solitaire_icon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="64" data-original-width="64" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivrN_AZ8RYkKnkerl1D4z8p6pSy1zNEXi2-0Ko3wyBQOWs570HtQ3aj2HYdK0xjP7QRy2sK48MaHRZef1n3mMKOzsNiGt7y8ja2tOuv472aOGktlLjcihZD8Dt-P16OVTQxf_gkDezYj3O/s1600/solitaire_icon.png" /></a></div>
<div>
<span style="font-family: "times new roman";"><br /></span>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
Solitaire is a simple app. Complicated apps could have way more images. There also could be audio and video.<br />
<span style="font-family: "times new roman";"><br /></span>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
There also is a directory within res called "layout". This directory contains XML files describing any given screen the user could see. If you've ever written an Android app in either the old Eclipse or the current Android Studio, you may have played with the layout editor. When you lay out a screen there, you actually are creating an XML file. Here is an entry in the file stats.xml, which describes the stats screen of your game usage.</div>
<div>
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;"><TextView android:textSize="20.0sp" android:gravity="center" android:id="@id/text_best_time" android:focusable="true" android:layout_width="fill_parent" android:layout_height="wrap_content" android:text="@string/solitaire_layout_text_text" /></span></blockquote>
<span style="font-family: "times new roman";">This line describes a text box called "text_best_time", which would presumably display the best playing time the user has ever achieved in Solitaire.</span><br />
<span style="font-family: "times new roman";"><br /></span>
<span style="font-family: "times new roman";">Note on the xml files. The compilation process of an app also compiles the xml files. If you want to see the decompiled xml files from an APK, you have to use apktool. If you unzip the APK and try to look at any xml file, including the manifest, you get junk.</span><br />
<span style="font-family: "times new roman";"><br /></span>
<span style="font-family: "times new roman";"><b>Source code</b></span><br />
<span style="font-family: "times new roman";">apktool decompiles the apk to smali, which is java byte code. It is tougher to read than actual java. So let's decompile the app to java. I am using Santoku, a custom version of Linux developed for free by the company NowSecure which contains built-in mobile forensics tools. It contains dex2jar and jd-gui. I'll describe both as I use them for the Solitaire app. You also can Google these tools and download them. They can run in Linux and Windows. I prefer Linux personally. I also <a href="http://freeandroidforensics.blogspot.com/2014/09/reverse-engineering-android-app-file.html">previously wrote a post on this process</a>.</span><br />
<span style="font-family: "times new roman";"><br />First, let's use dex2jar. Within an Android apk file is a file called classes.dex. That file is the compiled source code. It is the actual executable part of an app. It contains all the logic that makes the app run and codes the app's behaviors. dex2jar converts the classes.dex into a Java JAR (Java Archive) file, which you can decompile using your Java decompiler of choice. The syntax for dex2jar is as follows:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">d2j-dex2jar solitaire.apk </span></blockquote>
<span style="font-family: "times new roman";">The result is a file called </span><span style="font-family: "times new roman";">solitaire-dex2jar.jar. Note, you also can unzip the apk, retrieve the file classes.dex, and run dex2jar against classes.dex.</span></div>
<div>
<br />
Now we use a decompiler to view the resultant jar file. I use JD GUI as it is built into Santoku. The line to open the jar in JD GUI is as follows:<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">jd-gui <span style="font-family: "times new roman";">solitaire-dex2jar.jar</span></span></blockquote>
<span style="font-family: "times new roman";">Then the tool JD GUI opens up to view the Java source. Pretty nifty.</span><br />
<span style="font-family: "times new roman";"><br /></span>
<span style="font-family: "times new roman";">Here are some quick findings. First, the coder defined what a card is. So there is an object called "Card."</span><br />
<span style="font-family: "times new roman";"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhujV39U097EVBWX0ewZ3F4E7ZAAKXZAw8jM-xXSta8eWBbogJKrc3BxO3YCmy33fK5TDs_awU1DY6Rn5d_6Onu1gHQz2aA4UZDpeqcrLQ8qiHefovtOxA1o_ZZkTGrRrOXwoB92h5HU5iq/s1600/card_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="195" data-original-width="311" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhujV39U097EVBWX0ewZ3F4E7ZAAKXZAw8jM-xXSta8eWBbogJKrc3BxO3YCmy33fK5TDs_awU1DY6Rn5d_6Onu1gHQz2aA4UZDpeqcrLQ8qiHefovtOxA1o_ZZkTGrRrOXwoB92h5HU5iq/s1600/card_1.png" /></a></div>
<br />
As you can see, the developer defined all four suits (hearts, diamonds, clubs, and spades) and the named ranks (jack, queen, king, and ace).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4q0dwyOCj1ldtSif3YSJZjZZgIC6_9SBfUwOw9vlhJPVddi9LEdkVxDiVuo3RymvICrZjzP7W8y8Zn2tlbhvX2Bhx9tBWFiewT-PIcqpwDSgsfYP8r6vNWBrArUyfBsYjX8rqNqi3VBjz/s1600/card_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="177" data-original-width="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4q0dwyOCj1ldtSif3YSJZjZZgIC6_9SBfUwOw9vlhJPVddi9LEdkVxDiVuo3RymvICrZjzP7W8y8Zn2tlbhvX2Bhx9tBWFiewT-PIcqpwDSgsfYP8r6vNWBrArUyfBsYjX8rqNqi3VBjz/s1600/card_2.png" /></a></div>
<br />
Above are the public methods getSuit and getValue. Other classes call them on a Card object to make decisions based on which card it is.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ-x0Z8PVHYSSt34H6JFNjDhLyvRD8lGgDsXXldXVZW9bvJYyrBBT32htOzLPOMheEnIkXjwyuBx8oQkGYKkij455BhXkmS3PNGzqv6UQTf6mK5UjhbjO7aHFAFIQELvgT69xJrzWKYeDd/s1600/deal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="121" data-original-width="436" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ-x0Z8PVHYSSt34H6JFNjDhLyvRD8lGgDsXXldXVZW9bvJYyrBBT32htOzLPOMheEnIkXjwyuBx8oQkGYKkij455BhXkmS3PNGzqv6UQTf6mK5UjhbjO7aHFAFIQELvgT69xJrzWKYeDd/s400/deal.png" width="400" /></a></div>
<br />
Here is logic that is part of dealing. There are seven stacks of cards to move around in order to reveal the hidden cards and ultimately move all the cards into four stacks, one per suit. The logic above has seven card "anchors" where a card can be added.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8nfa4XPMNzQb_4SX5ZORn5F7J2EyHsJ0446Ej4TSEKhdIyw4XA_tTqd1ZCQqiQ7XQpCv1JYLcJ4uv5EMeKC4awGXWaebU9nwsVoDH-SWj8p2pvf_iFudSgEX6_xhbZdxUkeNQJDew94d0/s1600/init.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="222" data-original-width="593" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8nfa4XPMNzQb_4SX5ZORn5F7J2EyHsJ0446Ej4TSEKhdIyw4XA_tTqd1ZCQqiQ7XQpCv1JYLcJ4uv5EMeKC4awGXWaebU9nwsVoDH-SWj8p2pvf_iFudSgEX6_xhbZdxUkeNQJDew94d0/s640/init.png" width="640" /></a></div>
<br />
Speaking of dealing, there's shuffling. The deck is shuffled three times to ensure randomness.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLrwwTI7Rh1xzojI7ZfYOtIAL6qSiy8sCiX1cZN1FCdULxGXJ6Tx7AiuVNGMM0jRSd8ZRuTfpRg5_TOSihX5FzsEgBW-VnvC4FepX7qZcwF_PEoFPHK_8-1tsdXyMmdyBIVSoNgthhStRD/s1600/shuffle.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="213" data-original-width="289" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLrwwTI7Rh1xzojI7ZfYOtIAL6qSiy8sCiX1cZN1FCdULxGXJ6Tx7AiuVNGMM0jRSd8ZRuTfpRg5_TOSihX5FzsEgBW-VnvC4FepX7qZcwF_PEoFPHK_8-1tsdXyMmdyBIVSoNgthhStRD/s1600/shuffle.png" /></a></div>
<br />
And above is the actual shuffling logic.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMqwE0aUbJMu0MraUZeewcFPCg77RJ11UlbqhW6FTFPmNIOAOFgoBxoHkCVNCzvrBlP8-dCdPp6BoQuzpFKNwxGLrr5wbo8d_NT2Y54duWb8OhxL-_hulUoVzxd9tIZHsNPhzN7OfEaqcJ/s1600/suitlogic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="356" data-original-width="569" height="350" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMqwE0aUbJMu0MraUZeewcFPCg77RJ11UlbqhW6FTFPmNIOAOFgoBxoHkCVNCzvrBlP8-dCdPp6BoQuzpFKNwxGLrr5wbo8d_NT2Y54duWb8OhxL-_hulUoVzxd9tIZHsNPhzN7OfEaqcJ/s640/suitlogic.png" width="560" /></a></div>
<br />
The above shows some important functions. As you know in Solitaire, when you are moving cards among the seven stacks, you can put a red card onto a black or a black onto a red, but you cannot put a black onto a black or a red onto a red. That is what the function "isSuitsOppositeColours" checks. The objective is to build four stacks of face values - all thirteen hearts in a stack, all thirteen diamonds, etc. - so there is also a function called "isSuitsEqual". These functions are called to compare two cards and decide whether they can be stacked on top of each other in a given context.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB7FAPBWxdib5vPESzipEyj9jUceRBqnBZrDAzblPNOI36EKVdSDFYO9y7oYS_erLHRMiK6hYMa42bsRv1bvmq3ze5v-3ZfrQLlvfMb2axzYOAwftXdqzpqHkO3vq0aKk88LTcuCYrU_y9/s1600/win.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="200" data-original-width="446" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB7FAPBWxdib5vPESzipEyj9jUceRBqnBZrDAzblPNOI36EKVdSDFYO9y7oYS_erLHRMiK6hYMa42bsRv1bvmq3ze5v-3ZfrQLlvfMb2axzYOAwftXdqzpqHkO3vq0aKk88LTcuCYrU_y9/s1600/win.png" /></a></div>
<br />
When the user wins, the code above edits a file to update the statistics. In the app's directory within /data/data, there is a file SolitairePreferences.xml in the shared_prefs directory. The code above has an integer called j, which holds the fastest time as stored in SolitairePreferences.xml. The line<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">if ((j == -1) || (this.elapsed < j))</span></blockquote>
checks whether the win just now took less time than the fastest time recorded in the xml file. If the recorded fastest time is -1, no win has been recorded yet, so the win just now was the first win.<br />
<br />
My tablet is rooted, so I was able to retrieve the app's data files. Here is what that xml file looks like:<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;"><?xml version='1.0' encoding='utf-8' standalone='yes' ?></span><span style="font-family: "courier new" , "courier" , monospace;"><map></span><span style="font-family: "courier new" , "courier" , monospace;"> <boolean name="SolitaireDealThree" value="false" /></span><span style="font-family: "courier new" , "courier" , monospace;"> <boolean name="PlayedBefore" value="true" /></span><span style="font-family: "courier new" , "courier" , monospace;"> <boolean name="SolitaireSaveValid" value="false" /></span><span style="font-family: "courier new" , "courier" , monospace;"> <int name="SolitaireNormalDeal1Score" value="0" /></span><span style="font-family: "courier new" , "courier" , monospace;"> <int name="LastType" value="1" /></span><span style="font-family: "courier new" , "courier" , monospace;"> <int name="SolitaireNormalDeal1Attempts" value="19" /></span><span style="font-family: "courier new" , "courier" , monospace;"> <int name="SolitaireNormalDeal3Score" value="0" /></span><span style="font-family: "courier new" , "courier" , monospace;"> <int name="SolitaireNormalDeal1Wins" value="10" /></span><span style="font-family: "courier new" , "courier" , monospace;"> <int name="SolitaireNormalDeal1Time" value="213768" /></span><span style="font-family: "courier new" , "courier" , monospace;"></map></span></blockquote>
<div>
The entry "SolitaireNormalDeal1Time" is the fastest time (in milliseconds). So if the value this.elapsed, the time required to win the game in milliseconds, is smaller than 213768, the new value of SolitaireNormalDeal1Time will be the current this.elapsed.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCb0sWdCtxFN6l_RtNcct6a1abF_iUlGtnKiV00XdMmTTXXT3AxW_GcerD-0iUnb9yFCHzzdL4M3wuSlPIXKshP3sA8UZXoNlpWNTEJGYtmkDGZzfyqDQkz9JaZmxVJE-Nn1SJ0knPb2VG/s1600/shared_prefs2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="173" data-original-width="597" height="184" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCb0sWdCtxFN6l_RtNcct6a1abF_iUlGtnKiV00XdMmTTXXT3AxW_GcerD-0iUnb9yFCHzzdL4M3wuSlPIXKshP3sA8UZXoNlpWNTEJGYtmkDGZzfyqDQkz9JaZmxVJE-Nn1SJ0knPb2VG/s640/shared_prefs2.png" width="640" /></a></div>
<div>
<br /></div>
<div>
If you remember above, I mentioned there was a stats.xml file which describes the layout of the stats screen. The logic above fills in the best time. The integer k is the fastest time as read from the SolitairePreferences.xml file. The value i1 will be the number of minutes and n will be the seconds. This logic takes the fastest time from the xml file (213768) and turns it into minutes and seconds (3 minutes 33 seconds). <br />
<br /></div>
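To make the two pieces of app logic above concrete without the decompiler, here is an added example (my code, not the Solitaire app's or the original post's) that parses an Android shared_prefs XML file and reproduces both the "new fastest time" check and the millisecond-to-minutes/seconds conversion that feeds the stats screen. The embedded XML is a constructed copy of the SolitairePreferences.xml shown above with the same names and values; the function names are mine.

```python
"""Parse an Android shared_prefs file and decode the Solitaire statistics.

Added example, not code from the Solitaire app or the original post. It
reads a shared_prefs <map> into typed Python values, then mirrors the two
bits of decompiled logic discussed above: the fastest-time comparison in the
win handler and the ms -> minutes/seconds conversion in the stats view.
"""
import xml.etree.ElementTree as ET

# Constructed copy of the SolitairePreferences.xml from the post (same values).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <boolean name="SolitaireDealThree" value="false" />
    <boolean name="PlayedBefore" value="true" />
    <boolean name="SolitaireSaveValid" value="false" />
    <int name="SolitaireNormalDeal1Score" value="0" />
    <int name="LastType" value="1" />
    <int name="SolitaireNormalDeal1Attempts" value="19" />
    <int name="SolitaireNormalDeal3Score" value="0" />
    <int name="SolitaireNormalDeal1Wins" value="10" />
    <int name="SolitaireNormalDeal1Time" value="213768" />
</map>
"""


def parse_shared_prefs(xml_text):
    """Return {name: typed value} for a shared_prefs <map>.

    Android writes one element per key and uses the tag as the type. Strings
    carry their text in the element body instead of a value attribute.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "map":
        raise ValueError("not a shared_prefs file: root is <%s>" % root.tag)
    prefs = {}
    for el in root:
        name = el.get("name")
        if el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
        elif el.tag in ("int", "long"):
            prefs[name] = int(el.get("value"))
        elif el.tag == "float":
            prefs[name] = float(el.get("value"))
        elif el.tag == "string":
            prefs[name] = el.text or ""
        else:
            # <set> and anything unexpected: keep the child texts as a list
            prefs[name] = [child.text or "" for child in el]
    return prefs


def is_new_fastest(elapsed_ms, fastest_ms):
    """Same test as the decompiled win handler: -1 means no win recorded yet."""
    return fastest_ms == -1 or elapsed_ms < fastest_ms


def ms_to_min_sec(ms):
    """Whole minutes and seconds, dropping the sub-second remainder as the stats view does."""
    total_seconds = ms // 1000
    return total_seconds // 60, total_seconds % 60


def summarize(xml_text):
    """The fields an examiner would report from this preferences file."""
    prefs = parse_shared_prefs(xml_text)
    fastest = prefs["SolitaireNormalDeal1Time"]
    minutes, seconds = ms_to_min_sec(fastest)
    return {
        "attempts": prefs["SolitaireNormalDeal1Attempts"],
        "wins": prefs["SolitaireNormalDeal1Wins"],
        "fastest_ms": fastest,
        "fastest_display": "%d:%02d" % (minutes, seconds),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_PREFS))
```

The parser is generic, so the same function works on any app's shared_prefs file pulled from /data/data; the summary is specific to the keys this app writes. Note that the stored time only changes when is_new_fastest is true, so the file records the best win, not the most recent one.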
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNEEtVJ3BgZY9MgV6_eTTnp5j-8TGB29lvDHl0q7r0_3o7X2_uwgV0OzH7wOtmkacnnfPdkVqUys01yFLnZCpajjUovmH7xXJ54GGkhb-yDgbktIjD0eGgGbf-wcl0852PDVoWozXx3mx0/s1600/Screenshot_20180123-215320.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1000" data-original-width="1600" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNEEtVJ3BgZY9MgV6_eTTnp5j-8TGB29lvDHl0q7r0_3o7X2_uwgV0OzH7wOtmkacnnfPdkVqUys01yFLnZCpajjUovmH7xXJ54GGkhb-yDgbktIjD0eGgGbf-wcl0852PDVoWozXx3mx0/s400/Screenshot_20180123-215320.png" width="400" /></a></div>
<div>
<br /></div>
<div>
And there's a screenshot of my stats view. Don't judge.</div>
<div>
<br /></div>
<div>
And there's lots more you could find by reversing the app. Reversing is a rabbit hole. It always keeps getting deeper.</div>
<div>
<br /></div>
<div>
<b>Big picture</b></div>
<div>
So admittedly reversing a game is not very useful. If you are conducting an investigation and you spend your time reversing somebody's solitaire game, you are probably wasting a lot of time.</div>
<div>
<br /></div>
<div>
Here's the thing. If you are investigating a device and you see some data associated with an app that could be interesting, but you cannot explain the meaning of that data, you may need to do some reversing. The processes, tools, and techniques in this post work on any app out there. You can take an APK file, reverse it to source using dex2jar and a decompiler such as jd-gui, and then go hunting through the Java for the logic that creates said interesting data. You can use apktool to get the xml files to compare against the Java source code. Then you can figure out what that data means. Just expect the results to be much harder to find, and much more time spent, than in a simple Solitaire app. The methods are straightforward. The analysis can be quite advanced. And frustrating.</div>
<div>
<br /></div>
</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Announcement</b></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
So here's my announcement, and it is a major one. I often talk about my wife, and sometimes my cat. That's my family. Well, that's all changing. My wife is pregnant! We're going to be parents!</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
So what does that mean going forward? Well, lots. Everything in my life is going to be changing. What does that mean for this blog? I do this blog in my free time. My free time is right now spent approximately as follows:<br />
<ul>
<li>playing video games</li>
<li>hacking around with phones and computers</li>
<li>playing video games</li>
<li>going for bike rides and runs</li>
<li>playing video games</li>
<li>watching football</li>
<li>playing video games</li>
<li>spending time with my wife which often involves ...</li>
<li>playing video games</li>
<li>working on my car</li>
<li>playing video games</li>
</ul>
I suspect that free time is soon going to look more like the following:<br />
<ul>
<li>changing diapers</li>
<li>freaking out about everything sharp or poisonous in my house thus baby proofing everything</li>
<li>changing diapers</li>
<li>attempting to get an hour or two of sleep</li>
<li>changing diapers</li>
<li>cleaning up barf</li>
<li>changing diapers</li>
<li>checking on a crying child which often will lead to ... </li>
<li>changing diapers</li>
<li>taking pictures of absolutely everything</li>
<li>changing diapers.</li>
</ul>
</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
Point is, I may not have as much time to devote to this blog as normal going forward. No I'm not retiring, no this blog is not going away, and yes you'll still be able to reach me for questions. I just will probably be around a bit less.</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
Exciting news!</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<b>Summary</b></div>
<ul style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<li>There are many tools out there for reverse engineering Android apps</li>
<li>Check out the app's code and correlate findings with files in the res/ directory and data files created by the user</li>
<li>Code review can help make sense of user-generated files</li>
<li>The process for reverse engineering a simple app is the same as a complicated app</li>
</ul>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
Questions, comments? Good parenting advice? <span style="font-family: inherit;">Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a></span></div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
</div>
Mark Lohrumhttp://www.blogger.com/profile/07077867576734525405noreply@blogger.com3tag:blogger.com,1999:blog-6748555274835706450.post-86488975804524077182018-01-06T10:44:00.003-08:002019-04-27T06:35:08.709-07:00MTPwn<br />
<h3 style="text-align: center;">
You know better than to trust a strange computer</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin-bottom: 0in; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="margin: 0px;">
<b>All blog posts to date</b></div>
</div>
<div style="margin-bottom: 0in;">
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<table style="width: 100%;">
<tbody>
<tr>
<td><b>Introduction</b></td>
<td><b>Acquisition</b></td>
<td><b>Analysis</b></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/introduction.html">Introduction</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/imaging-android-device.html">Imaging an Android Device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/examining-image.html">Examining the image</a></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/picking-toolkit.html">Picking a Toolkit</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">Live imaging an Android device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/10/some-hidden-artifacts-in-physical-image.html">Some hidden artifacts in a physical image</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/04/why-not-load-clockworkmod-or-twrp-to.html">Why not load ClockworkMod or TWRP to image a device?</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/11/using-autopsy-to-examine-android-image.html">Using Autopsy to examine an Android image</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/10/identifying-your-userdata-partition.html">Identifying your Userdata Partition</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/11/some-artifacts-in-datasystem-directory.html">Some artifacts in the /data/system/ directory</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/02/some-non-root-methods-to-learn-about.html">Some non-root methods to learn about a device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/01/viewing-sqlite-databases.html">Viewing SQLite Databases</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/05/a-quick-note-on-imaging-newer-android.html">A quick note on imaging newer Android devices</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/02/facebook-for-android-artifacts.html">Facebook for Android Artifacts</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/07/using-windows-to-live-image-android.html">Using Windows to Live Image an Android device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/06/interpreting-data-from-apps.html">Interpreting data from apps</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2018/04/obtaining-all-files-in-data-partition.html">Obtaining all files in the data partition without a physical image</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/02/waze-for-android-forensics.html">Waze for Android forensics</a></td>
</tr>
<tr>
<td></td>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2019/04/magnet-forensics-app-simulator.html">Magnet Forensics App Simulator</a></td>
</tr>
<tr>
<td><b>App Reversing</b></td>
<td><b>Other Topics</b></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/09/reverse-engineering-android-app-file.html">Reverse Engineering an Android App File</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/09/the-differences-between-physical-image.html">The differences between a physical image and a logical extraction</a></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2017/03/fun-with-apktool.html">Fun with Apktool</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/12/dirty-cow.html">Dirty cow</a></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2018/02/deep-dive-into-app.html">Deep dive into an app</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/08/imaging-and-examining-android-car-stereo.html">Imaging and examining an Android car stereo</a></td>
<td></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/12/unpacking-boot-and-recovery-kernels.html">Unpacking boot and recovery kernels</a></td>
<td></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2018/01/mtpwn.html">MTPwn</a></td>
<td></td>
</tr>
</tbody>
</table>
</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b><br />
My wife and I travel a lot. We have visited four of the seven continents, many countries, hiked in amazing places, eaten all kinds of foreign and exciting foods, taken in many cultures different from our own, and seen some unforgettable sights. And we've also had some bizarre moments, like being offered cooked snake and scorpion on a skewer. We said no.<br />
<br />
We have loads of travel stories. And we're glad to share some. Just ask! <br />
<br />
So naturally, we spend a lot of time in airports. The first time we traveled together, I saw something like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBMligaBxw5855HnpprOd7qHt5t-9n3irniR4d1ShG8YZyF2sX_BghM0db6u0MjEVbKuVtsYZmv5xNaH3ixkcOo5WZ1bBGTEZwLkrzhaGmysu8DfzrwbKRv9lQVTuQduWT5MfBgc2qqUG6/s1600/USBcharger.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="400" data-original-width="600" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBMligaBxw5855HnpprOd7qHt5t-9n3irniR4d1ShG8YZyF2sX_BghM0db6u0MjEVbKuVtsYZmv5xNaH3ixkcOo5WZ1bBGTEZwLkrzhaGmysu8DfzrwbKRv9lQVTuQduWT5MfBgc2qqUG6/s320/USBcharger.jpg" width="320" /></a></div>
<br />
or this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQQ8BeNdUSxx6TS8j8YvSO7zeusaBlAOmDUrQEH7Zvh70SnlY5Qohr44mlhV-Vgl3LJLhS3tQ4IFesh4JWwiNqnNO59bq3APyQOWInLgkSFD6FnB-E2vs1aB-m8LaQuRod8kx1yCCBK-Lm/s1600/USBcharger_plane.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1200" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQQ8BeNdUSxx6TS8j8YvSO7zeusaBlAOmDUrQEH7Zvh70SnlY5Qohr44mlhV-Vgl3LJLhS3tQ4IFesh4JWwiNqnNO59bq3APyQOWInLgkSFD6FnB-E2vs1aB-m8LaQuRod8kx1yCCBK-Lm/s320/USBcharger_plane.jpg" width="320" /></a></div>
<br />
I respectfully declined and instead used one of these:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsoAfj8bSs44dberPjYvHvqGyvZsOOnneSqKcBbYHYIxljlRWUgBgF1wLDQOytLivJOdHFasyyh2EnFEZp6C5GbYst5Ig5EP1zX9PxnbwLfvCEPjrUINFBV5kWtS5SVxImmGgmS7cNsn04/s1600/SamsungUSBcharger.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="408" data-original-width="500" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsoAfj8bSs44dberPjYvHvqGyvZsOOnneSqKcBbYHYIxljlRWUgBgF1wLDQOytLivJOdHFasyyh2EnFEZp6C5GbYst5Ig5EP1zX9PxnbwLfvCEPjrUINFBV5kWtS5SVxImmGgmS7cNsn04/s320/SamsungUSBcharger.jpg" width="320" /></a></div>
She asked why, and so I explained my reasoning, quoting C-3PO: you know better than to trust a strange computer.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkamSD3PvqmFz-Twg01T6Ctu-cx4YCDYoCbi_pLb_pMgY-xD_Bi-qUIpArnE3ksCHnnj57X0RTo6TfRQGWzqjVkNp_TcUJHnhGBrwj6KlraxsGKFbRofTrewRb79LCaAlH3cdTKBFSXWR-/s1600/R2D2_fried.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="650" data-original-width="980" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkamSD3PvqmFz-Twg01T6Ctu-cx4YCDYoCbi_pLb_pMgY-xD_Bi-qUIpArnE3ksCHnnj57X0RTo6TfRQGWzqjVkNp_TcUJHnhGBrwj6KlraxsGKFbRofTrewRb79LCaAlH3cdTKBFSXWR-/s400/R2D2_fried.jpg" width="400" /></a></div>
<br />
You can't see what's behind that USB port. Is it just drawing power? Or is it also attempting a data connection? You don't know, so it will do you good to not trust it. <br />
<br />
Very recently, developer Salvatore Mesoraca published a proof-of-concept exploit on GitHub called MTPwn. This post is about MTPwn: what the exploit is, its forensic implications, and why you should only ever trust your own computing equipment.<br />
<br />
<b>MTPwn</b><br />
<a href="https://en.wikipedia.org/wiki/Media_Transfer_Protocol">Media Transfer Protocol</a>, or MTP, is the protocol that allows you to easily connect your Android phone to your computer and copy bidirectionally files, including photos and videos. When you plug your Android phone into your Windows computer, you may see something like this on your phone:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfc9jkNs18__oxt3W5r2boz_98cXwiG4QbXuXLI7bcW6PLiIaV5iL5JQdNeduEgusD5J08KB9jDtRiaZ0-vf5b1haDJ11Ww2LRi1j8hRCnDT1owZ-oJn0mawcZlFPIC4ulPAEP67njrZae/s1600/MTP_Samsung.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="713" data-original-width="1170" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfc9jkNs18__oxt3W5r2boz_98cXwiG4QbXuXLI7bcW6PLiIaV5iL5JQdNeduEgusD5J08KB9jDtRiaZ0-vf5b1haDJ11Ww2LRi1j8hRCnDT1owZ-oJn0mawcZlFPIC4ulPAEP67njrZae/s320/MTP_Samsung.png" width="320" /></a></div>
<br />
And this on your Windows computer:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqJnSIAQ7HNITpQj54pbsXck9vy36m9jekwcV97rCWaVvw0eitxS2jFznZPUcQ2mIGDJ05l4IRIBUW8LInEZtFQNJy2MT8qGgfDFqwq_PMZqk9hlT-cvSee_sq95a-H1Kjpm3RQ2s9vYsN/s1600/MTP_windows.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="371" data-original-width="650" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqJnSIAQ7HNITpQj54pbsXck9vy36m9jekwcV97rCWaVvw0eitxS2jFznZPUcQ2mIGDJ05l4IRIBUW8LInEZtFQNJy2MT8qGgfDFqwq_PMZqk9hlT-cvSee_sq95a-H1Kjpm3RQ2s9vYsN/s400/MTP_windows.png" width="400" /></a></div>
<br />
So long as this connection gets set up properly, you can now transfer files back and forth.<br />
<br />
The files you transfer back and forth are in the phone's SD card or internal SD card directory. You can't access app data or other protected data. You need root privileges to access such data. MTP only gets access to "unprotected" files.<br />
<br />
And you also know that if your phone is locked with a PIN, you need to unlock the phone first to allow the computer to access contents via MTP. Well, not anymore, thanks to MTPwn.<br />
<br />
MTPwn is an exploit against MTP. You can plug a locked Samsung Android phone into a computer, keep it locked, and still access contents. You can only get the contents MTP can access, so there is no root access. You still need to root the phone to obtain a physical image or access protected contents.<br />
<br />
Just to say again, this is a Samsung-specific exploit as far as I know.<br />
<br />
<b>Using MTPwn</b><br />
MTPwn is very easy to set up. Use a Linux computer and <a href="https://github.com/smeso/MTPwn">download the repository from GitHub</a>. All credit goes to the developer Salvatore Mesoraca for this awesome work.<br />
<br />
The page has excellent instructions. I won't rehash the build instructions there. Go ahead and build the tool.<br />
<br />
Now plug in your locked Samsung Android phone. Then run MTPwn. I prefer to redirect output to a file for easy reading.<br />
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">$ ./mtpwn > mtpwnout.txt</span> </blockquote>
It may take some time, as the GitHub page notes. You will see some information about the device. And then when done, all the available file names are printed on the screen, or redirected to a file if you prefer as I do.<br />
<br />
So I checked out the file mtpwnout.txt, and indeed it is a whole list of available files, including a list of all my photos taken.<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">...</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Galaxy S6/10001/DCIM/Camera/20171107_223803.jpg<br />Galaxy S6/10001/DCIM/Camera/20171107_223805.jpg<br />Galaxy S6/10001/DCIM/Camera/20171107_223807.jpg<br />Galaxy S6/10001/DCIM/Camera/20171107_223815.jpg<br />Galaxy S6/10001/DCIM/Camera/20171107_223818.jpg<br />Galaxy S6/10001/DCIM/Camera/20171110_121840.jpg<br />Galaxy S6/10001/DCIM/Camera/20171110_121857.jpg<br />Galaxy S6/10001/DCIM/Camera/20171111_104623.jpg<br />Galaxy S6/10001/DCIM/Camera/20171118_225736.jpg<br />Galaxy S6/10001/DCIM/Camera/20171124_203841.jpg<br />Galaxy S6/10001/DCIM/Camera/20171124_203902.jpg<br />...</span></blockquote>
And so on and so forth.<br />
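Before deciding whether a listing like this is worth anything to a case, an examiner usually wants a quick triage: which directories are exposed over MTP, how many files each holds, and what date range the camera files span. Here is an added example (my code, not part of MTPwn or the original post) that does that over the redirected mtpwnout.txt. The sample lines are constructed to match the format above (device name, storage id, path); the Samsung camera naming YYYYMMDD_HHMMSS comes from the listing, while the Screenshot_YYYYMMDD-HHMMSS pattern and the Download and WhatsApp paths are my assumptions.

```python
"""Triage an MTPwn file listing (mtpwnout.txt).

Added example, not MTPwn project code or code from the original post. It
parses the 'device/storage/path' lines that mtpwn prints, counts files per
top-level directory and pulls the capture timestamps encoded in camera-style
file names, so the examiner can judge the value of the exposed /sdcard
contents before doing anything else.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the post's output: device name, storage id, path.
# Screenshot, Download and WhatsApp entries are assumed, not from the post.
SAMPLE_LISTING = """\
Galaxy S6/10001/DCIM/Camera/20171107_223803.jpg
Galaxy S6/10001/DCIM/Camera/20171107_223805.jpg
Galaxy S6/10001/DCIM/Camera/20171110_121840.jpg
Galaxy S6/10001/DCIM/Camera/20171111_104623.jpg
Galaxy S6/10001/DCIM/Camera/20171124_203841.jpg
Galaxy S6/10001/DCIM/Screenshots/Screenshot_20171118-225736.png
Galaxy S6/10001/Download/invoice.pdf
Galaxy S6/10001/WhatsApp/Media/WhatsApp Images/IMG-20171120-WA0003.jpg
"""

# Samsung camera names: YYYYMMDD_HHMMSS.ext (seen in the post's listing).
CAMERA_RE = re.compile(r"^(\d{8})_(\d{6})\.\w+$")
# Assumed screenshot naming: Screenshot_YYYYMMDD-HHMMSS.ext
SCREENSHOT_RE = re.compile(r"^Screenshot_(\d{8})-(\d{6})\.\w+$")


def parse_listing(text):
    """Split each 'device/storage/relpath' line into a (device, storage, relpath) tuple."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "...":
            continue  # blank lines and the ellipsis the post uses for elided output
        parts = line.split("/", 2)
        if len(parts) != 3:
            continue  # banner/device-info lines do not follow the path layout
        entries.append(tuple(parts))
    return entries


def filename_timestamp(relpath):
    """Capture time encoded in the file name, or None when the name carries none."""
    name = relpath.rsplit("/", 1)[-1]
    for rx in (CAMERA_RE, SCREENSHOT_RE):
        m = rx.match(name)
        if m:
            return datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
    return None


def directory_counts(entries):
    """Number of exposed files under each top-level /sdcard directory."""
    return Counter(relpath.split("/", 1)[0] for _, _, relpath in entries)


def capture_window(entries):
    """(earliest, latest) filename-derived timestamps, or None if nothing is dated."""
    stamps = [t for t in (filename_timestamp(r) for _, _, r in entries) if t]
    if not stamps:
        return None
    return min(stamps), max(stamps)


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    print(directory_counts(found))
    print(capture_window(found))
```

Treat the filename timestamps as a triage hint only: they come from the device clock at capture time and a file can be renamed, so they are not a substitute for the EXIF data and filesystem metadata you would examine once the files themselves are in hand.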
<br />
Additionally, MTPwn both places a file on the device and pulls a random one. It pulled a random photo off my phone of a woodpecker we saw in southern Chile. This photo was extracted from my locked Samsung Galaxy S6 phone, plugged into my computer in what I thought was only charge mode, where I did not authorize a connection.<br />
<br />
Obviously if the exploit can pull one file, it can pull all of them. You could customize the code and use this tool to extract all the available files to your computer without authorizing such on the phone.<br />
<br />
Pretty cool, huh?<br />
<br />
<b>Forensic implications</b><br />
Android device security is getting better and better. Examiners use tools to beat security on devices in order to obtain data and conduct investigations in a legal manner. The nightmare scenario for an examiner is a locked, encrypted Android device. The examiner cannot get in and cannot decrypt the phone. If the examiner tries a dead-box imaging process like chip-off, the result would be encrypted, useless contents. There's not much you can do.<br />
<br />
Well, now you can do something if that phone is a Samsung. You can customize the exploit as mentioned above to pull all the camera-taken photos and videos, screencaps, other media files, and anything else that may reside in the /sdcard directory of the device. That may not be an exhaustive look at the device, but it is way more than nothing. And you never know: there may be something truly important found.<br />
<br />
<b>Security implications</b><br />
Back to my traveling as mentioned above. Don't plug your phone into any random USB port to charge. If that USB port is doing more than just powering, if it is plugged into a computer, it could potentially be extracting all your photos. It is feasible. Bring your own charger. As always, do not trust somebody else's equipment for sake of convenience. Good security often is inconvenient, but that is just the truth.<br />
<br />
The newest update available on most newer phones patches this vulnerability. Make sure your phone is updated. Or be like me and have an intentionally out-of-date phone for hacking.<br />
<br />
And in closing, I just have to relay a funny story. At the beginning of this post, when I was searching for all those images, I came across an image of a USB charger. I was about to use that image until I read the webpage it was on. The charger actually had a built-in microphone and would save audio to a hidden SD card. So while not exactly the topic presented here, it is close. Use your own charging equipment.<br />
<br />
<br />
<b>Summary</b><br />
<ul>
<li>MTPwn can obtain a list of all files in the /sdcard directory of a locked Samsung device without permission. The exploit can feasibly be updated to pull all said files also.</li>
<li>If you are investigating a locked Samsung Android device and have no way to obtain any files, give this exploit a chance. You may obtain something useful.</li>
<li>Think security. Keep your devices updated. Don't trust other computer equipment. Don't charge off random USB outlets.</li>
</ul>
<br />
Questions, comments? Fun travel stories? <span style="font-family: inherit;">Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a></span><br />
<br /></div>
</div>
Mark Lohrumhttp://www.blogger.com/profile/07077867576734525405noreply@blogger.com5tag:blogger.com,1999:blog-6748555274835706450.post-9831097521429498182017-12-22T20:14:00.004-08:002019-04-27T06:35:24.236-07:00Unpacking boot and recovery kernels<h3 style="text-align: center;">
<br class="Apple-interchange-newline" />Is that nerdy enough?</h3>
<br />
<div style="margin-bottom: 0in;">
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b></div>
It may come as a surprise to you that I am an enormous Star Wars fan.<br />
<br />
Yes, that may be surprising. I mean, I only run a blog on Android forensics (nerdy), I hack around in my spare time (nerdy), I track football stats like it is my job (nerdy), and I collect watches (nerdy). So you may be quite surprised to know that I am a Star Wars fan.<br />
<br />
And you may have heard that a certain movie came out last week. Of course my wife and I saw Star Wars: The Last Jedi on opening night. No spoilers: I loved it. It is a complex movie that addresses some themes not previously explored in Star Wars. Normally Star Wars is black and white, good and evil. This one is more subtle. It is awesome.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgauLRe3jrBX7zpzG6ndikjqMul2p5pPeNQDOEZ6huYFmJMj2A5EjIIiwlgTxrtp-OObHVaIjIF1-kRgu36DQRiLsOWjukG2Nlmds1D-56KbupuVfbcXZO6BZJKWZ6Qvi8nQM5Qu5TeBRAL/s1600/The_Last_Jedi_poster.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="1600" data-original-width="1081" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgauLRe3jrBX7zpzG6ndikjqMul2p5pPeNQDOEZ6huYFmJMj2A5EjIIiwlgTxrtp-OObHVaIjIF1-kRgu36DQRiLsOWjukG2Nlmds1D-56KbupuVfbcXZO6BZJKWZ6Qvi8nQM5Qu5TeBRAL/s400/The_Last_Jedi_poster.jpg" width="270" /></a></div>
<br />
<br />
And of course there is some outstanding action. I won't give anything away but I'll say there is a close-quartered battle in the movie that might be the series' best action scene. There is good emotion and character development going on in that scene, and of course the visuals of the fighting. Excellent scene.<br />
<br />
There are so many things in the movie that I just haven't seen before in a Star Wars movie. And with that, I love that they brought back some weirdness. Star Wars needs to be weird. When the original came out in 1977, everybody probably thought Chewbacca and that entire cantina scene was weird. Now that Star Wars is such a staple of pop culture, it's not weird; it is just accepted. So this one brought some weird back and it was a perfect fit.<br />
<br />
Overall, I haven't enjoyed a movie in the theater this much since <a href="https://www.sbnation.com/2015/5/15/8611525/MAD-MAX-FURY-ROAD-REVIEW-CANT-STOP-SCREAMING-AHHHHHHH">Mad Max: Fury Road</a>.<br />
<br />
I could keep going on and on but I'm afraid I'll get into spoiler territory, which I will not do.<br />
<br />
So why, you may ask, do I open with a Star Wars commentary in a post on unpacking kernels? Honestly, I've got nothing. Just wanted to talk some Star Wars.<br />
<br />
On we go.<br />
<br />
<b>What is a kernel?</b><br />
The kernel is the core of an operating system: it manages the hardware, memory, processes and filesystems, and everything else on the device runs on top of it. Check out <a href="https://en.wikipedia.org/wiki/Kernel_(operating_system)">this Wikipedia article</a> if you would like to know more. Without the kernel, a device cannot even run in a usable state.<br />
<br />
In Android, the kernel is not part of the system partition. It lives in its own partition, boot, packaged as an Android boot image: the kernel itself plus a small compressed filesystem called the ramdisk. You can carve that partition out of a physical image using forensic tools such as FTK Imager. There additionally is a second boot image in the recovery partition.<br />
<br />
Throughout this post I'll call the two the boot kernel and the recovery kernel. The boot kernel is what loads when you run normal Android. The recovery kernel is what loads when you are in recovery mode.<br />
<br />
I previously said the kernel is the core operating system. It does not contain default apps, like the phone app, web browser, and other core apps. Those are in the system partition. The boot image instead carries much lower-level pieces: the kernel itself, the init program and its configuration, and a handful of native daemons.<br />
<br />
<b>What does unpacking a kernel even mean?</b><br />
Unpacking the kernel means splitting the boot image into its two parts, the kernel binary and the ramdisk, and then extracting the files from the ramdisk (which is a gzip-compressed cpio archive). Pretty straightforward. And surprisingly easy, which leads me to the next section.<br />
<br />
<b>How to do it?</b><br />
Head on over to <a href="https://forum.xda-developers.com/showthread.php?t=633246" style="font-family: inherit;">this XDA site</a>. All credit goes to user dsixda for developing this awesome tool, the Android Kitchen. This is a very useful tool for making custom Android ROMs with the ability to automatically do many of the functions needed to make your own Android build. We're using it for forensics, but if you are a developer, definitely check this tool out. Development on the tool ended quite a while ago, but the Android Kitchen remains immensely useful.<br />
<br />
Now before anything, make a physical image of your device. Follow the instructions on any of my posts on imaging a device and image the device's /dev/block/mmcblk0. Then open the image in FTK Imager and export the boot and/or recovery partitions as raw files (on most devices they are named boot and recovery in the partition table, so they are easy to spot). The following screenshot of FTK Imager shows what I mean.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg13PaILawueAUGhRORqKByeD5iYuUapWvPRfVu6mB7p2vxk-Jm7eHLoFodmjT4n_ghsTrsL4oifrA7Qd5cTBMERRsbd21cHwGm6Ts8RZRZxBXFVZ_RfKPkkmOVojdzxXKAmkPfxBllYlkg/s1600/FTKImager_boot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="271" data-original-width="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg13PaILawueAUGhRORqKByeD5iYuUapWvPRfVu6mB7p2vxk-Jm7eHLoFodmjT4n_ghsTrsL4oifrA7Qd5cTBMERRsbd21cHwGm6Ts8RZRZxBXFVZ_RfKPkkmOVojdzxXKAmkPfxBllYlkg/s1600/FTKImager_boot.png" /></a></div>
<br />
<br />
Alternatively, if you have downloaded a factory image to flash to the device, you can extract the boot and recovery images out of it and analyze them. Depending upon the device, the factory image may wrap boot.img in a vendor container (a tar.md5 archive or an lz4-compressed file, for instance) that has to be unwrapped before proceeding to the next step. You can reach out to me if you're in this type of situation.<br />
<br />
Download the kitchen in a Linux or Mac environment (it says it also works in Windows with cygwin but I've never personally tried), and just unpack the zip. That's it. (You need to install Java but chances are you already have it set up).<br />
<br />
Now open a terminal window and cd to the directory where you unpacked the Kitchen zip and enter the following:<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">./menu</span></blockquote>
This launches the Kitchen menu. Then type "0" for "ADVANCED OPTIONS", and then "12" for "Tools for boot image (unpack/re-pack/etc.)". And then "a" for "Extract kernel+ramdisk from boot.img/recovery.img in any folder".<br />
<br />
At this point you see the following message:<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">Creating folder /&lt;path to kitchen&gt;/Android-Kitchen-0.224/bootimg_&lt;timestamp&gt; ...<br />---&gt; Place boot.img/recovery.img into the folder mentioned above &lt;--<br />Press Enter to continue</span></blockquote>
<br />
Assuming you have already extracted your boot or recovery from your image using FTK Imager or from a factory flash image, rename a copy of the extracted partition boot.img or recovery.img (whichever is appropriate for what you extracted) and copy the file to the location specified by the Kitchen. Work on the copy and leave your original export and its hash untouched. Then in the terminal screen, hit enter.<br />
<br />
The Kitchen then does all the unpacking, and it does it fast. When done, navigate to the directory. You'll likely see two entries: a directory called boot.img-ramdisk, and a file called zImage. The file is the kernel itself (a zImage is a self-decompressing ARM kernel), the core program of the operating system. It is a native binary, so it can be analyzed, but that is a topic outside the scope of this blog.<br />
<br />
The directory is the ramdisk. At boot the kernel unpacks it into a RAM-backed root filesystem and starts /init from it, so everything here is what the device is working with before any other partition is mounted, and there are all kinds of findings there. The files whose names start with init (init.rc and the device-specific init.*.rc files) are not shell scripts but init's configuration, written in Android's own init language; they declare what runs at each stage of boot. If you've ever wanted to know what happens when you start your device and you have some basic command line knowledge, check these out. For example, I have a Nexus 7 boot image and I see the following early in the init.rc file:<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">mkdir /system<br />mkdir /data 0771 system system<br />mkdir /cache 0770 system cache<br />mkdir /config 0500 root root</span></blockquote>
<br />
These lines create the mount points for the main partitions; the number is the directory mode, followed by the owner user and group. Browse around these files. You might gain some insight into your device.<br />
<br />
Check out the directory sbin, if you have one. This directory stores command line programs, or native executables, that are part of the operating system. For example, mine has the file adbd, which is the ADB daemon, the program that services connections when you interact with your device via ADB. Without this file, just about nothing on this blog would be possible. This file is stored in the boot image's ramdisk, not on the system partition, and runs from RAM during device operation. Right next to it, in default.prop at the root of the ramdisk, are the ro.secure and ro.debuggable properties that decide whether adbd drops its root privileges, which is why a custom boot image is often all it takes to get a root ADB shell.<br />
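As an added example (not the Kitchen's code and not something from the original post), here is the same unpacking done by hand in Python, following the boot image header layout from AOSP's bootimg.h: it splits a boot.img into kernel and ramdisk, decompresses the ramdisk, and lists every file in the cpio archive with its mode, which is exactly the init.rc and sbin/adbd view described above. The sample image at the bottom is constructed inside the script so it runs without a device; pass a real boot.img as the first argument to inspect yours.<br />

```python
"""Split an Android boot image (header v0, the format on Nexus-era devices) into its
kernel and ramdisk, then list the ramdisk's cpio entries. This reproduces what the
Kitchen's "Extract kernel+ramdisk" step does. The sample image at the bottom is
constructed here, not taken from a real device."""
import gzip
import struct
import sys

BOOT_MAGIC = b"ANDROID!"
CPIO_MAGIC = b"070701"   # "newc" cpio, the format Android's mkbootfs writes


def _align(n, boundary):
    return (n + boundary - 1) // boundary * boundary


def unpack_boot_image(img):
    """Return kernel bytes, the still-compressed ramdisk and the kernel cmdline.

    Layout (AOSP bootimg.h, header v0): 8-byte magic, then kernel_size, kernel_addr,
    ramdisk_size, ramdisk_addr, second_size, second_addr, tags_addr, page_size as
    little-endian u32, then name[16] at offset 48 and cmdline[512] at offset 64.
    The header fills one page; kernel, ramdisk and second stage follow, each padded
    to page_size."""
    if img[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (no ANDROID! magic)")
    (kernel_size, _, ramdisk_size, _, _second_size, _, _, page_size) = struct.unpack_from("<8I", img, 8)
    cmdline = img[64:576].split(b"\0", 1)[0].decode(errors="replace")
    kernel_off = page_size
    ramdisk_off = kernel_off + _align(kernel_size, page_size)
    if ramdisk_off + ramdisk_size > len(img):
        raise ValueError("image truncated: ramdisk runs past end of file")
    return {"page_size": page_size, "cmdline": cmdline,
            "kernel": img[kernel_off:kernel_off + kernel_size],
            "ramdisk": img[ramdisk_off:ramdisk_off + ramdisk_size]}


def read_cpio(archive):
    """Parse a newc cpio archive into {path: (mode, data)}, stopping at TRAILER!!!.
    Each header is 110 bytes: 6-byte magic plus 13 fields of 8 hex digits; the name
    and the data are each padded out to a 4-byte boundary."""
    entries, off = {}, 0
    while off + 110 <= len(archive):
        if archive[off:off + 6] != CPIO_MAGIC:
            raise ValueError("bad cpio header at offset %d" % off)
        fields = [int(archive[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name = archive[off + 110:off + 110 + namesize - 1].decode(errors="replace")
        data_off = _align(off + 110 + namesize, 4)
        if name == "TRAILER!!!":
            return entries
        entries[name] = (mode, archive[data_off:data_off + filesize])
        off = _align(data_off + filesize, 4)
    raise ValueError("cpio archive has no trailer")


def inspect_boot_image(img):
    """Unpack an image and return (header info, {path: (mode, data)} from the ramdisk)."""
    parts = unpack_boot_image(img)
    return parts, read_cpio(gzip.decompress(parts["ramdisk"]))


# --- constructed sample so the script runs without a device image -------------------

def _cpio_entry(name, mode, data):
    name_b = name.encode() + b"\0"
    hdr = CPIO_MAGIC + b"".join(b"%08x" % v for v in
                                (0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0))
    out = hdr + name_b
    out += b"\0" * (_align(len(out), 4) - len(out)) + data
    return out + b"\0" * (_align(len(out), 4) - len(out))


def build_sample_boot_image(files, kernel, cmdline, page_size=2048):
    """Assemble a v0 boot image the way mkbootimg does; load addresses are the stock defaults."""
    raw = b"".join(_cpio_entry(n, m, d) for n, (m, d) in files.items()) + _cpio_entry("TRAILER!!!", 0, b"")
    ramdisk = gzip.compress(raw)
    hdr = BOOT_MAGIC + struct.pack("<8I", len(kernel), 0x10008000, len(ramdisk), 0x11000000,
                                   0, 0x10f00000, 0x10000100, page_size)
    hdr += struct.pack("<2I", 0, 0) + b"\0" * 16 + cmdline.ljust(512, b"\0")
    pad = lambda b: b.ljust(_align(len(b), page_size), b"\0")
    return pad(hdr) + pad(kernel) + pad(ramdisk)


SAMPLE_FILES = {   # loosely modelled on a Nexus 7 ramdisk; the contents are made up
    "init.rc": (0o100750, b"on init\n    mkdir /system\n    mkdir /data 0771 system system\n"),
    "default.prop": (0o100644, b"ro.secure=1\nro.adb.secure=1\nro.debuggable=0\n"),
    "sbin/adbd": (0o100750, b"\x7fELF (fake adbd)"),
}
SAMPLE_BOOT_IMG = build_sample_boot_image(SAMPLE_FILES, b"fake zImage bytes",
                                          b"console=ttyHSL0,115200,n8 androidboot.hardware=flo")

if __name__ == "__main__":
    img = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BOOT_IMG
    parts, files = inspect_boot_image(img)
    print("page_size=%d kernel=%d bytes cmdline=%r" % (parts["page_size"], len(parts["kernel"]), parts["cmdline"]))
    for path, (mode, data) in sorted(files.items()):
        print("%06o %7d %s" % (mode & 0o7777, len(data), path))
```

Run it with no arguments to see the constructed sample, or with a boot.img exported from FTK Imager to list your own ramdisk. Newer devices use later header versions (v1 and up add fields after the v0 ones, and v3 changes the layout entirely), so check the header_version field at offset 40 before trusting the offsets above on anything recent.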
<br />
I also unpacked my recovery kernel. It is laid out much the same way, which may raise an obvious question: why? When booted into Android, you have a full user experience rich with time-wasting apps (my wife is currently addicted to a mobile game and no comment on my gaming habits), but in recovery mode, you have a basic user interface. Why is the kernel so similar? Because on most devices it is the same kernel: the recovery image is usually built with the very same zImage as the boot image, and only the ramdisk differs. The functionality required to power the device on, drive the screen, read the buttons, and capture input is the same whether we are talking about a modern mobile operating system or a basic recovery mode, so the kernel is shared and the ramdisk is what makes recovery different.<br />
<br />
Anyways, that recovery kernel is pretty similar, but there are some other interesting findings. My recovery mode is TWRP, so it is advanced. There is a directory called twres, and within that images. I suppose twres stands for TW resources. The images directory stores a bunch of images used in navigating TWRP. For anyone that uses TWRP, the following images might look a bit familiar.<br />
<br />
<br />
<br />
<table style="width: 100%;">
<tbody>
<tr>
<th><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-hqdYp0vVfY96N3j7ZrNxzmk5tkg_s0j2DoC81ss0FaPMxMs0MY-zug9Bv0_czZbAweujuu-0wr8ow94RxyM7oU_Yqsu7NE6tzaCHKXRN86iisgsL4nNnonjIOS_kBMDCMvJmnbOBTbT5/s1600/splashlogo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="250" data-original-width="250" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-hqdYp0vVfY96N3j7ZrNxzmk5tkg_s0j2DoC81ss0FaPMxMs0MY-zug9Bv0_czZbAweujuu-0wr8ow94RxyM7oU_Yqsu7NE6tzaCHKXRN86iisgsL4nNnonjIOS_kBMDCMvJmnbOBTbT5/s200/splashlogo.png" width="100" /></a></th>
<th><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhffgdKc5jI_uaVDmrGvmZaIj7fGmmKtA6foQLRmKzZqxZOPwuXL5lL6Y7PrFI0eAaA-ctEEcAfMb8-UhczsaLM1dAwb39nczjk4M-CjnuPtbKFHcOFZTOfAC0H5Qr9QvqK-K_t27kAOA5C/s1600/unlock_icon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="225" data-original-width="172" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhffgdKc5jI_uaVDmrGvmZaIj7fGmmKtA6foQLRmKzZqxZOPwuXL5lL6Y7PrFI0eAaA-ctEEcAfMb8-UhczsaLM1dAwb39nczjk4M-CjnuPtbKFHcOFZTOfAC0H5Qr9QvqK-K_t27kAOA5C/s200/unlock_icon.png" width="76" /></a></th>
<th><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX5TNqCX0QL17GkKOC71mdEDysM6pcNf7u5zkn8rDNihlZypXQU5RDAQroUWMyLbmqURBSOc_rYcrHck1zdUDvnohY4BKpN8sg5dHw5_kDVepf9xUNmOAqYvxrw37DGjtIJ-zhM2z8AqPi/s1600/slider_touch.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="96" data-original-width="144" height="67" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhX5TNqCX0QL17GkKOC71mdEDysM6pcNf7u5zkn8rDNihlZypXQU5RDAQroUWMyLbmqURBSOc_rYcrHck1zdUDvnohY4BKpN8sg5dHw5_kDVepf9xUNmOAqYvxrw37DGjtIJ-zhM2z8AqPi/s200/slider_touch.png" width="100" /></a></th>
</tr>
</tbody></table>
<br />
<br />
All found right there. Now when booting to normal Android, you will not see images packed into the boot kernel. User interface images will be stored in the system partition. Images are packed into recovery mode kernel for a few reasons:
<br />
<ul>
<li>the images are small</li>
<li>other partitions may not be mounted, so images stored there may be inaccessible</li>
<li>updating recovery mode would also require updating other partitions if it is dependent upon files stored in other partitions</li>
</ul>
<br />
I mentioned the sbin directory previously. The TWRP recovery mode kernel also has an sbin directory ... and it is packed with files, notably busybox. If you've read my <a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">post on live imaging devices</a>, you know that busybox is an insanely useful tool that gives all kinds of extra Linux-style functionality to Android. This also explains why you are able to <a href="http://freeandroidforensics.blogspot.com/2015/04/why-not-load-clockworkmod-or-twrp-to.html">image your device in custom recovery mode</a>, because custom recovery mode can include busybox and a full Android shell. This sbin directory is full because TWRP includes loads of extra functionality.<br />
<br />
Honestly, I could do a full post on breaking down the TWRP kernel. But I'd put most of my readers to sleep (those that weren't already asleep after reading my geeky writing).<br />
<br />
<b>Why?</b><br />
This is all fun and dandy, but why would you ever want to unpack your boot or recovery kernel? I'll give you a few quick reasons:<br />
<ul>
<li>A sense of curiosity. You're on this blog, so you naturally have that already.</li>
<li>To understand the core Android OS. If you're an advanced type, this might be up your alley.</li>
<li>To see what your custom recovery mode or custom kernel is actually doing. You never know - you might want to see if there's anything fishy going on.</li>
<li>If this is a forensic investigation and the owner of the device is a highly advanced user, there's a slight possibility there's some funny business in the boot image worth checking out: a default.prop that enables root ADB access, an extra binary in sbin, or an init service pointing somewhere it shouldn't. Faint possibility, but cheap to check.</li>
</ul>
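If you do go looking for funny business, the checks worth running on the unpacked boot.img-ramdisk folder are mechanical enough to script. The following is an added example, not tooling from the post or from the Kitchen: it reads default.prop for the properties that control root ADB access, flags setuid files and binaries such as su or busybox that a stock ramdisk never carries, and reports any init*.rc service started from /data or /sdcard. The indicator list is an assumption about what is worth flagging, and the sample tree it builds is constructed, not from a real device.<br />

```python
"""Triage an unpacked ramdisk directory (the Kitchen's boot.img-ramdisk/ folder) for the
traces a modified boot image usually leaves. Added example: the indicator list below is
an assumption of what is worth flagging, not a complete rule set, and the sample tree
make_sample_ramdisk() writes is constructed, not taken from a device."""
import hashlib
import os
import stat
import tempfile

# A stock boot image ships default.prop with these values; flipping them is the classic
# way a custom boot image hands out a root adb shell.
EXPECTED_PROPS = {"ro.secure": "1", "ro.adb.secure": "1", "ro.debuggable": "0"}
# Binaries that do not belong in a stock ramdisk's sbin/.
SUSPECT_BINARIES = {"su", "daemonsu", "busybox", "magisk"}


def parse_prop(text):
    """Parse default.prop style key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_ramdisk(root):
    """Return a list of (severity, message) findings for the ramdisk tree at root."""
    findings = []
    prop_path = os.path.join(root, "default.prop")
    if os.path.isfile(prop_path):
        with open(prop_path, encoding="utf-8", errors="replace") as f:
            props = parse_prop(f.read())
        for key, expected in EXPECTED_PROPS.items():
            actual = props.get(key)
            if actual is not None and actual != expected:
                findings.append(("high", "default.prop sets %s=%s (stock value %s)" % (key, actual, expected)))
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if name in SUSPECT_BINARIES:
                findings.append(("high", "%s present, sha256 %s" % (rel, sha256_file(path))))
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("medium", "%s is setuid/setgid" % rel))
            if name.startswith("init") and name.endswith(".rc"):
                with open(path, encoding="utf-8", errors="replace") as f:
                    for lineno, line in enumerate(f, 1):
                        # a stock init.rc starts services from /system or /sbin, not from user storage
                        if line.lstrip().startswith("service ") and ("/data/" in line or "/sdcard/" in line):
                            findings.append(("medium", "%s:%d starts a service from user storage: %s"
                                             % (rel, lineno, line.strip())))
    return findings


def make_sample_ramdisk(root, tampered):
    """Write a small constructed ramdisk tree under root; tampered=True adds the usual tells."""
    os.makedirs(os.path.join(root, "sbin"), exist_ok=True)
    props = dict(EXPECTED_PROPS)
    if tampered:
        props.update({"ro.secure": "0", "ro.debuggable": "1"})
    with open(os.path.join(root, "default.prop"), "w") as f:
        f.write("".join("%s=%s\n" % kv for kv in props.items()))
    with open(os.path.join(root, "init.rc"), "w") as f:
        f.write("on init\n    mkdir /system\n    mkdir /data 0771 system system\n")
        if tampered:
            f.write("service payload /data/local/tmp/payload\n    class main\n    user root\n")
    with open(os.path.join(root, "sbin", "adbd"), "wb") as f:
        f.write(b"\x7fELF (fake adbd)")
    if tampered:
        with open(os.path.join(root, "sbin", "su"), "wb") as f:
            f.write(b"\x7fELF (fake su)")


def demo(tampered):
    """Build a sample tree in a temp dir, triage it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_ramdisk(root, tampered)
        return triage_ramdisk(root)


if __name__ == "__main__":
    for sev, msg in demo(tampered=True):
        print("[%s] %s" % (sev, msg))
```

Point triage_ramdisk() at the Kitchen's boot.img-ramdisk directory to run it for real. The setuid check only means something if the ramdisk was extracted as root with permissions preserved; the Kitchen running as a normal user will not reproduce those bits, so treat a clean result there as "not checked" rather than "clean".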
<br />
<br /></div>
</div>
<div>
<div style="color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="margin: 0px;">
<div>
<b><span style="font-family: inherit;">Summary</span></b></div>
<div>
</div>
<ul>
<li><span style="font-family: inherit;">At the core of your Android usage is a kernel, and it is possible to split open the kernel and see what is inside.</span></li>
<li><span style="font-family: inherit;">Every Android boot image carries a ramdisk alongside the kernel. In it you can see init's configuration files, some native executables such as adbd, and possibly other resource files.</span></li>
<li><span style="font-family: inherit;">Maybe this will be useful for an investigation. Or maybe it is just fun to do.</span></li>
</ul>
<div>
<br /></div>
<span style="font-family: inherit;">Questions, comments? Last Jedi reviews? (No spoilers please!) Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a></span><br />
<div style="font-family: "times new roman"; font-size: medium;">
<a href="mailto:freedroidforensics@gmail.com"><br /></a></div>
</div>
</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
</div>
</div>
Mark Lohrumhttp://www.blogger.com/profile/07077867576734525405noreply@blogger.com1tag:blogger.com,1999:blog-6748555274835706450.post-62426278897083659802017-08-19T16:54:00.004-07:002019-04-27T06:35:36.062-07:00Imaging and examining an Android car stereo<br />
<h3 style="text-align: center;">
And road trips</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b>
<br />
I love road trips.</div>
<br />
<br />
Be it road trips for football games, road trips with family, road trips with friends, road trips for skiing, or road trips to just get away for a little while. So often, the destination is great, but the top memories from the trip are memories from driving.
<br />
<br />
So last year, the musical Hamilton was all the rage. The musical tells the story of Alexander Hamilton, one of the nation's founding fathers who founded the Department of Treasury, who was a royal pain to many of the other founding fathers, and the musical is told largely through the eyes of Aaron Burr, one of the nation's first vice presidents and also the man who shot and killed Hamilton in a duel. The musical has a hip-hop soundtrack and tells the story of Hamilton and some of the virtues of the founding fathers in a fun and semi-educational manner. The top thing my wife wanted was to go to Broadway in New York and see Hamilton. So for her birthday, I surprised her with Hamilton tickets.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3nVnJUpGe5zg66Vpj-TlA7Uqd2gCXFrqu9x3wQHGhiOAjTPB-HJemvQwGfr_rv-56ZsDB0VP0yDWzsLazpKH3dp4h-BE5rWloFc7peRlMNWO932T5DbFqAmo_gwRiZ1zWaJ9N2V5jK5PN/s1600/hamilton.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="262" data-original-width="192" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3nVnJUpGe5zg66Vpj-TlA7Uqd2gCXFrqu9x3wQHGhiOAjTPB-HJemvQwGfr_rv-56ZsDB0VP0yDWzsLazpKH3dp4h-BE5rWloFc7peRlMNWO932T5DbFqAmo_gwRiZ1zWaJ9N2V5jK5PN/s400/hamilton.jpg" width="293" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<br />
We drove to New York, saw the show (it was outstanding), ate at a New York deli, drank beer at a New York bar, had a great time celebrating my wife's birthday. You know what else is great? The Hamilton soundtrack.
<br />
<br />
You know what's not great? The Hamilton soundtrack on loop for the entire drive. You see, my car has a stereo that runs Android, because of course the guy who runs an Android forensics blog would have a thing like that. I set up the Amazon Music app, and my wife figured out how to play music of her choice in the car.
<br />
<br />
<blockquote class="tr_bq">
"The world's gonna know your name. What's your name, man?"</blockquote>
After about eight times, I certainly know your name.<br />
<blockquote class="tr_bq">
"Alexander Hamilton, my name is Alexander Hamilton"</blockquote>
Yup, got it.<br />
<blockquote class="tr_bq">
"And there’s a million things I haven’t done, but just you wait, just you wait..."</blockquote>
Still got it. And yes, I've waited several times now.
<br />
<br />
So anyways, great road trip. Having a stereo that can access the limitless libraries of music, podcasts, and broadcasts on the Internet sure beats old road trips where I was limited to whatever radio station I could pick up until the bandwidth faded and all I got was static.
<br />
<br />
This post will be about my cool Android stereo. Be ready for me to geek out a bit. (You've probably read enough of this blog to already expect me to geek out.)
<br />
<br />
<b>The stereo</b>
<br />
<a href="http://www.autopumpkin.com/android-7-1-car-stereo/pumpkin-7-inch-double-din-android-7-1-universal-car-stereo-radio-audio.html">Here's the stereo I have</a>. It is by a company called AutoPumpkin. Now I don't have the Android 7.1 version, though I could upgrade. Mine is a couple years old and runs (don't laugh) Android 4.4.
<br />
<br />
Note: this is not <a href="https://www.android.com/auto/">Android Auto</a>. Android Auto projects apps running on the phone onto the car's display, so the head unit itself holds little data and is not the kind of device shown here. My stereo essentially is a standard Android device with all the hookups needed for a car stereo.
<br />
<br />
I had to order a stereo harness for my car. Once I received the harness, I soldered the harness wires to the corresponding AutoPumpkin head unit wires. I prefer soldering over any other splicing technique just because it is more secure. On the car itself, I had to open up the dashboard, remove the OEM stereo, and install the AutoPumpkin. Additionally, I wired the new stereo up to the car's microphone so I can make phone calls easily while driving. I also did some extra wiring to the car's steering wheel buttons so I can control volume and calls via the existing buttons on the steering wheel. Pretty nifty.
<br />
<br />
The stereo has WiFi. So I set up my phone as a WiFi hotspot, and just like that, my stereo is online.
<br />
<br />
The stereo comes with the Google Play store installed, so if you set up your Google account with the device online, you can download anything. On the stereo itself, I have Google Play Music, Amazon Music, Pandora, Stitcher (podcasts), and of course I can stream anything from my phone to the stereo for unlimited audio options. It makes long trips go quickly.
<br />
<br />
Now something I feel I have to say here. You can technically with these stereos play movies. You can install and use just about any Android app, which means you genuinely can play Netflix or other streaming movie services. As in, you technically can have video playing on a screen which would naturally distract you from driving. I will say this once and I hope I never have to say it again: don't. It may be illegal where you live to play movies while driving, but regardless it is distracting. Just don't.
<br />
<br />
Now that's out of the way. This is a forensics blog, isn't it? Let's have some fun!
<br />
<br />
<b>Imaging the stereo</b>
<br />
Yes, I'm going to image an Android stereo. As you may recall from <a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">previous posts</a>, live imaging an Android device requires three things: a data connection between the imaging computer and the device, root access (normally gained through an exploit), and an imaging command. We're going to do things a little differently here.
<br />
<br />
The imaging computer will be the device itself. I'm sure I could hook my laptop up to the stereo, but that's just a bit cumbersome. We're going to instead hook up a USB stick (the stereo includes two USB cables) and image the device onto that stick.
<br />
<br />
So next, we need an exploit. We need to root the stereo. It turns out, that's the easiest step of all. And I can take no credit for it. Check out <a href="https://forum.xda-developers.com/wiki/Hui_Fei_Type">this awesome XDA</a> site on these types of stereos.
<br />
<br />
Open Settings, go to Factory Settings, and you get a prompt for a password. Type in the following:<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">*#hct#root#</span></blockquote>
And just like that, the device is rooted and now includes Superuser settings.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJbmejoh2mmLTSrvleKf5Uq-tK027QRwJHlSS2vslo3QGHc5tniVgq7vOlvzCgQgAk4W3AJe9FhIItDNWRUMQLjtD6Zl8nCq2pv8pBneDOPcllvebPf4U58pLa3D6J49KnesuxPsYW1W8A/s1600/1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJbmejoh2mmLTSrvleKf5Uq-tK027QRwJHlSS2vslo3QGHc5tniVgq7vOlvzCgQgAk4W3AJe9FhIItDNWRUMQLjtD6Zl8nCq2pv8pBneDOPcllvebPf4U58pLa3D6J49KnesuxPsYW1W8A/s400/1.jpg" width="400" /></a></div>
<br />
Now with the USB connected, download an Android terminal app. I use the <a href="https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en">Terminal Emulator for Android</a> app. Open up the terminal and type su to gain root.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd0k0p-X7UwkDtjAGOa7UiaOeocSJgptWaYjZqEzFxEOGrf8jnHLbfl9hDeUwTTHSQCXRqxotULW7MklIVCot8MIy7GFymyToPE472aOW_MDnP__hgkp2_oadJN9REoeSIndgUKh8QhWZa/s1600/2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd0k0p-X7UwkDtjAGOa7UiaOeocSJgptWaYjZqEzFxEOGrf8jnHLbfl9hDeUwTTHSQCXRqxotULW7MklIVCot8MIy7GFymyToPE472aOW_MDnP__hgkp2_oadJN9REoeSIndgUKh8QhWZa/s400/2.jpg" width="400" /></a></div>
<br />
Then type mount to see your partitions.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBrKWX6DjH19su395wvVDJ8cGDJ7W90HNLeE0i1tmp5jYBMRC03KDt9PEexJWplFFPTx7HGp-Hxybb6LAoQbeQcNbMkuWDTjTNjhq0oXDP_14Bl_H7umvseXC1ZsrB3SZn3bZ-ep1XkWSF/s1600/3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBrKWX6DjH19su395wvVDJ8cGDJ7W90HNLeE0i1tmp5jYBMRC03KDt9PEexJWplFFPTx7HGp-Hxybb6LAoQbeQcNbMkuWDTjTNjhq0oXDP_14Bl_H7umvseXC1ZsrB3SZn3bZ-ep1XkWSF/s400/3.jpg" width="400" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEije5bMf3R-kCus5_GqmlmkZPsVaGN0TmTHZ2YCPJROOArRa1o4MlFjPbGCCAIhD9wQYpKUaXzXNKxs21eFlo1jD59Q6EUTmuX-xDr4KSXpqZksKb6JlC2d1cGfx6UNbsr7FIo27SzN4XGB/s1600/4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEije5bMf3R-kCus5_GqmlmkZPsVaGN0TmTHZ2YCPJROOArRa1o4MlFjPbGCCAIhD9wQYpKUaXzXNKxs21eFlo1jD59Q6EUTmuX-xDr4KSXpqZksKb6JlC2d1cGfx6UNbsr7FIo27SzN4XGB/s400/4.jpg" width="400" /></a></div>
<br />
<br />
In the above images, you see the userdata block and the USB stick destination.<br />
<br />
So with all this done, it's time to image userdata. Enter the following into the terminal, and hopefully you're less clumsy with the keyboard than I am and make fewer typos.<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">dd if=/dev/block/mtd/by-name/userdata of=/mnt/usb_storage2/userdata.dd</span></blockquote>
And feel free to image any other block as above.<br />
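The imaging step above, as an added shell example that is not part of the original post: it wraps the dd line in the pre-flight checks a hand-typed command skips (readable source, mounted and writable USB destination with enough free space, no overwriting) and then verifies and hashes the result. The function names are mine; the paths are the post's, and blockdev, df, cmp and sha256sum are assumed to be available from busybox or toybox on the stereo.

```shell
#!/bin/sh
# Added example, not from the original post: image one block device onto
# the USB stick from a root shell on the stereo, with the checks a
# hand-typed dd line skips. Helper names are mine; blockdev, df, cmp and
# sha256sum are assumed to come from busybox/toybox on the device.

# Byte length of a block device (blockdev) or, for a regular file such as
# the constructed sample at the bottom, its size.
source_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Kilobytes free on the filesystem that holds the directory given.
free_kb() {
    df -P -k "$1" | awk 'NR == 2 { print $4 }'
}

# image_block SRC DEST -> 0 when DEST is a verified copy of SRC, else 1
image_block() {
    src=$1
    dest=$2
    dest_dir=$(dirname "$dest")

    [ -r "$src" ] || { echo "cannot read $src (did you run su?)" >&2; return 1; }
    [ -d "$dest_dir" ] && [ -w "$dest_dir" ] ||
        { echo "$dest_dir is not writable; is the USB stick mounted?" >&2; return 1; }
    [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; return 1; }

    size=$(source_size "$src")
    need_kb=$(( size / 1024 + 1 ))
    have_kb=$(free_kb "$dest_dir")
    [ "$need_kb" -le "$have_kb" ] ||
        { echo "need ${need_kb}K on $dest_dir, only ${have_kb}K free" >&2; return 1; }

    # 1 MiB blocks keep USB throughput up; dd stops on the first read error,
    # and the size check below then reports the image as short.
    dd if="$src" of="$dest" bs=1048576 2>/dev/null ||
        { echo "dd failed part way through" >&2; return 1; }

    got=$(source_size "$dest")
    [ "$got" -eq "$size" ] || { echo "short image: $got of $size bytes" >&2; return 1; }
    cmp -s "$src" "$dest" || { echo "image does not match source" >&2; return 1; }

    # Hash sidecar so the image can be re-verified on the analysis machine.
    sha256sum "$dest" > "$dest.sha256"
    echo "imaged $size bytes to $dest; hash recorded in $dest.sha256"
}

# On the stereo, after 'su':
#   image_block /dev/block/mtd/by-name/userdata /mnt/usb_storage2/userdata.dd
#
# Constructed demo on a regular file so the script can be tried anywhere.
demo=$(mktemp -d)
seq 1 300000 > "$demo/userdata_src"
image_block "$demo/userdata_src" "$demo/userdata.dd"
rm -r "$demo"
```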
<br />
<b>Examining the image</b><br />
<br />
I unplugged the USB stick, brought it to my computer, and opened up the userdata image in FTK Imager. And it looks like an Android image.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0avpZvuogEBj7aAnabdE4FbVpddUbAo1zSUTbk7SEIOxVQsCadRMFYSZcxSuAA26sVxNH4Jixk9rh2WEXbRmEVOVkLA8RT77w7x2MYo3SoVsvnj8VNe24SViZKHKv28xM75me9PXKimYQ/s1600/ftkimager.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="417" data-original-width="300" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0avpZvuogEBj7aAnabdE4FbVpddUbAo1zSUTbk7SEIOxVQsCadRMFYSZcxSuAA26sVxNH4Jixk9rh2WEXbRmEVOVkLA8RT77w7x2MYo3SoVsvnj8VNe24SViZKHKv28xM75me9PXKimYQ/s400/ftkimager.jpg" width="287" /></a></div>
<br />
<br />
Want to check out Google Maps history? Go to /data/com.google.android.apps.maps/databases in the userdata image and check out the individual databases.<br />
<br />
Data from the Amazon Music app is located under /data/com.amazon.mp3. Check out what I found in /data/com.amazon.mp3/cache/images/ALBUM:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnF4LUk3fwDZmiJr8rwMnJczuZfjomCqvo33D9g2yEU1lZJR17ugzKLVatVQuqeu1y5jn2twYy02Hb5V3r0dY402jSOSbawQqgIh1-d3PoNxzxT9fCWQ84ntk1Ly3uzqB6QTVPhJcpAI68/s1600/FTK_hamilton.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="459" data-original-width="594" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnF4LUk3fwDZmiJr8rwMnJczuZfjomCqvo33D9g2yEU1lZJR17ugzKLVatVQuqeu1y5jn2twYy02Hb5V3r0dY402jSOSbawQqgIh1-d3PoNxzxT9fCWQ84ntk1Ly3uzqB6QTVPhJcpAI68/s400/FTK_hamilton.jpg" width="400" /></a></div>
<br />
<br />
And check out what I found in /data/com.amazon.mp3/files/.lyrics:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9pXuyOGa4i8wgKBA1FeGZpLHQih13WkccDlxq2NwIFrEzXN4IEGBdvZc1QpZ0e0ihyxCe7wFx4WlPZE2lfTPgfhZGwkoeB7sEjzbPo_421dFPiER7Snua3YobWvlXtB6rR8r0dbZEeyWR/s1600/Lyrics_cabinet.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="378" data-original-width="1039" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9pXuyOGa4i8wgKBA1FeGZpLHQih13WkccDlxq2NwIFrEzXN4IEGBdvZc1QpZ0e0ihyxCe7wFx4WlPZE2lfTPgfhZGwkoeB7sEjzbPo_421dFPiER7Snua3YobWvlXtB6rR8r0dbZEeyWR/s640/Lyrics_cabinet.jpg" width="640" /></a></div>
<br />
(If you're unsure what that is, check out the following video)<br />
<br />
<div style="height: 0; padding-bottom: 56.25%; position: relative;">
<iframe allowfullscreen="" frameborder="0" height="360" src="https://www.youtube.com/embed/mBmTdJ4XTfs?ecver=2" style="height: 100%; left: 0; position: absolute; width: 100%;" width="640"></iframe></div>
<br />
<br />
And check out what I found in /data/com.amazon.mp3/databases/recently_played.db:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4Vm2WTy_6eS-3ARPFoA157mpoUF4yEFiUMxfWPR79cGMy6octt9jD14EsvZ_9Cg9-X2lNcIpLF5139Fpuj3sdB0d86Y5q_MIwAfJlWpY1zMup_MC0-wAz9sOFFA6KxychBrakc_mW2dSB/s1600/db.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="96" data-original-width="621" height="61" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4Vm2WTy_6eS-3ARPFoA157mpoUF4yEFiUMxfWPR79cGMy6octt9jD14EsvZ_9Cg9-X2lNcIpLF5139Fpuj3sdB0d86Y5q_MIwAfJlWpY1zMup_MC0-wAz9sOFFA6KxychBrakc_mW2dSB/s400/db.jpg" width="400" /></a></div>
<br />
<br />
Did I mention my wife really likes Hamilton?
<br />
<br />
<b>The big picture</b>
<br />
So these stereos are really cool. I have fun with mine, and they make road trips faster and more entertaining. And they are easy to image and examine. Depending upon what apps the user installs, there may be navigation apps to tell about the user's locations of interest. That's a goldmine for any investigation involving a car stereo. I mentioned Google Maps above. I've also used Waze in the past and <a href="http://freeandroidforensics.blogspot.com/2017/02/waze-for-android-forensics.html">found my navigation history</a>.
<br />
<br />
Now I showed a way to live image the device. I suppose it also can be done with chipoff. You could probably physically remove the chip, read it, and get the same results. There's probably a good way to image it by connecting a laptop via USB. Just for fun, I imaged it over WiFi once.
<br />
<br />
Point is, if you're having fun with one of these devices of your own, you can image it easily. If you are an investigator and evidence could include an Android stereo like the one I have, there could be seriously valuable data there.
<br />
<br />
<b>Summary</b>
<br />
<ul>
<li>There are fun Android car stereos out there and they are easy to set up with a little bit of curiosity and a lot of Google-ing.</li>
<li>These stereos are easy to image and store data like any other Android device.</li>
<li>If you are running an investigation where the scope includes a smart car stereo, think navigation history.</li>
</ul>
<br />
Questions, comments? Any other Hamilton fans? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a>
Mark Lohrum (http://www.blogger.com/profile/07077867576734525405)<br />
<br />
<b>Using Windows to Live Image an Android device</b> (posted 2017-07-30, updated 2019-04-27)<br />
<h3 style="text-align: center;">
It works but I do not recommend it</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b>
<br />
In a post from a few years ago on <a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">live imaging an Android device</a>, I showed how to use Mac or Linux to image your Android device using three main steps: a data connection between the computer and the device, an exploit, and an imaging command. The final step requires netcat, which is built in to both Mac and Linux. I have never shown a Windows method because netcat is not native to Windows; it is not included by default.<br />
<br />
The problem is <a href="https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0">everybody in the world uses Windows</a>, except apparently the 2.36% of us geeks who use Linux and the 3.49% of people who have enough spare money to afford a Mac (not me). So many people have emailed me throughout the years asking for a Windows alternative, and I've always recommended using a Linux VM in Windows to get the job done. And funny story, when I was in grad school studying the geeky subject of Cyber Forensics, I often had a laptop in class (that is when I was in class and not at football games, researching, grilling steaks, paper writing, or drinking way too much coffee). Around half of us in class with laptops used Linux. So when I say that it is geeks who use Linux, that is true. And I often use Linux at home around my wife, who has no idea how to get around my computer, but it is always funny to watch her try.<br />
<br />
A while back, someone commented on one of my pages with a link to a Windows build of netcat. So I've played around using that netcat tool to image devices in Windows. And yes, it works. You can make a dd image similar to the Linux/Mac methods but via Windows. This post will show you how to use Windows to image a device. I also have caveats, and I'll explain why I genuinely recommend Linux or Mac.<br />
<br />
<br />
<b>How to image the device</b>
<br />
First, review my <a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">post on live imaging an Android device</a>. I won't rehash that post here, but it would be good to understand its content. This post will show the Windows equivalent.<br />
<b><br /></b>
<b>Netcat for Windows</b><br />
There is a non-native netcat for Windows, ncat.exe, which ships with the network scanning tool nmap. Here's a <a href="https://nmap.org/ncat/">quick writeup on nmap's inclusion of netcat</a>. That writeup includes a link for downloading and compiling just netcat if you wish. If you'd rather not compile anything, follow <a href="https://nmap.org/download.html">this link</a> to download ready-to-go nmap, including netcat. I would recommend downloading the "latest stable command-line zipfile" and unzipping that file to someplace you'll remember.<br />
<br />
<br />
<b>Imaging in Windows</b>
<br />
The steps to image a device are the same in Windows as in Linux or Mac. Open two command line windows: one for interacting with the Android device via adb (cd to whatever directory has your adb if you need to call it locally), and one for writing the image to your computer (cd to wherever you plan to save the file). Additionally, open a Windows Explorer window at the directory where you plan to save the file, for checking on progress.<br />
<br />
Connect your Android device (and of course root it and install busybox), enable adb, and go to Window 1. Ensure the Windows computer can see the device by entering adb devices.<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">C:\Users\MarkL>adb devices</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">List of devices attached</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">* daemon not running. starting it now on port 5037 *</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">* daemon started successfully *</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">08****7d device</span><br />
<br />
<br />
As the above output shows, I can see my device via adb.<br />
<br />
Now port forward as normal, and just for kicks I'm going to change around the port number from my normal 8888:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;">C:\Users\MarkL>adb forward tcp:9876 tcp:9876</span><br />
<br />
And now we do the normal steps:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">C:\Users\MarkL>adb shell</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">shell@flo:/ $ su</span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"></span><br />
<span style="font-family: "courier new" , "courier" , monospace;">root@flo:/ # dd if=/dev/block/mmcblk0 | busybox nc -l -p 9876</span><br />
<br />
Now open Window 2. This should be at the location where you want the image to be saved. Enter the following command:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">\path\to\where\you\saved\nmap\ncat.exe 127.0.0.1 9876 > image_name.dd</span><br />
<br />
Here's how it actually looks for me, using real paths:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">C:\Users\MarkL\Desktop\imaging_in_windows_demo>C:\Users\MarkL\Downloads\nmap-7.50\ncat.exe 127.0.0.1 9876 > mmcblk0.dd</span><br />
<br />
And if all goes well, the terminal will stop responding while it receives the image. I've heard some people say they get a missing dll warning for some dlls using this build of ncat.exe. I did not get any such issues, but I also have installed so many tools throughout the years that I most likely have all the required dlls. If you have such an error, just google the dll name and you'll be able to find it. Download the dll and place it in the directory with ncat.exe and you will be good to go.<br />
<br />
Open your Windows Explorer window, which should be at the same location as Window 2. Use the refresh button to ensure the image file is increasing in size. If so, you're good to go. Pretty straightforward.<br />
<br />
<b>Issue</b><br />
So why do I not recommend using Windows? Simply, there are some issues, one in particular. The issue is that ncat.exe is not native to Windows. I've had many times where I've started an image and it has not completed successfully for unknown reasons. I did not touch the device and ruin the USB connection, I did not let the computer sleep, I did not in any way impede the connection between the computer and the device, and somehow the imaging process fails and I'm stuck with an image file representing the first few gigs of a 32 gig device, or an otherwise incomplete image. In Window 2, I get the following error message:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;">close: Result too large</span><br />
<br />
And oddly enough, if the image is successfully made, I get the same error message. And yes, the image often is made just fine. I've successfully imaged 32 gig and larger devices using this method.<br />
<br />
If I had to take a guess at the cause of the error, it is this: netcat is generally meant for passing files along networks, either over ethernet cables or wireless networks. nmap is a network scanning tool, so it makes sense to include netcat. So this specific build of netcat, an addition to and not native to Windows, was built to be part of a network scanning suite for a specific network-related function. It was not built with passing gigabytes and gigabytes over a USB cable in mind, while at the same time running a different protocol (adb). So we're severely overextending its intended usage. But that's just my guess.<br />
<br />
So there are errors. This is problematic. More problematic is I cannot explain the genesis of the errors or develop a reliable workaround.<br />
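The Windows imaging steps above and the failed transfers described in this Issue section, as an added example that is not part of the original post: a host-side check that tells a complete image apart from one the transfer cut short, using the block size and hash the rooted device reports. Function names are mine; it assumes a POSIX shell with coreutils on the host (Git Bash on Windows, or the Linux/Mac hosts the post recommends) and busybox/toybox blockdev and sha256sum on the device.

```shell
#!/bin/sh
# Added example, not from the original post. After a dd | nc transfer ends
# (cleanly or with "close: Result too large"), decide whether the image on
# the host is complete by comparing it with what the device says about the
# source block. The expected values come from the rooted device, e.g.
# (assumed busybox/toybox commands):
#   adb shell su -c "blockdev --getsize64 /dev/block/mmcblk0"
#   adb shell su -c "sha256sum /dev/block/mmcblk0"
# Function names are mine.

# Byte length of a file without relying on non-POSIX stat flags.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Just the hex digest of a file.
file_sha256() {
    sha256sum "$1" | awk '{ print $1 }'
}

# verify_image IMAGE EXPECTED_BYTES EXPECTED_SHA256
# Status: 0 complete and hash matches; 2 truncated (the post's failure:
# the first few gigs of a 32 gig device); 3 right size but content differs;
# 4 longer than the source (wrong block or stray data); 1 usage/unreadable.
# A one-line verdict goes to stdout.
verify_image() {
    [ $# -eq 3 ] || { echo "usage: verify_image IMAGE BYTES SHA256"; return 1; }
    img=$1; want_bytes=$2; want_hash=$3
    [ -r "$img" ] || { echo "cannot read $img"; return 1; }

    got_bytes=$(file_size "$img")
    if [ "$got_bytes" -lt "$want_bytes" ]; then
        missing=$(( want_bytes - got_bytes ))
        echo "TRUNCATED: $got_bytes of $want_bytes bytes ($missing missing); transfer stopped at offset $got_bytes"
        return 2
    fi
    if [ "$got_bytes" -gt "$want_bytes" ]; then
        echo "TOO LARGE: $got_bytes bytes, expected $want_bytes; check which block was imaged"
        return 4
    fi

    # Size alone is not enough: a transfer can deliver every byte and still
    # have altered some, so the hash is the deciding check.
    got_hash=$(file_sha256 "$img")
    if [ "$got_hash" != "$want_hash" ]; then
        echo "CORRUPT: size matches but sha256 $got_hash != $want_hash"
        return 3
    fi
    echo "OK: $got_bytes bytes, sha256 $got_hash"
    return 0
}

# Constructed demo: a fake device file, a complete copy, and a copy cut off
# part way, which is what the post's failed transfers look like.
demo=$(mktemp -d)
seq 1 200000 > "$demo/mmcblk0"
cp "$demo/mmcblk0" "$demo/full.dd"
head -c 100000 "$demo/mmcblk0" > "$demo/short.dd"
bytes=$(file_size "$demo/mmcblk0")
hash=$(file_sha256 "$demo/mmcblk0")
verify_image "$demo/full.dd" "$bytes" "$hash"
verify_image "$demo/short.dd" "$bytes" "$hash" || true
rm -r "$demo"
```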
<br />
I'm briefly going to go back to grad school and put on my theoretical hat, thus removing my technical geek hat.<br />
<br />
If forensic evidence is being presented in court, the evidence must be admissible. Admissibility is governed in federal courts and many state courts by <a href="http://www.forensicsciencesimplified.org/legal/daubert.html">the Daubert Criteria</a>. One of the criteria is whether the method has a known error rate.<br />
<br />
Let's say this method of using Windows ncat.exe as part of an imaging process were to go through a Daubert test. I would seriously question the error rate. I personally do not know the error rate; I do not know how often or why the imaging process fails. That issue in and of itself leads me to not recommend using Windows command line methods to live image an Android device.<br />
<br />
If you want to use this method, more power to you. I'd just use it with caveats: it may error out while imaging, it may not be reliable in court, and the guy telling you about this method isn't a big fan and would rather recommend Linux or Mac as your imaging system. But if you're imaging a device for fun or for your own research, go for it.<br />
<br />
Putting my tech hat back on now.<br />
<br />
<br />
<b>Summary</b>
<br />
<ul>
<li>There is a Windows method to live image an Android device, using a build of netcat found in the nmap tool</li>
<li>The netcat tool sometimes fails, and I cannot explain why</li>
</ul>
Questions, comments, suggestions, or experiences? Old grad school stories? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a>
</div>
Mark Lohrum (http://www.blogger.com/profile/07077867576734525405)<br />
<br />
<b>A quick note on imaging newer Android devices</b> (posted 2017-05-30, updated 2019-04-27)<br />
<h3 style="text-align: center;">
Actually a quick note</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b>
<br />
I was on the phone with a good friend of mine earlier this week. He called me long-winded. According to my wife, my family, my friends, and my coworkers, the statement was accurate. So I'll make this one not so long-winded.
<br />
<br />
<a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">In a previous post</a>, I demonstrated how to make a physical image of a device. So let's say you have a rooted newer device, like Android 7.0 or newer, and you follow that guide and image /dev/block/mmcblk0. You open the image in FTK Imager or any other viewer of choice, and it all looks good until you get to the userdata partition. You get the dreaded "cannot read filesystem" or "unknown file system" or other such error. You get ticked off because you just spent an hour plus imaging the device, and now it looks like the most important partition by a long shot imaged wrong. So you go back and do it again and receive the same results. Now you've wasted two plus hours. I'm here to save you from wasting further hours.
<br />
<br />
<b>File by file encryption</b>
<br />
By default, many newer builds of Android include <a href="https://source.android.com/security/encryption/file-based">file-based encryption</a> on the userdata partition. The long and short of it is the entire partition is not encrypted, but each file is. So if you capture the partition with no attempt to decrypt or otherwise circumvent the encryption, you will not be able to view the data.
<br />
<br />
Now users can set up more complicated encryption. If that's the case, I don't think the method below is going to work. I'm talking about devices where the user just uses a simple pin or fingerprint lock, not a fully-encrypted device.
<br />
<br />
So when you image /dev/block/mmcblk0, you image the entire internal storage, beginning to end. The problem here is imaging that entire internal storage grabs an encrypted version of userdata. So we need to image a decrypted version.
<br />
<br />
Check out my <a href="http://freeandroidforensics.blogspot.com/2015/10/identifying-your-userdata-partition.html">previous post on identifying your userdata partition</a>. In the post, I explain how to use the "mount" command to find the block mounted at /data. That block is your userdata, and if you image that, you get just the userdata partition.
<br />
<br />
As it works out, that same method can bypass the Android 7.0 file-based encryption (again, so long as the device is not fully encrypted).
<br />
<br />
So if you have such a device, adb shell into it and type the following command:
<br />
<blockquote class="tr_bq">
<span style="font-family: 'courier new', 'courier', monospace;">mount</span></blockquote>
You will see a list of all mounted partitions. One of them might look something like this (mind the edits for making it a bit generic) ...<br />
<br />
<blockquote class="tr_bq">
<span style="font-family: 'courier new', 'courier', monospace;">/dev/block/platform/something/dm-0
/data ext4
rw,bunch of other mount commands</span></blockquote>
<br />
Point is, find the one mounted at /data. Image just that one. See if you get a cleaner version of the userdata partition.
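As an added check for the procedure above (example code written for this post, not from the original), this Python pulls the device mounted at /data out of a mount listing and inspects the first bytes of an image: it confirms the ext4 superblock magic is present, which separates a readable filesystem from an image of ciphertext, and reports whether the filesystem's encrypt feature flag is set. The mount listings are constructed samples; the byte offsets are the ext4 on-disk superblock layout.

```python
"""Find the block device mounted at /data and sanity-check an image of it.

Added example for this post (not code from the original). Field layouts
follow the ext4 on-disk superblock: it starts 1024 bytes into the
partition, s_magic (0xEF53) is at offset 0x38 and s_feature_incompat at
0x60, where bit 0x10000 is EXT4_FEATURE_INCOMPAT_ENCRYPT (file-based
encryption enabled on the filesystem).
"""
import struct
import tempfile

SUPERBLOCK_OFFSET = 1024
EXT4_MAGIC = 0xEF53
INCOMPAT_ENCRYPT = 0x10000

# Constructed sample in the /proc/mounts layout the post shows.
SAMPLE_MOUNT_PROCFS = """\
rootfs / rootfs ro,seclabel,relatime 0 0
/dev/block/platform/soc/sdhci/by-name/system /system ext4 ro,seclabel,relatime 0 0
/dev/block/platform/soc/sdhci/dm-0 /data ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
/dev/block/platform/soc/sdhci/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime 0 0
"""

# Constructed sample in the "dev on mountpoint type fs (opts)" layout
# that toybox mount prints on newer builds.
SAMPLE_MOUNT_TOYBOX = """\
/dev/block/dm-1 on /system type ext4 (ro,seclabel,relatime)
/dev/block/dm-0 on /data type ext4 (rw,seclabel,nosuid,nodev,noatime)
"""


def find_data_block(mount_output):
    """Return the device whose mount point is exactly /data, or None."""
    for line in mount_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "/data":
            return fields[0]
        if len(fields) >= 3 and fields[1] == "on" and fields[2] == "/data":
            return fields[0]
    return None


def inspect_superblock(image_head):
    """Read the ext4 superblock from the first bytes of a partition image.

    Returns is_ext4 (magic present) and encrypt_feature (the filesystem
    has per-file encryption enabled). An image of raw ciphertext has no
    magic, which is the "unknown file system" case described in the post.
    """
    sb = image_head[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 1024:
        return {"is_ext4": False, "encrypt_feature": False}
    magic = struct.unpack_from("<H", sb, 0x38)[0]
    incompat = struct.unpack_from("<I", sb, 0x60)[0]
    is_ext4 = magic == EXT4_MAGIC
    return {"is_ext4": is_ext4,
            "encrypt_feature": is_ext4 and bool(incompat & INCOMPAT_ENCRYPT)}


def inspect_image(path):
    """Same check against an image file on disk (only the first 2 KiB are read)."""
    with open(path, "rb") as fh:
        return inspect_superblock(fh.read(SUPERBLOCK_OFFSET + 1024))


def make_sample_image(encrypt_flag):
    """Constructed 4 KiB image carrying only the two fields checked above."""
    buf = bytearray(4096)
    struct.pack_into("<H", buf, SUPERBLOCK_OFFSET + 0x38, EXT4_MAGIC)
    struct.pack_into("<I", buf, SUPERBLOCK_OFFSET + 0x60,
                     INCOMPAT_ENCRYPT if encrypt_flag else 0)
    return bytes(buf)


if __name__ == "__main__":
    print("device at /data:", find_data_block(SAMPLE_MOUNT_PROCFS))
    with tempfile.NamedTemporaryFile(suffix=".img", delete=False) as tmp:
        tmp.write(make_sample_image(encrypt_flag=True))
    print("constructed image:", inspect_image(tmp.name))
    print("zeros only:", inspect_superblock(bytes(4096)))
```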
<br />
<br />
I fully expect that if you were to do a <a href="http://www.forensicswiki.org/wiki/Chip-Off_Forensics">chip-off forensic imaging process</a> of a newer device, you would get the same garbled output as you would if you imaged /dev/block/mmcblk0. So if you get newer devices, chip-off probably won't do you any good. Can anyone out there confirm? Once you've got the chip removed, it is difficult if not impossible to put it back in place. Chip-off is a rather one-way method.
<br />
<br />
Note: I can do a screenshot demo of the above, or maybe even a video demo. However, I currently do not have an Android 7.0 capable "hack-around" phone or tablet. I had been using a Nexus 7 (2013) and a Nexus 5 as hack devices. The Nexus 7 is no longer supported on new Android versions, and the Nexus 5 has ... seen better days. Those were pretty cheaply manufactured phones and 3.5 years of daily use did little good. So if you'd like to see some demos, consider clicking on the PayPal link on the right side and making a small donation to help offset the cost of a newer hack-around device.
<br />
<br />
See? Not so long-winded, huh?
<br />
<br />
<b>Summary</b>
<br />
<ul>
<li>Many newer devices likely include file-based encryption, resulting in garbled user data if you image the entire device</li>
<li>Use the mount command to find the right partition and you should be in good shape</li>
<li>Don't jump straight to chip-off. You might end any real chance at imaging the userdata partition</li>
</ul>
Questions, comments, suggestions, or experiences? Surprised at my brevity? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a></div>
Mark Lohrum http://www.blogger.com/profile/07077867576734525405 noreply@blogger.com 6
tag:blogger.com,1999:blog-6748555274835706450.post-4444977770476448767 2017-03-22T18:23:00.004-07:00 2019-04-27T06:36:07.182-07:00
Fun with Apktool<br />
<h3 style="text-align: center;">
Or a potential headache</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b>
<br />
Opening night, my wife and I saw the movie "Logan" on the big screen. I have to say, the movie was incredibly violent and it took a while for the shock to wear off. But the shock has since worn off and I've had plenty of time to think about it, and I've come to a singular conclusion: the film was outstanding.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<img alt="https://i0.wp.com/media2.slashfilm.com/slashfilm/wp/wp-content/images/logan-imax-poster.jpg" class="shrinkToFit" height="648" src="https://i0.wp.com/media2.slashfilm.com/slashfilm/wp/wp-content/images/logan-imax-poster.jpg" width="437" /></div>
<br />
<br />
The film focused on strong characters that I have grown to love. Hugh Jackman first came onto the scene as Logan and Patrick Stewart first brought such elegance to the role of Charles Xavier nearly 20 years ago. I have grown to love these characters, seeing all of the movies they are in, even that terrible embarrassment X-Men Origins: Wolverine. "Logan" is amazingly emotional, dealing with the difficult topic of time; both Logan and Charles know the last tick of their clocks cannot be far away. Charles, the man with the most powerful mind ever known, is losing his mind; Logan, with the unbeatable body, is losing his body. They could simply cower away and live out the remainder of their lives in reclusion, but events happen which lead these two men to endure great sacrifice in order to help a girl they do not know in a desperate situation.<br />
<br />
So you're probably wondering right now, why on earth am I talking about an awesome character-driven action film on a forensics blog? Well, here goes. In the film, Logan (spoiler alert) hacks a lot of things and people to pieces, and (spoiler alert) the X-Men franchise sometimes involves cloning. In this post, we will be hacking around with apps and cloning apps.<br />
<br />
OK, OK, OK, I'll admit, that's a pretty weak tie-in. Truthfully, I just loved the film and wanted to talk about it. So here goes.<br />
<br />
<b>Apktool</b><br />
Android apps are packaged as apk files. These files are essentially zip files. For a quick guide on Android app files, check out this <a href="http://freeandroidforensics.blogspot.com/2014/09/reverse-engineering-android-app-file.html">previous post I wrote on reverse engineering apps</a>. <br />
<br />
Apktool is a free, open source tool for decompiling and rebuilding apps. <a href="https://ibotpeaches.github.io/Apktool/">Here's the main page</a>. The tool reverses the app's code to smali, it extracts embedded images and XML files, and it properly decodes the Android manifest. It is an excellent tool for reverse engineering.<br />
<br />
Now what is smali? Smali is reverse-engineered Android app code. Android apps are written in Java. The Java code is compiled into machine-readable code. The guide I wrote on decompiling Android apps involves converting the app into a Java jar and then decompiling the jar. This is a fine way to do it but is honestly not the most "accurate" way. The most accurate way is to decompile the app code itself, and that app code is decompiled into smali, which is almost like assembly code. Here is <a href="https://forum.xda-developers.com/showthread.php?t=2193735">an excellent writeup on smali</a>. <br />
<br />
Now understanding smali is a pain. I'm not the best at it, which is why I decompile apps the way I do, by converting the app to a Java jar and decompiling the jar. If you want to learn some smali, <a href="http://androidcracking.blogspot.com/search/label/smali">here is a blog with some excellent posts</a> that can serve as a great starting point. <br />
<br />
Apktool allows you to decompile an app for reverse engineering. There also is now a tool which allows you to use the decompiled code for debugging an app. The tool is called <a href="https://github.com/JesusFreke/smali/wiki/smalidea">SmalIdea</a> and it acts as a plugin for the Android Studio development environment. I will not go into detail now on SmalIdea - that would be a detailed post in and of itself.<br />
<br />
Apktool also allows you to rebuild an app from the decompiled output. You can decompile the app, make some edits as you see fit, and repackage it. Legal disclaimer: you can reverse engineer an app for your own personal interests or understandings, but absolutely do not repackage an app and attempt to profit from it. Do not distribute the repackaged app and absolutely do not sell it. If you sell somebody else's intellectual property, that is intellectual theft.<br />
<br />
<b>Forensics</b><br />
So where does the topic of forensics come in play with Apktool? Any tool that can be used for reverse engineering is useful for forensics. So let's do a quick decompile.<br />
<br />
In the film Logan, the main characters go on a road trip. Anybody who has ever been on a long road trip knows highway rest areas can be a lifesaver. So I downloaded a rest stop locator and reversed it.<br />
<br />
I pulled the app off my Android device and renamed it on my local computer "restarea.apk". Then I downloaded the newest version of apktool and renamed it "apktool.jar". So here's the line to decompile:<br />
<blockquote class="tr_bq">
<span style="font-family: 'courier new', 'courier', monospace;">java -jar apktool.jar d restarea.apk</span></blockquote>
Apktool is a jar so it must be run in Java. The "d" means "decompile", and then you give it an app to decompile, or in this case, restarea.apk. Once the tool runs, there is a directory called "restarea".<br />
<br />
Within the restarea directory, there are three specific items of note:<br />
<ul>
<li>AndroidManifest.xml: this is the Android manifest, describing the app, permissions, screens, and included files. Here is <a href="https://developer.android.com/guide/topics/manifest/manifest-intro.html">the documentation for the manifest</a>.</li>
<li>res: this is a directory containing images and text files which are part of the app. The app icon is in here, any image buttons are in here, and many hard-coded text values are in here.</li>
<li>smali: this is a directory containing all the decompiled smali code.</li>
</ul>
As an examiner, all of these can be useful. Knowing the package name from AndroidManifest.xml will help you find data associated with the app. Knowing text values will help you understand the behavior of the app. And an understanding of the smali code will allow you to know the implementation of the app.<br />
All useful.<br />
<br />
<b>Cloning an app</b><br />
Apktool can allow you to edit and repackage an app. Let's use that same rest area locator app. First, let's change the package name around.<br />
<br />
Here is the beginning of the AndroidManifest.xml file:<br />
<br />
<span style="font-family: 'courier new', 'courier', monospace;">&lt;?xml version="1.0" encoding="utf-8" standalone="no"?&gt;<br />&lt;manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.omecha.restarea"&gt;</span><br />
<br />
The package name is com.omecha.restarea. I edited that around to customize a rest stop finder for Logan. Now the beginning of the manifest is as follows:<br />
<br />
<span style="font-family: 'courier new', 'courier', monospace;">&lt;?xml version="1.0" encoding="utf-8" standalone="no"?&gt;<br />&lt;manifest xmlns:android="http://schemas.android.com/apk/res/android" package="claws.omecha.restarea"&gt;</span><br />
<br />
So now the app's package name is claws.omecha.restarea. This will be notable later in the demonstration.<br />
<br />
Next, I changed around the app's name as it appears in the loader. In the file res/values/strings.xml in the decompiled directory, there is an entry app_name, which is as follows:<br />
<br />
<span style="font-family: 'courier new', 'courier', monospace;">&lt;string name="app_name"&gt;Rest Area Locator&lt;/string&gt;</span><br />
<br />
I edited that line to the following:<br />
<br />
<span style="font-family: 'courier new', 'courier', monospace;">&lt;string name="app_name"&gt;Claws-Safe Rest Area Locator&lt;/string&gt;</span><br />
<br />
After all, if a rest area is not safe for someone with claws, Logan should skip the rest area, right?<br />
<br />
If I wanted to, I could have changed around the app's icon. All the image files are in the res/drawable directories. And if I really wanted to be adventurous, I could have gone into the smali directory and edited around the decompiled smali code to change functionality, but I'll admit I'm just not good enough at smali to do anything of significance.<br />
<br />
Now, it's time to recompile the app. Navigate back to the directory with apktool.jar and execute the following:<br />
<blockquote class="tr_bq">
<span style="font-family: 'courier new', 'courier', monospace;">java -jar apktool.jar b restarea</span></blockquote>
<br />
The "b" stands for "build", and "restarea" is the decompiled and edited output. Once the build is done, there is a directory called dist with a file restarea.apk. That is the built apk.<br />
<br />
It cannot be installed on an Android device just yet. It needs a new app signature. Just follow the instructions on <a href="http://stackoverflow.com/questions/14994166/android-run-apk-file-after-edited-using-apktool-get-error-install-parse-fai">this Stack Overflow post</a> and the app has a new self-signed signature that allows you to install the app on your own device.<br />
<br />
Then I installed the app and, well, check out these screenshots:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrgOovyP9zHFTk9OZ8VRBZZfGJDoBqf_EySCWHcG6Lqa3B96wDWu-xKl1qATg3o711bfr8wmdAIZgn59te2eNTCPdRm1eJ9HZziJHTZ4fSNNs_yW2czqv0Py42mNJy80O8wP6kKFGp9LOp/s1600/apps_1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="307" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrgOovyP9zHFTk9OZ8VRBZZfGJDoBqf_EySCWHcG6Lqa3B96wDWu-xKl1qATg3o711bfr8wmdAIZgn59te2eNTCPdRm1eJ9HZziJHTZ4fSNNs_yW2czqv0Py42mNJy80O8wP6kKFGp9LOp/s320/apps_1.jpg" width="320" /></a></div>
<br />
<br />
and<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZvD_CCliUNdAtqs9QDsXu_UKVE0D0uZV1Hg4kf6Q_7n0fRK3dnLhESGDsAK4nlvnSg1LqwMNCzacLMVznaQmGN3gHcxtPylewfRKYVjGzn63u3l-T-6RzVYexRD_OqQM8wh_Ye4RTZECl/s1600/apps_2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZvD_CCliUNdAtqs9QDsXu_UKVE0D0uZV1Hg4kf6Q_7n0fRK3dnLhESGDsAK4nlvnSg1LqwMNCzacLMVznaQmGN3gHcxtPylewfRKYVjGzn63u3l-T-6RzVYexRD_OqQM8wh_Ye4RTZECl/s320/apps_2.jpg" width="291" /></a></div>
<br />
<br />
<br />
What we've got now is the original app and a cloned, or maybe I should say mutated, version of the app.<br />
<br />
If you navigate to the device's /data/data/ directory, you see app data. And in that directory, you see entries for both com.omecha.restarea and claws.omecha.restarea. These directories store data associated with the apps. <a href="http://freeandroidforensics.blogspot.com/2016/06/interpreting-data-from-apps.html">More on the topic here</a>. Each directory has a databases directory with a database of user data, each directory has a shared_prefs directory with xml files, etc. And if you create some user data in the com.omecha.restarea version, that data will not show up in the claws.omecha.restarea version, because these are two different apps.<br />
<br />
And again I have to say, feel free to experiment around as I have shown here simply for personal study. Absolutely do not steal somebody else's work and attempt to pass it off as your own. That is dishonest and dishonorable. And I should not have to say this but I will. Do not make a modification like this and then attempt to make money off of it. That is illegal. <br />
<br />
<b>What's the big deal?</b><br />
So why does cloning an app matter as a forensic investigator? That's the big question. And here's the answer.<br />
<br />
Let's say you are examining an Android device. You run some automated tools against the device image and you find nothing of any real interest. Those automated tools may look for data within specific apps. For example, as I noted in <a href="http://freeandroidforensics.blogspot.com/2015/02/facebook-for-android-artifacts.html">my post on Facebook app forensics</a>, the app has two different package names, com.facebook.katana and com.facebook.orca; the first is the main Facebook app, the second is the Messenger app.<br />
<br />
Now let's say the user is an advanced user who has the knowledge to clone and mutate an app, or the user knows such an advanced user. Let's say the Facebook app has been modified and cloned and is now renamed a different package name, like mutated.facebook. That automated tool that is looking for Facebook data in com.facebook.katana or com.facebook.orca could go right past this mutated app and miss out on conversations. Mutating an app is effectively a data hiding technique.<br />
<br />
How do you find such data? Just examine data in all third party apps. Examine the databases and if you find something of investigative value, such as conversation messages or call logs, flag that app as interesting. Examine the data closely. You might have found an app you've never heard of, or you might have found a cloned version of a real app.<br />
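The clone above changed only the manifest and a string, so a check on the decoded directory catches it. Here is an added example (not Apktool's own code, and using a constructed stand-in for its output) that reads the package name and app_name Apktool decodes, lists where the smali classes actually live, and flags a package whose code sits entirely under a different name; on a real case you would run it over each third-party app decoded from the image.

```python
"""Triage a decoded app directory and flag a manifest-only package rename.

Added example for this post; it is not part of Apktool. It reads the
decoded AndroidManifest.xml and res/values/strings.xml that Apktool
writes, lists where the smali code actually lives, and compares the two.
The clone built in the post changed only the manifest, so its classes
still sit under smali/com/omecha/restarea while the manifest says
claws.omecha.restarea. That mismatch is the fingerprint to look for.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def manifest_package(apk_dir):
    """Return the package attribute from the decoded AndroidManifest.xml."""
    root = ET.parse(os.path.join(apk_dir, "AndroidManifest.xml")).getroot()
    return root.get("package")


def app_label(apk_dir):
    """Return the app_name string from res/values/strings.xml, or None."""
    path = os.path.join(apk_dir, "res", "values", "strings.xml")
    if not os.path.exists(path):
        return None
    for node in ET.parse(path).getroot().iter("string"):
        if node.get("name") == "app_name":
            return node.text
    return None


def smali_packages(apk_dir):
    """Return dotted package names of every directory holding .smali files.

    Apktool writes smali/ and, for multidex apps, smali_classes2/ and so
    on; every such directory is scanned.
    """
    found = set()
    for entry in os.listdir(apk_dir):
        base = os.path.join(apk_dir, entry)
        if not (entry.startswith("smali") and os.path.isdir(base)):
            continue
        for dirpath, _dirs, files in os.walk(base):
            if any(f.endswith(".smali") for f in files):
                rel = os.path.relpath(dirpath, base)
                found.add(rel.replace(os.sep, "."))
    return found


def package_matches_code(apk_dir):
    """True when at least one smali class tree lives under the manifest package."""
    pkg = manifest_package(apk_dir)
    return any(p == pkg or p.startswith(pkg + ".") for p in smali_packages(apk_dir))


def triage(apk_dir):
    """Summarize the fields an examiner wants from a decoded app directory."""
    return {
        "package": manifest_package(apk_dir),
        "label": app_label(apk_dir),
        "code_packages": sorted(smali_packages(apk_dir)),
        "manifest_only_rename": not package_matches_code(apk_dir),
    }


def build_sample(pkg, label, code_pkg):
    """Write a constructed, minimal decoded-app tree (not real Apktool output)."""
    root = tempfile.mkdtemp(prefix="decoded_")
    manifest = ET.Element("manifest", {"xmlns:android": ANDROID_NS, "package": pkg})
    ET.SubElement(manifest, "application", {"android:label": "@string/app_name"})
    ET.ElementTree(manifest).write(os.path.join(root, "AndroidManifest.xml"),
                                   encoding="utf-8", xml_declaration=True)
    os.makedirs(os.path.join(root, "res", "values"))
    resources = ET.Element("resources")
    ET.SubElement(resources, "string", {"name": "app_name"}).text = label
    ET.ElementTree(resources).write(os.path.join(root, "res", "values", "strings.xml"),
                                    encoding="utf-8")
    code_dir = os.path.join(root, "smali", *code_pkg.split("."))
    os.makedirs(code_dir)
    with open(os.path.join(code_dir, "MainActivity.smali"), "w") as fh:
        fh.write(".class public L%s/MainActivity;\n" % code_pkg.replace(".", "/"))
    return root


if __name__ == "__main__":
    original = build_sample("com.omecha.restarea", "Rest Area Locator", "com.omecha.restarea")
    clone = build_sample("claws.omecha.restarea", "Claws-Safe Rest Area Locator",
                         "com.omecha.restarea")
    for decoded in (original, clone):
        print(triage(decoded))
```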
<br />
<br />
<b>Summary</b>
<br />
<ul>
<li>Apktool is an excellent tool for reverse engineering apps in order to understand functionality. Learn some smali and there is no limit to your understanding of an app's mechanisms</li>
<li>You can use Apktool to mutate an app, changing package names, images, and even functionality</li>
<li>Mutating an app can be an effective data hiding technique. Over-reliance on automated tools can lead to missing out on important data</li>
</ul>
Questions, comments, suggestions, or experiences? Seen Logan? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a><br />
<br /></div>
Mark Lohrum http://www.blogger.com/profile/07077867576734525405 noreply@blogger.com 13
tag:blogger.com,1999:blog-6748555274835706450.post-5727298935583933306 2017-02-25T14:34:00.001-08:00 2019-04-27T06:36:45.394-07:00
Waze for Android forensics<br />
<h3 style="text-align: center;">
Lots of Location Information</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b>
<br />
Many years ago, I spent an evening at my grandparents' house before taking off for a day-long there-and-back trip across state lines to my soon-to-be university. The trip was just before I started grad school at the university and I was interviewing for a graduate assistantship, which I earned. I had been to the campus a few times, but I can't say I was overly familiar with the turf and I had never driven there from my grandparents' house. So my grandfather gave me an old US atlas of his. An old Rand McNally US highway atlas that Wal-Mart published every year. Remember those? They would publish a new highway atlas each and every year in the off-chance that Main Street might get up and move between this year and next.
<br />
<br />
Anyways, I used that atlas to navigate. I'm a natural with maps - I grew up backpacking and therefore relying upon trail maps - so I found my way there and back. And of course, this was towards the beginning of the smartphone era, so I did not have a digital device for navigation. Paper was just fine.
<br />
<br />
I kept that atlas around for other trips. One year, a friend of mine and I drove from the Midwest down to Alabama and back for a football game. It was an awesome trip, including a stop at the Louisville Slugger factory and museum and another at the Space and Rocket Center in Huntsville. That friend of mine also is old-school like me, not needing an LCD screen to get from point A to point B. I kept that same old atlas around for other road trips, for football games, skiing, and so forth.
<br />
<br />
Where is that old atlas now? It's been cut up and turned into a Christmas present. No, I'm not kidding. My dad is a marathon runner, aiming to run a marathon in all 50 states, so my wife and I made a little scrapbook for him to document each run, photos and such, against a map of each state. And why was I willing to sacrifice that atlas? Because, you know, who uses an atlas anymore?
<br />
<br />
<b>Waze</b>
<br />
There are several maps and navigation apps out there for Android. I find Waze to be such a novel app in that it is a combination of navigation and social networking. Meaning app users report road incidents so other users can be aware of accidents, construction, roadkill, traffic jams, and other slowdowns. Waze effectively crowdsources traffic information.
<br />
<br />
You can use Waze as a GPS navigation app, for communicating slowdowns, for sharing your location and trips with friends, and I've found it has an incredibly loyal following. Waze-ers seem to never flip back to Google Maps. Point is, this app gives you, the forensic examiner, locations, times, and a social network. That is gold for an investigation if the target uses Waze.
<br />
<br />
So I populated a phone with Waze, imaged it, and dissected the data. There's a lot of geo-location there, and it is quite easy to comprehend. So ... here we go.
<br />
<br />
<b>user.db</b><br />
The package name for the app is com.waze. So once you've got your image, check out the directory com.waze within the app data directory of the userdata partition.
<br />
<br />
The main file to check out is user.db - in that directory com.waze, not in any subdirectory. The database has a bunch of tables. I will highlight the ones of interest. This is a SQLite database. I did a post a while back on <a href="http://freeandroidforensics.blogspot.com/2015/01/viewing-sqlite-databases.html">viewing SQLite databases</a>.
<br />
<br />
First, the table PLACES. This one stores places the user has searched for and selected as a navigation destination. Here are the columns of interest:
<br />
<ul>
<li>name: Name of the destination, such as "Home", or "Safeway"</li>
<li>street: Street address of the destination</li>
<li>city: City of the destination</li>
<li>state: State of the destination</li>
<li>country: Country of the destination</li>
<li>house: Apartment or other unit number</li>
<li>longitude: Longitude, multiplied by 1,000,000. Divide by 1,000,000 to get decimal degrees</li>
<li>latitude: Latitude, also multiplied by 1,000,000</li>
<li>created_time: Epoch time it was searched.</li>
</ul>
I was going to screencap the database, but it would not be worth much after I would black out all the personal sensitive data, which is all of it. I'm not about to let the Internet know where I live, where I work, and when I go to where!
<br />
<br />
This is all plain text. All you need to do is an epoch time conversion and you've got a listing of when each destination was searched for, exactly where on the planet it is, and the street address. This table alone can be a goldmine for an examiner.
<br />
<br />
Next, the table PEOPLE. With Waze, you can connect people via Facebook, and then you can share your location and coordinate travel. Here are the columns of interest:
<br />
<ul>
<li>waze_id: The Waze ID of the user in order to link to the right Waze user. More on the device's Waze ID later.</li>
<li>facebook_id: Facebook's ID of the contact in order to link to the right person.</li>
<li>first_name: First name of the contact</li>
<li>last_name: Last name of the contact</li>
<li>create_time: Epoch time the contact was added</li>
<li>modified_time: Epoch time the contact was modified last</li>
</ul>
So far, Waze has provided your location search history and your contact history.
<br />
<br />
Next, the table SHARED_PLACES. This table includes locations the user has shared, which may mean the location is of significance. Really there are only a few columns of interest, so check out the created time, the place name, and the share time. Pretty self-explanatory.
<br />
<br />
There are some other interesting tables in the database. Feel free to browse around and see if anything else is of interest.
<br />
<br />
<b>XML Files </b><br />
Next up, check out the directory shared_prefs. This includes some xml files. I'll highlight two of interest.<br />
<br />
First, the file com.waze.appuid.xml . I previously mentioned the Waze ID. Here it is. If the Waze ID from this XML file on one device appears in the PEOPLE table of user.db on another device, the two users know each other.<br />
<br />
Second, com.waze.parked.xml. Here's what mine looks like:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: small;"><?xml version='1.0' encoding='utf-8' standalone='yes' ?><br /><map><br /> <string name="dest_lon">[REDACTED]</string><br /> <string name="dest_name">[REDACTED]</string><br /> <string name="dest_venueId">[REDACTED]</string><br /> <string name="dest_lat">[REDACTED]</string><br /></map></span></span>
<br />
<br />
When you finish a Waze trip, which should naturally end with parking the car, this file is created. It stores where the car is and when the trip ended. Nifty, huh?
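To turn the user.db tables and the parked XML above into a report, here is an added example parser (not the blog author's script) that builds a constructed com.waze directory with made-up rows, then parses it. Column names come from the post; the column types, treating created_time and create_time as Unix seconds, and treating dest_lat/dest_lon in the parked XML as decimal-degree strings are this example's assumptions.

```python
"""Added example (not the blog author's script): parse the Waze artifacts above.

Builds a constructed com.waze directory (user.db plus shared_prefs/com.waze.parked.xml)
with made-up rows in a temp folder, then parses it. Column names come from the post;
the column types, treating created_time/create_time as Unix seconds, and treating
dest_lat/dest_lon in the parked XML as decimal-degree strings are assumptions.
"""
import os
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

def epoch_to_utc(epoch):
    """Epoch value -> ISO-8601 UTC string (assumes seconds, not milliseconds)."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()

def _query(db_path, sql):
    con = sqlite3.connect(db_path)
    try:
        return con.execute(sql).fetchall()
    finally:
        con.close()

def parse_places(db_path):
    """PLACES rows; latitude/longitude are stored multiplied by 1,000,000."""
    rows = _query(db_path, "SELECT name, house, street, city, state, country, latitude, "
                           "longitude, created_time FROM PLACES ORDER BY created_time")
    return [{
        "name": name,
        # house is the unit number; join only the address parts that are present
        "address": ", ".join(p for p in (house, street, city, state, country) if p),
        "latitude": lat / 1_000_000,
        "longitude": lon / 1_000_000,
        "created_utc": epoch_to_utc(created),
    } for name, house, street, city, state, country, lat, lon, created in rows]

def parse_people(db_path):
    """PEOPLE rows; waze_id is the value to match against another device's appuid XML."""
    rows = _query(db_path, "SELECT waze_id, facebook_id, first_name, last_name, "
                           "create_time, modified_time FROM PEOPLE")
    return [{"waze_id": w, "facebook_id": f, "name": f"{fn} {ln}".strip(),
             "created_utc": epoch_to_utc(c), "modified_utc": epoch_to_utc(m)}
            for w, f, fn, ln, c, m in rows]

def parse_parked(xml_path):
    """Last parking spot from shared_prefs/com.waze.parked.xml."""
    root = ET.parse(xml_path).getroot()
    values = {s.get("name"): (s.text or "") for s in root.findall("string")}
    return {"dest_name": values.get("dest_name"), "dest_venueId": values.get("dest_venueId"),
            "latitude": float(values["dest_lat"]),    # assumption: decimal degrees
            "longitude": float(values["dest_lon"])}

def parse_waze_dir(directory):
    """Parse a com.waze app directory into one report dict."""
    db_path = os.path.join(directory, "user.db")
    xml_path = os.path.join(directory, "shared_prefs", "com.waze.parked.xml")
    return {"places": parse_places(db_path), "people": parse_people(db_path),
            "parked": parse_parked(xml_path) if os.path.exists(xml_path) else None}

def build_fixture(directory):
    """Create a constructed com.waze layout with sample (not real) data."""
    con = sqlite3.connect(os.path.join(directory, "user.db"))
    con.executescript("""
        CREATE TABLE PLACES (name TEXT, street TEXT, city TEXT, state TEXT, country TEXT,
            house TEXT, longitude INTEGER, latitude INTEGER, created_time INTEGER);
        CREATE TABLE PEOPLE (waze_id TEXT, facebook_id TEXT, first_name TEXT, last_name TEXT,
            create_time INTEGER, modified_time INTEGER);
        INSERT INTO PLACES VALUES ('Home', 'Main St', 'Springfield', 'IL', 'US', '123',
            -89650148, 39781721, 1486000000);
        INSERT INTO PLACES VALUES ('Safeway', 'Elm Ave', 'Springfield', 'IL', 'US', NULL,
            -89700000, 39800000, 1486100000);
        INSERT INTO PEOPLE VALUES ('w-0001', 'fb-1001', 'Jane', 'Doe', 1485000000, 1486000000);
    """)
    con.commit()
    con.close()
    prefs = os.path.join(directory, "shared_prefs")
    os.makedirs(prefs, exist_ok=True)
    with open(os.path.join(prefs, "com.waze.parked.xml"), "w", encoding="utf-8") as fh:
        fh.write("<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
                 '    <string name="dest_lon">-89.650148</string>\n'
                 '    <string name="dest_name">Home</string>\n'
                 '    <string name="dest_venueId">venue-placeholder</string>\n'
                 '    <string name="dest_lat">39.781721</string>\n</map>\n')

def demo():
    """Build the fixture in a temp dir and parse it; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return parse_waze_dir(tmp)

if __name__ == "__main__":
    for place in demo()["places"]:
        print(place["created_utc"], place["name"], place["latitude"], place["longitude"])
```

Point parse_waze_dir() at the com.waze directory carved from a real image; if the timestamps come out decades off, the column is in milliseconds rather than seconds and epoch_to_utc() needs adjusting.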
<br />
<br />
<b>Log</b><br />
Finally, go back up a directory and check out the file waze_log.txt. This is a massive log file with some decent goodies.
<br />
<br />
There are geo-coordinates which represent different stops along the way on a trip. I also found information about routes from point A to point B. For each route, there is a list of highlights along the way, anything from airports to groceries to gas stations, which may be of interest. There are also all kinds of businesses listed that are near the route, which may be of interest as well.
<br />
<br />
This was a rather simple app study, and I did not go all too deep into the app data. If there is a specific app you would like me to do a deep dive on, let me know. I may be up for it. Additionally, the data in this post could be easily transformed into a simple forensic parser. If you would like a simple Python script to parse all this data, let me know. It shouldn't take me too long.
<br />
<br />
<b>Another blog </b>
<br />
As an influential member of the mobile forensics community, I believe in promoting each other's work. There is a blog from a few years ago that appears to still be valid today. Apps change and so sometimes findings for one version of an app are invalid when the app upgrades. These findings look good on current versions of the app. The blog was a capstone project for undergrad on this topic. <a href="http://wazeforensics.blogspot.com/">Check out this link for some excellent Waze work.</a><br />
<br />
<br />
<b>Summary</b>
<br />
<ul>
<li>Waze stores a good amount of geo-history in easily accessible plain text, mostly in a single database</li>
<li>An XML file stores the last place and when the car parked at the end of a Waze trip</li>
<li>The waze_log.txt file has a lot of data and I've barely checked it out</li>
</ul>
Questions, comments, suggestions, or experiences? Fun road trips? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a>
</div>
Mark Lohrum, 2016-12-08 (updated 2019-04-27)
Dirty Cow<h3 style="text-align: center;">
A potential game changer in forensics</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b>
<br />
<br />
About two and a half years ago, I wrote a post on <a href="http://freeandroidforensics.blogspot.com/2014/08/imaging-android-device.html">live imaging an Android device</a>. Based on the view stats I see on this blog, it seems like this post has a lot of popularity.<br />
<br />
Fast forward some time and several operating system revisions, and the post is now quite obsolete. The post relied upon <a href="https://towelroot.com/">TowelRoot</a>, which is an exploit that has been patched for over two years.<br />
<br />
Now what is not obsolete is the general method: a data connection between the forensic computer and the device, an exploit, and an imaging command. These concepts are still the same. The problem is, I don't have an exploit for new Android devices.<br />
<br />
<b>Dirty Cow</b>
<br />
<br />
Enter <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195">CVE-2016-5195</a>, or "Dirty Cow". The link in the previous sentence is to the official CVE entry. In short, it is a Linux kernel privilege escalation vulnerability that is also present in the Android kernel, so it could potentially be used to gain root.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://upload.wikimedia.org/wikipedia/commons/thumb/1/1b/DirtyCow.svg/895px-DirtyCow.svg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://upload.wikimedia.org/wikipedia/commons/thumb/1/1b/DirtyCow.svg/895px-DirtyCow.svg.png" style="text-align: center;" width="346" /></a></div>
<br />
<br />
<br />
<a href="https://github.com/timwr/CVE-2016-5195">Several</a> <a href="https://github.com/dirtycow">developers</a> have released open source versions of Dirty Cow for Android, but all as proofs of concept. To the best of my knowledge, nobody has released a version of Dirty Cow specifically for rooting devices. I have tried several techniques on my personal phone and still no root shell. The source is open, written in C, and can be compiled using the <a href="https://developer.android.com/ndk/index.html">Android NDK</a>. Now I personally have C experience, but the last time C was my primary language, the top selling phone worldwide was the <a href="https://en.wikipedia.org/wiki/Motorola_Razr">Motorola Razr</a> and Barack Obama was a little known senator from Illinois. And the world still hated Tom Brady and the Patriots, so I guess some things never change. Didn't I mention in <a href="http://freeandroidforensics.blogspot.com/2016/06/interpreting-data-from-apps.html">my previous post</a> that I'm officially a dinosaur?
<br />
<br />
<b>Implications</b>
<br />
<br />
If anybody gets Dirty Cow working on Android like TowelRoot, meaning a do-all root program, then suddenly we as forensic examiners can use the live imaging guide to image any current Android device, or at least until Dirty Cow is patched and the patch is widespread.<br />
<br />
As I am using a Galaxy S6 running 6.0, I have not rooted my phone. That may come as a shock to many. The reason is I do not have a way to root my phone without tripping the <a href="http://android.stackexchange.com/questions/115526/why-i-should-i-care-about-knox-warranty-can-i-still-root-my-s5">Knox warranty bit</a>. I would like to keep that intact but still gain a root shell.<br />
<br />
And of course, where there are forensic implications, there are also security implications. If I can image anyone's phone, then so can anyone else. And anyone can access and take privileged information from a device.<br />
<br />
<br />
<b>Community Work</b>
<br />
<br />
So here comes the point of this post. Who out there is working on Dirty Cow or other new exploits? If anyone reading this is interested in Android forensics and is working on gaining root shells, I'd sure like to hear about it, whether you are using Dirty Cow or something else entirely. If you are able to, please share. I am happy to collaborate or point you in the direction of someone who can collaborate as well.
<br />
<br />
And, have you had any success with Dirty Cow or any other current exploit? If so, how did you do it, what device, any troubles, etc?
<br />
<br />
I personally would be very interested in getting an exploit for newer Android phones up and running. The purpose here is forensic research, so I can keep sharing results with the digital forensics community.
<br />
<br />
<b>Summary</b>
<br />
<ul>
<li>TowelRoot is obsolete.</li>
<li>Dirty Cow is a possible way to gain an equivalent root shell on newer devices.</li>
<li>Collaboration?</li>
</ul>
Questions, comments? Any research you wish to share? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a></div>
Mark Lohrum, 2016-06-25 (updated 2019-04-27)
Interpreting data from apps<h3 style="text-align: center;">
Lots of apps means lots of data</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b>
<br />
<br />
In Android, just about all the data you care about will be app data. Text messages? App data from the SMS app. Phone logs? App data from the phone app. Facebook chats? App data from the Facebook app.
<br />
<br />
Now I think of myself as being a young guy. At least, I'm not old, or too old. I am a millennial. So you could imagine the surprise when I heard the following comment from a college-aged family member:
<br />
<blockquote class="tr_bq">
Mark, you still text? You are such a dinosaur.</blockquote>
<br />
Yes, I am a dinosaur for still texting. Now I can remember literally laughing out loud when I first received a text from my father. He had finally graduated from placing a phone call for even the simplest of messages to convey to sending a short message over SMS. Fast forward a few years and I am a dinosaur for not graduating beyond texting. But graduating to what?<br />
<br />
Well, that college-aged family member said he and all his peers use apps to message each other. Facebook, <a href="https://www.whatsapp.com/">WhatsApp</a> (which is now owned by Facebook), and I'm sure others. C'mon, I asked him, what's wrong with texting?
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<img height="171" src="https://www.sciencenews.org/sites/default/files/main/articles/ls_shutterstock_105146921_free.jpg" width="320" /></div>
<br />
<br />
<br />
<br />
And why use Facebook instead of texting?
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<img height="133" src="https://upload.wikimedia.org/wikipedia/en/d/d7/Walking_with_Dinosaurs_Gorgosaurus.jpg" width="320" /></div>
<br />
<br />
<br />
Can you send photos over these apps the way I do with MMS?<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz2ZqcHuMHowfJGYiITpgemeaLuyo_hCh87yMgm2s-mylTJcYzohlbWEQmmaHMk_5Ubrbu3lA1KOswecyD6X0KLjI38jkZiGDNHg-bO67GuSO6HE5RoV9lv8lXpxfz3T4cKRKm27Z9lDM3/s1600/bones.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="479" data-original-width="920" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz2ZqcHuMHowfJGYiITpgemeaLuyo_hCh87yMgm2s-mylTJcYzohlbWEQmmaHMk_5Ubrbu3lA1KOswecyD6X0KLjI38jkZiGDNHg-bO67GuSO6HE5RoV9lv8lXpxfz3T4cKRKm27Z9lDM3/s320/bones.jpg" width="320" /></a></div>
<br />
<br />
And what exactly is WhatsApp?
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<img height="240" src="https://umad.com/img/2015/9/toy-story-rex-wallpaper-3860-4068-hd-wallpapers.jpg" width="320" /></div>
<br />
<br />
<br />
Now beyond the young kids who dance on their elders' fossils for using a technology which my elders only recently began using (poorly), there are others who, for better or worse, use apps for communicating. For a dramatic example, the terrorist organization ISIS famously uses the app <a href="https://telegram.org/">Telegram</a> for <a href="http://www.businessinsider.com/telegram-isis-app-encrypted-propagandar-2015-11">spreading propaganda</a>. Now you may think that the owners of Telegram may consider it a responsibility to shut down ISIS usage. And Telegram has in fact made an effort to ban terrorist usage of their app, but that was only after laughing off the notion with the following line: <a href="https://www.washingtonpost.com/news/morning-mix/wp/2015/11/19/founder-of-app-used-by-isis-once-said-we-shouldnt-feel-guilty-on-wednesday-he-banned-their-accounts/">I propose banning words. There’s evidence that they’re being used by terrorists to communicate.</a>
<br />
<br />
Also sadly in the news was the app <a href="https://www.kik.com/">Kik</a>. In the recent <a href="http://abcnews.go.com/US/virginia-tech-student-inappropriate-relationship-13-year-murder/story?id=36747652">tragic murder and kidnapping at Virginia Tech</a>, the perpetrators <a href="http://www.nytimes.com/2016/02/06/us/social-media-apps-anonymous-kik-crime.html?_r=0">used the app Kik to lure in their prey</a>. The story is horrifying on so many levels.
<br />
<br />
Now what about other apps? Games, sharing apps, social media, etc. Might those apps store some significant data too? This post is all about how to parse and interpret data from third-party apps. Why is this significant? If you get all the SMS and call logs and other traditional evidence, you may have missed the device owner's primary method of communication.
<br />
<br />
Now this post will not be a specific how-to-parse-this-app post. Instead, this is a generic guide for parsing that may be of help. I hope to convey the ways apps store data and how to access and read this data. I believe the challenge of parsing and interpreting app data is, or will soon become, more tedious than imaging devices.
<br />
<br />
<b>Where do apps store data?</b><br />
First, Android security prohibits users from accessing the userdata partition, which is where all apps store their data. (Some apps may also store some data on the SD card, but this is "unprotected" data. Not the "good stuff.") You either need an image of the device (and you can create an image using my post on <a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">live imaging an Android device</a>) or you need root access. In this post, I am working from an image of a device.
<br />
<br />
Android by default stores user data in the /userdata partition in the directory /data. The screenshot below is from FTK Imager looking at the data directory.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSOqFUS-Siy7Gx40y5_5qTCTLSVT16VHmNr3cAcnWDxJEbZ0Rkb34yq5KTMMHSQpfunJYGoCSkHXHDuUZMbeRPcwk0oDP4oRUK5uvvtnCrL33UfB4iVsugLmyjcSLkgXa-t5J-_cX6rk1Z/s1600/data_dir.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSOqFUS-Siy7Gx40y5_5qTCTLSVT16VHmNr3cAcnWDxJEbZ0Rkb34yq5KTMMHSQpfunJYGoCSkHXHDuUZMbeRPcwk0oDP4oRUK5uvvtnCrL33UfB4iVsugLmyjcSLkgXa-t5J-_cX6rk1Z/s1600/data_dir.jpg" width="367" /></a></div>
<br />
<br />
You'll see that within the data directory are directories named after package names. The directory air.WatchESPN stores user data associated with the WatchESPN app. The directory com.google.android.youtube stores data associated with the YouTube app. The directory com.android.chrome will store web history and other data associated with the Chrome browser.
<br />
<br />
<b>What kinds of data?</b><br />
By default, most user data is stored in SQLite databases. For a writeup on viewing SQLite data, check out my <a href="http://freeandroidforensics.blogspot.com/2015/01/viewing-sqlite-databases.html">previous post on SQLite databases</a>.
<br />
<br />
Most apps use SQLite in some fashion or another. And if the app you are trying to parse stores all its data in SQLite with no encryption of any kind, you are good to go.
<br />
<br />
Other types of data can also be found. The following is a screenshot of the YouTube app's storage:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzOsonKdzWmY3ArwIZEYDlLjBV-UMlcfjZTeFaVG8ZKqprvdLBZo_L18sNAlPQ0axTwKpANNyapyTOLlTJXQ4Q_NoAO5meD5kERSwhmdVUwj4Z89Vu9zWPvoUVGekD57J-P8NCbm5iYDrG/s1600/youtube_dir.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzOsonKdzWmY3ArwIZEYDlLjBV-UMlcfjZTeFaVG8ZKqprvdLBZo_L18sNAlPQ0axTwKpANNyapyTOLlTJXQ4Q_NoAO5meD5kERSwhmdVUwj4Z89Vu9zWPvoUVGekD57J-P8NCbm5iYDrG/s1600/youtube_dir.jpg" width="320" /></a></div>
<br />
All of the directories above store data associated with the YouTube app. The databases directory will contain SQLite databases. The directory shared_prefs stores XML files which may be interesting or not. Depending upon the app, the XML files may store data about the user, such as usernames or maybe even passwords if the developer has a poor grasp on security. The XMLs can also be pretty much useless. XMLs can be opened in any text editor of choice.
<br />
<br />
There also is a "files" directory. This directory can store anything. A developer can store images, videos, text, or even more databases in the files directory.
<br />
<br />
So if your app stores only databases in a nice SQLite format, some user information in XMLs in shared_prefs, and some images or other interesting files in the files directory, you can easily interpret all of this data. But what about challenging data? I will highlight two challenges to consider with app parsing.
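Because a developer can drop another database or a media file into the files directory under any name, classifying files by their header rather than their extension is the check worth doing before deciding an app is "easy". The added example below (not code from the post) builds a constructed package directory, labels each file by its magic bytes, and lists shared_prefs keys whose names hint at credentials; the package, file and key names are made up.

```python
"""Added example: inventory an app's data directory by file content, not file name.

Not code from the post. It builds a constructed package directory in a temp folder
(a real SQLite file under databases/, an XML under shared_prefs/, and under files/ a
JPEG header plus a SQLite database saved with no telling extension), then classifies
every file by its magic bytes and flags shared_prefs keys whose names suggest
credentials. Package, file and key names are made up.
"""
import os
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file
JPEG_MAGIC = b"\xff\xd8\xff"
CREDENTIAL_HINTS = ("pass", "token", "secret", "user", "auth")

def classify_file(path):
    """Return a type label based on the file header, ignoring the extension."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    if head.lstrip().startswith(b"<"):
        return "xml"
    return "unknown"

def suspicious_pref_keys(xml_path):
    """Names of shared_prefs entries that look like credentials or identities."""
    root = ET.parse(xml_path).getroot()
    hits = []
    for elem in root:                       # children of <map>: string, boolean, int, ...
        name = (elem.get("name") or "").lower()
        if any(hint in name for hint in CREDENTIAL_HINTS):
            hits.append(elem.get("name"))
    return hits

def inventory_package(pkg_dir):
    """Walk a package directory; return {relative_path: label} plus pref-key hits."""
    files, pref_hits = {}, {}
    for root, _dirs, names in os.walk(pkg_dir):
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, pkg_dir).replace(os.sep, "/")
            files[rel] = classify_file(full)
            if files[rel] == "xml" and rel.startswith("shared_prefs/"):
                pref_hits[rel] = suspicious_pref_keys(full)
    return {"files": files, "pref_hits": pref_hits}

def build_fixture(pkg_dir):
    """Constructed com.example.app layout (package name is made up)."""
    for sub in ("databases", "shared_prefs", "files"):
        os.makedirs(os.path.join(pkg_dir, sub), exist_ok=True)
    for db in ("databases/main.db", "files/cache.dat"):   # second one hides its type
        con = sqlite3.connect(os.path.join(pkg_dir, db))
        con.execute("CREATE TABLE t (x INTEGER)")
        con.commit()
        con.close()
    with open(os.path.join(pkg_dir, "files", "photo.jpg"), "wb") as fh:
        fh.write(JPEG_MAGIC + b"\xe0" + b"\x00" * 20)
    with open(os.path.join(pkg_dir, "shared_prefs", "com.example.app_preferences.xml"),
              "w", encoding="utf-8") as fh:
        fh.write("<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
                 '    <string name="username">alice</string>\n'
                 '    <string name="auth_token">placeholder</string>\n'
                 '    <boolean name="first_run" value="false" />\n</map>\n')

def demo():
    """Build the fixture in a temp dir and inventory it; returns the result dict."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "com.example.app")
        build_fixture(pkg)
        return inventory_package(pkg)

if __name__ == "__main__":
    result = demo()
    for rel, label in sorted(result["files"].items()):
        print(f"{label:8} {rel}")
    print("credential-looking prefs:", result["pref_hits"])
```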
<br />
<br />
<b>Encryption</b><br />
<br />
Many apps use encryption to store sensitive data. In some cases, you open a SQLite database and are parsing through and you get to a table with nothing but random-looking junk stored in rows. If you come across such a finding, you may have found some encryption. This is an example of encrypted content within a database. And if you find such content, you will need to find a way to decrypt the data to make any sense of it. I am no crypto expert, so I would consult one if I came across such a finding.<br />
<br />
And a side note. If you come across a string that looks like the following:<br />
TWFyaywgYXMgaW4gdGhhdCBuZXJkIHdobyB3cml0ZXMgaHR0cDovL2ZyZWVhbmRyb2lkZm9yZW5zaWNzLmJsb2dzcG90LmNvbSwgaXMgc3VjaCBhIGRpbm9zYXVyIQ==
<br />
<br />
you have come across Base64 encoded text. This is not encryption and can easily be decoded. Base64 encodes arbitrary bytes into a string of uppercase letters, lowercase letters, digits, and two symbols (+ and /, or - and _ in the URL-safe variant); if padding is required, the string ends with one or two equals signs. Here is a <a href="https://en.wikipedia.org/wiki/Base64">Wikipedia page on Base64</a>. You can come across Base64 in databases, XML files, URLs, or just about anyplace.
<br />
<br />
Some apps also encrypt their databases entirely. WhatsApp, for example, encrypts their entire database. If you come across an app that you know is storing a good amount of data on the device and yet you cannot find a database but you find entire files of random-looking data, you may have found encrypted databases. Again, consult a crypto expert.
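Before calling a value encrypted, it is worth running the cheap checks the two paragraphs above imply: is it Base64 of readable text, is it hex, or is it Base64 wrapping bytes that are still random after decoding (which is what encoded ciphertext looks like)? The added example below is not code from the post; it triages the Base64 string quoted earlier alongside constructed samples, and includes a byte-entropy function for whole files, where a large file near 8 bits per byte is consistent with encryption or compression.

```python
"""Added example: triage "random-looking" values before calling them encrypted.

Not code from the post. triage_value() separates Base64-encoded text (decodable,
not encryption) from hex, from Base64 that wraps non-text bytes (which may well be
ciphertext), and from strings that are not Base64 at all. shannon_entropy() is the
same idea for whole files: 8 bits per byte is the ceiling, and a large file close
to it is consistent with encryption or compression. The ciphertext bytes below are
constructed, not real app data.
"""
import base64
import binascii
import math
import re
import string
from collections import Counter

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
HEX_RE = re.compile(r"[0-9a-fA-F]+")
PRINTABLE = set(string.printable)

# The Base64 string quoted in the post above.
POST_STRING = ("TWFyaywgYXMgaW4gdGhhdCBuZXJkIHdobyB3cml0ZXMgaHR0cDovL2ZyZWVhbmRyb2lkZm9yZW5zaWNz"
               "LmJsb2dzcG90LmNvbSwgaXMgc3VjaCBhIGRpbm9zYXVyIQ==")
# Constructed stand-in for ciphertext: not valid UTF-8, no structure.
CONSTRUCTED_CIPHERTEXT = bytes([0x8f, 0xa3, 0x00, 0x17, 0xff, 0x42,
                                0x91, 0xc0, 0x05, 0x7e, 0xee, 0x13])

def triage_value(value):
    """Return (verdict, payload): 'hex', 'base64-text', 'base64-binary' or 'not-base64'."""
    # Hex also passes the Base64 alphabet test, so check it first.
    if len(value) % 2 == 0 and HEX_RE.fullmatch(value):
        return "hex", bytes.fromhex(value)
    if len(value) % 4 != 0 or not B64_RE.fullmatch(value):
        return "not-base64", None
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return "not-base64", None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "base64-binary", raw          # decodes, but the bytes are not text
    if all(ch in PRINTABLE for ch in text):
        return "base64-text", text
    return "base64-binary", raw

def shannon_entropy(data):
    """Bits of entropy per byte, from 0.0 (one repeated value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def demo():
    """Triage the post's string plus constructed samples; returns {label: (verdict, payload)}."""
    samples = {
        "post": POST_STRING,
        "cipher": base64.b64encode(CONSTRUCTED_CIPHERTEXT).decode("ascii"),
        "hex": "deadbeefcafe",
        "plain": "hello world!",
    }
    return {k: triage_value(v) for k, v in samples.items()}

if __name__ == "__main__":
    for label, (verdict, payload) in demo().items():
        print(f"{label:7} {verdict:14} {payload!r}")
    # Constructed file contents: repetitive text vs. every byte value equally often.
    print(round(shannon_entropy(b"ab" * 500), 2),
          round(shannon_entropy(bytes(range(256)) * 4), 2))
```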
<br />
<br />
<b>Non-standard data storage</b>
<br />
<br />
App developers are developers, and developers like to develop things. What do I mean? I mean that developers often get tired of using built-in functions, like SQLite, and so they choose to implement a different database format, or they make their own. I have plenty of jokes to make at my engineer friends' expenses about over-engineering everything.
<br />
<br />
So while SQLite is a nice and easy format to parse, there are other database formats out there for Android. Here is a <a href="http://www.andevcon.com/news/10-android-database-libraries">list of ten known and available non-SQLite database formats</a>. If you come across an app with a non-SQLite database, you will need to find a way to interpret all the data. If there is no parser available, you can use a hex editor to simply view the database and make sense of it, or you can write a parser (or have a developer write one) so that next time you come across such a database, you will be ready.
<br />
<br />
<b>Strategies</b>
<br />
<br />
So big picture. What do you do when you find an app on a device and you are unfamiliar with it? Here is a list of steps you can take to make sure you get all the possible data.
<br />
<ul>
<li>Examine all the data files. View SQLite databases. Open XMLs in a text editor. Open unknown files in hex editors. View any media. Make sure you view everything.</li>
<li>Check out the file /data/system/packages.xml. This is a file which stores information about all apps installed on the device, including the permissions each app holds. See any permissions that stand out? If you see camera permissions, be on the lookout for photos associated with the app. In a <a href="http://freeandroidforensics.blogspot.com/2014/11/some-artifacts-in-datasystem-directory.html">previous post</a>, I detailed the file.</li>
<li>Reverse engineer the app. Look at the source. It may help you understand what the app does and how it stores data. Here is a <a href="http://freeandroidforensics.blogspot.com/2014/09/reverse-engineering-android-app-file.html">previous post on reverse engineering</a>.</li>
<li>Once you have made sense of the data, report it in a standardized and readable format.</li>
<li>If you think you may come across this app again, consider writing a program to parse through data based on your findings so you can do this process automatically.</li>
</ul>
<br />
<b>Resources available</b>
<br />
<br />
There are plenty of resources available for interpreting data from the diverse apps out there. I will list out a few.
<br />
<ul>
<li>Mobile forensic tool vendors. I was recently at <a href="http://www.technosecurity.us/">Mobile Forensics World</a> in South Carolina. There were many vendors presenting similar information to this post. Everybody in the mobile forensics community is dealing with all these third party apps. For example, the company <a href="https://www.magnetforensics.com/">Magnet Forensics</a> sometimes releases findings of different third party apps. Here is an <a href="https://www.magnetforensics.com/wp-content/uploads/2014/04/Skype-Forensics-Analyzing-Call-and-Chat-Data-From-Computers-and-Mobile-Magnet-Forensics.pdf">excellent writeup on data within the app Skype</a>.</li>
<li><a href="https://github.com/pxb1988/dex2jar">dex2jar</a>. In my post on reverse engineering, I show how to use this program to reverse an app to a Java jar.</li>
<li>Java Jar decompilers. With the Java jar from dex2jar, a decompiler can interpret the jar as Java source for reverse engineering.</li>
<li>Wireshark. Especially with chatting or social apps, you may need to understand data coming over the air to the device. Wireshark can help you capture data in transit.</li>
<li><a href="https://www.pnfsoftware.com/">JEB</a>. An app decompiler. This is most definitely not free software. If you need to decompile and debug an Android app to see from the "app's perspective" how data on the device is created, JEB can do the trick.</li>
</ul>
<br />
<br />
<b>Summary</b>
<br />
<ul>
<li>There are so many apps out there which store important data on the device. If you only look at SMS and call logs, you may miss the most important conversations on the device.</li>
<li>Apps store data in the userdata partition. You need either an image of the device or root access to get at it.</li>
<li>Data can be stored in challenging formats. If you come across encryption and you are not a crypto expert, you may need to call one in.</li>
<li>There are resources out there. Everybody in the community is dealing with this challenge.</li>
</ul>
Questions, comments? Any other dinosaurs out there? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a>
</div>
Mark Lohrum (http://www.blogger.com/profile/07077867576734525405)
Some non-root methods to learn about a device (posted 2016-02-27, updated 2019-04-27)<h3 style="text-align: center;">
Sometimes you cannot image or root a device</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b>
<br /><br />
This post will be a bit of a change of gears. Most of the rest of my posts involve imaging the device in question and examining the image. And of course, <a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">imaging requires three things</a>: <br />
<ul>
<li>Data connection between the device and the computer</li>
<li>Exploit</li>
<li>Imaging command</li>
</ul>
Now what if you cannot or choose not to exploit (root) your device? This is a real situation. So long as you have the ability to adb shell into the device, there still are some ways to get useful data from the device. This post is all about some simple ways to gain some insight into the device.
<br /><br />
<b>Determine if the device has been compromised</b><br />
A common fear with Android devices is that the device can be rooted without the user knowing. This is a legitimate concern, and it can be addressed with an adb shell to the device. Doing so also takes a couple of small pieces of knowledge:<br />
<ul>
<li>The system partition, mounted at /system, is mounted read only</li>
<ul>
<li>Normal users cannot modify anything in this partition without a root exploit</li>
</ul>
<li>The root binary, su, is typically found in the system partition</li>
<li>Which all means that if the device is compromised, there is most likely evidence of it found in /system</li>
</ul>
<br />
Shell into the device and cd to /system. Then do an ls -al. The -l part of ls will get a listing of all the files and directories at the /system directory including last modified times, and the -a will list any hidden files so you do not miss anything. Here are the results from my Nexus 5:<br />
<br />
<span style="font-family: 'courier new', 'courier', monospace;">shell@hammerhead:/ $ cd /system<br />shell@hammerhead:/system $ ls -al<br />drwxr-xr-x root root 1970-11-15 06:44 app<br />drwxr-xr-x root shell 1970-11-15 06:44 bin<br />-rw-r--r-- root root 4065 2015-04-17 13:34 build.prop<br />drwxr-xr-x root root 2015-06-25 22:10 etc<br />drwxr-xr-x root root 2015-04-17 13:34 fonts<br />drwxr-xr-x root root 2015-04-17 13:34 framework<br />drwxr-xr-x root root 1970-11-15 06:44 lib<br />drwx------ root root 1969-12-31 19:00 lost+found<br />drwxr-xr-x root root 2015-04-17 13:34 media<br />drwxr-xr-x root root 2015-04-17 13:34 priv-app<br />-rw-r--r-- root root 89346 2015-04-17 13:34 recovery-from-boot.p<br />drwxr-xr-x root root 2015-04-17 13:34 usr<br />drwxr-xr-x root shell 2015-04-17 13:34 vendor<br />drwxr-xr-x root shell 2015-06-25 22:10 xbin</span><br />
<br />
As the timestamps show, most directories were last altered 2015-04-17, which is when I last flashed a version of Android onto my device. Yes, I am behind the times. Intentionally. I like Android 5.1.1 and I'm sticking with it for now.<br />
<br />
But you will also see some oddities. Namely two directories that were updated two months later on 2015-06-25. What is going on with etc and xbin? Let's find out.<br />
<br />
So I cd to etc and do another ls -al.<br />
<br />
<span style="font-family: 'courier new', 'courier', monospace;">shell@hammerhead:/system $ cd etc</span><br />
<span style="font-family: 'courier new', 'courier', monospace;">shell@hammerhead:/system/etc $ ls -al<br />-rw-r--r-- root root 2 1970-11-15 06:44 .installed_su_daemon</span><br />
<span style="font-family: 'courier new', 'courier', monospace;">-rw-r--r-- root root 1472 2015-04-17 13:34 DxHDCP.cfg<br />-rw-r--r-- root root 277097 2015-04-17 13:34 NOTICE.html.gz</span><br />
<span style="font-family: 'courier new', 'courier', monospace;">(A bunch more files ....)<br />-rw-r--r-- root root 38 2015-06-25 22:10 resolv.conf<br />(A bunch more files ....)</span><br />
<span style="font-family: 'courier new', 'courier', monospace;">drwxr-xr-x root root 2015-04-17 13:34 updatecmds<br />drwxr-xr-x root root 2015-04-17 13:34 wifi<br />shell@hammerhead:/system/etc $ </span><br />
<br />
You will see that the file resolv.conf, whose mode (-rw-r--r--) means it can be read and written but not executed, was last modified 2015-06-25. So what is in that file and should I care?<br />
<br />
I also can see that the file is only 38 bytes. Small file. So I just cat it.<br />
<br />
<span style="font-family: 'courier new', 'courier', monospace;">shell@hammerhead:/system/etc $ cat resolv.conf <br />nameserver 8.8.4.4<br />nameserver 8.8.8.8<br />shell@hammerhead:/system/etc $ </span><br />
<br />
The contents of the file are pretty simple. For an explanation of what "nameserver 8.8.4.4" means, quite literally <a href="https://developers.google.com/speed/public-dns/">consult Google</a>.<br />
<br />
So on the one hand, you have a file which basically just says use Google for DNS, so nothing of real significance. On the other hand, why was that file modified when it was? If you remember, the /system/xbin directory was modified at the same date and time that the resolv.conf file was modified. Let's cd to that and get an ls -al.<br />
<br />
<span style="font-family: 'courier new', 'courier', monospace;">shell@hammerhead:/system/etc $ cd ../xbin<br />shell@hammerhead:/system/xbin $ ls -al<br />lrwxrwxrwx root root 2015-06-25 22:10 [ -> /system/xbin/busybox<br />lrwxrwxrwx root root 2015-06-25 22:10 [[ -> /system/xbin/busybox<br />lrwxrwxrwx root root 2015-06-25 22:10 acpid -> /system/xbin/busybox</span><br />
<span style="font-family: 'courier new', 'courier', monospace;">.....</span><br />
<span style="font-family: 'courier new', 'courier', monospace;">-rwxr-xr-x root root 1095836 2015-06-25 22:10 busybox<br />.....</span><br />
<span style="font-family: 'courier new', 'courier', monospace;">-rwxr-xr-x root root 75364 1970-11-15 06:44 su<br />-rwxr-xr-x root root 75364 1970-11-15 06:44 sugote<br />-rwxr-xr-x root root 157412 1970-11-15 06:44 sugote-mksh<br />.....</span><br />
<span style="font-family: 'courier new', 'courier', monospace;">lrwxrwxrwx root root 2015-06-25 22:10 zcat -> /system/xbin/busybox<br />lrwxrwxrwx root root 2015-06-25 22:10 zcip -> /system/xbin/busybox<br />shell@hammerhead:/system/xbin $ </span><br />
<br />
So what does this all mean? It means that on 2015-06-25 at 22:10 EST, I installed busybox on my device. Busybox installed all these symbolic links at /system/xbin which point to busybox, and busybox additionally changed /system/etc/resolv.conf to point to Google.<br />
<br />
Additionally, you can see the su binary, which tells you I rooted my device, apparently on November 15, 1970.<br />
<br />
Wait, what? In 1970, neither the device nor I existed. Google didn't exist, cellular connectivity didn't exist, computers used punch cards as input, and bell bottom jeans were hot fashion.<br />
<br />
No, most likely, I rooted my phone in June 2015. However, I rooted my phone via recovery mode, which does not use the Android clock, so all activity appears to take place in 1970. I hate to disappoint you all, but I am in fact not a time traveler. Additionally, this explains the file /system/etc/.installed_su_daemon as seen above, also modified in 1970.<br />
<br />
So quick takeaways. If you are worried that your phone might be compromised, do an ls -l in /system and see if anything looks like it was modified at strange times. Additionally, see if /system/xbin/su exists.<br />
<br />
Now some caveats:<br />
<ul>
<li>The system clock can be changed. Easily.</li>
<ul>
<li>A smart attacker can change the clock around and do changes so that a simple analysis as seen above will not uncover changes made. </li>
</ul>
<li>The su binary need not be called su and placed in /system/xbin</li>
<ul>
<li>It could be elsewhere and called something else. As long as it has the right permissions, the file can be placed anywhere on the device that allows execution.</li>
</ul>
</ul>
As always, if you are concerned there is some advanced attacking going on against your device which may employ some clock modification or a hidden root, you can contact me for further assistance with your device.<br />
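Here is an added Python example, not from the original post, that automates the timestamp walk above: it parses toolbox-style ls -al output, takes the most common post-1980 date as the flash baseline, and lists entries modified after it, entries with 1969/1970 (clock-less) timestamps, and the root-related file names this post mentions. Both listings are constructed from the output shown above; the regex assumes the Android 5 toolbox ls format, where directories and links have no size column.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One line of the Android 5 toolbox "ls -al": mode, owner, group, size (regular files
# only), date, time, then the name, with " -> target" appended for symlinks.
_LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+(?P<user>\S+)\s+(?P<group>\S+)\s+"
    r"(?:(?P<size>\d+)\s+)?(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<name>.+)$"
)

# File names this post associates with a rooted device or a busybox install.
ROOT_INDICATORS = {"su", "sugote", "sugote-mksh", "busybox", ".installed_su_daemon"}


@dataclass
class Entry:
    mode: str
    user: str
    group: str
    size: Optional[int]
    mtime: datetime
    name: str
    target: Optional[str]  # symlink destination, if any


def parse_ls(text: str) -> List[Entry]:
    """Parse ls -al output; prompts, typed commands and '.....' separators are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LS_LINE.match(line.strip())
        if not m:
            continue
        name, target = m.group("name"), None
        if m.group("mode").startswith("l") and " -> " in name:
            name, target = name.split(" -> ", 1)
        entries.append(Entry(
            mode=m.group("mode"), user=m.group("user"), group=m.group("group"),
            size=int(m.group("size")) if m.group("size") else None,
            mtime=datetime.strptime(m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M"),
            name=name, target=target,
        ))
    return entries


def triage(entries: List[Entry]) -> dict:
    """Bucket a listing the way the post reasons about it by hand."""
    # Most common date among entries with a believable clock: usually the last flash.
    dates = Counter(e.mtime.date() for e in entries if e.mtime.year >= 1980)
    baseline = dates.most_common(1)[0][0] if dates else None
    return {
        "baseline": baseline,
        # Written after the flash: the first place to look for post-install changes.
        "after_baseline": sorted(e.name for e in entries if baseline and e.mtime.date() > baseline),
        # 1969/1970 timestamps: written with no valid clock, e.g. from recovery mode.
        "epoch_era": sorted(e.name for e in entries if e.mtime.year < 1980),
        "root_indicators": sorted(e.name for e in entries if e.name in ROOT_INDICATORS),
    }


# Constructed from the /system listing in the post.
SYSTEM_LISTING = """\
shell@hammerhead:/system $ ls -al
drwxr-xr-x root root 1970-11-15 06:44 app
drwxr-xr-x root shell 1970-11-15 06:44 bin
-rw-r--r-- root root 4065 2015-04-17 13:34 build.prop
drwxr-xr-x root root 2015-06-25 22:10 etc
drwxr-xr-x root root 2015-04-17 13:34 fonts
drwxr-xr-x root root 2015-04-17 13:34 framework
drwxr-xr-x root root 1970-11-15 06:44 lib
drwx------ root root 1969-12-31 19:00 lost+found
drwxr-xr-x root root 2015-04-17 13:34 media
drwxr-xr-x root root 2015-04-17 13:34 priv-app
-rw-r--r-- root root 89346 2015-04-17 13:34 recovery-from-boot.p
drwxr-xr-x root root 2015-04-17 13:34 usr
drwxr-xr-x root shell 2015-04-17 13:34 vendor
drwxr-xr-x root shell 2015-06-25 22:10 xbin
"""

# Constructed from the trimmed /system/xbin listing in the post.
XBIN_LISTING = """\
lrwxrwxrwx root root 2015-06-25 22:10 [ -> /system/xbin/busybox
lrwxrwxrwx root root 2015-06-25 22:10 acpid -> /system/xbin/busybox
-rwxr-xr-x root root 1095836 2015-06-25 22:10 busybox
-rwxr-xr-x root root 75364 1970-11-15 06:44 su
-rwxr-xr-x root root 75364 1970-11-15 06:44 sugote
-rwxr-xr-x root root 157412 1970-11-15 06:44 sugote-mksh
lrwxrwxrwx root root 2015-06-25 22:10 zcat -> /system/xbin/busybox
"""
```

Running triage over the two listings reproduces the walk in the post: etc and xbin are the post-flash changes in /system, and su, sugote and sugote-mksh are the clock-less entries in xbin.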
<br />
<br />
<b>See what apps have been installed and if there are any you do not recognize</b>
<br />
You install apps on your phone and you know what you've installed. Or you install so many apps that you forgot what you've installed but the fact is you did personally install the app and you can account for it.<br />
<br />
But what if somebody else gets their paws on your phone and installs something? We've all read articles about scares over spyware on phones, and we've all seen those movies where the bad guy gets the good guy's phone and installs something nasty which lets the bad guy listen in on everything the good guy is doing. The truth is the Android development environment can be exploited to allow such apps to run.<br />
<br />
So what if you think somebody has "tapped" your phone? There is a good chance that if your phone has not been rooted and yet somebody put something on your phone, the little gift they left for you is an app. It may be hidden, but it can be found with some simple command lines.<br />
<br />
I'll give a quick and simple method which gets a list of all user-installed apps, and then another method which gives details of all apps on the device.<br />
<br />
So the quick way first. Adb shell into your phone and type the following command:<br />
<br />
<span style="font-family: 'courier new', 'courier', monospace; font-size: small;">pm list packages -3<br /></span>
<br />
pm is a command which stands for "package manager". It does just as you may think - it manages packages, or apps, on the device. The command above lists all third party apps, or user-installed apps. The output from my phone is as follows:<br />
<br />
<span style="font-family: 'courier new', 'courier', monospace;">shell@hammerhead:/ $ pm list packages -3<br />package:stericson.busybox<br />package:com.redfin.android<br />package:com.weather.Weather<br />... a bunch more third party apps ...<br /></span>
<span style="font-family: 'courier new', 'courier', monospace;">package:com.google.android.apps.chromecast.app<br />package:com.lookout<br />package:com.fandango<br />package:com.hp.android.printservice<br />shell@hammerhead:/ $ <br /></span>
<br />
If any of the apps listed look like something you do not recognize, perhaps you should look into it. I personally recognize all the apps installed. stericson.busybox is a shortcut way to install busybox. I care about the weather, hence a weather app. My wife and I went to go see Deadpool last week, hence the Fandango app.
<br /><br />
Now let's say you want to look into a specific app. You can use the dumpsys command, which dumps diagnostic information from all types of system services. For example, let's take a look into the WatchESPN app. I may be a massive nerd, but I love my sports.
<br /><br />
I enter the following line ...
<br /><br />
<span style="font-family: 'courier new', 'courier', monospace;">dumpsys package air.WatchESPN </span>
<br /><br />
And I get the following info about the WatchESPN app
<br /><br />
<span style="font-family: 'courier new', 'courier', monospace;">shell@hammerhead:/ $ dumpsys package air.WatchESPN <br />... a bunch of developer related activity at the top ...</span>
<span style="font-family: 'courier new', 'courier', monospace;">Packages:<br /> Package [air.WatchESPN] (2f619c56):<br /> userId=10111 gids=[3003, 1028, 1015]<br /> pkg=Package{2ab5f4d7 air.WatchESPN}<br /> codePath=/data/app/air.WatchESPN-2<br /> resourcePath=/data/app/air.WatchESPN-2<br /> legacyNativeLibraryDir=/data/app/air.WatchESPN-2/lib<br /> primaryCpuAbi=armeabi<br /> secondaryCpuAbi=null<br /> versionCode=2100103 targetSdk=22<br /> versionName=2.4.1<br /> splits=[base]<br /> applicationInfo=ApplicationInfo{36a34671 air.WatchESPN}<br /> flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]<br /> dataDir=/data/data/air.WatchESPN<br /> supportsScreens=[small, medium, large, xlarge, resizeable, anyDensity]<br /> timeStamp=2015-10-31 08:03:15<br /> firstInstallTime=2015-10-10 15:09:36<br /> lastUpdateTime=2015-10-31 08:03:16<br /> installerPackageName=com.android.vending<br /> signatures=PackageSignatures{155cf1c4 [2bd4d8ad]}<br /> permissionsFixed=true haveGids=true installStatus=1<br /> pkgFlags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]<br /> User 0: installed=true hidden=false stopped=false notLaunched=false enabled=0<br /> grantedPermissions:<br /> android.permission.INTERNET<br /> android.permission.READ_EXTERNAL_STORAGE<br /> android.permission.READ_PHONE_STATE<br /> android.permission.ACCESS_NETWORK_STATE<br /> android.permission.WRITE_EXTERNAL_STORAGE<br /> android.permission.ACCESS_WIFI_STATE<br />shell@hammerhead:/ $ </span>
<br /><br />
So what does all this mean? Let's break down some important highlights.
<br />
<ul>
<li>codePath=/data/app/air.WatchESPN-2</li>
<ul>
<li>The apk is in the /data/app/air.WatchESPN-2/ directory </li>
</ul>
<li>legacyNativeLibraryDir=/data/app/air.WatchESPN-2/lib</li>
<ul>
<li>Any native libraries are in /data/app/air.WatchESPN-2/lib/ </li>
</ul>
<li>dataDir=/data/data/air.WatchESPN </li>
<ul>
<li>Data associated with the app is stored in /data/data/air.WatchESPN - though you need to be root to access that data</li>
</ul>
<li>firstInstallTime=2015-10-10 15:09:36</li>
<ul>
<li>I installed the app in October 2015. I'm guessing it was to <a href="http://www.bgsufalcons.com/news/2015/10/10/FB_1010153729.aspx?path=football">watch this game</a>. My Bowling Green Falcons put on a show on offense. </li>
</ul>
<li>lastUpdateTime=2015-10-31 08:03:16</li>
<ul>
<li>The app was last updated on Halloween 2015. The update must have been scary. </li>
</ul>
<li>installerPackageName=com.android.vending</li>
<ul>
<li>The app was installed by the standard method, not by ADB or other manual methods </li>
</ul>
<li>grantedPermissions</li>
<ul>
<li>The app has the following permissions: </li>
<ul>
<li> android.permission.INTERNET</li>
<li> android.permission.READ_EXTERNAL_STORAGE</li>
<li> android.permission.READ_PHONE_STATE</li>
<li> android.permission.ACCESS_NETWORK_STATE</li>
<li> android.permission.WRITE_EXTERNAL_STORAGE</li>
<li> android.permission.ACCESS_WIFI_STATE</li>
</ul>
</ul>
</ul>
<br />
So this app is obviously legit. And if this information looks awfully familiar, it is because the same information shows up in the <a href="http://freeandroidforensics.blogspot.com/2014/11/some-artifacts-in-datasystem-directory.html">packages.xml file</a>.
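An added Python example (not the post's own code) that parses the Android 5 style dumpsys package output above into the fields broken down in the list, flags packages whose installer is not the Play Store or that hold permissions from a watch-list I chose for illustration, and builds the adb pull line for the app's base.apk. The WatchESPN block is trimmed from the output above; the second package, com.example.sideloaded, is constructed.

```python
import re
from typing import Dict, List

# "Package [name] (hash):" opens each block under "Packages:" in Android 5 dumpsys output.
_PKG_HEADER = re.compile(r"^\s*Package \[(?P<name>[\w.]+)\] \((?P<hash>[0-9a-f]+)\):$")
_SIMPLE_KEYS = re.compile(r"^\s*(?P<key>codePath|dataDir|installerPackageName)=(?P<val>\S+)$")
_TIME_KEYS = re.compile(
    r"^\s*(?P<key>firstInstallTime|lastUpdateTime)=(?P<val>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)
_PERM_LINE = re.compile(r"^\s+(?P<perm>[\w.]+)$")

# Permissions worth a second look on an app you do not recognise. This is my own
# illustrative watch-list; dumpsys itself does not rate permissions.
WATCH_PERMISSIONS = {
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS", "android.permission.ACCESS_FINE_LOCATION",
}


def parse_dumpsys_package(text: str) -> Dict[str, dict]:
    """Map package name -> selected fields plus the grantedPermissions list."""
    packages: Dict[str, dict] = {}
    current, in_perms = None, False
    for line in text.splitlines():
        header = _PKG_HEADER.match(line)
        if header:
            current = {"permissions": []}
            packages[header.group("name")] = current
            in_perms = False
            continue
        if current is None:
            continue
        if line.strip() == "grantedPermissions:":
            in_perms = True
            continue
        if in_perms:
            perm = _PERM_LINE.match(line)
            if perm:
                current["permissions"].append(perm.group("perm"))
                continue
            in_perms = False  # first non-permission line ends the block
        for rx in (_SIMPLE_KEYS, _TIME_KEYS):
            m = rx.match(line)
            if m:
                current[m.group("key")] = m.group("val")
    return packages


def review(packages: Dict[str, dict]) -> Dict[str, List[str]]:
    """Notes per package: non-Play-Store installer, and watch-list permissions held."""
    findings = {}
    for name, info in packages.items():
        notes = []
        installer = info.get("installerPackageName", "null")
        if installer != "com.android.vending":
            notes.append(f"installer={installer} (not the Play Store: ADB or another manual install)")
        hits = sorted(set(info["permissions"]) & WATCH_PERMISSIONS)
        if hits:
            notes.append("watch-list permissions: " + ", ".join(hits))
        findings[name] = notes
    return findings


def pull_command(info: dict) -> str:
    """adb pull for the app's apk; Android 5 stores third-party apks as base.apk under codePath."""
    return f"adb pull {info['codePath']}/base.apk"


# Constructed sample: the WatchESPN block from the post (trimmed) plus a made-up
# sideloaded package with no installer recorded.
SAMPLE_DUMPSYS = """\
Packages:
 Package [air.WatchESPN] (2f619c56):
 userId=10111 gids=[3003, 1028, 1015]
 codePath=/data/app/air.WatchESPN-2
 dataDir=/data/data/air.WatchESPN
 firstInstallTime=2015-10-10 15:09:36
 lastUpdateTime=2015-10-31 08:03:16
 installerPackageName=com.android.vending
 grantedPermissions:
 android.permission.INTERNET
 android.permission.READ_EXTERNAL_STORAGE
 android.permission.READ_PHONE_STATE
 android.permission.ACCESS_NETWORK_STATE
 android.permission.WRITE_EXTERNAL_STORAGE
 android.permission.ACCESS_WIFI_STATE
 Package [com.example.sideloaded] (0badc0de):
 codePath=/data/app/com.example.sideloaded-1
 dataDir=/data/data/com.example.sideloaded
 firstInstallTime=2016-02-20 23:41:02
 lastUpdateTime=2016-02-20 23:41:02
 installerPackageName=null
 grantedPermissions:
 android.permission.INTERNET
 android.permission.RECORD_AUDIO
 android.permission.READ_SMS
"""
```

Feed it the saved dumpsyspackage.txt described below instead of SAMPLE_DUMPSYS to review every package on a device at once.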
<br /><br />
You can also type the following command:
<br /><br />
<span style="font-family: 'courier new', 'courier', monospace;">dumpsys package</span>
<br /><br />
and you will get a similar listing for every app installed on the device. Now I would recommend redirecting all of this into a file. The way to do that is to get out of your adb shell and redirect the output to a file on your computer. It would look like the following, and note that I am shelled into my computer, not my phone:
<br /><br />
<span style="font-family: 'courier new', 'courier', monospace;">adb shell dumpsys package &gt; dumpsyspackage.txt</span>
<br /><br />
You will have a file on your computer called dumpsyspackage.txt with a full listing of every app on your device.
<br /><br />
Now let's say I found something in the listing for the WatchESPN app that bothered me. I may want to <a href="http://freeandroidforensics.blogspot.com/2014/09/reverse-engineering-android-app-file.html">reverse engineer the app</a>. I can pull the app without root access. Here would be the line to pull the app onto the local computer:
<br /><br />
<span style="font-family: 'courier new', 'courier', monospace;">adb pull /data/app/air.WatchESPN-2/base.apk</span>
<br /><br />
Based on the output above, the app is in the directory /data/app/air.WatchESPN-2/, and I happen to know the apks for third party apps in Android 5 get installed in that directory as the file base.apk. The above command pulls that file to your local computer.
<br /><br />
Continuing with that nifty dumpsys command ...
<br /><br />
<b>Fun with dumpsys</b>
<br /><br />
As I said before, dumpsys is a command which dumps diagnostic information from system services. It can tell you a whole lot more than just what apps are installed.
<br /><br />
Now if all you want to do is obtain an entire system dump, use a command similar to the previous one that dumped all package info to a single file. Type the following command ...
<br /><br />
<span style="font-family: 'courier new', 'courier', monospace;">adb shell dumpsys &gt; dumpsys.txt</span>
<br /><br />
... and go grab a drink because it will run for a while.
<br /><br />
The resulting file dumpsys.txt will be quite large, unorganized, and difficult to prod through. So let's get a finer view of it. ADB shell into the device and type the following:
<br /><br />
<span style="font-family: 'courier new', 'courier', monospace;">dumpsys -l</span>
<br /><br />
I get the following output:
<br /><br />
<span style="font-family: 'courier new', 'courier', monospace;">shell@hammerhead:/ $ dumpsys -l<br />Currently running services:<br /> DockObserver<br /> SurfaceFlinger<br /> accessibility<br /> account<br /> activity<br /> alarm<br /> android.security.keystore<br /> appops<br /> appwidget<br /> assetatlas<br /> audio<br /> backup<br /> battery<br /> batteryproperties<br /> batterystats<br /> bluetooth_manager<br /> ... a bunch more services ...</span>
<span style="font-family: 'courier new', 'courier', monospace;"> voiceinteraction<br /> wallpaper<br /> webviewupdate<br /> wifi<br /> wifip2p<br /> wifiscanner<br /> window<br />shell@hammerhead:/ $ </span>
<br /><br />
It is a list of all running services that can be dumped. So let's say I want to find out about my wifi. I can enter the following command from the computer, similar to previously dumping all app info.
<br /><br />
<span style="font-family: 'courier new', 'courier', monospace;">adb shell dumpsys wifi &gt; dumpsyswifi.txt</span>
<br /><br />
And I will get an output about what WiFi I am connected to, packet usage, etc. You can do the same for any of these running services. Want to know what your bluetooth is up to? You know what to do now.
<br /><br />
dumpsys is a good tool to play around with and it works on live running devices. This is not something you can do to an image. An image is just a file, a dead, flat file. A device is a live, running computer that you can interact with, or in the above cases, interrogate.
<br /><br />
<b>Summary</b>
<br />
<ul>
<li>There are some ways to get useful information from a live device, even without rooting or imaging.</li>
<li>Looking at files in your system partition by timestamp can be an indicator if your device has been compromised, though remember that timestamps can be faked with relative ease.</li>
<li>Dumpsys is a useful tool.</li>
<li>You can use dumpsys to learn about what apps are installed on a device, and you can use an adb pull to copy an app's apk off the device and examine it if you wish.</li>
</ul>
Questions, comments? Sports memories? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a><br />
<br />
</div>Mark Lohrum (http://www.blogger.com/profile/07077867576734525405)
Identifying your Userdata Partition (posted 2015-10-08, updated 2019-04-27)<h3 style="text-align: center;">
In case you only want to image one partition</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin-bottom: 0in; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="margin: 0px;">
<b>All blog posts to date</b></div>
</div>
<div style="margin-bottom: 0in;">
</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b>
<br />
<br />
For starters, I'm sorry I haven't posted anything in a long time. And really, there is a main reason. You, the reader, may also be able to help.<br />
<br />
The reason I haven't posted in a long time is because I have not come up with many great posting topics. I look for several qualifications in a topic ...<br />
<br />
<ul>
<li>A topic which is consistent with other topics on my blog</li>
<li>A topic which is not overly well covered and known on the Internet</li>
<li>A topic which somebody with some good Linux and mobile knowledge can do. In other words, a topic which does not require a mobile forensics expert to do.</li>
</ul>
<br />
<br />
So if you have a topic you would like me to cover, please <a href="mailto:freedroidforensics@gmail.com">reach out to me</a>. Crowd-sourcing is very popular these days!<br />
<br />
Anyways, this topic comes from a question I field often. A lot of people reach out to me wanting help imaging specifically the userdata partition. In my post on <a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">live imaging an Android device</a>, I said to reach out to me to find the exact block to image if you want to image userdata.<br />
<br />
This post presents a general way to find the right block to image. This post is NOT meant to be a replacement for reaching out to me with imaging questions. If you are working on imaging your Android device and are having issues or have questions, go ahead and send me an e-mail.<br />
<br />
<b>Imaging your entire device vs Imaging your Userdata partition</b><br />
First, do you want to image the entire device, do you want to image just your userdata partition, or do you not know?<br />
<br />
If you create an image of your entire device, the result will be a file representing your entire internal storage. This image file will contain your boot image, recovery image, radio software, system partition, userdata partition, and depending upon the make and model can have a lot more blocks too. Check out a full image of a Samsung Galaxy S5 sometime if you want to be overwhelmed with partitions and blocks!<br />
<br />
If you create an image of your userdata partition, you will have a file representing one partition of the device from beginning to end. This partition is the "userdata" partition, which contains evidence of user activity. It contains call and SMS records, contacts, user-installed apps, app data, settings, and so-on-and-so-forth. In most newer phones, it also is likely to contain photos and videos and other user-generated files unless an external SD card is present.<br />
<br />
And if you want to image an external SD card, I would recommend a good ol' fashioned write blocker and traditional forensic techniques. If you need more information on this, reach out to me. My skill set is not restricted to Android forensics!<br />
<br />
If you do not know which type of image you want to create, go for the full image. It takes more space because the image file contains all the device partitions instead of just one. The full image will give you a greater insight into the device - and you may learn a thing or two about how Android devices work!<br />
<br />
<b>How to image the entire device</b><br />
If you've not checked out my post on <a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">live imaging an Android device</a>, go ahead and check it out. This current post will probably not make a whole lot of sense without the knowledge on the live imaging page.<br />
<br />
I said on my live imaging post that you should image a block on the device and the command you enter via adb shell to the device looks something like this ...<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">dd if=/dev/block/mmcblk0 | busybox nc -l -p 8888</span></blockquote>
<br />
This line reads all of the contents of the block /dev/block/mmcblk0 and passes it to the computer via netcat. And as you saw on the post, this command only works if the device is rooted and busybox is installed.<br />
<br />
The block /dev/block/mmcblk0 in most cases refers to the very first sector of the device. By reading this block, you read the entirety of the device's internal storage. Imaging this block gets you a physical image of the entire device.<br />
<br />
Note: I did not say in all cases the block /dev/block/mmcblk0 refers to the very first sector of the device. All it takes is one device to have a different naming convention to make a liar out of me if I said the block /dev/block/mmcblk0 is the first sector of the device in all Android devices.<br />
<br />
<b>How to image the userdata partition</b><br />
If you only want to image the one partition, you need to know what block to read. We do this with the mount command.<br />
<br />
Open an adb shell to the device. Type the following:<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">mount</span></blockquote>
<br />
You will get several lines of output. Each of these lines represents a mounted partition. On my Nexus 5, I receive the following as output of the mount command:<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">rootfs / rootfs ro,seclabel,relatime 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">proc /proc proc rw,relatime 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">sysfs /sys sysfs rw,seclabel,relatime 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">debugfs /sys/kernel/debug debugfs rw,relatime 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">none /acct cgroup rw,relatime,cpuacct 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">none /sys/fs/cgroup tmpfs rw,seclabel,relatime,mode=750,gid=1000 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">tmpfs /mnt/asec tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">tmpfs /mnt/obb tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">none /dev/cpuctl cgroup rw,relatime,cpu 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,nomblk_io_submit,noauto_da_alloc,errors=panic,data=ordered 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">/dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,nomblk_io_submit,noauto_da_alloc,errors=panic,data=ordered 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">/dev/block/platform/msm_sdcc.1/by-name/persist /persist ext4 rw,seclabel,nosuid,nodev,relatime,nomblk_io_submit,nodelalloc,errors=panic,data=ordered 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">/dev/block/platform/msm_sdcc.1/by-name/modem /firmware vfat ro,context=u:object_r:firmware_file:s0,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=cp437,iocharset=iso8859-1,shortname=lower,errors=remount-ro 0 0</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">/dev/fuse /mnt/shell/emulated fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0</span></blockquote>
<br />
Look specifically at the following line:
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,nomblk_io_submit,noauto_da_alloc,errors=panic,data=ordered 0 0</span></blockquote>
<br />
This line indicates that the block /dev/block/platform/msm_sdcc.1/by-name/userdata is mounted read/write (as opposed to read only) at the directory /data and the partition is formatted ext4.<br />
<br />
That means the block /dev/block/platform/msm_sdcc.1/by-name/userdata is my userdata block. I can substitute /dev/block/platform/msm_sdcc.1/by-name/userdata for /dev/block/mmcblk0 in my imaging command.<br />
<br />
Now I fully understand that typing /dev/block/platform/msm_sdcc.1/by-name/userdata is a bit cumbersome. There is a shortcut. I can enter the following command (and you might need to be root):<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">ls -l /dev/block/platform/msm_sdcc.1/by-name/userdata</span></blockquote>
<br />
I get the following output:
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">lrwxrwxrwx root root 1971-03-18 07:17 userdata -> /dev/block/mmcblk0p28</span></blockquote>
<br />
You may notice a timestamp from the year 1971. That is nothing to be concerned over - I am in fact not a time traveler. That timestamp is an artifact of <a href="https://en.wikipedia.org/wiki/Unix_time">Linux timestamp convention</a>.<br />
<br />
This output indicates that the block /dev/block/platform/msm_sdcc.1/by-name/userdata is a symbolic link to /dev/block/mmcblk0p28.
<br />
So, I can substitute /dev/block/mmcblk0p28 for /dev/block/mmcblk0 in my imaging command.
<br />
If I want to image just the userdata partition, the imaging command I enter in an adb shell to the device would look like this:<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">dd if=/dev/block/mmcblk0p28 | busybox nc -l -p 8888</span></blockquote>
<br />
I hope this all makes sense. Feel free to <a href="mailto:freedroidforensics@gmail.com">reach out</a> to me if you need further assistance.
<br />
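To put the whole lookup in one place, here is an added shell script (not from the original post) that does the same steps automatically: pick the device mounted at /data out of mount output, resolve the by-name symlink the way ls -l does, refuse a bare mmcblk0 so you do not end up with a full-device image by accident, and print the dd | nc command. The mount lines and the fake /dev/block tree it resolves against are constructed from the Nexus 5 output above so the script runs offline; on a real device you would pipe in the live mount output and resolve the real /dev/block path.

```shell
#!/bin/sh
# Added example, not from the original post. Automates the manual lookup:
#   mount -> device mounted at /data -> resolve by-name symlink -> dd | nc command.
# Everything below runs offline against constructed sample data.

# Constructed sample: the relevant lines from the post's Nexus 5 mount output.
SAMPLE_MOUNT='rootfs / rootfs ro,seclabel,relatime 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,errors=panic,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,errors=panic,data=ordered 0 0'

# Print the device (field 1) mounted at mount point $1, reading mount-style
# output from stdin. Fails (exit 1) if no line has that mount point.
device_for_mountpoint() {
    awk -v mp="$1" '$2 == mp { print $1; found = 1; exit } END { exit !found }'
}

# Print the filesystem type (field 3) for mount point $1, so the caller knows
# what it will be parsing later (ext4 for userdata on this device).
fstype_for_mountpoint() {
    awk -v mp="$1" '$2 == mp { print $3; found = 1; exit } END { exit !found }'
}

# Follow the by-name symlink to its target, the same thing `ls -l` showed.
resolve_block() {
    readlink -f "$1"
}

# Accept only a partition node (mmcblkNpM). A bare mmcblkN is the whole
# eMMC device; imaging it gives a full-device image, not the one partition.
is_partition_node() {
    case "$(basename "$1")" in
        mmcblk[0-9]*p[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the device-side imaging command from the post, listening on port $2.
imaging_command() {
    printf 'dd if=%s | busybox nc -l -p %s\n' "$1" "$2"
}

# Demo: build a constructed stand-in for /dev/block in a temp directory
# (mmcblk0p28 with a by-name/userdata symlink pointing at it), then run the
# lookup end to end and print the resulting imaging command.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/platform/msm_sdcc.1/by-name"
    : > "$tmp/mmcblk0p28"
    ln -s "$tmp/mmcblk0p28" "$tmp/platform/msm_sdcc.1/by-name/userdata"

    byname=$(printf '%s\n' "$SAMPLE_MOUNT" | device_for_mountpoint /data) || return 1
    # Rebase the /dev/block path onto the temp tree; on a real device use it as-is.
    node=$(resolve_block "$tmp${byname#/dev/block}") || return 1
    is_partition_node "$node" || return 1
    imaging_command "/dev/block/$(basename "$node")" 8888
    rm -rf "$tmp"
}

demo
```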
<b>And now some frequently asked questions</b><br />
Seeing as this post started with answering a FAQ, I will answer a couple more FAQs.<br />
<br />
<blockquote class="tr_bq">
"Can I use the live imaging technique in Windows?"</blockquote>
Not without some serious hacking around. The technique I show is a Linux technique that also works on Mac. This is because the technique relies upon the netcat utility. Netcat is on both Linux and Mac; it is not on Windows.<br />
<br />
Now maybe you are familiar with <a href="https://www.cygwin.com/">Cygwin</a>. Cygwin allows you to run Linux commands in Windows. I have never tried this imaging technique out on a Cygwin-enabled Windows computer using the Cygwin version of netcat. If anybody out there tries this out, let me know! I'd love to know the results.<br />
<br />
<br />
<blockquote class="tr_bq">
"I found this specific rooting technique for this specific device. I have not tested it out yet. Will it work?"</blockquote>
Sometimes I get asked if a rooting technique works on a certain phone. And I always look into it and will provide the best answer I can. The trick is, whatever the phone is, I probably do not have one conveniently laying around to try the technique out myself.<br />
<br />
The issue with rooting is sometimes you can accidentally wipe device data you plan to image. Example: the most common method for rooting Nexus devices is to unlock the bootloader and install ClockworkMod and root through CWM. This technique works great except for one minor little detail: as a security feature, unlocking the bootloader on a Nexus device wipes all user data on the device. I would not exactly call that forensically sound.<br />
<br />
Similarly, some techniques on newer Samsung phones can result in flipping the warranty bit. If you root your Samsung phone and then see the following in the bootloader interface:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixyxneUHdXf2AH2hjbLJNQKmcNMN6k9mkTPmrobaM8r1eXxN3bM4VwTmCU1qQbnFMluKNjj1uBhe6y5O_n3IyFcouCtzl2TqubAAFIwsWwLkh5X_taSRuavE4N8UG3x_BY1BSr2-XNrWv5/s1600/warranty_bit.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixyxneUHdXf2AH2hjbLJNQKmcNMN6k9mkTPmrobaM8r1eXxN3bM4VwTmCU1qQbnFMluKNjj1uBhe6y5O_n3IyFcouCtzl2TqubAAFIwsWwLkh5X_taSRuavE4N8UG3x_BY1BSr2-XNrWv5/s1600/warranty_bit.jpg" /></a></div>
<br />
Then the warranty on the device is void. If you have a problem with the device, service centers are likely to turn it away. That may or may not matter to you. However, once the warranty bit has been flipped, the device can never run a Knox container again. Again, this may or may not matter to you. However, I would generally avoid flipping the warranty bit.<br />
<br />
So when I get these questions, I research what I can to determine if your rooting technique is likely to safely work. But as I said on my live imaging post, I am not liable if you harm your device.<br />
<br />
<br />
<blockquote class="tr_bq">
"I am interested in a career in digital forensics. How can I start?"</blockquote>
First, this is a fun career! It is challenging because technology changes all the time, but there are great, rewarding opportunities for the curious minds out there. If you are thinking of university education in the field, I can point out some great programs - and it seems there are new programs opening every year because we need digital forensics experts.
But if you are not sure and want to explore around before truly going down this career path, I can give you a few pointers ...
<br />
<ul>
<li>Learn the command line. I cannot stress this enough. In any area of computer science / technology, being comfortable in a command line interface is such an asset.</li>
<li>Learn Linux. Whether you install Ubuntu and use it to browse the web or you go low level with Linux and do some fun hacks, Linux is good to know.</li>
<li>Download the free tools. Try FTK Imager and Autopsy. Learn how they work. Try examining your own computer. Try using a Linux live environment by booting from disk and imaging your drive onto an external drive. Just do anything you can to learn using the tools you already have.</li>
<li>Read. There is a great academic community in digital forensics publishing some cutting-edge research. But before getting into the new stuff, read about the basics. I can point you in the direction of some good papers. If you are thinking about a BS or MS in this field, you will certainly read academic papers and do research of your own, so reading academic work beforehand can only help.</li>
<li>Mobile device forensics specific: hack around with your own phone. Or preferably, if you have an old phone, don't sell it - hack around with it. </li>
<li>Android forensics specific: Root the device and learn how it works. Flash ClockworkMod and adb into the device in recovery mode. Just hack around with the phone and don't be afraid to take risks, especially if it is not your day-to-day phone. And don't hack around with somebody else's phone without their permission! That can get you into trouble!</li>
<li>Write. In any field, the ability to do the work and obtain results is of course of great importance. What so often sets apart leaders in a field is the ability to effectively communicate work and results. Our universal way of communicating in just about any field is writing. So write your work in a journal as you go. Practice writing reports. If you do not have a template to work from, create your own template. Polish your writing style. I know this bullet point sounds on the non-technical side, but I cannot stress the importance of writing and effective communication enough.</li>
</ul>
<br />
<br />
<blockquote class="tr_bq">
"Do you consult?"</blockquote>
Yes. If you need digital forensics services (Android or not, mobile or not) or have other Android/mobile related needs, and based on this blog you feel I am a person you would like to have work on the problem, e-mail me. I do not take every case, as I do this in my spare time, but I take side work from time to time. I can discuss privately how I work, the needs you have, and my terms.<br />
<br />
<br />
<blockquote class="tr_bq">
"Can you do speaking engagements / guest lectures?"</blockquote>
Yes, if scheduling works. I have done guest lectures and simple Q&As at universities, including remotely over Skype. I enjoy connecting with the academic community.<br />
<br />
<br />
<b>Summary</b>
<br />
<ul>
<li>If you are not sure whether to image a device's entire internal storage or just the userdata partition, image the entire device</li>
<li>Use the mount command to find the block to image if you plan to image just the userdata partition</li>
</ul>
Questions, comments, suggestions, or experiences? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a><br />
<br /></div>
Mark Lohrum (http://www.blogger.com/profile/07077867576734525405). Published 2015-04-02, updated 2019-04-27.
<br />
<b>Why not load ClockworkMod or TWRP to image a device?</b>
<h3 style="text-align: center;">
Alternate recovery modes are useful, but maybe not for imaging a device</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b>
<br />
<br />
This post comes from a question I've fielded a few times. A lot of people, like me, who hack around with their Android devices install a custom recovery mode in place of the default recovery mode. So the question is, why not install ClockworkMod or another custom recovery mode on a device and use the custom recovery mode as a method to image the device?
<br />
<br />
So, let's get some terminology out of the way because I threw a lot of information in that first paragraph which you may or may not understand. Part of the Android architecture is recovery mode. The user can boot into recovery mode instead of Android in order to perform some basic recovery operations, including installing official updates and factory resets. Recovery mode is a small operating system with a basic kernel. The source is <a href="https://android.googlesource.com/platform/bootable/recovery/">available online</a> if you would like to browse.
<br />
<br />
Users can install a custom recovery mode, such as <a href="https://www.clockworkmod.com/">ClockworkMod</a> or <a href="http://teamw.in/">Team Win Recovery Project (TWRP)</a>. These custom recovery modes are also operating systems, and the user can boot into this alternate recovery mode instead of Android in order to access recovery functionality. Extra functionality within these alternate recovery modes allows users to back up their devices, recover from backup, install non-official operating systems, and use other advanced features.
<br />
<br />
Recovery mode runs by default as root. Recovery options must run as root or else they would not have the proper permissions to execute. In the stock recovery mode, the user cannot use these root privileges to image the device. However, the alternate recovery modes allow the user to access a full shell with root privileges via ADB. As I mentioned in my post on imaging a device, you need a root exploit to image the device. You can treat an alternate recovery mode as a root exploit, then boot into recovery mode and image the device while the Android operating system is not even running.
<br />
<br />
This all sounds great, right? So do I recommend installing ClockworkMod or TWRP in place of the default recovery mode in order to image a device? It depends upon why you want to image the device. In this post, I'll show how to install alternate recovery modes, how to image a device using an alternate recovery mode, and why this method of imaging may or may not be appropriate.
<br />
<br />
<b>How to install an alternate recovery mode</b>
<br />
<br />
Installing an alternate recovery mode is very device specific. Honestly, the best way to figure out how to install an alternate recovery mode is to Google it. Here are a few search terms:
<br />
<ul>
<li>clockworkmod nexus 5</li>
<li>clockworkmod galaxy s5</li>
<li>twrp htc one</li>
</ul>
For example, here is <a href="http://wiki.cyanogenmod.org/w/Install_CM_for_hammerhead">how to install ClockworkMod on a Nexus 5</a>. Note that unlocking the bootloader wipes all user data from the device. Remember that for later in this post.
<br />
<br />
Here is a <a href="http://twrp.me/devices/samsunggalaxys4internationalqualcomm.html">guide for more advanced users for installing TWRP on a Galaxy S4</a>.<br />
<br />
In short, I can't give instructions for installing ClockworkMod or TWRP on each and every device. It is a device-specific project. Search online to find how to install an alternate recovery mode on your own device, and you can always contact me for help.
<br />
<br />
<b>How to image in recovery mode</b>
<br />
<br />
Now let's say you've got ClockworkMod installed on your device. My personal device is a Nexus 5, so I'll use my phone as a guide device.
<br />
<br />
<i>Disclaimer: you can cause big problems on your device if you do some of these steps wrong. I am not liable for any damages done to any devices as a result of reading this page or any other pages on this blog.</i>
<br />
<br />
First, boot the device into recovery. If you're not sure of how to do that, search online. If your device is booted into Android and you have adb enabled, you can try the following command
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;">adb -d reboot recovery</span></blockquote>
<br />
Your device should reboot into recovery. Then if you enter<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;">adb devices</span></blockquote>
<br />
you should get a response along the lines of ...
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;">03xxxxxxxxxxxx17 recovery</span></blockquote>
<br />
If you get a strange response with a bunch of question marks, try entering the following
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: small;">adb kill-server</span></span></blockquote>
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo adb start-server</span></blockquote>
<br />
And then try adb devices again and see if you get a better response.
<br />
<br />
In my <a href="http://freeandroidforensics.blogspot.com.br/2014/08/imaging-android-device.html">post on imaging Android devices</a>, I said you need the following three things<br />
<ol>
<li>Data connection between the computer and the device</li>
<li>Exploit</li>
<li>Imaging command</li>
</ol>
If you've followed along so far, we've got all three satisfied<br />
<ol>
<li>You can communicate with the device in an alternate recovery mode over ADB</li>
<li>The alternate recovery mode gives full root access to the device</li>
<li>Imaging command below</li>
</ol>
Next, you'll need netcat, or nc, in the recovery mode. I mentioned before that recovery mode is its own operating system. As an alternate recovery mode allows a shell to the device, the alternate recovery mode operating system contains commands the user can use. ClockworkMod and TWRP should both have netcat installed as they both should include busybox. To make sure, open an ADB shell to the device in recovery mode and type the following:
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;">busybox nc</span></blockquote>
<br />
If the output includes something along these lines:
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;">Usage: nc [-iN] [-wN] [-l] [-p PORT] [-f FILE|IPADDR PORT] [-e PROG]</span></blockquote>
<br />
Then you are set. If not, contact me and I'll help you get netcat installed.
<br />
<br />
Now, just like on my <a href="http://freeandroidforensics.blogspot.com.br/2014/08/live-imaging-android-device.html">post on live imaging an Android device</a>, we'll image the device using netcat. I'll go over the instructions again. Note, I'm basically just copying and pasting from the post on live imaging.
<br />
<br />
To image the device, you need to run commands in two different sessions: one shell on the device and one shell on your computer. Open a terminal window and adb into your device. Then open a second terminal window (it opens as a shell on your computer, not your phone) and change to the directory where you intend to store the image. Note: on a volume formatted FAT32 the maximum file size is 4 gigabytes, so imaging the device would mean splitting the file. To keep it simple, image to a volume formatted ext4 or NTFS. Also make sure the volume has enough space for the image, which will be as large as the device's entire flash, because you are reading the whole block device rather than one partition. For my phone, I need 32 gigabytes of storage to image.<br />
<br />
<br />
Now, in the shell to your computer in the directory of your choosing, type the following:
<br />
<blockquote class="tr_bq">
<span style="font-size: small;"><span style="font-family: "courier new" , "courier" , monospace;">adb forward tcp:8888 tcp:8888</span></span></blockquote>
<br />
This forwards TCP port 8888 on the computer to TCP port 8888 on the device: a connection to 127.0.0.1:8888 on the computer is carried over USB by adb to whatever is listening on port 8888 on the phone.
<br />
<br />
Next, in the shell to your phone, type the following:
<br />
<br />
<blockquote class="tr_bq">
<span style="font-size: small;"><span style="font-family: "courier new" , "courier" , monospace;">dd if=/dev/block/mmcblk0 | busybox nc -l -p 8888</span></span></blockquote>
<br />
<br />
This reads /dev/block/mmcblk0 (on my device the whole eMMC, every partition included, not just the data partition) and pipes the bytes to a netcat listener on port 8888. Nothing leaves the phone until the computer connects. The device name is not universal: check /dev/block/ in the recovery shell and make sure you are pointing at the whole flash rather than a single partition.
<br />
<br />
Finally, back in the shell to the computer, type the following:
<br />
<blockquote class="tr_bq">
<span style="font-size: small;"><span style="font-family: "courier new" , "courier" , monospace;">nc 127.0.0.1 8888 > device_image.dd</span></span></blockquote>
<br />
This connects to the forwarded port and writes everything it receives, which is the byte-for-byte contents of /dev/block/mmcblk0 (the complete image of the device), to the file device_image.dd.
<br />
<br />
If there are no errors, you are imaging the device. The window will "freeze", that is, accept no further commands, because it is busy executing this command. When the imaging process is done, you will be able to type commands into this shell window again. To confirm, open a new terminal window, navigate to the directory where you are saving the image, and type ls -l. This lists files with their sizes; if the size of your file is increasing, you are successfully imaging your device. When it finishes, verify the copy before relying on it: hash the block device from the recovery shell (for example busybox sha256sum /dev/block/mmcblk0, or md5sum if that is all the recovery's busybox offers) and hash the image file on the computer. The two values must match, and the image size must equal the size of the device's flash.<br />
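The host side of the procedure above, as an added example that is not code from the original post: a small Python receiver that stands in for <span style="font-family: "courier new" , "courier" , monospace; font-size: small;">nc 127.0.0.1 8888 &gt; device_image.dd</span>, writes the image and computes its SHA-256 in the same pass (so there is a hash to compare against one taken on the phone), and parses <span style="font-family: "courier new" , "courier" , monospace; font-size: small;">adb devices</span> output so it refuses to run unless the phone reports the recovery state. It assumes the phone-side command and port forward are exactly the ones shown above; the serial numbers and the 3 MiB "image" in the self-test are constructed.<br />

```python
"""Host-side receiver for the dd | busybox nc stream from a device in recovery.

Added example, not code from the original post. It replaces the host-side
`nc 127.0.0.1 8888 > device_image.dd` step with a receiver that writes the
image and computes its SHA-256 in one pass, and it checks `adb devices`
output so a wrapper refuses to run unless the phone really is in recovery.
Assumed: the phone-side command is the one in the post
(dd if=/dev/block/mmcblk0 | busybox nc -l -p 8888) and the port has been
forwarded with `adb forward tcp:8888 tcp:8888`.
"""
import hashlib
import io
import socket
import subprocess
import sys
import threading


def parse_adb_devices(text):
    """Map serial -> state from `adb devices` (or `adb devices -l`) output.

    A serial printed as question marks with 'no permissions' means the adb
    server could not open the USB device (udev rule missing, or server not
    started as root); it is reported as the state 'no permissions'.
    """
    states = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        serial, rest = parts
        state = rest.split()[0]
        if serial.startswith("?") or rest.startswith("no permissions"):
            state = "no permissions"
        states[serial] = state
    return states


def in_recovery(text, serial=None):
    """True when the only device (or the named serial) reports the 'recovery' state."""
    states = parse_adb_devices(text)
    if serial is None:
        return len(states) == 1 and next(iter(states.values())) == "recovery"
    return states.get(serial) == "recovery"


def receive_image(out, host="127.0.0.1", port=8888, chunk=1 << 20):
    """Connect to the forwarded port and stream to `out` until the phone closes.

    Returns (byte_count, sha256_hex). The hash covers exactly the bytes written,
    so it can be compared with a hash taken on the block device itself.
    """
    digest = hashlib.sha256()
    total = 0
    with socket.create_connection((host, port)) as sock:
        while True:
            buf = sock.recv(chunk)
            if not buf:
                break
            out.write(buf)
            digest.update(buf)
            total += len(buf)
    return total, digest.hexdigest()


def serve_once(payload):
    """Offline stand-in for the phone's `nc -l`: serve `payload` to one client.

    Returns the ephemeral port it listens on. Used only by selftest().
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def selftest():
    """Serve a constructed 3 MiB 'image' locally and check count, content and hash."""
    payload = bytes(range(256)) * (4096 * 3)   # constructed data, not a device image
    sink = io.BytesIO()
    count, digest = receive_image(sink, port=serve_once(payload))
    return {
        "bytes": count,
        "content_ok": sink.getvalue() == payload,
        "sha256_ok": digest == hashlib.sha256(payload).hexdigest(),
    }


if __name__ == "__main__":
    # Usage: python recv_image.py device_image.dd
    # (after `adb forward tcp:8888 tcp:8888` and after starting
    #  dd if=/dev/block/mmcblk0 | busybox nc -l -p 8888 in the recovery shell)
    listing = subprocess.run(["adb", "devices"], capture_output=True, text=True, check=True).stdout
    if not in_recovery(listing):
        sys.exit("refusing to image: device is not in recovery:\n" + listing)
    with open(sys.argv[1], "wb") as f:
        n, h = receive_image(f)
    print(f"{n} bytes written, sha256 {h}")
```

Compare the printed digest with the one from the recovery shell; if the recovery's busybox only has md5sum, swap hashlib.sha256 for hashlib.md5. Hashing the block device on the phone reads the whole flash a second time, so expect it to take about as long as the image did.<br />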
<br />
<br />
A quick note on crypto. If the device's data is encrypted, the data partition in your image will be ciphertext. In recovery the data partition is not mounted, so dd reads the raw encrypted blocks rather than the plaintext the running system would present. If the image appears to be encrypted, you'll need to acquire the data while the device is live and the partition is unlocked.
<br />
<br />
Now that I've explained how to image a device using recovery mode, I'll go over whether or not it is a good idea.
<br />
<br />
<b>Why recovery mode to image a device can be a good idea</b>
<br />
<br />
Digital forensics is a big community containing many realms. Digital forensics can be involved in law enforcement, federal government, research, and IT security. Digital forensics can also be practiced by individuals wanting to learn more about how their devices operate. What I'm saying here is the purpose of imaging the device dictates whether or not using recovery mode to image your device is a good idea.
<br />
<br />
If you are an advanced Android user, you may very well have an alternate recovery mode on your device. I have ClockworkMod or TWRP on all of my personal devices. If you are imaging your device in order to do some research on some files or a process, then using an alternate recovery mode is a great idea. You can image the device while it is not booted into Android, the data partition is not actively in use while imaging.
<br />
<br />
If you are a security researcher working on mobile work, I definitely recommend installing a custom recovery mode (unless doing so interferes with research). You may have good uses for some of the advanced functionality which the alternate recovery mode offers. So if I've described your job and you need to image a device, I recommend the method on this page.
<br />
<br />
If the device is evidence in a case and it already has an alternative recovery loaded, then you can use that recovery to image it. The device is never booted into Android, so no user data on the device is changed or even loaded while imaging. One caveat: users can build their own recovery images, and it is conceivable that an advanced user could bake some special sauce into recovery to, say, wipe the device. While I find such a scenario unlikely, it is conceivable. And this caveat works as a perfect segue into my next section.
<br />
<br />
<b>Why recovery mode to image a device can be a bad idea</b>
<br />
<br />
I said before that the purpose of imaging the device determines whether or not installing a custom recovery mode is a good idea. I'm going to detail why installing the custom recovery mode can be a bad idea.
<br />
<br />
If you are imaging a device where the device is evidence in a case and the device does not already have an alternative recovery mode loaded, I definitely do not recommend installing an alternative recovery mode. If you do choose to install one, you are doing so at your own risk. There are two reasons why I do not recommend this action.
<br />
<br />
<ol>
<li>Installing an alternative recovery mode involves overwriting the previous recovery mode. If it appears that the stock recovery mode is installed, it is most likely not a problem to overwrite the recovery mode. Users by default cannot access the recovery mode to store data there. I would not call replacing a stock recovery mode (which you can download easily from the Internet) a material change. However, it is conceivable that an advanced user could write their own recovery mode to include some extra data or functionality and make it appear identical to the stock recovery mode. In the unlikely but possible case where you have such a device, overwriting recovery mode means overwriting important data.</li>
<li>And this one is just a minor detail. Installing a new recovery mode often involves factory resetting the device, or wiping all user data. As in, deleting all case data from the device. This process is what I would call an RGE, or a Resume Generating Event. Minor detail, right?</li>
</ol>
<br />
So to sum up the above points, if you are imaging a device because you need to retain the data on the device as you found it, I absolutely do not recommend installing an alternative recovery mode to image the device.
<br />
<br />
<b>Summary</b>
<br />
<ul>
<li>Alternative recovery modes, such as ClockworkMod or TWRP, are useful for Android hackers like myself</li>
<li>Alternative recovery modes provide the user a root shell so imaging the device using an alternative recovery mode is a very similar process to live imaging a device</li>
<li>It may or may not be recommended to use this method to image a device. If it is essential to maintain the data on the device as you found it, such as in an investigation, do not use this method for imaging a device. Live image the device or use a commercial forensic tool</li>
</ul>
Questions, comments, suggestions, or experiences? Any RGEs you care to (or not care to) share? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a>
</div>
<br />
<b>Facebook for Android Artifacts</b><br />
<a href="http://www.blogger.com/profile/07077867576734525405">Mark Lohrum</a>, published 2015-02-09, updated 2019-04-27<br />
<h3 style="text-align: center;">
A Cache of Personal and Communication Information</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin-bottom: 0in; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="margin: 0px;">
<b>All blog posts to date</b></div>
</div>
<div style="margin-bottom: 0in;">
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<table style="width: 100%;">
<tbody>
<tr>
<td><b>Introduction</b></td>
<td><b>Acquisition</b></td>
<td><b>Analysis</b></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/introduction.html">Introduction</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/imaging-android-device.html">Imaging an Android Device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/examining-image.html">Examining the image</a></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/picking-toolkit.html">Picking a Toolkit</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">Live imaging an Android device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/10/some-hidden-artifacts-in-physical-image.html">Some hidden artifacts in a physical image</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/04/why-not-load-clockworkmod-or-twrp-to.html">Why not load ClockworkMod or TWRP to image a device?</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/11/using-autopsy-to-examine-android-image.html">Using Autopsy to examine an Android image</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/10/identifying-your-userdata-partition.html">Identifying your Userdata Partition</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/11/some-artifacts-in-datasystem-directory.html">Some artifacts in the /data/system/ directory</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/02/some-non-root-methods-to-learn-about.html">Some non-root methods to learn about a device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/01/viewing-sqlite-databases.html">Viewing SQLite Databases</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/05/a-quick-note-on-imaging-newer-android.html">A quick note on imaging newer Android devices</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/02/facebook-for-android-artifacts.html">Facebook for Android Artifacts</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/07/using-windows-to-live-image-android.html">Using Windows to Live Image an Android device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/06/interpreting-data-from-apps.html">Interpreting data from apps</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2018/04/obtaining-all-files-in-data-partition.html">Obtaining all files in the data partition without a physical image</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/02/waze-for-android-forensics.html">Waze for Android forensics</a></td>
</tr>
<tr>
<td></td>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2019/04/magnet-forensics-app-simulator.html">Magnet Forensics App Simulator</a></td>
</tr>
<tr>
<td><b>App Reversing</b></td>
<td><b>Other Topics</b></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/09/reverse-engineering-android-app-file.html">Reverse Engineering an Android App File</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/09/the-differences-between-physical-image.html">The differences between a physical image and a logical extraction</a></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2017/03/fun-with-apktool.html">Fun with Apktool</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/12/dirty-cow.html">Dirty cow</a></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2018/02/deep-dive-into-app.html">Deep dive into an app</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/08/imaging-and-examining-android-car-stereo.html">Imaging and examining an Android car stereo</a></td>
<td></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/12/unpacking-boot-and-recovery-kernels.html">Unpacking boot and recovery kernels</a></td>
<td></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2018/01/mtpwn.html">MTPwn</a></td>
<td></td>
</tr>
</tbody>
</table>
</div>
</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b>
<br />
<br />
First, a disclaimer. This post will detail lots of artifacts on the Facebook for Android app which can be useful from a forensic perspective. These findings regard personal information about the user and the user's communications with contacts. My goal with this post is to educate, inform, and possibly assist people working on cases involving Facebook data on mobile devices. My goal is not to scare the reader away from using Facebook.
<br />
<br />
I am not writing this post with the goal of getting you, the reader, to remove Facebook from your phone. I use Facebook on my phone, so I obviously am not too worried about the incredible amount of personal information stored in an unprotected manner on my phone.
<br />
<br />
So ... if this post disappears at any point, go ahead and assume I received a cease and desist note from Mark Zuckerberg!
<br />
<br />
Now ... back to the post. I use Facebook. My wife occasionally uses Facebook. Her friends and my friends use Facebook. My siblings, parents, cousins, aunts, and uncles use Facebook. I have a grandmother who uses Facebook. I have a friend from grad school who has a Facebook page for her cat.
<br />
<br />
Facebook launched over ten years ago as a collegiate social network and this mega-popular website revolutionized social networking. Facebook evolved from a set of unconnected profiles to a place to share status updates and thoughts of the day to one of the largest (if not the largest) collection of photographs of people in the world. I'm now of the age that whenever I log onto Facebook, I swear Facebook is nothing except a website for parents to upload cute picture of their kids.
<br />
<br />
As with any other new technology, Facebook can also attract criminal activity. Facebook stalking is a real thing and can lead to in-life stalking and worse (even if <a href="https://www.youtube.com/watch?v=6FahBBnfHAQ">this video</a> makes it look humorous). In Facebook's early days, <a href="http://web.archive.org/web/20051031084848/http://www.wral.com/news/5204275/detail.html">some universities used Facebook photos</a> of underage students drinking as evidence of university policy violations. Facebook posts have <a href="http://www.nbcchicago.com/news/local/Prosecutors-Disturbing-Facebook-Post-Kelli-OLaughlin-274818811.html">been admitted as evidence in criminal trials before</a> and, depending upon applicable state law, Facebook posts and messages <a href="http://www.journal-news.com/news/news/social-media-posts-admissible-in-court/nSWR3/">may be admissible in court</a>.
<br />
<br />
If you are examining an image of an Android phone for a criminal case and Facebook is installed, there may be good reason to examine data associated with the Facebook app. This post will detail some of the Facebook data that can be stored on the device and how to interpret it. And again, please don't uninstall Facebook just because some guy on some Android forensics blog said the Facebook app is creepy!<br />
<br />
<b>Where is the data?</b><br />
<br />
First, how do you access this Facebook data? The Facebook app keeps its data in its private app directory, which the Android permission model makes readable only by the app's own user ID. I'd recommend reading my previous post on <a href="http://freeandroidforensics.blogspot.com/2015/01/viewing-sqlite-databases.html">viewing SQLite Databases</a> before diving into this post. In short, you'll need a rooted device or an image of the device to access Facebook data.<br />
<br />
There are two Facebook apps that I'll detail in this post. The first is the main Facebook app. The package name is com.facebook.katana, so the data associated with this app will be stored in the data partition in the directory data/com.facebook.katana. The version of the app on my device is 26.0.0.22.16. The second is the messenger app. The package name is com.facebook.orca, so the data associated with this app will be stored in the data partition in the directory data/com.facebook.orca. The version of the app on my device is 20.0.0.19.13. Depending upon the version of Facebook installed on the device, data may be slightly different than what I present in this post. If you have any questions about where data is, you can always contact me.<br />
<br />
So yes, if you install both the main app and the messenger app on your device, you have a killer whale (orca) and Michonne's sword from the Walking Dead (katana).<br />
<br />
If you've already imaged the device you are investigating, go ahead and copy these directories away from the image to your forensic computer.<br />
<br />
<b>Information about Facebook Friends</b><br />
<br />
First, we'll look at the com.facebook.katana app, or the main Facebook app. Check out the directory com.facebook.katana/databases. This directory predictably stores database files.<br />
<br />
In my previous post on <a href="http://freeandroidforensics.blogspot.com/2015/01/viewing-sqlite-databases.html">viewing SQLite Databases</a>, I showed how to open a SQLite database file to browse data. Explore the file contacts_db2. This file stores a database of Facebook friends. Within the file is a table called contacts. There are several columns in this table to be aware of:<br />
<ul>
<li>first_name: self explanatory</li>
<li>last_name: self explanatory</li>
<li>display_name: self explanatory</li>
<li>small_picture_url: A URL to a small version of the user's profile picture. More on that later.</li>
<li>big_picture_url: A URL to a big version of the user's profile picture. More on that later.</li>
<li>huge_picture_url: A URL to a huge version of the user's profile picture. More on that later.</li>
<li>communication_rank: A number representing how often the user communicates with this particular contact. This number is calculated using some Facebook formula. Communications include messages, posts, likes, comments, etc. A 0 in this column means no communication. The higher the number, the more communication. From a forensic perspective, this number is a way of determining how often the user interacts with another user.</li>
<li>is_messenger_user: A true/false field. True indicates that the user uses a mobile messenger app (such as the com.facebook.orca app for Android).</li>
<li>data: A long string of data describing user profile information. More on this later</li>
<li>bday_day: Birthday.</li>
<li>bday_month: Birthday.</li>
</ul>
For some of the points above, I indicated that I would discuss more later. It is later now.<br />
<br />
There are entries for small_picture_url, big_picture_url, and huge_picture_url. Here is what a huge_picture_url string looks like for a friend of mine: https://fbcdn-<redacted>_n.jpg?oh=<more_redacted>eea. (I redacted most of the URL for privacy reasons.) And when I entered the URL into a browser, I found this image:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXmfZ8LarRv2V0LFgSVWTLbzMeMeDurGV0QwRJswQSEDzZp-LsLEZ9phBZUQ_LA84bQXwSWNvW5om6WqJE9kDmjvq1obo83Eo2_igjzrPlpDKwe0rBPOEk_Bo6S5LZ8LQnRqRhyphenhyphenGY8lmcW/s1600/huge_picture_url.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXmfZ8LarRv2V0LFgSVWTLbzMeMeDurGV0QwRJswQSEDzZp-LsLEZ9phBZUQ_LA84bQXwSWNvW5om6WqJE9kDmjvq1obo83Eo2_igjzrPlpDKwe0rBPOEk_Bo6S5LZ8LQnRqRhyphenhyphenGY8lmcW/s1600/huge_picture_url.jpg" width="320" /></a></div>
<br />
(I chose this specific friend of mine for the sake of anonymity. No face in this Facebook profile picture). Yes, this friend of mine is an Oregon Ducks fan. Don't be too hard on him after the college football national championship game.<br />
<br />
Notice that there is no protection, no encryption, no login required to fetch these photos. There is no public index page that I am aware of to associate a URL with a user, but it still bears mentioning that the photos sit on a CDN without access control. Two practical points for examiners: the URL carries a token (the oh= parameter) and may stop resolving later, so fetch and preserve the image promptly if you need it; and fetching it contacts Facebook's servers from your examination machine, which you may not want to do in a case.<br />
<br />
There is an entry above for "data". This column holds a JSON document describing the contact. Here is what one looks like (with redactions):<br />
<blockquote class="tr_bq">
{"contactId":"Y2<redacted>k2","profileFbid":"62<redacted>09","graphApiWriteId":"contact_20<redacted>96","name":{"firstName":"<redacted>","lastName":"<redacted>","displayName":"<redacted>"},"phoneticName":{},"smallPictureUrl":"https://fbcdn-profile-a.<redacted>a40","bigPictureUrl":"https://fbcdn-profile-a.<redacted>26e","hugePictureUrl":"https://fbcdn-profile-a.<redacted>eea","smallPictureSize":160,"bigPictureSize":320,"hugePictureSize":466,"communicationRank":0.03445798,"withTaggingRank":0.3325288,"phones":[{"id":"62978<redacted>259","label":"Mobile","displayNumber":"(6xx) 9xx-xxxx","universalNumber":"+16xx9xxxxxx","isVerified":true}],"nameSearchTokens":["<redacted>","<redacted>"],"canMessage":true,"isMobilePushable":"YES","isMessengerUser":true,"messengerInstallTime":1417438579000,"isMemorialized":false,"isOnViewerContactList":true,"addedTime":1419017431000,"friendshipStatus":"ARE_FRIENDS","subscribeStatus":"IS_SUBSCRIBED","contactType":"USER","timelineCoverPhoto":{"focus":{"x":0.5,"y":0.39435146443515},"photo":{"image_midres":{"uri":"https://fbcdn-sphotos-h-a.<redacted>201","width":320,"height":179},"image_lowres":{"uri":"https://fbcdn-sphotos-h-a.<redacted>817","width":500,"height":281}}},"nameEntries":[],"birthdayDay":<redacted>,"birthdayMonth":<redacted>,"cityName":"<redacted>, Ohio","isPartial":false}</blockquote>
Obviously this blob is hard to read, but it is a nice treasure trove of useful information about the individual. I'll space this out to make it a little more readable:<br />
<blockquote class="tr_bq">
contactId: Y2<redacted>k2<br />
profileFbid: 62<redacted>09<br />
graphApiWriteId: contact_20<redacted>96<br />
name:<br />
firstName: <redacted><br />
lastName: <redacted><br />
displayName: <redacted><br />
phoneticName: <br />
smallPictureUrl: https://fbcdn-profile-a.<redacted>a40<br />
bigPictureUrl: https://fbcdn-profile-a.<redacted>26e<br />
hugePictureUrl: https://fbcdn-profile-a.<redacted>eea<br />
smallPictureSize: 160<br />
bigPictureSize: 320<br />
hugePictureSize: 466<br />
communicationRank: 0.03445798<br />
withTaggingRank: 0.3325288<br />
phones<br />
id: 62978<redacted>259<br />
label: Mobile<br />
displayNumber: (6xx) 9xx-xxxx<br />
universalNumber: +16xx9xxxxxx<br />
isVerified: true<br />
nameSearchTokens: ["<redacted>","<redacted>"]<br />
canMessage: true<br />
isMobilePushable: YES<br />
isMessengerUser: true<br />
messengerInstallTime: 1417438579000<br />
isMemorialized: false<br />
isOnViewerContactList: true<br />
addedTime: 1419017431000<br />
friendshipStatus: ARE_FRIENDS<br />
subscribeStatus: IS_SUBSCRIBED<br />
contactType: USER<br />
timelineCoverPhoto:<br />
focus:<br />
x: 0.5<br />
y: 0.39435146443515<br />
photo:<br />
image_midres: <br />
uri: https://fbcdn-sphotos-h-a.<redacted>201<br />
width: 320<br />
height: 179<br />
image_lowres: <br />
uri: https://fbcdn-sphotos-h-a.<redacted>817<br />
width: 500<br />
height: 281<br />
nameEntries: []<br />
birthdayDay: <redacted><br />
birthdayMonth: <redacted><br />
cityName: <redacted>, Ohio<br />
isPartial: false</blockquote>
The entry for a contact's "data", as you can see, can contain all kinds of personal information, ranging from birthday to cell phone number, and I've even seen people's addresses in this entry before. Two takeaways: one, be careful what you put online, and two, all of this sensitive information is stored on your phone without encryption.<br />
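An added example (not code from the original post) that does the above programmatically: it opens contacts_db2 read-only, flattens the JSON in the data column alongside the plain columns, converts the epoch-millisecond fields to UTC, and ranks friends by communication_rank. It assumes the table and column names listed above, that data is JSON text of the shape shown, and that is_messenger_user is stored as 0/1. The sample database, with its names, IDs and phone numbers, is constructed here; the two timestamps in the first contact are the ones from the blob above.<br />

```python
"""Decode contacts_db2 from com.facebook.katana: flatten the JSON `data`
column and rank friends by communication_rank.

Added example, not code from the original post. Assumed: the table and
column names are the ones listed above, `data` is JSON text of the shape
shown above, and `is_messenger_user` is stored as 0/1. The sample
database is constructed here; names, IDs and phone numbers are made up.
"""
import json
import os
import sqlite3
import tempfile
from datetime import datetime, timezone


def ms_to_utc(ms):
    """Facebook stores times as Unix epoch milliseconds; render them as UTC."""
    if ms is None:
        return None
    return datetime.fromtimestamp(int(ms) // 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def flatten_contact(row):
    """Merge the plain columns with the fields buried in the JSON `data` blob."""
    blob = json.loads(row["data"]) if row["data"] else {}
    return {
        "display_name": row["display_name"],
        "profile_fbid": blob.get("profileFbid"),
        "communication_rank": row["communication_rank"],
        "is_messenger_user": bool(row["is_messenger_user"]),
        "friendship": blob.get("friendshipStatus"),
        "city": blob.get("cityName"),
        "phones": [p.get("universalNumber") for p in blob.get("phones", [])],
        "birthday_month_day": (row["bday_month"], row["bday_day"]),
        "added_utc": ms_to_utc(blob.get("addedTime")),
        "messenger_install_utc": ms_to_utc(blob.get("messengerInstallTime")),
        "huge_picture_url": row["huge_picture_url"],
    }


def top_contacts(db_path, limit=20):
    """Open the database read-only (never write to evidence) and return the
    contacts the account owner interacts with most, highest rank first."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    con.row_factory = sqlite3.Row
    try:
        rows = con.execute(
            "SELECT display_name, communication_rank, is_messenger_user, data, "
            "bday_day, bday_month, huge_picture_url FROM contacts "
            "ORDER BY communication_rank DESC LIMIT ?", (limit,))
        return [flatten_contact(r) for r in rows]
    finally:
        con.close()


def build_sample_db(path):
    """Constructed stand-in for contacts_db2 with three made-up friends."""
    alice = {"profileFbid": "100000000000001", "friendshipStatus": "ARE_FRIENDS",
             "cityName": "Columbus, Ohio",
             "phones": [{"label": "Mobile", "universalNumber": "+16145550123", "isVerified": True}],
             "messengerInstallTime": 1417438579000, "addedTime": 1419017431000}
    bob = {"profileFbid": "100000000000002", "friendshipStatus": "ARE_FRIENDS"}
    carl = {"profileFbid": "100000000000003", "friendshipStatus": "ARE_FRIENDS",
            "cityName": "Dayton, Ohio", "addedTime": 1420070400000}
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE contacts (first_name TEXT, last_name TEXT, display_name TEXT, "
                "small_picture_url TEXT, big_picture_url TEXT, huge_picture_url TEXT, "
                "communication_rank REAL, is_messenger_user INTEGER, data TEXT, "
                "bday_day INTEGER, bday_month INTEGER)")
    con.executemany("INSERT INTO contacts VALUES (?,?,?,?,?,?,?,?,?,?,?)", [
        ("Alice", "Example", "Alice Example", None, None, "https://example.invalid/alice.jpg",
         0.5, 1, json.dumps(alice), 14, 3),
        ("Bob", "Example", "Bob Example", None, None, None, 0.0, 0, json.dumps(bob), None, None),
        ("Carl", "Example", "Carl Example", None, None, None, 0.03445798, 1, json.dumps(carl), 2, 11),
    ])
    con.commit()
    con.close()


def demo():
    """Build the constructed database in a temp dir and rank its contacts."""
    path = os.path.join(tempfile.mkdtemp(), "contacts_db2")
    build_sample_db(path)
    return top_contacts(path)
```

Point top_contacts at a contacts_db2 copied out of the image to run it on real data. The read-only URI matters: opening an evidence database read-write can create or roll a journal file and alter the copy you are working from.<br />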
<br />
<b>Facebook Messages</b><br />
<br />
Facebook lets users send private messages to other users. These messages are stored on Facebook's servers, and they can also be stored on your phone. The file com.facebook.katana/databases/threads_db2 stores messages the user has sent and received, all in the table messages. As before, I'll point out columns of interest.<br />
<ul>
<li>text: the actual text of the message</li>
<li>sender: a JSON description of the user who sent the message. Compare it with the account owner's ID to tell whether the message was sent or received</li>
<li>timestamp_ms: the date and time of the message as Unix epoch time in milliseconds (divide by 1000 for seconds)</li>
<li>attachments: any attachments with the message. The attachment may include a link to a photo</li>
<li>coordinates: if the user sent the message from a mobile device and allowed access to device location, the location of the device when the message was sent</li>
<li>source: whether the message came from a computer, a mobile device, or some other source</li>
</ul>
<br />
Here is an example of the sender field: {""email"":""20<redacted>86@facebook.com"",""user_key"":""FACEBOOK:20<redacted>86"",""name"":""Mark Lohrum""}. (The doubled quote marks are CSV escaping from the way the value was copied out; in the database it is ordinary JSON, formatted like the data field in the contacts table above.) You can see a field for email, which is basically the numerical user ID @facebook.com, and user_key, which is the same ID prefixed with FACEBOOK:. You can try sending an email to this address from your GMail; for me, the message forwarded to my email address where I receive Facebook notifications. But you can see my name in the sender field, so you know that the message in this entry is from me.<br />
<br />
You probably noticed above an entry for coordinates. This entry stores latitude and longitude as reported by the device at the time the message was sent. Yes, you can determine where a person was, or where their device was, when a message was sent. That can be rather useful information because you have determined where the device was when a message was sent at a specific time. If you can be sure that the user and not another individual was holding the device and sending the message, then you know where the person was at a specific time when sending a message. Note, on Android it is <a href="https://play.google.com/store/apps/details?id=com.incorporateapps.fakegps.fre&hl=en">very</a> <a href="https://play.google.com/store/apps/details?id=com.lexa.fakegps&hl=en">easy</a> to spoof location.<br />
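An added example (not code from the original post) that rebuilds a message timeline from threads_db2: it decodes the sender JSON (accepting the doubled-quote CSV form shown above as well as plain JSON), labels each row sent or received by comparing user_key with the account owner's numeric ID, which the examiner supplies, and pulls out the coordinates when present. It assumes the column names listed above and, because the post does not show the coordinates format, assumes that column is JSON with latitude and longitude keys. The three sample rows, the IDs, the location and the source values are constructed.<br />

```python
"""Rebuild a message timeline from threads_db2 (com.facebook.katana or
com.facebook.orca): decode the JSON `sender` column, classify each row as
sent or received, and extract coordinates when present.

Added example, not code from the original post. Assumed: the column names
are the ones listed above, `sender` is JSON of the shape shown above, and
`coordinates` is JSON with latitude/longitude keys (the post does not show
its format). The account owner's numeric Facebook ID is supplied by the
examiner. The sample rows are constructed.
"""
import json
import os
import sqlite3
import tempfile
from datetime import datetime, timezone


def ms_to_utc(ms):
    """timestamp_ms is Unix epoch milliseconds; render as UTC."""
    return datetime.fromtimestamp(int(ms) // 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_json_column(raw):
    """Decode a JSON column. Also accepts the CSV-escaped form with doubled
    quotes ({""email"":...}) that appears when a value is pasted from a CSV export."""
    if not raw:
        return {}
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return json.loads(raw.replace('""', '"'))


def message_direction(sender, owner_fbid):
    """user_key is 'FACEBOOK:<numeric id>'; match it against the owner's id."""
    return "sent" if sender.get("user_key") == f"FACEBOOK:{owner_fbid}" else "received"


def coordinates(raw):
    """(lat, lon) if the row carries a location, else None. Format is an assumption."""
    c = parse_json_column(raw)
    if "latitude" in c and "longitude" in c:
        return (float(c["latitude"]), float(c["longitude"]))
    return None


def timeline(db_path, owner_fbid):
    """Open threads_db2 read-only and return messages oldest first."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    con.row_factory = sqlite3.Row
    try:
        out = []
        for r in con.execute("SELECT text, sender, timestamp_ms, coordinates, source "
                             "FROM messages ORDER BY timestamp_ms"):
            s = parse_json_column(r["sender"])
            out.append({
                "utc": ms_to_utc(r["timestamp_ms"]),
                "direction": message_direction(s, owner_fbid),
                "who": s.get("name"),
                "fbid": (s.get("user_key") or "").split(":")[-1] or None,
                "text": r["text"],
                "coords": coordinates(r["coordinates"]),
                "source": r["source"],
            })
        return out
    finally:
        con.close()


def build_sample_db(path):
    """Constructed stand-in for threads_db2: three messages between two made-up users."""
    owner = json.dumps({"email": "200000000000086@facebook.com",
                        "user_key": "FACEBOOK:200000000000086", "name": "Owner Example"})
    # The same sender as it looks when pasted from a CSV export (doubled quotes).
    owner_csv = ('{""email"":""200000000000086@facebook.com"",'
                 '""user_key"":""FACEBOOK:200000000000086"",""name"":""Owner Example""}')
    alice = json.dumps({"email": "100000000000001@facebook.com",
                        "user_key": "FACEBOOK:100000000000001", "name": "Alice Example"})
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE messages (text TEXT, sender TEXT, timestamp_ms INTEGER, "
                "attachments TEXT, coordinates TEXT, source TEXT)")
    con.executemany("INSERT INTO messages VALUES (?,?,?,?,?,?)", [
        ("Running late", owner, 1420070400000, None,
         json.dumps({"latitude": 39.9612, "longitude": -82.9988}), "mobile"),   # values constructed
        ("No problem", alice, 1420070460000, None, None, "web"),
        ("Here now", owner_csv, 1420074000000, None, None, "mobile"),
    ])
    con.commit()
    con.close()


def demo():
    """Build the constructed database and return the owner's timeline."""
    path = os.path.join(tempfile.mkdtemp(), "threads_db2")
    build_sample_db(path)
    return timeline(path, "200000000000086")
```

Treat a populated coords field as where the device reported itself to be, not where the person was: the spoofing note above applies, and the value came from the device's location provider at send time.<br />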
<br />
<b>Cached Images</b><br />
<br />
The Facebook app stores a whole lot of data on the device. Much of this data is cached images.<br />
<br />
For example, on my device, there is a file com.facebook.katana/cache/image//v2.ols100.1/99/8vNUdrezcgt0__oST83Rc5g0QIE.cnt. (I don't know what the .cnt extension means, but all of the cached images have this extension.) Obviously there is no context in this filename what the file is, but the file was 102 KB so I was interested. Here is what the file looks like in a Hex editor:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaHtJmATLh-PIZ32NNOOVoG5TDl2pWkIGZqtaL-GQdbl8kRmSEemDeXhGiuAV4YLbw4frhjzbdyzpnSERdnaL-Ia7XgHbBU5RhI038zphJsaWCjs4CS0X2sxV1Py7X3g5wB1o-Ewau83C4/s1600/hex.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaHtJmATLh-PIZ32NNOOVoG5TDl2pWkIGZqtaL-GQdbl8kRmSEemDeXhGiuAV4YLbw4frhjzbdyzpnSERdnaL-Ia7XgHbBU5RhI038zphJsaWCjs4CS0X2sxV1Py7X3g5wB1o-Ewau83C4/s1600/hex.jpg" /></a></div>
<br />
<br />
The file starts with the JPEG start-of-image marker (bytes FF D8 FF) followed by the JFIF tag, so this is a JPEG file. I renamed the file to include a .jpg at the end and opened it as an image and here is what I found:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6s24toB0rNortRV2ipvaHj3FTxcMk4aRXwrDwD37nULGEB5D_V_rNztq8uR9AAPd5K-53_hkRvwMbnFSoU-tXDEnhxPbEjKilQq-B2bIB-1cZC-C0qIe9WYeIHqG7xhN5tMYDvDB0eKEr/s1600/8vNUdrezcgt0__oST83Rc5g0QIE.cnt.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6s24toB0rNortRV2ipvaHj3FTxcMk4aRXwrDwD37nULGEB5D_V_rNztq8uR9AAPd5K-53_hkRvwMbnFSoU-tXDEnhxPbEjKilQq-B2bIB-1cZC-C0qIe9WYeIHqG7xhN5tMYDvDB0eKEr/s1600/8vNUdrezcgt0__oST83Rc5g0QIE.cnt.jpg" width="400" /></a></div>
<br />
<br />
Yes, I am a big football fan.<br />
<br />
Now how useful are these cached images? To be honest, not horribly. These are images from the timeline that my device saved. In other words, these are public pictures that a user posted online. It is not horribly useful, just interesting.<br />
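An added example (not code from the original post) that does the header check above for every .cnt file at once: it sniffs the first bytes for the standard JPEG, PNG, GIF and WebP signatures and copies each recognised file into a separate output directory under the right extension, using copy2 so the cached file's timestamps survive and the exported cache directory itself is never renamed or modified. The sample cache tree and its file contents are constructed in a temporary directory; only the one file name is taken from above.<br />

```python
"""Identify the image type of Facebook's .cnt cache files from their
first bytes and copy them out under the right extension.

Added example, not code from the original post. The .cnt name tells you
nothing; the header does. Copies go to a separate directory (copy2 keeps
timestamps) so the exported cache directory is never renamed or modified.
Sample files are constructed; the signatures are the standard JPEG, PNG,
GIF and WebP magic numbers.
"""
import os
import shutil
import tempfile


def sniff_image_type(path):
    """Return '.jpg', '.png', '.gif', '.webp' or None based on the file header."""
    with open(path, "rb") as f:
        head = f.read(12)
    if head.startswith(b"\xff\xd8\xff"):            # JPEG SOI; a JFIF or Exif segment follows
        return ".jpg"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return ".png"
    if head[:6] in (b"GIF87a", b"GIF89a"):
        return ".gif"
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return ".webp"
    return None


def export_cache_images(cache_dir, out_dir):
    """Walk cache_dir for *.cnt files and copy each recognised image to out_dir
    as <flattened relative path><ext>. Returns {relative path: ext or None}."""
    os.makedirs(out_dir, exist_ok=True)
    found = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in sorted(files):
            if not name.endswith(".cnt"):
                continue
            src = os.path.join(root, name)
            rel = os.path.relpath(src, cache_dir)
            ext = sniff_image_type(src)
            found[rel] = ext
            if ext:
                # flatten the path so names stay unique; copy2 preserves mtime
                shutil.copy2(src, os.path.join(out_dir, rel.replace(os.sep, "_") + ext))
    return found


def demo():
    """Constructed cache tree: a JFIF JPEG header, a PNG header and a non-image."""
    base = tempfile.mkdtemp()
    cache = os.path.join(base, "cache", "image", "v2.ols100.1", "99")
    os.makedirs(cache)
    samples = {   # contents constructed; only the first file name comes from the post
        "8vNUdrezcgt0__oST83Rc5g0QIE.cnt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 64,
        "png_sample.cnt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
        "not_an_image.cnt": b"\x00\x01\x02\x03" + b"\x00" * 64,
    }
    for name, data in samples.items():
        with open(os.path.join(cache, name), "wb") as f:
            f.write(data)
    out = os.path.join(base, "carved")
    found = export_cache_images(os.path.join(base, "cache"), out)
    return {os.path.basename(k): v for k, v in found.items()}, sorted(os.listdir(out))
```

Run export_cache_images against the com.facebook.katana/cache directory copied out of the image; files that come back as None are worth a look in a hex editor, since they may be something other than an image.<br />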
<br />
That's all the data I'll cover for now from the com.facebook.katana app. If there's anything else you would like me to cover, comment or contact me and I'll take a look.<br />
<br />
<b>com.facebook.orca data</b><br />
<br />
The com.facebook.orca app is the standalone messenger. It has its own threads_db2 file in its databases directory, laid out like the one in com.facebook.katana, so I won't cover it again. The important thing to know is that if com.facebook.orca is present, the user uses Facebook Messenger for Android, and you should look in both apps' databases rather than only one.<br />
<br />
That is all I will cover for now. Did I cover everything that Facebook stores? No. Here's a few more artifacts worth noting that the app stores:<br />
<ul>
<li>Facebook posts by the user</li>
<li>Facebook pictures and videos uploaded by the user</li>
<li>Places the user has been</li>
</ul>
Now something I haven't covered yet is important. The device stores a lot of data, but Facebook is ultimately a cloud service, meaning all Facebook data is ultimately stored on a remote server. If you are in law enforcement and you need data associated with a user from Facebook's servers and you have a court order allowing access to these records, there is an avenue to get this. Check out <a href="https://www.facebook.com/safety/groups/law/guidelines/">this link</a> for more information. I am not law enforcement so I have no personal experience in this avenue, but I do know this avenue exists if needed.
<br />
<br />
<b>Summary</b>
<br />
<ul>
<li>Facebook stores lots of data on Android devices if the user uses Facebook</li>
<li>Private messages and personal friend information can be retrieved from the device in an investigation</li>
<li>There exists a method for law enforcement to retrieve Facebook records should they be needed. The procedure requires a court order</li>
</ul>
Questions, comments, suggestions, or experiences? Walking Dead or college football fan chat? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a><br />
<br /></div>
Mark Lohrum<br />
<br />
<b>Viewing SQLite Databases</b> (published 2015-01-05, updated 2019-04-27)
<h3 style="text-align: center;">
How to view user data</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b>
<br />
<br />
Android apps by default use <a href="http://www.sqlite.org/">SQLite</a> databases to store user data. When you think of Android apps, you may think about Netflix and Pandora and ask yourself why you care about user data associated with those apps. The reason you care about user data associated with apps is that nearly all user interaction with the device is user interaction with an app. Have you ever made a phone call on an Android phone? The phone dialer is an app, and that app stores call logs. Have you ever sent a text message on an Android phone? The SMS interface is an app, and that app stores text message history.<br />
<br />
SQLite is a lightweight implementation of a Structured Query Language (SQL) database. I could go into detail about how SQL works and how the file is structured, but I'll skip the low-level details and instead focus on Android-relevant SQLite information. This post will cover two main topics:<br />
<br />
<ul>
<li>The locations of SQLite databases, including a few key ones</li>
<li>How to read a SQLite database from an Android device</li>
</ul>
<br />
<b>Finding a SQLite database</b><br />
First, Android's permission model prevents ordinary (non-root) users and apps from accessing the userdata partition, which is where the SQLite databases holding each app's user data are stored. You either need an image of the device (you can create one using my post on <a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">live imaging an Android device</a>) or you need a rooted device. In this post, I am working from an image of a device.<br />
<br />
Android by default stores user data in the userdata partition, in the directory /data. The screenshot below is from FTK Imager looking at the data directory.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSOqFUS-Siy7Gx40y5_5qTCTLSVT16VHmNr3cAcnWDxJEbZ0Rkb34yq5KTMMHSQpfunJYGoCSkHXHDuUZMbeRPcwk0oDP4oRUK5uvvtnCrL33UfB4iVsugLmyjcSLkgXa-t5J-_cX6rk1Z/s1600/data_dir.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSOqFUS-Siy7Gx40y5_5qTCTLSVT16VHmNr3cAcnWDxJEbZ0Rkb34yq5KTMMHSQpfunJYGoCSkHXHDuUZMbeRPcwk0oDP4oRUK5uvvtnCrL33UfB4iVsugLmyjcSLkgXa-t5J-_cX6rk1Z/s1600/data_dir.jpg" width="367" /></a></div>
<br />
(Note: some older devices store userdata in a separate location. I've seen both older Samsung and Motorola devices that have a partition called dbdata. This partition would store user databases. But newer devices are pretty standard at this point. Look to the userdata partition in the data directory first.)<br />
<br />
You'll see that within the data directory are directories containing package names. The directory air.WatchESPN stores user data associated with the WatchESPN app. The directory com.google.android.youtube stores data associated with the YouTube app.<br />
<br />
In fact, let's drill into YouTube for now. The below screenshot is from the directory /(userdata partition)/data/com.google.android.youtube. <br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzOsonKdzWmY3ArwIZEYDlLjBV-UMlcfjZTeFaVG8ZKqprvdLBZo_L18sNAlPQ0axTwKpANNyapyTOLlTJXQ4Q_NoAO5meD5kERSwhmdVUwj4Z89Vu9zWPvoUVGekD57J-P8NCbm5iYDrG/s1600/youtube_dir.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzOsonKdzWmY3ArwIZEYDlLjBV-UMlcfjZTeFaVG8ZKqprvdLBZo_L18sNAlPQ0axTwKpANNyapyTOLlTJXQ4Q_NoAO5meD5kERSwhmdVUwj4Z89Vu9zWPvoUVGekD57J-P8NCbm5iYDrG/s1600/youtube_dir.jpg" width="320" /></a></div>
<br />
Within this directory, you'll see a directory called databases. Within the databases directory below ...<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieXxvl7jKgcj99SuQMYoM4yhz-yVyF-lCfDviA-CeTPjycWqomHKF0lhAxu6MFHQSAUFEk1-9x7RymaiEOz6qj78vIVDi9kRWL2Spiaxd1vEg7ynJhDSkvX-dS2Rv1UW02Fm2dQGLnbSiA/s1600/databases_dir.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieXxvl7jKgcj99SuQMYoM4yhz-yVyF-lCfDviA-CeTPjycWqomHKF0lhAxu6MFHQSAUFEk1-9x7RymaiEOz6qj78vIVDi9kRWL2Spiaxd1vEg7ynJhDSkvX-dS2Rv1UW02Fm2dQGLnbSiA/s1600/databases_dir.jpg" width="320" /></a></div>
<br />
.... you can see 14 files. These files represent the databases associated with YouTube. I'm willing to bet that the file history.db contains YouTube history. I extracted this history.db file from the image and opened it in a SQLite browser (more on how to do that below), and I see a table called "suggestions" containing five columns (and in parentheses what I interpret each column to represent):<br />
<ul>
<li>_id (an auto-generated id for each entry in the database)</li>
<li>display1 (the stored search suggestion based off user input)</li>
<li>display2 (contains nothing)</li>
<li>query (the actual text I typed into the YouTube app to search for a video)</li>
<li>date (epoch date / time stamp of the time I searched for a given video)</li>
</ul>
Here is a sample row from this database:<br />
<span style="font-family: 'courier new', courier, monospace; font-size: small;">"1","hobbit battle of five armies trailer",,"hobbit battle of five armies trailer","1406574949951"</span>
<br />
<ul>
<li>_id in the above example is "1", which I'm going to say is the least recent search in this database</li>
<li>display1 is "hobbit battle of five armies trailer", the stored search suggestion based on a search I made. Apparently I was interested in seeing the Hobbit movie in December 2014, but as of my writing this I have not seen the movie</li>
<li>display2 is blank</li>
<li>query is the actual text, which is "hobbit battle of five armies trailer"</li>
<li>date is stored as epoch time. 1406574949951 correlates to Mon, 28 Jul 2014 19:15:49 GMT, which I converted using <a href="http://www.epochconverter.com/">an online epoch time stamp converter</a></li>
</ul>
Well there you go. This database file appears to contain the user's YouTube search history, along with the date and time of each search. Nifty, huh?
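The same discovery and reading can be done without a GUI using Python's built-in sqlite3 module. The block below is an added example, not code from the post: it builds a constructed stand-in for history.db with the five-column "suggestions" table described above, seeds it with the quoted sample row, lists tables and columns the way a SQLite browser's left-hand pane does, and converts the millisecond epoch timestamp to UTC.

```python
import sqlite3
from datetime import datetime, timezone

# The sample row quoted above from the post, used to seed a constructed stand-in for history.db.
# Columns: _id, display1, display2, query, date (epoch milliseconds).
SAMPLE_ROW = (1, "hobbit battle of five armies trailer", None,
              "hobbit battle of five armies trailer", 1406574949951)


def build_sample_history_db(path=":memory:"):
    """Create a database shaped like YouTube's history.db (constructed here, not a real extract)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE suggestions (_id INTEGER PRIMARY KEY, display1 TEXT, "
                 "display2 TEXT, query TEXT, date INTEGER)")
    conn.execute("INSERT INTO suggestions VALUES (?, ?, ?, ?, ?)", SAMPLE_ROW)
    conn.commit()
    return conn


def list_tables_and_columns(conn):
    """Return {table: [columns]} from sqlite_master and PRAGMA table_info; this is the
    same table list and column set a SQLite browser shows, without opening a GUI."""
    schema = {}
    query = "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    for (name,) in conn.execute(query):
        schema[name] = [col[1] for col in conn.execute(f'PRAGMA table_info("{name}")')]
    return schema


def epoch_ms_to_utc(ms):
    """Android apps normally store times as milliseconds since 1970-01-01 UTC (Java's
    System.currentTimeMillis()); 1406574949951 becomes 2014-07-28 19:15:49 UTC."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def search_history(conn):
    """Return (id, query, timestamp) tuples oldest first, the way an examiner reads them."""
    rows = conn.execute("SELECT _id, query, date FROM suggestions ORDER BY date").fetchall()
    return [(_id, query, epoch_ms_to_utc(date)) for _id, query, date in rows]


if __name__ == "__main__":
    db = build_sample_history_db()
    print(list_tables_and_columns(db))
    for entry in search_history(db):
        print(entry)
```

To run this against a real extract, replace `build_sample_history_db()` with `sqlite3.connect("history.db")`; the table listing works on any database, and the timestamp helper applies to most Android app databases, which store time in milliseconds rather than the seconds many online converters default to.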
<br />
I could deep dive into a few other databases on the device, but instead I'd rather let you, the reader, explore. So, if you have an Android device image to explore, check out the following files:
<br />
<ul>
<li>/(userdata partition)/data/com.android.email/databases/EmailProvider.db</li>
<li>/(userdata partition)/data/com.android.email/databases/EmailProviderBody.db</li>
<li>/(userdata partition)/data/com.android.providers.calendar/databases/calendar.db</li>
<li>/(userdata partition)/data/com.android.providers.contacts/databases/contacts2.db (a bit difficult to parse through this one but incredibly useful)</li>
<li>/(userdata partition)/data/com.android.providers.downloads/databases/downloads.db</li>
<li>/(userdata partition)/data/com.android.providers.settings/databases/settings.db</li>
<li>/(userdata partition)/data/com.android.providers.telephony/databases/mmssms.db (also check out the directory /(userdata partition)/data/com.android.providers.telephony/app_parts)</li>
<li>/(userdata partition)/data/com.facebook.katana/databases/ (explore the entire directory if the Facebook app is installed)</li>
<li>/(userdata partition)/data/com.facebook.orca/databases/ (explore the entire directory if the Facebook Messenger app is installed)</li>
</ul>
As always, if you have any specific questions about how to read user data, such as text messages, call logs, calendar entries, or more, do not hesitate to contact me.
<br />
<b>Reading a SQLite database file</b><br />
In the above section, I showed where SQLite databases may be on the device. You can find and extract a SQLite database either from a rooted device or from an image of a device. Now, how do you actually explore the database file? It is actually incredibly easy.<br />
<br />
First, you'll need the SQLite database file extracted from your image or your rooted device and stored on your computer in a location you will remember.<br />
<br />
There are a few Windows and Linux applications to read SQLite databases. Autopsy also includes SQLite functionality, so if you are using Autopsy to examine an image, you can use the built-in SQLite viewer. You can read more in my previous post on <a href="http://freeandroidforensics.blogspot.com/2014/11/using-autopsy-to-examine-android-image.html">using Autopsy to examine an Android image</a>.<br />
<br />
My personal favorite method of reading SQLite databases is an add-on for Firefox. I will demonstrate this tool in this post, but if requested I can show other tools also. <a href="https://addons.mozilla.org/en-US/firefox/addon/sqlite-manager/">SQLite Manager</a> is a free add-on for the Firefox web browser. If you <a href="https://addons.mozilla.org/en-US/firefox/addon/sqlite-manager/">browse to this page</a> in Firefox you can download and add the add-on to your browser.<br />
<br />
NOTE: The SQLite Manager add-on is a developer tool. The intended audience is developers, not forensic examiners. This tool has the ability to both read and write to SQLite database files. Now, we are working with an extracted copy of the file. This copy is extracted from an image or from a device, so the original is intact even if the copy you extracted is altered. If you choose to use the SQLite Manager tool and need to prove that you have not altered data, it would be wise to create an MD5 or SHA hash of the database file in the original image before extracting it, and to take another hash of the extracted file on your computer after you examine it in SQLite Manager, so the two can be compared. Or, if you are in an environment where using a non-forensic tool is unacceptable, I would personally recommend opening the image of the device in Autopsy and using the built-in SQLite reader to read your database files.<br />
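The before-and-after hash check recommended in the note above can be scripted, and SQLite itself offers a second safeguard that is worth knowing about: its URI connection syntax accepts <code>mode=ro</code> (writes are refused) and <code>immutable=1</code> (no locks, no -journal/-wal/-shm side files are created beside the copy). The following is an added example, not the post's own code; it uses SHA-256 and a constructed stand-in for an extracted mmssms.db, hashes it, reads it read-only, verifies the hash is unchanged, shows that a write through the read-only connection raises an error, and then shows the contrast when an ordinary read-write connection (what a developer tool uses) alters the file.

```python
import hashlib
import os
import sqlite3
import tempfile
from pathlib import Path


def sha256_of_file(path):
    """Hash the file in 1 MiB chunks; contacts2.db and mmssms.db can be tens of megabytes."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def open_read_only(path):
    """Open through SQLite's URI syntax. mode=ro makes every write fail, and immutable=1
    tells SQLite the file will not change underneath it, so it takes no locks and creates
    no -journal, -wal or -shm side files next to the evidence copy."""
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def build_sample_db(path):
    """Constructed stand-in for an extracted mmssms.db (not a real extract)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    conn.execute("INSERT INTO sms VALUES (1, '+15550100', 'constructed sample message')")
    conn.commit()
    conn.close()


def examine_with_integrity_check(path, query):
    """Hash the copy, read it read-only, hash it again. Returns (rows, unchanged, before, after)."""
    before = sha256_of_file(path)
    conn = open_read_only(path)
    try:
        rows = conn.execute(query).fetchall()
    finally:
        conn.close()
    after = sha256_of_file(path)
    return rows, before == after, before, after


def write_attempt_is_refused(path):
    """A write through the read-only connection raises instead of silently altering the copy."""
    conn = open_read_only(path)
    try:
        conn.execute("DELETE FROM sms")
        conn.commit()
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()
    return False


def hash_changes_after_write(path):
    """Contrast: an ordinary read-write connection, which is what a developer tool such as
    SQLite Manager uses, changes the file bytes, and the post-examination hash no longer matches."""
    before = sha256_of_file(path)
    conn = sqlite3.connect(path)
    conn.execute("UPDATE sms SET body = 'edited' WHERE _id = 1")
    conn.commit()
    conn.close()
    return before != sha256_of_file(path)


def demo():
    """Run the whole check on a temporary constructed database and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "mmssms.db")
        build_sample_db(db)
        rows, unchanged, before, _after = examine_with_integrity_check(db, "SELECT address, body FROM sms")
        refused = write_attempt_is_refused(db)
        moved = hash_changes_after_write(db)
        return {"rows": rows, "unchanged": unchanged, "write_refused": refused,
                "hash_moved_after_write": moved, "sha256_before": before}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Record the pre-extraction hash in your notes along with the hash of the copy after examination; if the tool you used was read-write, a mismatch tells you the copy was touched, which is exactly the situation the note above warns about.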
<br />
Once the SQLite Manager add-on is installed, open your Firefox browser and go to the add-ons list. The SQLite Manager will be there.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLSmivu_fVCn3-x88wo9GQ6DbgGL7NaOai-7QpRFvklZFuwT5C-XiERDuDPynNtACFdnS6yTbJkTmb111n5ZWeXOohvqHr7lFoWwca2rBcAjX0D75qpYwZrs60PDUFYHTa_5a2EmCYvVCq/s1600/addons_list.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLSmivu_fVCn3-x88wo9GQ6DbgGL7NaOai-7QpRFvklZFuwT5C-XiERDuDPynNtACFdnS6yTbJkTmb111n5ZWeXOohvqHr7lFoWwca2rBcAjX0D75qpYwZrs60PDUFYHTa_5a2EmCYvVCq/s1600/addons_list.jpg" width="208" /></a></div>
<br />
Click SQLite Manager. If you have used SQLite Manager before, you may get this annoying pop-up:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7UcuHSrRy6Uav4fFoiwqy52ql93Gt4Y9wRFWDM13zuUFQDer9npHRFjvko5rZ3Q7c-TqrVkGAW2gSgDudi19VXGtHFMT3ZWwQ07ULjtHYmzyTb1vGhQ27ZJ3w7DdvFBsS7YVTYG2eoFba/s1600/2015-01-05-162656_427x161_scrot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7UcuHSrRy6Uav4fFoiwqy52ql93Gt4Y9wRFWDM13zuUFQDer9npHRFjvko5rZ3Q7c-TqrVkGAW2gSgDudi19VXGtHFMT3ZWwQ07ULjtHYmzyTb1vGhQ27ZJ3w7DdvFBsS7YVTYG2eoFba/s1600/2015-01-05-162656_427x161_scrot.png" width="320" /></a></div>
<br />
I always click Cancel, because if you click OK you open the last opened database file. Once the add-on is active, click the open icon. If you hover over the icon, the text "Connect Database" appears. In the choose file window, make sure you view all files instead of just SQLite files, because most Android SQLite database files have the extension .db. Browse to where you are storing your extracted SQLite database file and open it. SQLite Manager will now show a list of all tables in the database. In the below screenshot, I opened /(userdata partition)/data/com.android.providers.telephony/databases/mmssms.db, which stores SMS and MMS messages.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5RhQ-mjGO1jUoxHB8A1mWFwEnNx3iKlqpCS7O7L5PGEOky1TzoTI4ohcaYMg3q1D6PkpVkcHU8L_sGUFVW8AO0E_p6-EI2bg8VnLqF7n_NvoCEwswJq3Z6Qn2oZJD7-Ww8rhGAZP4V2lY/s1600/tables_list.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5RhQ-mjGO1jUoxHB8A1mWFwEnNx3iKlqpCS7O7L5PGEOky1TzoTI4ohcaYMg3q1D6PkpVkcHU8L_sGUFVW8AO0E_p6-EI2bg8VnLqF7n_NvoCEwswJq3Z6Qn2oZJD7-Ww8rhGAZP4V2lY/s1600/tables_list.jpg" width="400" /></a></div>
<br />
On the left side of the interface is a clickable list of tables. Click on one. I will be exploring the table sms. The table then opens up so you can see the data stored in this database file's table.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzWWOMPKDWDyMOe0JXeTfp-PK0DNAdHujOxS3L4rdkVxOsV60WoQyQl95wmbYEemrtB-ltRkoD8FUFb1QS0PChViRcKCxVTvLCLmI18vEq9zfHEjbuOloXj98n2f-nGMrq6lmP8IVhCfJi/s1600/sms_table.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzWWOMPKDWDyMOe0JXeTfp-PK0DNAdHujOxS3L4rdkVxOsV60WoQyQl95wmbYEemrtB-ltRkoD8FUFb1QS0PChViRcKCxVTvLCLmI18vEq9zfHEjbuOloXj98n2f-nGMrq6lmP8IVhCfJi/s1600/sms_table.jpg" width="320" /></a></div>
<br />
<br />
As you can see, I've blacked out data, but there are three columns of interest in the screenshot:<br />
<ul>
<li>thread_id (The thread, or conversation. This ID is a number which references the table "threads" in the same database)</li>
<li>address (The phone number with which I am texting)</li>
<li>date (The date in epoch time of the message)</li>
</ul>
Not visible in the screenshot is another column called "body". This column stores the actual text of the message. There are other columns which indicate the status of the message (draft, sent, received, etc.) and whether the message has been read (only applicable to "received" messages).
<br />
SQLite Manager allows you to export a table. Check out the drop down menu Table -> Export Table. You can export the table you are currently exploring as a .CSV file, which you can open in Excel if you prefer that interface.
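The columns described above (thread_id, address, date, body, and the status and read flags) are only meaningful once they are decoded and joined together, and that is what a SQLite browser leaves to the examiner. The block below is an added example, not the post's own code: it builds a constructed, simplified mmssms.db with only the columns named here, joins each message to its row in the "threads" table (a LEFT JOIN, so messages whose thread row has been deleted are not dropped), decodes the status using the values of Android's Telephony.Sms.MESSAGE_TYPE_* constants, converts the millisecond timestamps, and produces the same CSV hand-off to Excel that Table -> Export Table gives you.

```python
import csv
import io
import sqlite3
from datetime import datetime, timezone

# Values of android.provider.Telephony.Sms.MESSAGE_TYPE_* stored in the sms "type" column.
SMS_TYPE = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}


def build_sample_mmssms_db():
    """Constructed stand-in for mmssms.db with just the columns the post names; not a real
    extract. Message 3 belongs to a thread that no longer has a row in "threads"."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE threads (_id INTEGER PRIMARY KEY, date INTEGER,
                              message_count INTEGER, snippet TEXT);
        CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT,
                          date INTEGER, type INTEGER, read INTEGER, body TEXT);
        INSERT INTO threads VALUES (1, 1406574949951, 2, 'see you at 7');
        INSERT INTO sms VALUES (1, 1, '+15550100', 1406574000000, 1, 1, 'dinner tonight?');
        INSERT INTO sms VALUES (2, 1, '+15550100', 1406574949951, 2, 1, 'see you at 7');
        INSERT INTO sms VALUES (3, 2, '+15550199', 1406580000000, 1, 0, 'call me back');
    """)
    return conn


def epoch_ms_to_utc(ms):
    """The date column is milliseconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def conversation_view(conn):
    """Join sms to threads, decode type and read flags, convert timestamps; oldest first."""
    sql = """
        SELECT s._id, s.thread_id, t.message_count, s.address, s.date, s.type, s.read, s.body
        FROM sms AS s
        LEFT JOIN threads AS t ON t._id = s.thread_id
        ORDER BY s.date
    """
    rows = []
    for _id, thread_id, count, address, date, mtype, read, body in conn.execute(sql):
        rows.append({
            "id": _id,
            "thread_id": thread_id,
            "thread_msgs": count,                      # None when the threads row is gone
            "address": address,
            "when_utc": epoch_ms_to_utc(date),
            "type": SMS_TYPE.get(mtype, f"unknown({mtype})"),
            "read": bool(read) if mtype == 1 else None,  # only meaningful for received messages
            "body": body,
        })
    return rows


def export_csv(rows):
    """Render the decoded rows as CSV text, the same hand-off to Excel the post describes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    db = build_sample_mmssms_db()
    print(export_csv(conversation_view(db)))
```

On a real extract, swap `build_sample_mmssms_db()` for `sqlite3.connect("mmssms.db")`; the real table has many more columns, but the join and the decoding of `type`, `read` and `date` are the parts that turn raw rows into a readable conversation.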
<br />
And that's how to explore a SQLite database. It is straightforward. Now have fun browsing around user data!
<br /><br />
<b>Summary</b><br />
<ul>
<li style="font-size: medium; font-weight: normal;">Android stores user data from apps, including phone logs and SMS, in SQLite databases</li>
<li style="font-size: medium; font-weight: normal;">You need to pull SQLite files from an image of a device or a rooted device in order to see the contents</li>
<li style="font-size: medium; font-weight: normal;">SQLite database files can be viewed using free viewers</li>
</ul>
Questions, comments, suggestions, or experiences? Hobbit movie reviews? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a><br />
<br /></div>
Mark Lohrum<br />
<br />
<b>Some artifacts in the /data/system/ directory</b> (published 2014-11-21, updated 2019-04-27)
<h3 style="text-align: center;">
A few nice artifacts</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b>
<br />
<br />
In a previous post, I demonstrated how to <a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">image an Android device</a> and then I made <a href="http://freeandroidforensics.blogspot.com/2014/08/examining-image.html">two</a> <a href="http://freeandroidforensics.blogspot.com/2014/11/using-autopsy-to-examine-android-image.html">different posts</a> on how to examine the image. You can see by examining an image that your device is divided into partitions.<br />
<br />
Android devices are partitioned, and the following partitions should be in every image:<br />
<br />
<ul>
<li>data - the partition with user-related data, which may also include a directory representing an SD card</li>
<li>system - pre-loaded apps, libraries, settings, images, and more</li>
<li>boot - the Android system kernel</li>
<li>recovery - the Android recovery kernel</li>
</ul>
<br />
Other devices may have all kinds of additional partitions. Try imaging a Galaxy S4 and see how many partitions FTK Imager and Autopsy recognize.<br />
<br />
As you may have reasoned, the data partition is where an investigator will be examining the most. This partition contains data about the user. Within the data partition will be a few directories of note:<br />
<br />
<ul>
<li>data - data related to installed apps, including the user's text message history, web browsing history, call logs, contacts, Facebook messages, calendar events, etc.</li>
<li>app - apps which the user installed. This directory will contain the actual apk files which the user downloaded or sideloaded and installed</li>
<li>media - older devices may not have this directory, but newer Android devices will contain the media directory, which represents an SD card. This directory will contain photos, unless there is an external SD card in the device, and may contain all kinds of user files. This directory also includes files the user downloaded using a web browser.</li>
</ul>
<br />
As you also may have reasoned, the data directory is where an investigator will be spending a lot of time.<br />
<br />
This post focuses on another directory within the data partition: system, which contains more information about user behavior. This directory contains useful logs that the user is likely unaware of, yet which can say a good amount about the user. I will detail just a few artifacts. There are far more than these, but I will detail some useful ones and can field questions about others.<br />
<br />
To get to these artifacts, you'll either need to have an image of the device, or you will need root access. Non-root users cannot access these files through a shell.<br />
<br />
<br />
<b>List of installed apps</b>
<br />
Check out the file /data/system/packages.xml. (Note: The device I used here runs Lollipop, or a newer version of Android. The packages.xml may contain different data for older versions of the operating system, like Gingerbread and older.) This file contains a list of all apps installed, plus some extra information about each app. Here is the entry for <a href="https://play.google.com/store/apps/details?id=com.estrongs.android.pop&hl=en">ES File Explorer</a> in my /data/system/packages.xml file.<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"><package name="com.estrongs.android.pop" codePath="/data/app/com.estrongs.android.pop-2.apk" nativeLibraryPath="/data/app-lib/com.estrongs.android.pop-2" flags="4767300" ft="146b6659890" it="14346b1705b" ut="146b665d076" version="212" userId="10109" installer="com.android.vending"></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <sigs count="1"></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <cert index="77" key="3082(bunch of hex ...)733f" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> </sigs></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <perms></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="android.permission.READ_EXTERNAL_STORAGE" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="com.android.launcher.permission.INSTALL_SHORTCUT" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="android.permission.CHANGE_WIFI_MULTICAST_STATE" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="android.permission.SET_WALLPAPER" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="android.permission.WRITE_EXTERNAL_STORAGE" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="android.permission.ACCESS_WIFI_STATE" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="com.android.launcher.permission.UNINSTALL_SHORTCUT" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="android.permission.READ_PHONE_STATE" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="android.permission.ACCESS_SUPERUSER" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="android.permission.BLUETOOTH" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="android.permission.INTERNET" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="android.permission.WRITE_SETTINGS" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="android.permission.CHANGE_WIFI_STATE" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="android.permission.VIBRATE" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="android.permission.BLUETOOTH_ADMIN" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="android.permission.WAKE_LOCK" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <item name="android.permission.ACCESS_NETWORK_STATE" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> </perms></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <signing-keyset identifier="3" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <signing-keyset identifier="5" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <signing-keyset identifier="4" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <signing-keyset identifier="2" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <signing-keyset identifier="1" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <signing-keyset identifier="6" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"></package></span><br />
<br />
There is an entry like this for every installed app. I'll go over what some of these fields mean.<br />
<br />
<ul>
<li><span style="font-family: "courier new" , "courier" , monospace; font-size: small;">package name="com.estrongs.android.pop"</span><span style="font-family: inherit;"> - This is the package name of the app, the identifier Android uses for it everywhere else (the directory under /data/data, log entries, and the other files discussed below). Here is quick documentation on what the <a href="http://tools.android.com/tech-docs/new-build-system/applicationid-vs-packagename">package name is</a>.</span></li>
<li><span style="font-family: "courier new" , "courier" , monospace; font-size: small;">codePath="/data/app/com.estrongs.android.pop-2.apk"</span><span style="font-family: inherit;"> - This is the path to the APK, the application install file. If you need to investigate an app, or </span><a href="http://freeandroidforensics.blogspot.com/2014/09/reverse-engineering-android-app-file.html">reverse engineer the app</a><span style="font-family: inherit;">, this is the file to examine. A codePath under /system/ marks an app that shipped with the firmware rather than one the user installed.</span></li>
<li><span style="font-family: "courier new" , "courier" , monospace; font-size: small;">nativeLibraryPath="/data/app-lib/com.estrongs.android.pop-2"</span><span style="font-family: inherit;"> - This is the path to a directory containing the native libraries the app uses. On my phone, the directory /data/app-lib/com.estrongs.android.pop-2 contains two native library files. If you are interested in reversing native executables, these are the files to examine.</span></li>
<li><span style="font-family: "courier new" , "courier" , monospace; font-size: small;">userId="10109"</span><span style="font-family: inherit;"> - The Linux UID Android assigned to the app at install time. Each app runs as its own UID and owns its files under /data/data, so this number lets you tie file ownership and process listings back to the app. Apps that share a UID with others show a sharedUserId attribute instead.</span></li>
<li><span style="font-family: "courier new" , "courier" , monospace; font-size: small;">installer="com.android.vending"</span><span style="font-family: inherit;"> - The package that installed the app; com.android.vending is the Play Store. An install performed over adb leaves this attribute out, and an installer that is not a store app is worth noting.</span></li>
<li><span style="font-family: "courier new" , "courier" , monospace; font-size: small;">it="14346b1705b" ut="146b665d076" ft="146b6659890"</span><span style="font-family: inherit;"> - The first install time, the last update time, and the timestamp of the APK file, each written as hexadecimal milliseconds since the Unix epoch. Convert the hex to decimal and drop the last three digits before using a seconds-based Epoch converter. For this entry, it decodes to 31 Dec 2013 03:27:50 UTC and ut to 19 Jun 2014 23:11:04 UTC, consistent with an app installed from the Play Store at the end of 2013 and last updated in June 2014.</span></li>
<li><span style="font-family: "courier new" , "courier" , monospace; font-size: small;">version="212"</span><span style="font-family: inherit;"> - The versionCode of the installed APK. Comparing it against the developer's release history can reveal a downgraded or repackaged build.</span></li>
<li><span style="font-family: "courier new" , "courier" , monospace; font-size: small;">cert index="77" key="3082..."</span><span style="font-family: inherit;"> - The app's signing certificate, hex-encoded DER (3082 is the ASN.1 SEQUENCE header). An APK whose certificate differs from the one the developer publishes elsewhere was signed by a different key, which is the hallmark of a repackaged app.</span></li>
<li><span style="font-family: "courier new" , "courier" , monospace; font-size: small;"><item name="android.permission.READ_EXTERNAL_STORAGE" (and a bunch more) /></span><span style="font-family: inherit;"> - The perms block lists the permissions granted to the app. This app holds 17 permissions, ranging from reading and writing external storage to Internet access to using the vibrate function. One of them, android.permission.ACCESS_SUPERUSER, is the custom permission a superuser manager app uses to let an app request root: expected for a file manager on a rooted phone like mine, but a strong signal on any device that is not supposed to be rooted. If you ever browse through packages.xml and find an app with an extraordinary number of permissions, or permissions that just seem odd, like a game that can send and receive SMS, take a close look. (From Android 6.0 onward, runtime permission grants are recorded per user in /data/system/users/0/runtime-permissions.xml, so check that file too on newer devices.)</span></li>
</ul>
<br />
The packages.xml file is a useful way to see what apps are installed on the device, both the user's own and the firmware's. It lists each app's permissions, which can hint at malicious apps, along with its signing certificate, install and update times, and the path to the actual APK file so you can reverse the app if you need to.<br />
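<br />
As an added example (my own script, not something from the original post or from Android itself), here is a Python 3 script that walks packages.xml and pulls out the fields discussed above for every app, decodes the hex install and update times, and flags entries worth a closer look: a permission on a watchlist (SMS, microphone, contacts, ACCESS_SUPERUSER), an unusually long permission list, or an install with no recorded installer. The sample XML inside it is constructed: the first entry is modelled on the ES File Explorer entry above, the second is made up. The watchlist and the threshold of 15 permissions are choices for the example, not anything Android defines.<br />
<br />
```python
"""Triage /data/system/packages.xml from an Android image.

For each <package> entry: APK path, UID, installer, install/update times (hex-encoded
milliseconds since the Unix epoch) and permissions, plus reasons the entry deserves a
manual look. Added example; the sample XML is constructed (first entry modelled on the
ES File Explorer entry in the post, second made up). For a real file:
    parse_packages(open("/path/to/data/system/packages.xml", "rb").read())
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Permissions that merit attention whatever the app claims to be.
# Starting point chosen for this example; extend it to fit the case.
WATCHLIST = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_SUPERUSER",  # root access via a superuser manager app
}
MANY_PERMISSIONS = 15  # threshold chosen for this example

SAMPLE_PACKAGES_XML = b"""<packages>
  <package name="com.estrongs.android.pop" codePath="/data/app/com.estrongs.android.pop-2.apk"
           ft="146b6659890" it="14346b1705b" ut="146b665d076" version="212" userId="10109"
           installer="com.android.vending">
    <perms>
      <item name="android.permission.READ_EXTERNAL_STORAGE" />
      <item name="android.permission.ACCESS_SUPERUSER" />
      <item name="android.permission.INTERNET" />
    </perms>
  </package>
  <package name="com.example.puzzlegame" codePath="/data/app/com.example.puzzlegame-1.apk"
           ft="14934a6c800" it="14934a6c800" ut="14934a6c800" version="3" userId="10142">
    <perms>
      <item name="android.permission.INTERNET" />
      <item name="android.permission.SEND_SMS" />
    </perms>
  </package>
</packages>
"""


def hex_ms_to_utc(value):
    """it/ut/ft are milliseconds since the epoch written as lowercase hex."""
    return EPOCH + timedelta(milliseconds=int(value, 16))


def parse_packages(xml_bytes):
    """Return one dict per <package> element, in file order."""
    apps = []
    for pkg in ET.fromstring(xml_bytes).iter("package"):
        perms_el = pkg.find("perms")  # Element truthiness is by child count, so test for None
        perms = sorted(i.get("name") for i in perms_el.iter("item")) if perms_el is not None else []
        uid = pkg.get("userId") or pkg.get("sharedUserId")
        apps.append({
            "name": pkg.get("name"),
            "apk": pkg.get("codePath"),
            "uid": int(uid) if uid else None,
            "version_code": int(pkg.get("version")) if pkg.get("version") else None,
            "installer": pkg.get("installer"),  # absent for adb installs
            "installed": hex_ms_to_utc(pkg.get("it")) if pkg.get("it") else None,
            "updated": hex_ms_to_utc(pkg.get("ut")) if pkg.get("ut") else None,
            "perms": perms,
        })
    return apps


def flag(app):
    """Reasons an entry deserves a manual look; an empty list means nothing stood out."""
    reasons = []
    hits = sorted(WATCHLIST & set(app["perms"]))
    if hits:
        reasons.append("watchlist permissions: " + ", ".join(hits))
    if len(app["perms"]) >= MANY_PERMISSIONS:
        reasons.append(f"holds {len(app['perms'])} permissions")
    if app["installer"] is None and not app["apk"].startswith("/system/"):
        reasons.append("no installer recorded (adb or sideloaded install)")
    return reasons


def triage(xml_bytes):
    """[(package name, reasons)] for every entry that was flagged."""
    out = []
    for app in parse_packages(xml_bytes):
        reasons = flag(app)
        if reasons:
            out.append((app["name"], reasons))
    return out


if __name__ == "__main__":
    for app in parse_packages(SAMPLE_PACKAGES_XML):
        print(f"{app['name']}  uid={app['uid']}  apk={app['apk']}")
        print(f"  installed {app['installed']:%Y-%m-%d %H:%M:%S} UTC, "
              f"updated {app['updated']:%Y-%m-%d %H:%M:%S} UTC by {app['installer'] or '(none)'}")
        for reason in flag(app):
            print("  ** " + reason)
```
<br />
Point parse_packages() at the bytes of a real packages.xml and it returns the same structure. flag() deliberately returns a list of reasons rather than a verdict, because a root-capable file manager on a rooted phone is expected while the same permission on a puzzle game is not.<br />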
<br />
<br />
<b>Log of last usage of an app</b>
Next, look at the file /data/system/usagestats/usage-history.xml. For every app, this file records the last time each of its components was resumed, which is as close as this artifact gets to "when was this app last used." (Newer Android releases store usage statistics in a different layout under /data/system/usagestats/, so do not expect to find this exact file on every device.) Here is the entry in my phone for the Chrome app. Note: I imaged my phone in late October 2014.<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"><pkg name="com.android.chrome"></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <comp name="com.google.android.apps.chrome.ChromeTabbedActivity" lrt="1414545913713" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <comp name="com.google.android.apps.chrome.bookmark.ManageBookmarkActivity" lrt="1398440159237" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <comp name="com.google.android.apps.chrome.ManageBookmarkActivity" lrt="1391453561436" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"> <comp name="com.google.android.apps.chrome.Main" lrt="1414545745091" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace; font-size: small;"></pkg></span><br />
<br />
<br />
What you see here are four different activities within the app. <a href="http://developer.android.com/guide/components/activities.html">Activities</a>, in Android lingo, are basically the different screens a user interacts with. Each activity entry carries an lrt (last resume time) value: the last time that activity came to the foreground, expressed in milliseconds since the Unix epoch. The value is 13 digits long, so divide it by 1000 (drop the last three digits) before using a converter that expects seconds. <a href="http://en.wikipedia.org/wiki/Unix_time">Here's a handy writeup on Epoch time</a>, in case you are unfamiliar, and <a href="http://www.epochconverter.com/">here is a nifty Epoch converter</a>.<br />
<br />
Based on the log, here is the last time I used each of these activities before I imaged the phone:<br />
<br />
<ul>
<li>com.google.android.apps.chrome.ChromeTabbedActivity: Wed, 29 Oct 2014 01:25:13 GMT</li>
<li>com.google.android.apps.chrome.bookmark.ManageBookmarkActivity: Fri, 25 Apr 2014 15:35:59 GMT</li>
<li>com.google.android.apps.chrome.ManageBookmarkActivity: Mon, 03 Feb 2014 18:52:41 GMT</li>
<li>com.google.android.apps.chrome.Main: Wed, 29 Oct 2014 01:22:25 GMT</li>
</ul>
<br />
Apparently I do not use bookmarks very often! Note that Epoch time is UTC (GMT), so these values need converting to the device's local time zone; a late-evening event in one zone is the next day in another, so record which zone you used when you write up a timeline.
<br />
The usage-history.xml file is a useful file, but it does not give the complete history of an app: each entry is overwritten with the latest resume time, so it shows only the most recent use of each activity. Still, if a user says he or she has never used an app and the file shows it was used yesterday, you have something to investigate.
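<br />
The conversion above, as an added example rather than anything from the original post: a Python 3 script that parses usage-history.xml, turns each lrt value into a UTC timestamp exactly (integer arithmetic, no float rounding), reports the newest activity time as the app's last use, and prints the same instant in an assumed device offset so the date shift across zones is visible. The XML inside it is constructed from the Chrome entry above; the UTC-5 offset is an assumption for the example, and a real case should use the device's configured zone with its daylight-saving rules.<br />
<br />
```python
"""Decode /data/system/usagestats/usage-history.xml.

Each <comp> carries lrt, the last time that activity was resumed, as milliseconds
since the Unix epoch. Added example; the sample XML is constructed from the Chrome
entry in the post, and DEVICE_TZ is an assumed offset, not something read from the
device. For a real file: parse_usage_history(open(path, "rb").read())
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
DEVICE_TZ = timezone(timedelta(hours=-5), "UTC-05:00")  # assumption for the example

SAMPLE_USAGE_HISTORY = b"""<usage-history>
  <pkg name="com.android.chrome">
    <comp name="com.google.android.apps.chrome.ChromeTabbedActivity" lrt="1414545913713" />
    <comp name="com.google.android.apps.chrome.bookmark.ManageBookmarkActivity" lrt="1398440159237" />
    <comp name="com.google.android.apps.chrome.ManageBookmarkActivity" lrt="1391453561436" />
    <comp name="com.google.android.apps.chrome.Main" lrt="1414545745091" />
  </pkg>
</usage-history>
"""


def ms_to_utc(ms):
    """Exact conversion of a millisecond epoch value; no float rounding."""
    return EPOCH + timedelta(milliseconds=int(ms))


def parse_usage_history(xml_bytes):
    """Return {package: {activity: last_resume_time_utc}}."""
    history = {}
    for pkg in ET.fromstring(xml_bytes).iter("pkg"):
        history[pkg.get("name")] = {
            comp.get("name"): ms_to_utc(comp.get("lrt"))
            for comp in pkg.iter("comp") if comp.get("lrt")
        }
    return history


def last_use(history):
    """Best available 'last used' per app: the newest of its activity times."""
    return {pkg: max(comps.values()) for pkg, comps in history.items() if comps}


def used_since(history, cutoff_utc):
    """Packages whose newest activity time is at or after cutoff_utc."""
    return sorted(pkg for pkg, t in last_use(history).items() if t >= cutoff_utc)


def describe(dt_utc, tz=DEVICE_TZ):
    """Same instant in UTC and in the (assumed) device zone, for the report."""
    local = dt_utc.astimezone(tz)
    return f"{dt_utc:%Y-%m-%d %H:%M:%S} UTC / {local:%Y-%m-%d %H:%M:%S} {tz.tzname(None)}"


if __name__ == "__main__":
    history = parse_usage_history(SAMPLE_USAGE_HISTORY)
    for pkg, comps in history.items():
        print(pkg)
        for activity, t in sorted(comps.items(), key=lambda kv: kv[1], reverse=True):
            print(f"  {activity}: {describe(t)}")
    print("last used:", describe(last_use(history)["com.android.chrome"]))
```
<br />
used_since() answers the question the paragraph raises: given a cutoff, which apps show activity after it. A package missing from the file has no recorded resume at all, which is weaker evidence than a timestamp and should be reported as such.<br />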
<br />
<b>Database of accounts on the device</b>
Finally, open the file /data/system/users/0/accounts.db in a SQLite browser. (I intend to at some point do a post on SQLite databases but have not yet. If you're not sure how to open a SQLite database file, contact me and I'll help you out.) Here's what the "accounts" table of my accounts.db file looks like in a SQLite browser (with personal information blacked out):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtI8oGMth5jcDE58HFzvub3iL28UQn1PnJQCYteADukQLBuvI5bFH5oGq2-Gfv2lDkRxiWYfG-0lMCMOF5hB2_MVQA9J4vUNvH8l4GgTS73eOiRmfxNwSmr7vN8S7zo0TIA3WF91urDNJ_/s1600/accounts.db.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtI8oGMth5jcDE58HFzvub3iL28UQn1PnJQCYteADukQLBuvI5bFH5oGq2-Gfv2lDkRxiWYfG-0lMCMOF5hB2_MVQA9J4vUNvH8l4GgTS73eOiRmfxNwSmr7vN8S7zo0TIA3WF91urDNJ_/s1600/accounts.db.jpg" width="400" /></a></div>
<br />
This database file includes a table called "accounts", which lists the accounts registered with the device's AccountManager. The three accounts seen above are a Google account, a Facebook account, and a LinkedIn account.<br />
<br />
Each entry has three columns of data: name, type, and password. Name is the username associated with the account, and in all three cases above the username is an email address. Type is the account type string registered by the provider's authenticator, and from it you can see that my accounts are Google, Facebook, and LinkedIn. The password column is not the user's plaintext password, but do not assume it is a harmless hash either: Android stores whatever credential the account's authenticator hands it, and for many providers that is a long-lived authentication token that can still be used against the service. Treat the file as credential material. (On Android 7.0 and later the table is split across accounts_ce.db and accounts_de.db under /data/system_ce/0/ and /data/system_de/0/.)<br />
<br />
This table is a quick way to see which services the user has signed in to on the device; it does not tell you how often they are used. I can't say I am on LinkedIn all that frequently, but I use Google and Facebook frequently.<br />
<br />
<br />
<b>Other artifacts</b>
There are all kinds of other useful artifacts - battery stats, process states, network states, the wallpaper image, and more. If you are an Android enthusiast, I highly encourage exploring the /data/system directory further. You may find some more useful artifacts.<br />
<br />
Finally, do you have some insights into useful artifacts in /data/system? If so, comment below. I'd be happy to field questions and I also am always eager to learn more.<br />
<br />
<b>Summary</b>
<br />
<ul>
<li style="font-size: medium; font-weight: normal;">The /data/system directory includes useful logs about the user and user behavior</li>
<li style="font-size: medium; font-weight: normal;">The file /data/system/packages.xml contains a list of installed apps including the APK path and a list of permissions</li>
<li style="font-size: medium; font-weight: normal;">The file /data/system/usagestats/usage-history.xml contains logs of the last time a user used an app</li>
<li style="font-size: medium; font-weight: normal;">The file /data/system/users/0/accounts.db contains a list of accounts and associated usernames and service providers</li>
</ul>
Questions, comments, suggestions, or experiences? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a><br />
<br /></div>
Mark Lohrumhttp://www.blogger.com/profile/07077867576734525405noreply@blogger.com3tag:blogger.com,1999:blog-6748555274835706450.post-15022259641600473782014-11-06T06:38:00.003-08:002019-04-27T06:39:03.790-07:00Using Autopsy to examine an Android image<h3 style="text-align: center;">
A solid, open source tool</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin-bottom: 0in; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="margin: 0px;">
<b>All blog posts to date</b></div>
</div>
<div style="margin-bottom: 0in;">
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<table style="width: 100%;">
<tbody>
<tr>
<td><b>Introduction</b></td>
<td><b>Acquisition</b></td>
<td><b>Analysis</b></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/introduction.html">Introduction</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/imaging-android-device.html">Imaging an Android Device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/examining-image.html">Examining the image</a></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/picking-toolkit.html">Picking a Toolkit</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">Live imaging an Android device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/10/some-hidden-artifacts-in-physical-image.html">Some hidden artifacts in a physical image</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/04/why-not-load-clockworkmod-or-twrp-to.html">Why not load ClockworkMod or TWRP to image a device?</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/11/using-autopsy-to-examine-android-image.html">Using Autopsy to examine an Android image</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/10/identifying-your-userdata-partition.html">Identifying your Userdata Partition</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/11/some-artifacts-in-datasystem-directory.html">Some artifacts in the /data/system/ directory</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/02/some-non-root-methods-to-learn-about.html">Some non-root methods to learn about a device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/01/viewing-sqlite-databases.html">Viewing SQLite Databases</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/05/a-quick-note-on-imaging-newer-android.html">A quick note on imaging newer Android devices</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2015/02/facebook-for-android-artifacts.html">Facebook for Android Artifacts</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/07/using-windows-to-live-image-android.html">Using Windows to Live Image an Android device</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/06/interpreting-data-from-apps.html">Interpreting data from apps</a></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2018/04/obtaining-all-files-in-data-partition.html">Obtaining all files in the data partition without a physical image</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/02/waze-for-android-forensics.html">Waze for Android forensics</a></td>
</tr>
<tr>
<td></td>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2019/04/magnet-forensics-app-simulator.html">Magnet Forensics App Simulator</a></td>
</tr>
<tr>
<td><b>App Reversing</b></td>
<td><b>Other Topics</b></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2014/09/reverse-engineering-android-app-file.html">Reverse Engineering an Android App File</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2014/09/the-differences-between-physical-image.html">The differences between a physical image and a logical extraction</a></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2017/03/fun-with-apktool.html">Fun with Apktool</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2016/12/dirty-cow.html">Dirty cow</a></td>
<td></td>
</tr>
<tr>
<td><a href="http://freeandroidforensics.blogspot.com/2018/02/deep-dive-into-app.html">Deep dive into an app</a></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/08/imaging-and-examining-android-car-stereo.html">Imaging and examining an Android car stereo</a></td>
<td></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2017/12/unpacking-boot-and-recovery-kernels.html">Unpacking boot and recovery kernels</a></td>
<td></td>
</tr>
<tr>
<td></td>
<td><a href="http://freeandroidforensics.blogspot.com/2018/01/mtpwn.html">MTPwn</a></td>
<td></td>
</tr>
</tbody>
</table>
</div>
</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b>
<br />
<br />
<a href="http://www.sleuthkit.org/autopsy/">Autopsy</a> is an open source digital forensics tool by <a href="http://www.basistech.com/homepage/">Basis Technologies</a>. This is a powerful free tool with many of the same capabilities as the expensive tools (FTK, EnCase). Some people in the digital forensics community will debate until they are blue in the face over whether open source forensics software is better or if paid software is better. This is a debate from which I will spare my readers, but I'll say this: Autopsy is a fantastic tool.<br />
<br />
I've had all kinds of success with Autopsy before. There have been several times where FTK Imager did not properly load an image. Errors included not recognizing the image as an image or missing partitions. In all cases where FTK Imager has made these sorts of mistakes, Autopsy has come through for me.
<br />
On top of that, I was using an old version of Autopsy which did not include the Android-specific functionality; it read the disk image simply as a disk image, not specifically as an Android image. Autopsy's file system engine does an incredible job of identifying partitions and file systems. This is a tool I have used with all kinds of success.
<br />
In this post, I will load an image of my personal Nexus 5 into Autopsy and will show some of the useful functionality for investigations. I created the image using the same method in my post on live imaging an Android device.
<br />
<b>Getting started</b>
Download and install the newest version of Autopsy from <a href="http://www.sleuthkit.org/autopsy/">this link</a>. (Note: the downloads are for Windows. You can download the source for Autopsy and compile it for Linux. I have not done this yet but intend to soon.)
<br />
Once the software is installed, open Autopsy and create a new case. Fill in the basic info. The entry for "Base Directory" is where you intend to store data related to cases. This directory is not necessarily where you store an image you intend to examine and analyze, but it stores information and analyses about the image. Be advised, this directory can get filled up quickly. My phone is 32 gigabytes, and my base directory now contains 7 gigabytes of data.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaonbZ11_I1Gn9mtbFiUyupedNypICrTZyOJgC4ozNOutuxDlffYjWHz3gHfrTOVqV1nw3NKXXwNMvE6tXELGYsDB6X1Ch0J9149_45VWDbqVxmUpFcDwRgbf-ctHLgjHybq5_NvyOf_T0/s1600/new_case_info.jpg" imageanchor="1" style="font-size: 18.8888893127441px; margin-left: 1em; margin-right: 1em;"><img border="0" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaonbZ11_I1Gn9mtbFiUyupedNypICrTZyOJgC4ozNOutuxDlffYjWHz3gHfrTOVqV1nw3NKXXwNMvE6tXELGYsDB6X1Ch0J9149_45VWDbqVxmUpFcDwRgbf-ctHLgjHybq5_NvyOf_T0/s1600/new_case_info.jpg" width="400" /></a></div>
<br />
<br />
Next, add your Data Source, or your image.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiISNxrpc1em9x33De2-OpRfGhZRyeHIGukGIZL_tlmcYv-jACdtQOKVwhEn1YX0eeZNhxShxCCeg5lDUDz4tTt2milGOASJoOALZde4gZu5H17Qum9hnB2GxcM0LvqrMNAymyg0G2KF0E1/s1600/add_data_source.jpg" imageanchor="1" style="font-size: 18.8888893127441px; margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiISNxrpc1em9x33De2-OpRfGhZRyeHIGukGIZL_tlmcYv-jACdtQOKVwhEn1YX0eeZNhxShxCCeg5lDUDz4tTt2milGOASJoOALZde4gZu5H17Qum9hnB2GxcM0LvqrMNAymyg0G2KF0E1/s1600/add_data_source.jpg" width="400" /></a></div>
<br />
<br />
Autopsy has several "ingest modules" built in for analysis. These ingest modules identify files of interest and extract known data from them as records, such as emails or time-based events. You can select or deselect whatever modules you want. The more ingest modules you select, the longer the analysis takes and the more disk space it uses, but you also may gain more insight into the image. Do be sure to select the "Android Analyzer" module when analyzing an Android image.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwzYSxcGCKZNRk6a8k9JHeXdEDtluqg0yVEPTGBLzAbWkzuuhhUo0XBKmduXb8Vx8NTpXi3VWwD3WeyxrlYmJCjl53O9YiaYa5Rv654mhCTAqOQkza7EpOoS4Wnr2nUGflZ5zPHUOzA4j8/s1600/modules.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwzYSxcGCKZNRk6a8k9JHeXdEDtluqg0yVEPTGBLzAbWkzuuhhUo0XBKmduXb8Vx8NTpXi3VWwD3WeyxrlYmJCjl53O9YiaYa5Rv654mhCTAqOQkza7EpOoS4Wnr2nUGflZ5zPHUOzA4j8/s1600/modules.jpg" width="400" /></a></div>
<br />
<br />
You can also optionally give a case number or an investigator name. Yes, you are an investigator, so take credit.<br />
<br />
Once the case is created, you can see the main Autopsy interface.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfxQX-hrJBlXH45kv8Qe9_LoStSMZdtlirwx6YVVXv5BS-WkVlO9oEEPrwtmoZAZx_AD61pAX9ZL6qOTJWzlNfZhi9xaJegWG1pcQyUi17IB4EE55ti8PPajqz06RX4JIlCW7xVl1mYxQN/s1600/main_interface.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfxQX-hrJBlXH45kv8Qe9_LoStSMZdtlirwx6YVVXv5BS-WkVlO9oEEPrwtmoZAZx_AD61pAX9ZL6qOTJWzlNfZhi9xaJegWG1pcQyUi17IB4EE55ti8PPajqz06RX4JIlCW7xVl1mYxQN/s1600/main_interface.jpg" width="400" /></a></div>
<br />
<br />
At this point, analysis will be ongoing. The ingest modules each pass through the image to find relevant data. In the bottom right corner there is a status bar which you can click on to see analysis status. In the below shot, there are three different ingest modules working simultaneously.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmiNgYy0XQrNkRbdI_3Q3_sTcUcsdrk7Xbyn5Fr_bqyfmikAP1Z7XfHjPQoGA1E4eZ7b7Gg7mwyjGxVCRKYCiGH_w0bccZyFLOxk9XaZ99zf59-HvdQgUqEPmsJGOSV4AJA0nfQuWqkPoi/s1600/processing_status_bar.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmiNgYy0XQrNkRbdI_3Q3_sTcUcsdrk7Xbyn5Fr_bqyfmikAP1Z7XfHjPQoGA1E4eZ7b7Gg7mwyjGxVCRKYCiGH_w0bccZyFLOxk9XaZ99zf59-HvdQgUqEPmsJGOSV4AJA0nfQuWqkPoi/s1600/processing_status_bar.jpg" width="400" /></a></div>
<br />
<br />
Analysis may take a while, depending on how big the image is, how many files it contains, how many modules you select, how much free disk space you have, and how fast your processor is and how much RAM you have. I'm running Autopsy on a Windows netbook, and analyzing an image of a 32 gigabyte phone took around an hour. You can browse around the image and start investigating before the ingest modules are done, but you will be viewing incomplete results. For example, there is a great tool for timeline analysis which I will show later in this post; if you build a timeline before the modules are complete, evidence will be missing from it.<br />
<br />
You also can always wait for the analysis to complete before getting started.<br />
<br />
<b>Android Analyzer module</b><br />
I indicated above to enable the Android Analyzer module. This module locates the databases that hold contact data and communications records and, like the other ingest modules, extracts their contents as records for the investigator. The below screenshot shows that Autopsy identified Call Logs, Contacts, and more; the Android Analyzer ingest module is to credit for these finds. You can click each of these and see what data was collected.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhckyMGlgYoZgPy2VPIELNvyGRb2a2PayXybqh4PTQcluI3EjWW3OQSMLmQlgwr5C9uZLFxnel9eYDF2Lzw0vY3sWh8VZ17xtnG0g8Q6sIdiblNAYng_ONzDUYVM2OBVLEoCz7AkppVuAsL/s1600/extracted_content.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhckyMGlgYoZgPy2VPIELNvyGRb2a2PayXybqh4PTQcluI3EjWW3OQSMLmQlgwr5C9uZLFxnel9eYDF2Lzw0vY3sWh8VZ17xtnG0g8Q6sIdiblNAYng_ONzDUYVM2OBVLEoCz7AkppVuAsL/s1600/extracted_content.jpg" width="364" /></a></div>
<br />
<br />
<br />
Android by default stores your text messages in a SQLite database in the file <span style="font-family: "courier new" , "courier" , monospace;">/data/data/com.android.providers.telephony/databases/mmssms.db</span>. This is the file the Android Analyzer module reads, and you can load it into a SQLite database viewer yourself to see the SMS. When you copy it out of an image, take any mmssms.db-journal or mmssms.db-wal file alongside it, or the most recent messages may be missing. (Note: one of these days I intend to do a post on viewing SQLite database files. The long and short of it is that Android apps, including SMS, the phone dialer and contacts, use SQLite databases to store data. The apps present data in their own ways, such as SMS conversations, but you can always view the raw data as it is stored in a SQLite database viewer.)<br />
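<br />
Here is what the viewer or the ingest module is doing under the hood, as an added example that is not part of the original post or of Autopsy: a Python 3 script that queries the sms table, decodes the type column into a direction, converts the millisecond date and date_sent columns, and groups messages into threads. The database it builds in memory is constructed for the example (a subset of the real table's columns and made-up rows); the column names and type codes are those of stock Android's telephony provider.<br />
<br />
```python
"""Read SMS from an Android mmssms.db the way a SQLite viewer or an ingest module does.

Stock Android keeps messages in the sms table of
/data/data/com.android.providers.telephony/databases/mmssms.db. Added example: the
database below is constructed in memory with a subset of that table's columns and
made-up rows. For a real case copy mmssms.db together with any -journal or -wal file
next to it, then call extract_sms(sqlite3.connect(path)).
"""
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Meaning of the sms.type column on stock Android.
SMS_TYPE = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}


def build_sample_db():
    """Constructed stand-in for a real mmssms.db (schema subset, made-up rows)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE sms (
            _id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT,
            date INTEGER, date_sent INTEGER DEFAULT 0, read INTEGER DEFAULT 0,
            type INTEGER, body TEXT
        );
        INSERT INTO sms VALUES (1, 1, '+15555550100', 1414545000000, 1414544998000, 1, 1, 'Running late, start without me');
        INSERT INTO sms VALUES (2, 1, '+15555550100', 1414545120000, 0,             1, 2, 'No problem, see you there');
        INSERT INTO sms VALUES (3, 2, '+15555550199', 1414631400000, 1414631399000, 0, 1, 'Your verification code is 481516');
    """)
    return con


def extract_sms(con):
    """All messages in time order, with direction decoded and ms timestamps converted."""
    rows = con.execute(
        "SELECT _id, thread_id, address, date, date_sent, type, read, body "
        "FROM sms ORDER BY date, _id"
    ).fetchall()
    return [{
        "id": r[0], "thread": r[1], "address": r[2],
        "time_utc": EPOCH + timedelta(milliseconds=r[3]),      # when the device stored it
        "sent_utc": EPOCH + timedelta(milliseconds=r[4]) if r[4] else None,  # 0 for outgoing
        "direction": SMS_TYPE.get(r[5], f"unknown({r[5]})"),
        "read": bool(r[6]), "body": r[7],
    } for r in rows]


def conversations(messages):
    """Group messages by thread_id, the way the Messaging app shows them."""
    threads = {}
    for m in messages:
        threads.setdefault(m["thread"], []).append(m)
    return threads


if __name__ == "__main__":
    msgs = extract_sms(build_sample_db())
    for thread, items in conversations(msgs).items():
        print(f"thread {thread}")
        for m in items:
            mark = "" if m["read"] else " [unread]"
            print(f"  {m['time_utc']:%Y-%m-%d %H:%M:%S} UTC {m['direction']:>5} "
                  f"{m['address']}{mark}: {m['body']}")
```
<br />
Note the two timestamps: date is when the device stored the message and date_sent is the sender-side time passed on by the carrier, which is zero for outgoing messages; a large gap between the two is worth noting in a timeline.<br />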
<br />
Below is how Autopsy presents SMS.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4IylUTFnicNyFpUobyA8QWmFICZE7gAWL6GQJRU5NtaNcH5EaBMDcDLJ7NagVvGkiGb3QUniPhJ4pXo3cD3n7dLh-dyTLkqUg0aAmvLsuD50BpWOnDYYz6X3jyx2tKB3tbXQEw5zYWB7Y/s1600/messages.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4IylUTFnicNyFpUobyA8QWmFICZE7gAWL6GQJRU5NtaNcH5EaBMDcDLJ7NagVvGkiGb3QUniPhJ4pXo3cD3n7dLh-dyTLkqUg0aAmvLsuD50BpWOnDYYz6X3jyx2tKB3tbXQEw5zYWB7Y/s1600/messages.jpg" width="400" /></a></div>
<br />
<br />
(Black boxes inserted for privacy.)<br />
<br />
Convenient?<br />
<br />
Here is the call log ...<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7msrxDt_-FRxCEgDmUSGpiVHMdGTTvhKRrPuXtbHmn9-tJXun7xOXWHn0YM6ilUpTIZ4ERB8jvbS2UvwgB3w1ph6CuGBuj8Bt6CAWpDgY5tNLhHpB7ZIiLvvcpptC_oktwAuLXw0h0xMu/s1600/call_log.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7msrxDt_-FRxCEgDmUSGpiVHMdGTTvhKRrPuXtbHmn9-tJXun7xOXWHn0YM6ilUpTIZ4ERB8jvbS2UvwgB3w1ph6CuGBuj8Bt6CAWpDgY5tNLhHpB7ZIiLvvcpptC_oktwAuLXw0h0xMu/s1600/call_log.jpg" width="400" /></a></div>
<br />
<br />
... and here is the contacts list.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZYV32Chu0H5ibmKTQwwKaQtHuBE5aWkoV0V7p6qcJGhPN5b2pyFbBnI8q6bIxntAoSuwrULFYaUU6YtGp6eNr9M93Rb0YyD6sXsZqgjxefuX5Qeuc2hL2iRH1N09WLcguV8Ft8Gn15Gle/s1600/contacts.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZYV32Chu0H5ibmKTQwwKaQtHuBE5aWkoV0V7p6qcJGhPN5b2pyFbBnI8q6bIxntAoSuwrULFYaUU6YtGp6eNr9M93Rb0YyD6sXsZqgjxefuX5Qeuc2hL2iRH1N09WLcguV8Ft8Gn15Gle/s1600/contacts.jpg" width="400" /></a></div>
<br />
<br />
<b>Browsing the image</b><br />
Autopsy allows you to browse through the image. The below screenshot shows all of the partitions which Autopsy identified. You can see the userdata partition, which is mounted at /data on the running device and holds most of the data about the user.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwNnGWN80SDydPLGx54-a16PkWaRI7U45Qd-7T2cAxJFZ9px9FbC5dvGzwYLH0x1RvAdMM6qt3iMtN4dLUElG7Kq-KP_oB70TTii8CfomPgDMTrNahCQze2oCHPNf4WFls74o8NvxD5RLW/s1600/volumes.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwNnGWN80SDydPLGx54-a16PkWaRI7U45Qd-7T2cAxJFZ9px9FbC5dvGzwYLH0x1RvAdMM6qt3iMtN4dLUElG7Kq-KP_oB70TTii8CfomPgDMTrNahCQze2oCHPNf4WFls74o8NvxD5RLW/s1600/volumes.jpg" width="318" /></a></div>
<br />
<br />
And then you can browse through the individual partitions.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp7qFcCXh5WItAsgiNSzUUXbiE3Y6QX4oWq_Yt4M0f9h56O5izwo0-N5V7T_D-p8JMUaE7YsxCSccFT23UG-zfP_2Qi6k-Ed8p0bUbV9O983ixve21KCeZCJ1sQPJ9xdkvEHLkCc8lgBJW/s1600/data_dir.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp7qFcCXh5WItAsgiNSzUUXbiE3Y6QX4oWq_Yt4M0f9h56O5izwo0-N5V7T_D-p8JMUaE7YsxCSccFT23UG-zfP_2Qi6k-Ed8p0bUbV9O983ixve21KCeZCJ1sQPJ9xdkvEHLkCc8lgBJW/s1600/data_dir.jpg" width="322" /></a></div>
<br />
<br />
You can view individual files as text or hex. You can also see extracted strings and metadata about the file. And picture files load as pictures.<br />
<br />
<b>Timeline</b><br />
One of Autopsy's best features is the timeline. Autopsy will find events associated with a date and time, such as text messages or call logs or any other time-based events, and make a timeline of events. As an investigator, I always like to create a timeline of events which a digital device has recorded because all of these events ultimately tell the story about a person using the device.<br />
<br />
To create a timeline, go to Tools -> Timeline. (Wait for all ingest modules to finish first.) Then wait for a bit, and when the timeline is ready it opens in a new window.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWHH2xid1GZit2g5U1TaRxDW0YLgVhyBnQ_U6KUdB7B-r-3YpaoXXJqWRuwYQ00vTCRe4LRcUcyany4FkqtEbY3kiF1VyPjFTDv2kxEhvx4QxKPClmpgp2DfSia94iiDjB2SALgZnoSgcq/s1600/timeline.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWHH2xid1GZit2g5U1TaRxDW0YLgVhyBnQ_U6KUdB7B-r-3YpaoXXJqWRuwYQ00vTCRe4LRcUcyany4FkqtEbY3kiF1VyPjFTDv2kxEhvx4QxKPClmpgp2DfSia94iiDjB2SALgZnoSgcq/s1600/timeline.jpg" width="400" /></a></div>
<br />
<br />
The timeline clearly indicates a lot of activity in 2013-2014. But you may also see a weird anomaly around 1970, and a cluster of files dated 2008. Neither reflects user activity. A 1970 date is a timestamp of zero, the Unix epoch itself, which means the time was never set; the 2008 dates come from the Android build process, which stamps the files in the system image with a fixed date. For a quick explanation on how Linux keeps time, check out <a href="http://en.wikipedia.org/wiki/Unix_time">this Wikipedia page</a>.<br />
<br />
You can zoom in to see detailed events. The following shows my phone's events from October 10-23, 2014.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrV__iIhekuS47KqB8G7EmUiBCr4AHnOJB0TtRn09GyoMF2zILzIk3BfoKWCKl_u5_vMmg5llGDsShFTITXXVOox9cx10NmXrPceV8BePWx0vE26hAYYoljlLAe1pLnoszLeBFqUi3kOIq/s1600/timeline_zoom.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrV__iIhekuS47KqB8G7EmUiBCr4AHnOJB0TtRn09GyoMF2zILzIk3BfoKWCKl_u5_vMmg5llGDsShFTITXXVOox9cx10NmXrPceV8BePWx0vE26hAYYoljlLAe1pLnoszLeBFqUi3kOIq/s1600/timeline_zoom.jpg" width="318" /></a></div>
<br />
<br />
The bar colors represent different events as seen in the legend on the timeline.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcxryGynzoxunEXEzos3NtisT3y9ZBNJW5kZTSorPGN7H6RmWrV6oFzaodxO60p-O_zkdyXmsDxcnYwyW4ZXxWFKWkW86CR6K0g7uKVYm3ozPOjMYIV07iqBlzZ1gqK4eexITxHekSWi16/s1600/timeline_legend.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcxryGynzoxunEXEzos3NtisT3y9ZBNJW5kZTSorPGN7H6RmWrV6oFzaodxO60p-O_zkdyXmsDxcnYwyW4ZXxWFKWkW86CR6K0g7uKVYm3ozPOjMYIV07iqBlzZ1gqK4eexITxHekSWi16/s1600/timeline_legend.jpg" /></a></div>
<br />
<br />
You can choose to view "Details" instead of "Counts" which allows you to see what events occurred.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4oH_ol1mKvfRQRrXZFPyz1OOIjtKIlyVH8_5GGBWHCfhPwzKoMsfvpONbu29yqymCLqr8v2hDTGZWY0md6QBlCHjnKi7h4qeLikF0Zbg8thqWPM8VtyyKQvR0gzv_8H7Vppx-WSSmrevV/s1600/timeline_detail.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4oH_ol1mKvfRQRrXZFPyz1OOIjtKIlyVH8_5GGBWHCfhPwzKoMsfvpONbu29yqymCLqr8v2hDTGZWY0md6QBlCHjnKi7h4qeLikF0Zbg8thqWPM8VtyyKQvR0gzv_8H7Vppx-WSSmrevV/s1600/timeline_detail.jpg" width="365" /></a></div>
<br />
<br />
And then you can also zoom in for more details. I see that there is an SMS event, so I chose to see details of the event. (SMS message blacked out for privacy.)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBO0PxM22vIPM2-17A-zOnzqat3ZaX3IsCmXaQYN_mDgMZWLKvsExtosoMdf5OT0jXbBJ1NSKLC8XXj_RnZigwuI4eWEBWdfRssFa-MCGFQOq9f1OUXjwDwuSkK-0qofxgY9yUE1m6Qp9Q/s1600/timeline_sms_detail.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBO0PxM22vIPM2-17A-zOnzqat3ZaX3IsCmXaQYN_mDgMZWLKvsExtosoMdf5OT0jXbBJ1NSKLC8XXj_RnZigwuI4eWEBWdfRssFa-MCGFQOq9f1OUXjwDwuSkK-0qofxgY9yUE1m6Qp9Q/s1600/timeline_sms_detail.jpg" /></a></div>
<br />
<br />
<br />
The timeline is just an incredibly useful tool. And the more you use it, the more uses you find for it.<br />
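As an added example (not Autopsy's code), the following Python merges constructed SMS, call log and file timestamp records into one sorted timeline the way the Autopsy timeline does, and flags the epoch-zero entries behind the 1970 anomaly mentioned above. The rows, numbers and paths are made up; the only assumption is the standard Android convention that the sms and calls tables store dates in milliseconds while file system timestamps are in seconds.

```python
"""Build a simple event timeline from Android records, the way Autopsy's
timeline merges time-stamped artifacts.  Added example, not Autopsy's
code; every record below is constructed."""
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample rows.  Android's sms and calls tables keep their date
# column in milliseconds since the Unix epoch, while ext4 file timestamps
# are seconds since the epoch, so each source needs its own unit.
SMS_ROWS = [
    {"address": "555-0100", "date": 1413043200000, "body": "on my way"},
    {"address": "555-0100", "date": 1413900000000, "body": "made it"},
]
CALL_ROWS = [
    {"number": "555-0199", "date": 1413500000000, "duration": 42},
]
FILE_ROWS = [
    {"path": "/data/data/com.android.providers.telephony/databases/mmssms.db",
     "mtime": 1413900001},
    {"path": "/system/etc/hosts", "mtime": 0},  # timestamp never set
]


def epoch_to_utc(value: int, unit: str) -> datetime:
    """Convert an epoch timestamp given in 's' or 'ms' to an aware UTC datetime."""
    if unit not in ("s", "ms"):
        raise ValueError(f"unknown unit {unit!r}")
    seconds = value / 1000 if unit == "ms" else value
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def build_timeline(sms: List[Dict], calls: List[Dict], files: List[Dict]) -> List[Dict]:
    """Merge all sources into one list sorted by time.

    Events at epoch zero are flagged: they are the 1970 anomaly, a timestamp
    that was never set, not activity to attribute to the user.
    """
    events = []
    for r in sms:
        events.append({"when": epoch_to_utc(r["date"], "ms"), "type": "SMS",
                       "detail": f"{r['address']}: {r['body']}"})
    for r in calls:
        events.append({"when": epoch_to_utc(r["date"], "ms"), "type": "Call",
                       "detail": f"{r['number']} ({r['duration']}s)"})
    for r in files:
        events.append({"when": epoch_to_utc(r["mtime"], "s"), "type": "File modified",
                       "detail": r["path"]})
    for e in events:
        e["epoch_zero"] = e["when"].timestamp() == 0
    events.sort(key=lambda e: e["when"])
    return events


def counts_by_day(events: List[Dict]) -> Dict[str, Counter]:
    """Autopsy's 'Counts' view in miniature: events per day and per type,
    leaving out the epoch-zero entries so they do not distort the bars."""
    per_day: Dict[str, Counter] = {}
    for e in events:
        if e["epoch_zero"]:
            continue
        day = e["when"].strftime("%Y-%m-%d")
        per_day.setdefault(day, Counter())[e["type"]] += 1
    return per_day


if __name__ == "__main__":
    timeline = build_timeline(SMS_ROWS, CALL_ROWS, FILE_ROWS)
    for e in timeline:
        flag = "  <-- epoch zero, ignore" if e["epoch_zero"] else ""
        print(f"{e['when']:%Y-%m-%d %H:%M:%S}  {e['type']:<14} {e['detail']}{flag}")
    for day, counts in sorted(counts_by_day(timeline).items()):
        print(day, dict(counts))
```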
<br />
<b>More features</b><br />
Autopsy has many more features which I'll let you explore. But just to list a few that I've used before:<br />
<br />
<ul>
<li>Plugins</li>
<ul>
<li>You can download plugins to act as further ingest modules or even develop your own</li>
</ul>
<li>Extract files</li>
<ul>
<li>You can extract files to analyze them with other tools, such as a hex editor of choice or an advanced media file analysis tool</li>
</ul>
<li>Report</li>
<ul>
<li>Like with other forensic tools, you can tag files of interest and generate a report highlighting important files and other findings</li>
</ul>
<li>Known hashes</li>
<ul>
<li>If you have a list of hashes of known files you are interested in finding, you can load this hash set into Autopsy and it will let you know if it found these files</li>
</ul>
<li>Carving</li>
<ul>
<li>Autopsy includes Scalpel for data carving</li>
</ul>
</ul>
<br />
<br />
<b>Summary</b><br />
<ul>
<li style="font-size: medium; font-weight: normal;">Autopsy is an awesome tool. This point deserves an individual bullet</li>
<li style="font-size: medium; font-weight: normal;">You can browse an image like in FTK Imager, but I've had cases where FTK Imager fails to load an image properly and Autopsy has loaded it correctly</li>
<li style="font-size: medium; font-weight: normal;">Ingest modules process through evidence and extract useful records</li>
<li style="font-size: medium; font-weight: normal;">The Android Analyzer ingest module can extract contacts, SMS, Calls, and more</li>
<li style="font-size: medium; font-weight: normal;">Autopsy's timeline tool is incredibly useful in investigations</li>
</ul>
Questions, comments, suggestions, or experiences? Open source vs paid forensic software debate? Leave a comment below, or <a href="mailto:marklbgsu@gmail.com">send me an email.</a><br />
<br />
</div>
Mark Lohrumhttp://www.blogger.com/profile/07077867576734525405noreply@blogger.com8tag:blogger.com,1999:blog-6748555274835706450.post-1667937284154814582014-10-20T12:27:00.004-07:002019-04-27T06:39:13.293-07:00Some hidden artifacts in a physical image<h3 style="text-align: center;">
Always get a physical image</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b><br />
In my previous post, I discussed the differences between a physical image and the results of a basic Android forensics tool. This post is a dive into some artifacts of a physical image which a logical extraction tool will not find. Note: this is a basic dive, not a deep dive. The results should not be too surprising, but this post demonstrates some good reasons to obtain a physical image and browse the image in depth.<br />
<br />
<br />
<b>Initialization</b>
<br />
<br />
For ease's sake, I used an Android emulator instead of a physical device. If anybody would like, I can redo the process on a physical phone. Just let me know if that is important to you and I'll get on it.<br />
<br />
I loaded the following PNG picture to the phone's /sdcard partition at the root.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi92RbpmINt9Ji6C6VrGkzN7Cz-__IZt_6ruXJ2V8G-70ZVCZwww4yIkskH2XW4aHMHXAARjpfq_E-2-NPZ2rYIqpL0biGuRvbebtCfnb8X3TfB4z7B4fJ7mKNEUg3MvwMME5kMN8ZQY43O/s1600/pirate_android.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi92RbpmINt9Ji6C6VrGkzN7Cz-__IZt_6ruXJ2V8G-70ZVCZwww4yIkskH2XW4aHMHXAARjpfq_E-2-NPZ2rYIqpL0biGuRvbebtCfnb8X3TfB4z7B4fJ7mKNEUg3MvwMME5kMN8ZQY43O/s1600/pirate_android.png" width="320" /></a></div>
<br />
Pirate Android!!<br />
<br />
And then I sent a text message. (This is an emulator, so the message doesn't actually go anywhere, but the emulator will store data just the same way regardless.)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcz-l3lfJEZSf6WCPkkMFzXUzQpreDPlxxwnk2iGhT_yALGsnIch-FBd2ne2FcxF1zOM3XP2Me5AmyimHY04MyLTmIYHhQxa-Ava6HuH495RImYD0UAaJ4ditMuI51J53Mk4HDOjwNIvou/s1600/SMS_screenshot.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcz-l3lfJEZSf6WCPkkMFzXUzQpreDPlxxwnk2iGhT_yALGsnIch-FBd2ne2FcxF1zOM3XP2Me5AmyimHY04MyLTmIYHhQxa-Ava6HuH495RImYD0UAaJ4ditMuI51J53Mk4HDOjwNIvou/s1600/SMS_screenshot.jpg" width="192" /></a></div>
<br />
<br />
I deleted the Pirate Android image, and then I deleted the text message.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgBsRmj1189cy9HzQ_Jb9-kqG44tFPhyphenhyphen7pS6guU2KD3wwbXkTrTA9wplfN18ScdhKvtlOWQ-USCu3WTQoz_QiWmMCVIBqqcJusuceh5chXNDTj3PgjEXcKr3N8W92395N0t5_g4WKHIqD3/s1600/SMS_deleting.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgBsRmj1189cy9HzQ_Jb9-kqG44tFPhyphenhyphen7pS6guU2KD3wwbXkTrTA9wplfN18ScdhKvtlOWQ-USCu3WTQoz_QiWmMCVIBqqcJusuceh5chXNDTj3PgjEXcKr3N8W92395N0t5_g4WKHIqD3/s1600/SMS_deleting.jpg" width="192" /></a></div>
<br />
<br />
<br />
<br />
<br />
<b>Extractions</b>
<br />
<br />
I performed some basic extractions. First, I ran the Open Source Edition of viaForensics' viaExtract tool, which is included free with Santoku. viaExtract is a basic logical extraction tool that can extract SMS.<br />
<br />
Then I used the Android shell to browse through the Android emulator to see what files exist and do not exist.<br />
<br />
And finally, I emulated a physical image of the device. By an emulated physical image I mean that I copied the files which back the emulator's storage and viewed them with a hex editor. On Linux, these files are stored at <span style="font-family: 'courier new', courier, monospace;">/home/&lt;username&gt;/.android/avd/</span><br />
<br />
The above extractions represent a logical extraction, logical browsing, and a physical extraction.<br />
<br />
<br />
<b>Results</b>
<br />
<br />
The viaExtract tool did not detect the deleted text message. viaExtract uses device APIs to extract data and stores the extracted data in CSV files. The below image is the CSV file containing discovered SMS messages, which in this case is none. (And for what it is worth, I have run this tool on emulators before and I can confirm that viaExtract can successfully extract SMS from an Android emulator, so the results from viaExtract do not represent an error.)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheIOeGWQ83vNRbqVh6AcBWpybsh2d8TA7P-P8d0-sT9cwunz6uReU5fYDh7UwquJVt058BnH4wP9plzClNMMKQxn3LBwCLI_uDH6dwjF9bZm9HKmHCg7CYJ4EGnZscCH184BgLG2WIlwkI/s1600/viaExtract_SMS.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheIOeGWQ83vNRbqVh6AcBWpybsh2d8TA7P-P8d0-sT9cwunz6uReU5fYDh7UwquJVt058BnH4wP9plzClNMMKQxn3LBwCLI_uDH6dwjF9bZm9HKmHCg7CYJ4EGnZscCH184BgLG2WIlwkI/s1600/viaExtract_SMS.jpg" width="640" /></a></div>
<br />
<br />
When browsing through the emulator's SD card, the Pirate Android file is gone, predictably, as I deleted the file previously.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXnYMzEg_EPapK9NxGxspnp6TsAyacJGdOqalks9VFxW3pyeGxceykScrN4VBzpauDPXZjGB7CWLnKkpbrQUPFj986FLtTfVnv4m0Oe8csVac0_jUDMmSTmCycwURCgNA1bhTBLa30ltL5/s1600/shell_screenshot.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXnYMzEg_EPapK9NxGxspnp6TsAyacJGdOqalks9VFxW3pyeGxceykScrN4VBzpauDPXZjGB7CWLnKkpbrQUPFj986FLtTfVnv4m0Oe8csVac0_jUDMmSTmCycwURCgNA1bhTBLa30ltL5/s1600/shell_screenshot.jpg" width="640" /></a></div>
<br />
<br />
The physical image contained some more interesting results. First, I used a hex editor to explore the userdata partition and found in slack space the deleted SMS.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghBVEQgcEZfCGE2x8UJR1OiBZZWXwK8UY0Q3SIR-Tl4hfFDfTHA_56bbci3h840QeGp2LE4KmyI2jpnvGq78wqo1OW-5OQ8Br7N0SaCHtyYrQupmcDdpqnzBSSRgXmNci0JgjP8Sry7EJp/s1600/hex_deleted_SMS.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghBVEQgcEZfCGE2x8UJR1OiBZZWXwK8UY0Q3SIR-Tl4hfFDfTHA_56bbci3h840QeGp2LE4KmyI2jpnvGq78wqo1OW-5OQ8Br7N0SaCHtyYrQupmcDdpqnzBSSRgXmNci0JgjP8Sry7EJp/s1600/hex_deleted_SMS.jpg" /></a></div>
<br />
The deleted record clearly contains the deleted message text ("You will never find this message!") and the "recipient" ("678-9").<br />
<br />
I also found a PNG image in the image of the SD card.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEpGqZg3QQxuCY-E22-h9rwLXvuzhm9w29XouWxYNdFuaEIMLh3N_J7faGrUuGJT9pBia6iDsvamUoG1UVVEOJIrncv815NLxTOgqp8ijoDWJMhguUdKNmVvsY8K06VQrJENGjHnQA0203/s1600/hex_deleted_PNG.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEpGqZg3QQxuCY-E22-h9rwLXvuzhm9w29XouWxYNdFuaEIMLh3N_J7faGrUuGJT9pBia6iDsvamUoG1UVVEOJIrncv815NLxTOgqp8ijoDWJMhguUdKNmVvsY8K06VQrJENGjHnQA0203/s1600/hex_deleted_PNG.jpg" /></a></div>
<br />
<br />
So I copied everything from the start of the PNG header to the end of the file I found in slack into a new file, opened the result as an image, and ...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIBbXPGk_loJOTFNO9cCuRV1dbCvRz3mOwMJ1Nu_bCyGp0ZNLnBIZYTTIUukDwDbtL7QXB8w6WFhlKHhMN3alXf8EHed4W_egJGtCiSkznbt2GRj7HK1v_bLu5Hc8luG_4P6lHx3dycFSj/s1600/recovered_image.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIBbXPGk_loJOTFNO9cCuRV1dbCvRz3mOwMJ1Nu_bCyGp0ZNLnBIZYTTIUukDwDbtL7QXB8w6WFhlKHhMN3alXf8EHed4W_egJGtCiSkznbt2GRj7HK1v_bLu5Hc8luG_4P6lHx3dycFSj/s1600/recovered_image.png" width="320" /></a></div>
<br />
Pretty cool, huh?<br />
<br />
<b>Discussion</b><br />
<br />
So what can explain all of these results, and what does it all mean?
<br />
<br />
viaExtract is a basic logical extraction tool and relies upon device APIs to extract data. The device presents an API to extract SMS messages, but there is no API to extract deleted messages. There is no way that any logical extraction tool will be able to leverage only device APIs to extract deleted SMS.<br />
<br />
Note: the tool from viaForensics is a basic logical extraction tool. viaForensics has some true experts who can do the dive demonstrated in this post and way, way better. The folks at viaForensics are definitely experts in mobile forensics. I personally respect the company greatly. I chose the viaExtract tool because it is a basic logical extraction tool and it is free with Santoku.
<br />
<br />
It should not be a surprise that a deleted file does not show up when shelling into the emulator. As seen above, the Pirate Android image is not on the device according to the shell. A device shell can only display the files the file system knows exist, and the file system knows that the Pirate Android image is deleted.
<br />
<br />
So why was I able to recover a deleted text message and a deleted picture? The reason is simple: the deleted text message and the deleted picture were not overwritten or destroyed. As long as data is not overwritten, it can be found in a physical image using a hex editor.
<br />
<br />
The big picture of this post is that you really want a physical image, and you also really need to examine the image using a hex editor. It can be hard to find artifacts, but these artifacts are there. A digital forensics expert should be proficient with a hex editor.
<br />
<br />
There are some ways to automate finding artifacts, such as file carving. I recommend using a variety of automated tools, and I have a relevant example here: I ran scalpel, an open source file carving tool, and scalpel did not recover the Pirate Android image. I would bet that if I tried several other file carving tools, at least one would have recovered it. Not all tools work all the time, but the more tools you try, the better your results will be. And of course, you can always use a hex editor and take the time to find as many artifacts manually as you can.
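The two hand steps in this post, spotting the deleted SMS text in slack and copying the PNG from its header to its end, can be scripted; the following is an added Python example, not code from the post or from scalpel. It goes a little beyond the hex editor approach by walking the PNG chunk structure to the IEND chunk and checking each chunk's CRC, so a carve whose tail has already been overwritten is rejected instead of being saved as a broken file. The partition image, the SMS fragment and the PNG are all constructed inline.

```python
"""Carve an intact PNG out of a raw partition image and search the image
for a deleted SMS body.  Added example; the sample data below is
constructed, not taken from the post's emulator."""
import struct
import zlib
from typing import List, Optional, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_extent(buf: bytes, start: int) -> Optional[int]:
    """Length of the PNG that starts at buf[start], or None if it is not intact.

    After the 8-byte signature a PNG is a sequence of chunks:
    length (4 bytes, big-endian) | type (4) | data (length) | CRC-32 (4).
    Walking the chunks to IEND gives the exact end offset that the post
    found by eye in the hex editor.
    """
    if buf[start:start + 8] != PNG_SIGNATURE:
        return None
    pos = start + 8
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        end = pos + 12 + length
        if end > len(buf):
            return None  # chunk runs past the buffer: the tail was overwritten
        data = buf[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", buf[end - 4:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            return None  # CRC mismatch: part of the file has been reused
        pos = end
        if ctype == b"IEND":
            return pos - start
    return None  # ran out of data before IEND


def carve_pngs(buf: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, bytes) for every intact PNG found in buf."""
    found = []
    pos = buf.find(PNG_SIGNATURE)
    while pos != -1:
        size = png_extent(buf, pos)
        if size is not None:
            found.append((pos, buf[pos:pos + size]))
            pos = buf.find(PNG_SIGNATURE, pos + size)
        else:
            pos = buf.find(PNG_SIGNATURE, pos + 1)
    return found


def find_text(buf: bytes, needle: str, context: int = 24) -> List[Tuple[int, bytes]]:
    """Offsets (with surrounding bytes) of an ASCII string such as a deleted
    SMS body, wherever it sits in the image: allocated file, slack or free."""
    pattern = needle.encode()
    hits = []
    pos = buf.find(pattern)
    while pos != -1:
        lo, hi = max(0, pos - context), pos + len(pattern) + context
        hits.append((pos, buf[lo:hi]))
        pos = buf.find(pattern, pos + 1)
    return hits


# --- constructed test data -------------------------------------------------

def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Minimal valid 8-bit greyscale PNG (stand-in for the Pirate Android)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    row = b"\x00" + bytes((x * 7) % 256 for x in range(width))  # filter byte + pixels
    idat = zlib.compress(row * height)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed record fragment: recipient, NUL, body, NUL, as it might sit in slack.
SMS_FRAGMENT = b"678-9\x00You will never find this message!\x00"


def build_sample_image() -> bytes:
    """Stand-in for a userdata/sdcard image: zeroed free space, a record
    fragment left in slack, and a deleted but not yet overwritten PNG."""
    return b"\x00" * 4096 + SMS_FRAGMENT + b"\x00" * 2048 + make_png(16, 8) + b"\x00" * 1024


if __name__ == "__main__":
    image = build_sample_image()
    for offset, snippet in find_text(image, "You will never find this message!"):
        print(f"SMS body at offset {offset:#x}: {snippet!r}")
    for offset, png in carve_pngs(image):
        print(f"intact PNG at offset {offset:#x}, {len(png)} bytes")
        with open(f"carved_{offset:#x}.png", "wb") as fh:
            fh.write(png)
```

On a real image, replace build_sample_image() with the bytes of the userdata or sdcard partition file; the output file opens in any image viewer, as the recovered Pirate Android did above.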
<br />
<br />
<b>Summary</b>
<br />
<br />
<ul>
<li>Logical extraction tools rely upon device APIs which limits their effectiveness</li>
<li>Obtain a physical image of the device if you can</li>
<li>All kinds of artifacts can lie in the hex of an Android device</li>
<li>Use automated tools but do not rely on just one</li>
</ul>
Questions, comments, suggestions, or experiences? Pirate Android fan mail? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a><br />
<br /></div>
Mark Lohrumhttp://www.blogger.com/profile/07077867576734525405noreply@blogger.com2tag:blogger.com,1999:blog-6748555274835706450.post-55368220897326275732014-09-25T15:34:00.005-07:002019-04-27T06:39:21.573-07:00The differences between a physical image and a logical extraction<h3 style="text-align: center;">
There's a reason we want a physical image</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b><br />
This post is a request from a reader. Thanks for the request! If you, the reader, ever have a topic you would like to see me dive into, message me.
<br />
<br />
The question was: what data do you have when you obtain a physical image instead of a logical extraction? Great question. First, let me define a couple of working terms. A physical image is the image you would obtain by following <a href="http://freeandroidforensics.blogspot.com/2014/08/live-imaging-android-device.html">this guide on a previous blog post</a> or by using a similar tool, such as a Cellebrite UFED Physical. A logical extraction is a set of data extracted using a forensic app. For this blog post, I'll reference AFLogical by viaForensics, which is a free tool you can find <a href="https://viaforensics.com/resources/tools/android-forensics-tool/">here</a>, and you can follow instructions for using it <a href="https://santoku-linux.com/howto/mobile-forensics/howto-forensically-examine-android-aflogical-santoku">here</a>.<br />
<br />
(Please note. In no way am I trying to bash viaForensics here. viaForensics is a great company and I admire their work. I'm referencing this tool as a free logical extraction tool you can download and use while pointing out the weaknesses of using logical extractions. The fact that the tool is free should be an indication that this tool is not their premiere tool. They have far more powerful tools and their professional services are among the best in the industry.)<br />
<br />
So with all of the above out of the way, here we go ...<br />
<br />
<b>Data obtained with a physical image</b><br />
<br />
The answer is everything in storage on the device. You get every file, every database, every picture, plus all of the slack. For a writeup on slack space, check out <a href="https://viaforensics.com/computer-forensic-ediscovery-glossary/what-is-slack-space.html">this page by viaForensics</a>. Simply put, with a physical image you get everything in storage.<br />
<br />
There is a good reason why we always want a physical image. Examining a physical image takes specialty tools, and I go over the basics in this blog post. If you want to look at data records, such as text messages, you do not have a simple file to examine with all of the records. You need to find the file storing these records, which is most likely a database, and examine the database file. The examination process is not straightforward, but you obtain the most data.<br />
<br />
What you do not obtain is live running memory. Sometimes live running memory can contain important data, including decrypted data if the data in storage is encrypted. I do not intend to go over how to image live memory simply because it is a very complicated process which sometimes does not work.<br />
<br />
<b>Data obtained using a logical record extraction tool</b><br />
<br />
A logical record extraction tool is an app which installs on the device. As I discussed in my post on live imaging, the imaging process requires an exploit. In that previous post, the exploit allows for root privileges. Root access is required to image the device, and root access is also required to read files in the /data partition, which is where user records are stored. A logical record extraction tool does not require root access. A logical record extraction tool uses Android APIs to extract records from the device and save them to external storage. These APIs allow a programmer to write an app to request certain records. The APIs do not return the actual database files, but they do return the records. For a guide on this process, check out <a href="http://stackoverflow.com/questions/848728/how-can-i-read-sms-messages-from-the-inbox-programmatically-in-android">this programming guide on how to programmatically read SMS from the inbox</a>. Look specifically at this code snippet (from the website; I cleaned it up some to make it more readable):<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">// cursor is the result of a ContentResolver.query() against the SMS content provider;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">// the column indexes below match the projection passed to that query</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">if (cursor != null)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">{</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> try</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> {</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> count = cursor.getCount();</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> if (count > 0)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> {</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> cursor.moveToFirst();</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"> long messageId = cursor.getLong(0);</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> long threadId = cursor.getLong(1);</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> String address = cursor.getString(2);</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> long contactId = cursor.getLong(3);</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> String contactId_string = String.valueOf(contactId);</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> long timestamp = cursor.getLong(4);</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"> String body = cursor.getString(5);</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"> if (!unreadOnly) // unreadOnly and context are set by the enclosing method</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> {</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> count = 0;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> }</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"> SmsMmsMessage smsMessage = new SmsMmsMessage(</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> context, address, contactId_string, body, timestamp,</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> threadId, count, messageId, SmsMmsMessage.MESSAGE_TYPE_SMS);</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"> return smsMessage;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> }</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> }</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> finally</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> {</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> cursor.close(); // release the provider cursor whether or not a row was read</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> }</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">}</span><br />
<br /></blockquote>
<br />
<br />
This code runs with permission to read the SMS content provider. It steps through the query result row by row and pulls out the message ID, thread ID, address, contact ID, timestamp, and message body. All of this goes into an “SmsMmsMessage” object. A programmer can then write the fields of that object to a file, which effectively means all SMS records are retrieved and exported.<br />
<br />
Here is the problem. The APIs will give you a certain set of data. There may be more data associated with these records which the APIs do not return. The above code, for example, does not return any location related data associated with the message or any metadata associated with the contact or the phone number. These extra data records will be in the database file which you can read if you obtain a physical image of the device.<br />
<br />
The APIs also will not return any deleted records. When an SMS message is deleted, the database file no longer retains the message. However, if you have a physical image, you may be able to find the deleted message in slack space. The APIs only return what records they are programmed to return; they cannot return records floating in slack space.<br />
<br />
The logical record extraction process is incapable of extracting files in the /data partition. You need root access to extract the actual files. The APIs only return the records, not the files.<br />
<br />
Also, there may not be APIs available to return data from third party apps, ranging from Facebook to third party messaging apps to web browsers. If there is no API, the data cannot be retrieved using a logical record extraction app. With a physical image, you can open the database files associated with these apps and examine them directly.<br />
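To make the record-versus-file distinction concrete, here is an added example (my own, not code from the post or from the Stack Overflow guide). It builds a constructed, simplified sms table, deletes one message the way the messaging app would, and then compares what a record-level query returns against what a byte scan of the database file finds. The schema and the messages are constructed stand-ins, not the real telephony provider schema.<br />
<br />

```python
import os
import sqlite3
import tempfile

# Constructed sample messages. The table is a simplified stand-in for the
# real smsmms.db schema, not a copy of it.
SAMPLE_MESSAGES = [
    (1, 1, "+15555550100", 1409000000000, "Running ten minutes late"),
    (2, 1, "+15555550100", 1409000060000, "Dentist moved to Thursday 3pm"),
    (3, 2, "+15555550123", 1409000120000, "Can you send the report?"),
]
DELETED_ID = 2
DELETED_BODY = SAMPLE_MESSAGES[1][4]


def build_sample_db(path):
    """Create the constructed sms table and commit the rows to disk."""
    con = sqlite3.connect(path)
    # Some SQLite builds default to secure_delete=ON, which zeroes freed
    # cells; turn it off so the file behaves like a typical device database.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute(
        "CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, "
        "address TEXT, date INTEGER, body TEXT)"
    )
    con.executemany("INSERT INTO sms VALUES (?, ?, ?, ?, ?)", SAMPLE_MESSAGES)
    con.commit()
    con.close()


def delete_message(path, msg_id):
    """Delete one row the way the messaging app would."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("DELETE FROM sms WHERE _id = ?", (msg_id,))
    con.commit()
    con.close()


def logical_view(path):
    """The record-level view: what a query through the API returns."""
    con = sqlite3.connect(path)
    rows = con.execute(
        "SELECT _id, thread_id, address, date, body FROM sms ORDER BY _id"
    ).fetchall()
    con.close()
    return rows


def raw_file_contains(path, text):
    """The file-level view: scan the database file bytes, as from an image."""
    with open(path, "rb") as f:
        return text.encode("utf-8") in f.read()


def compare_views():
    """Build, delete, then report what each view can still see."""
    with tempfile.TemporaryDirectory() as workdir:
        db_path = os.path.join(workdir, "smsmms.db")
        build_sample_db(db_path)
        delete_message(db_path, DELETED_ID)
        live_rows = logical_view(db_path)
        return {
            "live_ids": [row[0] for row in live_rows],
            "deleted_in_api_result": any(row[4] == DELETED_BODY for row in live_rows),
            "deleted_in_raw_file": raw_file_contains(db_path, DELETED_BODY),
        }


if __name__ == "__main__":
    for key, value in compare_views().items():
        print(f"{key}: {value}")
```

The query never returns message 2 again, but the text of the deleted row is still sitting in a freed cell inside the database file, which is exactly the kind of thing an examiner recovers from a physical image and an API-based tool never sees. Whether a real device keeps those bytes depends on the app's SQLite settings and on whether the database has since been vacuumed, so treat this as the best case, not a guarantee.<br />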
<br />
<br />
<b>Conclusion</b><br />
<br />
In summation, you want a physical image. The logical extraction tool is a good tool to use if you need a quick look at text messages or call logs, and it also is a good tool to use if you are unable for whatever reason to obtain a physical image of the device. If you are doing a detailed examination of the device, you will need a physical image.<br />
<br />
The logical extraction tools have their purposes. I am not here to denigrate those tools by any means. I am here to point out their limitations.<br />
<br />
Thank you to one of my readers for suggesting this post. If you, the reader, have a good topic you would like to see a full post on, shoot me a message and I'd be glad to oblige.<br />
<br />
Questions, comments, suggestions, or experiences? Requests for posts? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a><br />
<br /></div>
Mark Lohrum<br />
<br />
<b>Reverse Engineering an Android App File</b> (posted 2014-09-25, updated 2019-04-27)<h3 style="text-align: center;">
It is okay to be frustrated</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b>
<br />
<br />
The Android operating system has all
kinds of great apps. I use Netflix, YouTube, Facebook, and the
Chrome browser all the time. The development environment for writing
Android apps is easy and free, so it attracts some great developers
and all kinds of innovation.
<br />
<br />
The problem is, great developers and
all kinds of innovation are not all that the development environment
attracts. It depends on which report you go with (<a href="http://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-mobile-security-threat-report.pdf">this one</a>, <a href="http://www.forbes.com/sites/gordonkelly/2014/03/24/report-97-of-mobile-malware-is-on-android-this-is-the-easy-way-you-stay-safe/">this one</a>, <a href="http://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf">this one</a>, or many other excellent reports by trusted security firms), but every security researcher who looks at mobile malware
agrees on one thing: the Android operating system is the number one
mobile operating system for malware. Malware may be spyware which
steals personal data, ransomware which “locks” the device until
the user forks over money to some hacker, or a particularly annoying
variant which uses up expensive services like premium text messages
or large volumes of data and forces the user to pay exorbitant fees
to their service provider.
<br />
<br />
So how do you know if an app is
malware? There are malware scanners out there which work with
varying effectiveness. (By the way, I totally suggest if you use
Android you download a virus scanner, just in case. I personally use
Lookout because one of the nice features is a find-my-phone feature,
which sometimes is quite handy in the morning when I can hardly
find anything. If only there were a find-my-keys app …)
<br />
<br />
If you desire, you can reverse engineer
an app install file to its source code to determine if there is any
malware present. Obviously poring over code requires programming
experience, or at least programming knowledge. If you have it, you
may enjoy this exercise.
<br />
<br />
<b>Introduction to Android app install
files</b>
<br />
<br />
Android app install files are packaged
with the extension .apk. If you have downloaded an app, the .apk
file is on your phone in the directory /data/app. You can retrieve
it in a few ways:
<br />
<br />
<ul>
<li>if you've imaged the phone, retrieve
it from the image using FTK imager</li>
<li>if you are root, you can copy the
file from /data/app to /sdcard</li>
<li>you can install a file manager, like
Astro File Manager or ES File Manager, and use the built in app
management to backup the app to your /sdcard directory. I personally
use ES File Manager for this functionality.</li>
</ul>
<br />
<br />
System apps, like Gmail, Browser,
Calendar, and other default apps, are in the system partition at
/system/app. The easiest way to retrieve those, in my opinion, is to
use adb. You can use adb shell to navigate to /system/app and find
the name of the file you wish. Exit the adb shell and return to your
computer and type the following:<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">adb -d pull
/system/app/&lt;filename&gt;.apk</span></blockquote>
This command pulls the file to your
working directory.
<br />
<br />
APK files are just zip files. Once the
APK file is on your computer, you can rename the file to include a
.zip extension and navigate around.
<br />
<br />
Within the APK file is a file called
classes.dex. This is the actual app binary. If you navigated
through the system/app directory, you may have noticed a bunch of
files with the .odex extension. These are the classes.dex files from
the associated APK files, optimized for the version of the Android OS.
If you've ever done a factory reset or installed an update, you know
that on the first boot you have to wait for a while as you see a
screen indicating that all of your apps are being optimized. That app
optimization process is what creates these .odex files.
<br />
<br />
Also within is a directory called res.
This is the resources directory, including images and other files
used by the app.
<br />
<br />
Another directory in APK files is
META-INF. Within here is the digital signature of the app. When the
app is compiled, it is digitally signed for authenticity.
<br />
<br />
When a developer writes an Android app,
there is a file called the Android Manifest. In the APK you'll see
a file called manifest.xml, but if you load it in a text
editor you won't be able to read much. The manifest includes details
about the app, including intents called, broadcast signals sent, and
permissions requested. The permissions are very important. For
example, if you have a simple app, such as a simple game, but the app
has the permission to record audio or send text messages, something
could be fishy here. Of course, it is possible that the game can
take voice commands and send your high score to your friends to brag,
so you never know. Still, if there are odd permissions in an app, that
should raise some red flags.
<br />
<br />
There's a ton more you can learn about
Android apps than this. What is important to know for now is how to
retrieve an app, what the classes.dex file is, and what the manifest
is.
<br />
<br />
<b>Reverse engineering the manifest</b>
<br />
<br />
So you have an app file. The first
thing I like to do is retrieve the manifest. Copy the app to a
working directory in your Linux machine and navigate there in a
shell. Type the following:
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">aapt l -a filename.apk >
manifest.txt</span></blockquote>
<br />
<br />
aapt is a debug tool included with adb. If adb is not in your system path, aapt most likely is not either.
The command above translates the unreadable manifest.xml file in the
APK file to a human readable format and outputs it to the
manifest.txt file. Note: what you get out of this is NOT the
original manifest. You will need the original source code to
retrieve the manifest as it was prior to compiling.
<br />
<br />
Open the manifest.txt file in a text
editor. Look for your permissions. You can do a text search for
permissions. You'll see entries along the lines of the following:<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">E: uses-permission (line=1238)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> A: android:name(0x01010003)="android.permission.BATTERY_STATS" (Raw: "android.permission.BATTERY_STATS")</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">E: uses-permission (line=1239)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> A: android:name(0x01010003)="android.permission.ACCESS_NETWORK_STATE" (Raw: "android.permission.ACCESS_NETWORK_STATE")</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">E: uses-permission (line=1240)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> A: android:name(0x01010003)="android.permission.ACCESS_WIFI_STATE" (Raw: "android.permission.ACCESS_WIFI_STATE")</span>
</blockquote>
If you see any suspicious permissions, take note.
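The two manual steps above, checking what is inside the zip and searching the aapt output for permissions, are easy to script for triage. The following is an added example of my own, not code from the post or from the Android tooling. It parses the E:/A: permission lines in the format aapt prints (whether each pair sits on one line, as quoted above, or on two, as aapt actually prints them) and flags the ones the post calls out as odd for a simple app. The sample aapt text reuses the three lines quoted above plus two constructed entries, the sensitive-permission list is a starter set I chose for the demo, and the sample APK is a constructed zip with the expected entry names and dummy contents. One detail beyond the post: the manifest entry inside the zip is named AndroidManifest.xml.<br />
<br />

```python
import io
import re
import zipfile

# Starter triage list built from the permissions the post singles out as odd
# for a simple app (an assumption for the demo, not an exhaustive list).
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# aapt prints an "E: uses-permission" element line followed by an
# "A: android:name" attribute line; \s* tolerates one line or two.
PERMISSION_RE = re.compile(
    r'E: uses-permission(?:-sdk-23)? \(line=\d+\)\s*'
    r'A: android:name\(0x01010003\)="([^"]+)"'
)

# Constructed aapt output: the three entries quoted in the post plus two
# added ones so the triage has something to flag.
SAMPLE_AAPT_OUTPUT = """\
    E: uses-permission (line=1238)
      A: android:name(0x01010003)="android.permission.BATTERY_STATS" (Raw: "android.permission.BATTERY_STATS")
    E: uses-permission (line=1239)
      A: android:name(0x01010003)="android.permission.ACCESS_NETWORK_STATE" (Raw: "android.permission.ACCESS_NETWORK_STATE")
    E: uses-permission (line=1240)
      A: android:name(0x01010003)="android.permission.ACCESS_WIFI_STATE" (Raw: "android.permission.ACCESS_WIFI_STATE")
    E: uses-permission (line=1241)
      A: android:name(0x01010003)="android.permission.RECORD_AUDIO" (Raw: "android.permission.RECORD_AUDIO")
    E: uses-permission (line=1242)
      A: android:name(0x01010003)="android.permission.SEND_SMS" (Raw: "android.permission.SEND_SMS")
"""


def parse_permissions(aapt_text):
    """Return the uses-permission names in the order aapt listed them."""
    return PERMISSION_RE.findall(aapt_text)


def flag_permissions(permissions, sensitive=SENSITIVE_PERMISSIONS):
    """Return the subset worth a closer look, preserving aapt's order."""
    return [p for p in permissions if p in sensitive]


def summarize_apk(apk_bytes):
    """Sort zip entries into the parts the post describes: binary, resources, signature, manifest."""
    summary = {"manifest": None, "classes_dex": [], "resources": [], "signature": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name == "AndroidManifest.xml":
                summary["manifest"] = name
            elif re.fullmatch(r"classes\d*\.dex", name):
                summary["classes_dex"].append(name)
            elif name.startswith("res/"):
                summary["resources"].append(name)
            elif name.startswith("META-INF/"):
                summary["signature"].append(name)
            else:
                summary["other"].append(name)
    return summary


def build_sample_apk():
    """Constructed stand-in for an APK: a zip with the usual entry names and dummy contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML header bytes only
        zf.writestr("classes.dex", b"dex\n035\x00")              # dex magic only, not a real binary
        zf.writestr("res/drawable/icon.png", b"")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"")
    return buf.getvalue()


if __name__ == "__main__":
    print(summarize_apk(build_sample_apk()))
    perms = parse_permissions(SAMPLE_AAPT_OUTPUT)
    print("requested:", perms)
    print("take note:", flag_permissions(perms))
```

On a real file you would feed summarize_apk the bytes of the .apk you pulled and parse_permissions the manifest.txt that the aapt command above produced. The flagged list is only where to start reading, as the post says: a recording permission is a red flag in a game, not proof of anything.<br />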
<br />
<br />
<b>Reverse engineering the classes.dex
file to source</b>
<br />
<br />
To reverse engineer the classes.dex
file and read it, you'll need a couple of programs which are both
installed in Santoku. If you are using Santoku Linux, you're good.
Otherwise, download and install dex2jar and JD GUI. Dex2jar is a
tool which converts an Android classes.dex file to a Java JAR archive
file, and JD GUI allows you to read the JAR file as Java source.
Install links are <a href="http://code.google.com/p/dex2jar/">here</a> and <a href="http://jd.benow.ca/">here</a>. Install these both.
<br />
<br />
In the terminal, type the following:
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">d2j-dex2jar filename.apk</span> </blockquote>
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">jd-gui filename-dex2jar.jar</span></blockquote>
<br />
The first line creates your jar file,
and the second opens the jar file in JD GUI.
<br />
<br />
In JD GUI, you'll see how the app
source is organized. If you have no java experience, you'll probably
be lost navigating around, but if you have java experience you'll
figure this out quickly. Regardless of your java experience, reverse
engineering app source is a royal pain.
<br />
<br />
Now let's say you see something like
this:
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxlnQX15J3RIFI2WIk7ysXTLl-z3A2yzBKsKr_IR3RBgpZITM_f-Hz_1b0quBilJGRwACZlVo_HHxPSZrJ-L6GaOpD60rF9bsJkycyfCnNFUSwbMS06rqMoDE_YOa7OePxdxcvNTsidfm0/s1600/Netflix_1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxlnQX15J3RIFI2WIk7ysXTLl-z3A2yzBKsKr_IR3RBgpZITM_f-Hz_1b0quBilJGRwACZlVo_HHxPSZrJ-L6GaOpD60rF9bsJkycyfCnNFUSwbMS06rqMoDE_YOa7OePxdxcvNTsidfm0/s1600/Netflix_1.jpg" width="213" /></a></div>
<br />
<br />
or this:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU9u34155ip5L18Z3LYE5HOE1hL8DVOxzj33nBdMZeqgcxqRS-oSwYXYk-ZVgAeuvjuyPZEgbCQ79FXrSGS7w4xVdudyu4hSRZ4ATBFLzHPsEZB4tDNCjzZSxILhFEBJ1ZJ1ZOJfwoQY7p/s1600/Netflix_2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU9u34155ip5L18Z3LYE5HOE1hL8DVOxzj33nBdMZeqgcxqRS-oSwYXYk-ZVgAeuvjuyPZEgbCQ79FXrSGS7w4xVdudyu4hSRZ4ATBFLzHPsEZB4tDNCjzZSxILhFEBJ1ZJ1ZOJfwoQY7p/s1600/Netflix_2.jpg" width="320" /></a></div>
<br />
<br />
The screenshots are from JD GUI and a major commercial app. Anyone who knows much about programming knows that a,
b, c, d, e, and such make terrible class and variable names.
Variables and classes should be descriptive. What happened here is
that the developers used code obfuscation. Before the app is
compiled, a tool goes through the source and renames variables and
classes to useless names like a, b, c, and such. They do this as a
service to you, just in case you didn't think reverse engineering was
already frustrating. When you see obfuscation like this, often your
best indications of what is going on are the functions the tool cannot rename
(like getCacheDir and getAbsolutePath), and strings. The code
obfuscation does not change the functionality of the app, but if the
obfuscation changes the text of strings, then functionality is
altered.
<br />
<br />
<b>Strategy</b>
<br />
<br />
So what strategies do I suggest in
reverse engineering source? Honestly I do not suggest a strategy. I
suggest figuring things out and finding what works well for you. It
can be frustrating but extremely insightful. I've reverse engineered
apps before and whenever you find something suspicious, you find a
thread that you keep pulling until you might actually find something
malicious. Remember to correlate what you find with the manifest.
And as always, if you need help, please comment or reach out to me.<br />
<br />
Questions, comments, suggestions, or experiences? Frustrations related to reverse engineering efforts? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a><br />
<br /></div>
Mark Lohrum<br />
<br />
<b>Examining the image</b> (posted 2014-08-26, updated 2019-04-27)<h3 style="text-align: center;">
See what's underneath the hood</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b>
<br />
<br />
At this point, you have an image of the device. I hope you've patted yourself on the back by now because you
have done more in the field of Android forensics than most people
ever will.<br />
<br />
(If you don't know what a file system is,
go ahead and check out <a href="http://pcsupport.about.com/od/termsf/g/filesystem.htm">this link.</a>)
<br />
<br />
There are some good free Windows
tools for examining an image. Any good forensic tool will allow an examiner to browse around an image file and will not alter the image file in any way. This post will detail FTK Imager by AccessData. So copy your image over to your
Windows environment and install FTK Imager. You can find it on <a href="http://www.accessdata.com/support/product-downloads">this page</a>.<br />
<br />
(Note: If you would prefer to work on Linux, you can run FTK Imager Lite in Wine. If you have Windows, I suggest running it natively in Windows instead of in Linux using Wine.)
<br />
<br />
Open FTK Imager, go
to File → add evidence item → image, and open the image. You'll
see that the image has opened in Imager, and you'll see all of your
partitions. Here's what I see:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAoGki2P9q5O9ZwFV6VxsCPY84QEHrRPyG9jVKUo2EV5YWe0XtnvW-i5lccJ8kGOHz_cHljaNZDDvldjcrxbNuZL7D7PmeKZYDazqo1FCjMbgp1yKG0EKkt6BIXtjKYSyg_ZWTO8zcZUym/s1600/2014-08-26-115515_1366x744_scrot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAoGki2P9q5O9ZwFV6VxsCPY84QEHrRPyG9jVKUo2EV5YWe0XtnvW-i5lccJ8kGOHz_cHljaNZDDvldjcrxbNuZL7D7PmeKZYDazqo1FCjMbgp1yKG0EKkt6BIXtjKYSyg_ZWTO8zcZUym/s1600/2014-08-26-115515_1366x744_scrot.png" width="640" /></a></div>
<br />
<br />
And zoomed in on the left side looks like this:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiP1wlgSvp9SKYsXxfHNeDYM4O7SG7imoC0lSTsF9uqMf18IB8dp2TDdXEl4_TL1o8eKDa2R93wfchDhgmpS8TKyPrJZsMbJdAWKUDoc0tRam5PPWubX6GV-Cp_-mO7YYFRiZ5omwj9vrU/s1600/partitions.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiP1wlgSvp9SKYsXxfHNeDYM4O7SG7imoC0lSTsF9uqMf18IB8dp2TDdXEl4_TL1o8eKDa2R93wfchDhgmpS8TKyPrJZsMbJdAWKUDoc0tRam5PPWubX6GV-Cp_-mO7YYFRiZ5omwj9vrU/s1600/partitions.jpg" /></a></div>
<br />
<br />
At minimum, you will see the partitions
boot, recovery, system, and userdata. Depending on your device, you
could see all kinds of other ones. My phone is a Nexus 5, which as you can see above has a lot of partitions.
<br />
<br />
Expand the “userdata” partition as
seen in the following image:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWgfO6HDY6moPcs78ix2zgBcsM7aEO4PECLnM2SdqpFyA_h0dO2vmFOMRLcvcfSnti08nk1KMRK4_jr-MrpdHoxdsd2ubKkB096jfKr5gjj3EeOmMZkNETE6-R5B5Wyo7DRVjjAT2NjnB0/s1600/userdata_partition.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWgfO6HDY6moPcs78ix2zgBcsM7aEO4PECLnM2SdqpFyA_h0dO2vmFOMRLcvcfSnti08nk1KMRK4_jr-MrpdHoxdsd2ubKkB096jfKr5gjj3EeOmMZkNETE6-R5B5Wyo7DRVjjAT2NjnB0/s1600/userdata_partition.jpg" /></a></div>
<br />
<br />
The image above indicates that
“userdata” contains an unnamed ext4 file system. Ext4 is a Linux
file system, and FTK Imager can read this file system perfectly.
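FTK Imager identifies that file system by reading the ext superblock, and you can confirm the same thing yourself from the raw bytes. The following is an added example of mine, not part of the post and not FTK code. It scans a raw image sector by sector for the ext magic value 0xEF53 at offset 0x38 of the superblock (which sits 1024 bytes into the partition), then decodes the block size, the volume name (empty here, which is why FTK shows the file system as unnamed) and the last mount point. The sample image is constructed: 64 KiB of zeros with one ext4-style superblock placed at a partition starting at 8 KiB. This generalizes past the post's Nexus 5 to any raw image with ext2/3/4 partitions.<br />
<br />

```python
import struct

SECTOR = 512
SUPERBLOCK_OFFSET = 1024   # the superblock starts 1024 bytes into the partition
EXT_MAGIC = 0xEF53         # s_magic, at offset 0x38 within the superblock
INCOMPAT_EXTENTS = 0x40    # s_feature_incompat bit that ext4 sets and ext2/ext3 do not


def parse_superblock(sb):
    """Decode the few superblock fields an examiner cares about from 1024 raw bytes."""
    magic = struct.unpack_from("<H", sb, 0x38)[0]
    if magic != EXT_MAGIC:
        return None
    log_block_size = struct.unpack_from("<I", sb, 0x18)[0]
    if log_block_size > 6:  # sanity check: block sizes run from 1 KiB to 64 KiB
        return None
    inodes = struct.unpack_from("<I", sb, 0x00)[0]
    blocks_lo = struct.unpack_from("<I", sb, 0x04)[0]
    incompat = struct.unpack_from("<I", sb, 0x60)[0]
    name = sb[0x78:0x88].split(b"\x00", 1)[0].decode("latin-1")
    last_mounted = sb[0x88:0xC8].split(b"\x00", 1)[0].decode("latin-1")
    return {
        "block_size": 1024 << log_block_size,
        "inodes": inodes,
        "blocks": blocks_lo,
        "volume_name": name or "(unnamed)",
        "last_mounted": last_mounted,
        "extents": bool(incompat & INCOMPAT_EXTENTS),
    }


def find_ext_filesystems(image):
    """Scan a raw image at sector granularity; return (partition_offset, info) per superblock found."""
    found = []
    for off in range(0, len(image) - SUPERBLOCK_OFFSET - 1024 + 1, SECTOR):
        start = off + SUPERBLOCK_OFFSET
        info = parse_superblock(image[start:start + 1024])
        # a zeroed or random sector will not carry the magic, but also require
        # non-zero inode and block counts so a stray 0xEF53 is not reported
        if info and info["inodes"] and info["blocks"]:
            found.append((off, info))
    return found


def build_sample_image():
    """Constructed 64 KiB image: zeros plus one ext4-style superblock for a partition at 8 KiB."""
    image = bytearray(64 * 1024)
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 0x00, 1024)              # s_inodes_count
    struct.pack_into("<I", sb, 0x04, 4096)              # s_blocks_count_lo
    struct.pack_into("<I", sb, 0x18, 2)                 # s_log_block_size: 4 KiB blocks
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)         # s_magic
    struct.pack_into("<I", sb, 0x60, INCOMPAT_EXTENTS)  # s_feature_incompat
    sb[0x78:0x88] = b"\x00" * 16                        # empty s_volume_name, as in the post
    sb[0x88:0x88 + 5] = b"/data"                        # s_last_mounted
    start = 8 * 1024
    image[start + SUPERBLOCK_OFFSET:start + SUPERBLOCK_OFFSET + 1024] = sb
    return bytes(image)


if __name__ == "__main__":
    for offset, info in find_ext_filesystems(build_sample_image()):
        print(f"partition at byte {offset}: {info}")
```

For a real image, read the file in chunks rather than all at once and keep the sector alignment across chunk boundaries; the scan above loads the whole constructed image because it is tiny. Backup superblocks inside a file system will also match, so expect more hits than partitions and compare the offsets against the partition table.<br />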
<br />
<br />
Navigate around the userdata partition.
(If by chance you have encrypted userdata, you may or may not be
able to make heads or tails of this partition. If you encrypt your
userdata and you don't see a file system and want help decrypting,
contact me.) You'll see directories at the root of the partition,
some of which are quite important. You'll see /data, /app, and you
might see /media. /data stores all of the data associated with your
installed apps, /app stores all apps you have installed, and if there
is a /media, then that is an “internal sd card”, or a directory
which acts like an SD card.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4fRWTc2PFL-sbmud14-8N1riH8dQPFSLkeX-MwUdYkw5BGCu-zq0CqVNgDhvOUT91iL-4Z6SU2qDChJZJ-Bfp-6hhp1KZ3eOSeD9qDw3A8fxHFJpM_67EwEcVZTb-qSuGmv8WuM1ZVu99/s1600/userdata_directory.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4fRWTc2PFL-sbmud14-8N1riH8dQPFSLkeX-MwUdYkw5BGCu-zq0CqVNgDhvOUT91iL-4Z6SU2qDChJZJ-Bfp-6hhp1KZ3eOSeD9qDw3A8fxHFJpM_67EwEcVZTb-qSuGmv8WuM1ZVu99/s1600/userdata_directory.jpg" /></a></div>
<br />
<br />
Browse around the directory data and
find the directory com.android.providers.telephony. This directory
stores data associated with your text messages. Within it is a
directory called databases and a file called mmssms.db. That is a
database file which stores all of your text messages. Pretty cool,
huh? In a future post, I'll show how to open database files. You
can export files by right-clicking on a file, as seen below.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ9LgUYn8UPgERjOESlDM_v6ZyhkxqiQTRq7aMKCGSr286tGWWLtHizYWJXCtvXUGdPyrF-WbD5BRIyLiJG_4JsoRepbPEO7ZBANgMDjXjsEJs8RXwaXxfTlHhzrEwdAzf3Czwd-75Hqa5/s1600/export_file.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ9LgUYn8UPgERjOESlDM_v6ZyhkxqiQTRq7aMKCGSr286tGWWLtHizYWJXCtvXUGdPyrF-WbD5BRIyLiJG_4JsoRepbPEO7ZBANgMDjXjsEJs8RXwaXxfTlHhzrEwdAzf3Czwd-75Hqa5/s1600/export_file.jpg" /></a></div>
<br />
<br />
Navigate around the system partition
and go to the directory app. This directory stores the default installed
apps. Just from the filenames, you'll probably recognize some familiar
names.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBtgJ5HoJXjwnbXyafZJ474TdnChyrGZrp29NDwy4MA64_Y4LEVV24m0ApaJHutAzRRRJy3ADwml2ouRcENXi2GzG7BVF9Br9WUmy1gJoPffkYU1e7w5nLTZ6Qghf1OyL0ORKgoldfsNcx/s1600/system_apps.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBtgJ5HoJXjwnbXyafZJ474TdnChyrGZrp29NDwy4MA64_Y4LEVV24m0ApaJHutAzRRRJy3ADwml2ouRcENXi2GzG7BVF9Br9WUmy1gJoPffkYU1e7w5nLTZ6Qghf1OyL0ORKgoldfsNcx/s1600/system_apps.jpg" /></a></div>
<br />
<br />
With FTK Imager, you can navigate
around an image. You can also extract files so you can interact with
them in another tool. You can also view the hex of an image. Though
it is difficult to make sense of hex, it is important to look at
files, and even entire device images, in hex.
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOulUy7-b4VPqmnkCvIWRC2J_N8Bk_imnCE_hNjEOL2ZqSJArjSxwdE0gdbrrZ5V11a0L3aMPDc9fM4Te4iWF80FPC7CnYV-MgwTI2BoEsYSqIGYsS0poS7_hdCj7O0Hd3HYz32rBXntrO/s1600/2014-08-26-120105_1366x744_scrot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOulUy7-b4VPqmnkCvIWRC2J_N8Bk_imnCE_hNjEOL2ZqSJArjSxwdE0gdbrrZ5V11a0L3aMPDc9fM4Te4iWF80FPC7CnYV-MgwTI2BoEsYSqIGYsS0poS7_hdCj7O0Hd3HYz32rBXntrO/s1600/2014-08-26-120105_1366x744_scrot.png" width="640" /></a></div>
<br />
<br />
For example, you may have deleted a
photograph you took with your camera and cannot recover it (or so you
think.) You may be able to find the photograph in the hex. It takes
an experienced examiner, or a curious tech mind, to do this. It also
helps to have some good forensic tools at your disposal.<br />
<br />
Looking at the hex of files allows you to understand the file at a deeper level. A photograph file opens by default in an image viewer, but the image viewer will not display geolocation data or data related to the camera which took the photograph if it is embedded in the file. Viewing the hex of the file may reveal this kind of data.
<br />
<br />
Previously I mentioned that you can export a file to your computer. Go ahead and export a photograph if you can find one. You may find
some in the userdata partition at /media/0/DCIM, which is your camera
directory (assuming your userdata partition acts like an SD card, and
most modern phones work this way). Pick out a photograph you've
taken and export it to a location on your computer. If you've not installed a hex editor, go ahead and install one. I personally use <a href="http://mh-nexus.de/en/hxd/">HxD Hex Editor</a>, though there are many other wonderful ones.
<br />
<br />
Open the photograph you extracted in a hex editor. You'll notice the first
few bytes of the image look something like this:
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDyt00Rmkd8vUL6YZlCF83Yc0zO26BjgZ9xEVDfYyAIdNeKLvooSw2XDShyJ-BKi3dfN05ng3OBE14k2rj3RZlGtQdK7cvSoykA8i6wsAuAu_mu_EeuO104eok5INFTufxGz2Wph8gXg8-/s1600/Hex_photo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDyt00Rmkd8vUL6YZlCF83Yc0zO26BjgZ9xEVDfYyAIdNeKLvooSw2XDShyJ-BKi3dfN05ng3OBE14k2rj3RZlGtQdK7cvSoykA8i6wsAuAu_mu_EeuO104eok5INFTufxGz2Wph8gXg8-/s1600/Hex_photo.jpg" /></a></div>
<br />
<br />
All JPG files begin with this header.
<br />
<br />
Quick forensics lesson: file headers
and footers. The way we traditionally identify a file type is by the
extension. We see a .jpg file, it's a picture. We see a .docx file,
it's a Word document. (It's actually a ZIP file. Seriously, try it
out. Rename a .docx file to .zip and open it up.) However, that is
not how files actually work. When a .jpg file is encoded and saved,
the first few bytes, or the file header, are FF D8 FF, as seen above. Other
file types, like ZIP archives, PDF documents, and executables, have
their own characteristic headers.
If you take a nasty piece of malware and rename it with a .docx
extension, it may pass under some basic file scanners, but good
forensic tools will identify this renamed file as suspicious, because its header does not match its extension, and
indicate that you should check into it. <a href="http://www.forensicswiki.org/wiki/File_Carving">Here is a good writeup on
file carving</a>, or putting together files based off of headers and
footers.
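As an added example (not code from the original post), here is the header check and the header/footer carve described above in Python: it flags a file whose header disagrees with its extension, and it pulls JPEG fragments out of raw bytes by pairing FF D8 FF with FF D9. The signature table is a hand-picked subset I wrote for the types the post names, and the sample blob is constructed, not a real photo.

```python
"""Identify files by their header bytes and carve JPEGs out of raw data.

Added example (not the blog's code): the signature table below is a
hand-picked subset covering the file types the post mentions.
"""
import os
from typing import List, Optional

# File headers ("magic bytes"). JPEG is FF D8 FF as seen in the hex editor;
# .docx is really a ZIP archive, so it shares the ZIP header.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"MZ": "exe",       # Windows executables and DLLs
}

# Extensions that legitimately carry each header.
EXPECTED_EXTENSIONS = {
    "jpeg": {".jpg", ".jpeg"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".apk", ".jar"},
    "pdf": {".pdf"},
    "exe": {".exe", ".dll"},
}

JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"


def identify(data: bytes) -> Optional[str]:
    """Return the type implied by the first bytes, or None if not in the table."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the header and the extension disagree.

    This is the check that flags an executable renamed to .docx; a file whose
    header is unknown is not flagged, because there is nothing to compare.
    """
    kind = identify(data)
    if kind is None:
        return False
    ext = os.path.splitext(name)[1].lower()
    return ext not in EXPECTED_EXTENSIONS[kind]


def carve_jpegs(blob: bytes) -> List[bytes]:
    """Carve JPEGs from unstructured bytes by pairing header and footer markers.

    Caveat: a camera JPEG usually embeds an EXIF thumbnail with its own
    FF D8 / FF D9 markers, so this naive pairing can stop at the thumbnail;
    real carvers walk the JPEG segment structure instead.
    """
    found = []
    pos = 0
    while True:
        start = blob.find(JPEG_HEADER, pos)
        if start == -1:
            break
        end = blob.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end == -1:
            break
        found.append(blob[start:end + len(JPEG_FOOTER)])
        pos = end + len(JPEG_FOOTER)
    return found


# Constructed sample: two tiny JPEG-like fragments between runs of zero bytes,
# standing in for unallocated space that once held deleted photos.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0JFIFphoto1\xff\xd9"
    + b"\x00" * 8
    + b"\xff\xd8\xff\xe1Exifphoto2\xff\xd9"
    + b"\x00" * 4
)


if __name__ == "__main__":
    for fragment in carve_jpegs(SAMPLE_BLOB):
        print(len(fragment), fragment[:4].hex())
    print(extension_mismatch("invoice.docx", b"MZ\x90\x00"))  # True
```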
<br />
<br />
FTK Imager is a powerful, free tool which allows the user to examine a forensic image. The image of your phone is a file which Windows, Microsoft Office, or any other program you frequently use could not possibly understand, but FTK Imager parses through it perfectly. Android uses the ext4 filesystem, which is a Linux file system that Windows cannot understand, but FTK Imager can parse through it with ease.
<br />
<br />
FTK Imager, however, is limited. It is not a full forensic tool; it is a tool for understanding filesystems. FTK is AccessData's powerful forensic suite, and it is expensive. It is a wonderful tool that I have used for years, but this is a blog about free tools.
<br />
<br />
A free alternative to FTK is <a href="http://www.sleuthkit.org/autopsy/">Autopsy</a>. I will not be covering Autopsy on this post, but I might do a rundown of it in the future. It is a very powerful, free, open source tool with great support. I've had some good luck with Autopsy on Android devices.
<br />
<br />
<b>Summary</b>
<br />
<ul>
<li>FTK Imager can allow the examiner to easily take a look at the image</li>
<li>No forensic tool will alter an image</li>
<li>Headers and footers, not file extensions, determine the file type</li>
<li>Viewing files at the hex level allows for a great understanding of the file</li>
</ul>
Questions, comments, suggestions, or experiences? File system questions? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a><br />
<br /></div>
Mark Lohrum (http://www.blogger.com/profile/07077867576734525405)
<br />
<br />
<b>Live imaging an Android device</b> (posted 2014-08-10, updated 2019-04-27)
<h3 style="text-align: center;">
Not as hard as it sounds if you break it down</h3>
<br />
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Introduction</b><br />
Live imaging an Android device is a
complicated process but I'll do my best to break it down.
<br />
<br />
First, I mentioned in my previous post
that many computer forensic experts are rather opposed to live
imaging. So before I get into the technicals, I'm going to address
forensic soundness here. (If you want to skip the discussion of forensic
soundness, jump ahead to "Imaging the device".)<br />
<br />
<b>Forensic soundness considerations</b>
<br />
Forensic soundness is not a completely
well-defined term. In
a paper titled “The Impact of Full Disk Encryption on Digital
Forensics” by Eoghan Casey and Gerasimos J. Stellatos (Digital Investigation 01/2011; 8:129-134), the authors addressed forensic soundness in
acquiring a live encrypted system, and stated the following:
<br />
<blockquote class="tr_bq" style="margin-bottom: 0in;">
“Setting an absolute standard that dictates 'preserve everything
but change nothing' is not only inconsistent with other forensic
disciplines but also is dangerous in a legal context. Conforming to
such a standard may be impossible in some circumstances and,
therefore, postulating this standard as the 'best practice' only
opens digital evidence to criticisms that have no bearing on the
issues under investigation.”</blockquote>
<br />
Forensic examiners often consider
DNA typing a “gold standard” to which other forensic disciplines
should strive, but when collecting biological samples for DNA
analysis, the scene from which the biological samples are collected
is altered, and the biological samples are actually destroyed during
the analysis. This is a roundabout way of saying that “alter
nothing” and “forensic soundness” do not mean the same thing.
<br />
<br />
In the realm of hard drive forensics,
we are truly spoiled. With a write blocker and hashing techniques
(like SHA-256), we can image a hard drive and authenticate the image
as an exact copy of the original without altering the original
drive's data. (Note: when the drive is powered on, it spins, so the
drive's state changes at a physical level, but if hooked to a write
blocker the data does not change.) Other digital forensic
disciplines are often held to the same standard as hard drive
forensics in terms of forensic soundness, for better or for worse.
<br />
<br />
Live imaging absolutely requires
altering the device data. What I recommend is to document every step
of the way if you pursue live imaging and to be careful to avoid
unnecessary changes to the device. The files we will load to the
device to do the imaging are very small, and I would recommend
documenting the size of these files before loading them to the
device.
<br />
<br />
<b>Imaging the device</b>
<br />
Now that all of that is out of the way: as I
stated in a previous blog post, imaging a device (whether dead or
live) requires three things: a data connection between the device and
the computer, an exploit, and the imaging command. Let's knock them
out one at a time.
<br />
<br />
<b>Data connection between the device and
the computer</b>
<br />
Connect the phone you want to image to
the Linux computer. If you have not installed the Android SDK, do so
now. (Update: I more recently <a href="http://freeandroidforensics.blogspot.com/2017/07/using-windows-to-live-image-android.html">posted on how to use Windows to make an image</a>, but I do not fully endorse the method.)
<br />
<br />
We will be communicating with the phone
using the Android Debug Bridge tool, or adb. Here's the official
write-up on it: <a href="http://developer.android.com/tools/help/adb.html">developer.android.com/tools/help/adb.html</a>
<br />
<br />
Next, we need to treat the device as a
debug device. There's a good official writeup here:
<a href="http://developer.android.com/tools/device.html">developer.android.com/tools/device.html</a>
<br />
<br />
Follow the above link, then open up a
terminal window. If you have installed adb and it is in your
system's PATH, type the following:<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">adb devices</span></blockquote>
<br />
If adb is not in your PATH, then
navigate to the directory including your adb binary and type the
following:
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">./adb devices</span></blockquote>
<br />
If you don't know what I'm talking
about, I recommend including adb in your PATH. Check out this
website for an explanation: <a href="http://www.linfo.org/path_env_var.html">http://www.linfo.org/path_env_var.html</a>
and if you would like further clarification, Google it, post in the
comments section, or <a href="mailto:freedroidforensics@gmail.com">contact me</a> and I'll help you out.
<br />
<br />
Now, if when you type “adb devices”,
you see something along these lines:<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">~$ adb devices<br />* daemon not running. starting it now on port 5037 *<br />* daemon started successfully *<br />List of devices attached<br />03************17<span class="Apple-tab-span" style="white-space: pre;"> </span>device</span></blockquote>
then adb has found your phone. Great. If you type “adb devices” and all
you see is the following:<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">~$ adb devices<br />List of devices attached </span></blockquote>
then something went wrong and your
computer is not seeing your device. <a href="mailto:freedroidforensics@gmail.com">Reach out to me</a> and I'll try to
walk you through.
<br />
<br />
If your computer recognizes your
device, then you in fact have a data connection between your computer
and phone.
<br />
<br />
<b>Exploit</b>
<br />
Note: In this section, I will explain my personal way of rooting a phone and installing busybox. If you have a preferred method or if you find a way specific to your phone online that you would like to try, go for it. At the end of this section, you will need your phone rooted and have busybox installed, and there are multiple means to this end.
<br />
<br />
In 2009 and 2010 when the newest
Android devices ran Android 2.2 and 2.3, security was a bit of a
problem. You could run all kinds of one-click root exploits and gain
an easy root shell. It was simple.
<br />
<br />
Then the developers at Google tightened
the kernel quite a bit. In the newest versions of Android, there is
not a public universal live Android exploit …
<br />
… until recently. A well-known security
researcher wrote a tool called Towel Root, available at
https://towelroot.com/. The exploit is a universal Android exploit
that should work on all kernels released prior to June 2014.
Download the exploit at the following link: https://towelroot.com/tr.apk
<br />
<br />
A few notes on rooting your device:
<br />
<ul>
<li>you may void your warranty</li>
<li>root privilege is a powerful thing.
You can easily make a mistake and “brick” your device</li>
<li>if you render your device useless
while following my blog or my advice, I am not responsible. You root
your phone at your own risk. If by chance you do damage your device,
<a href="mailto:freedroidforensics@gmail.com">contact me</a> and I'll do my best to get you out of your rut.</li>
</ul>
<br />
To run the exploit, all you have to do
is install the app. Once you've downloaded the app, run the
following command from your command line on your Linux computer
connected to your device:
<br />
<br />
<blockquote class="tr_bq">
<span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">adb -d install /path/to/tr.apk</span></blockquote>
(where, obviously, /path/to stands for the directory you downloaded the file to)
<br />
<br />
That command installs towelroot on your
device. Don't run the app yet, but we will soon. Go ahead and
verify it is on your device. It will appear in your app menu.
<br />
<br />
Next, install Busybox Installer from
the Google Play Store:
<a href="https://play.google.com/store/apps/details?id=com.jrummy.busybox.installer&hl=en">https://play.google.com/store/apps/details?id=com.jrummy.busybox.installer&hl=en</a>.
Busybox installs some extra Linux commands that are not installed by
default on Android. We'll need the netcat, or nc, command, which is
included in Busybox.<br />
<br />
You can also download Busybox and install the APK by sideloading it. You can find this APK with a Google search and install it via Android Debug Bridge. I mention this option because if you have a phone without a Google account, you cannot use the Play Store.
<br />
<br />
I also advise installing a root
manager. I recommend SuperSU. Here's a writeup on it:
<a href="http://lifehacker.com/5895134/supersu-for-android-manages-root-permissions-so-you-dont-have-to">http://lifehacker.com/5895134/supersu-for-android-manages-root-permissions-so-you-dont-have-to</a>
and here's a link to SuperSU …
<a href="https://play.google.com/store/apps/details?id=eu.chainfire.supersu">https://play.google.com/store/apps/details?id=eu.chainfire.supersu</a>
<br />
<br />
Now, go to your Towelroot app and
follow the instructions to root. Assuming no errors, you are rooted.
It's a fast process. Next, open your Busybox app and follow the
instructions to install. Again, assuming no errors, you have Busybox.
<br />
<br />
Now it is time to have some fun. On
your Linux computer, type the following:
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">adb -d shell</span></blockquote>
<br />
This starts up a shell session with
your phone, allowing you to type commands to your phone and interact
with it. From here on (or until you end the session), commands you
type are issued to the phone. Refer to the previous adb link to see
a writeup about shell commands on the phone.
<br />
<br />
Now type the following:
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">su</span></blockquote>
<br />
If you installed SuperSU, you may need
to push an OK button on the phone, as mentioned in the lifehacker
writeup. Assuming no errors, all of the next commands until you end
this session run as root. Just to check to see if you are in fact
root, type the following:
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">ls /data</span></blockquote>
<br />
If you get some kind of error, you are
not root, because only the root user can read the /data directory.
If you are root, you can see and edit the entire directory. Don't
screw up, or else you may convert your phone into an expensive
paperweight. If you're all set to this point, you have successfully
exploited your phone. Give yourself a pat on the back for making it
this far.
<br />
<br />
<b>Imaging command</b>
<br />
At this point, you are root and all
ready to image. We will be using the dd command, which allows us to
read and write block device files, and the netcat command, which
lets us send a stream of data across a network port, to read the block device
representing the entire phone and write it to your computer across
the USB connection. Easy, right?
<br />
<br />
Read over the following link on the
/dev directory and device blocks. It will help make some sense: <a href="http://www.linuxjournal.com/article/2597">http://www.linuxjournal.com/article/2597</a>
<br />
<br />
The actual command you will be using to image the device is rather specific to the device you have. It is because we need to image the right block. <a href="mailto:freedroidforensics@gmail.com">Reach out to me</a> to find the right block for your device and I will give you an imaging command. You may want to image the entire device or just a certain partition and I can guide you through an imaging command as needed. For my personal phone (Nexus 5), the head block of the device is /dev/block/mmcblk0. I'll write a guide for how to image my personal device.<br />
<br />
To image the device, you need to run
commands in two different sessions: one shell session to the
device, and one shell session to your computer. Open up a terminal window and adb into your device. Then open up a new
terminal window (it will open as a shell to your computer, not your
phone) and navigate to the directory where you intend to store your
image. Note: if you create the image on a volume formatted FAT32,
the maximum file size is 4 gigabytes, so imaging the device would
require splitting the file. For simplicity, I suggest imaging to a
volume formatted ext or NTFS. Also, make sure the volume has enough
space for the device image, which will be as large as the device's
storage. For my phone, I need 32 gigabytes of storage to image.
<br />
<br />
Now, in the shell to your computer in
the directory of your choosing, type the following:
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">adb forward tcp:8888 tcp:8888</span></blockquote>
<br />
This command tells adb to forward TCP port 8888 on your computer to
TCP port 8888 on the device, so a connection to 127.0.0.1:8888 on the
computer reaches the netcat listener on the phone.
<br />
<br />
Next, in the root shell to your device, type the following:
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">dd if=/dev/block/mmcblk0 | busybox nc -l -p 8888</span></blockquote>
<br />
This command reads the contents of
/dev/block/mmcblk0 (the head block of my device) and writes it via
port 8888 across adb using netcat.
<br />
<br />
Finally, back in the shell to the
computer, type the following:
<br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">nc 127.0.0.1 8888 > device_image.dd</span></blockquote>
<br />
This command saves the output of the
contents across port 8888 (which will be the results of reading
/dev/block/mmcblk0 on the device, or the complete image of the
device) to the file device_image.dd.
<br />
<br />
If there are no errors, you are imaging
the device. The window will “freeze”, or not accept any more
commands, because it is busy executing this command. When the imaging
process is done, you will be able to type commands into this shell
window again. To confirm, open a new terminal window, navigate to
the directory where you are saving the image, and type ls -l. This
will give a file listing, including file size. If the size of your
file is increasing, you are successfully imaging your device.
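As an added example that is not part of the original post, here is a Python stand-in for the computer-side step <code>nc 127.0.0.1 8888 &gt; device_image.dd</code> that also records the byte count and SHA-256 of the image while it arrives, which is the documentation the forensic-soundness section above asks for. The names receive_image, verify_image, serve_once and demo_roundtrip are mine, and serve_once is a constructed stand-in for the device end (dd piped into busybox nc) so the script runs offline against a fake partition rather than a phone.

```python
"""Computer-side receiver for the dd | netcat imaging pipeline, with integrity bookkeeping.

Added example (not the blog's code). receive_image() replaces
`nc 127.0.0.1 8888 > device_image.dd`; serve_once() is a constructed stand-in
for the device end (`dd if=/dev/block/mmcblk0 | busybox nc -l -p 8888`).
"""
import hashlib
import os
import socket
import tempfile
import threading
from typing import Tuple


def receive_image(host: str, port: int, out_path: str,
                  chunk: int = 1 << 20) -> Tuple[int, str]:
    """Stream every byte from host:port into out_path.

    Returns (bytes written, SHA-256 hex digest), computed while writing so the
    image can be documented without a second pass over a 32 GB file.
    """
    digest = hashlib.sha256()
    total = 0
    with socket.create_connection((host, port)) as sock, open(out_path, "wb") as out:
        while True:
            buf = sock.recv(chunk)
            if not buf:          # sender closed the connection: dd is finished
                break
            out.write(buf)
            digest.update(buf)
            total += len(buf)
    return total, digest.hexdigest()


def verify_image(path: str, expected_size: int, expected_sha256: str) -> bool:
    """Independently re-read the saved file and compare size and hash.

    expected_size would come from the device (the block's size in bytes) and
    expected_sha256 from hashing the same block on the device itself.
    """
    if os.path.getsize(path) != expected_size:
        return False
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for buf in iter(lambda: fh.read(1 << 20), b""):
            digest.update(buf)
    return digest.hexdigest() == expected_sha256


def serve_once(payload: bytes, host: str = "127.0.0.1") -> int:
    """Constructed stand-in for the device side: listen once, send payload, close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


# Constructed "partition" contents: not a real image, just enough bytes to
# cross several recv() calls when a small chunk size is used.
SAMPLE_PARTITION = (b"\x00" * 4096) + b"ANDROID!" + bytes(range(256)) * 64


def demo_roundtrip(chunk: int = 1024) -> Tuple[int, int, str, str, bool]:
    """Run the whole pipeline locally; returns (got_bytes, expected_bytes,
    got_sha256, expected_sha256, verified)."""
    expected_sha = hashlib.sha256(SAMPLE_PARTITION).hexdigest()
    port = serve_once(SAMPLE_PARTITION)
    out_path = os.path.join(tempfile.mkdtemp(), "device_image.dd")
    got_bytes, got_sha = receive_image("127.0.0.1", port, out_path, chunk=chunk)
    ok = verify_image(out_path, len(SAMPLE_PARTITION), expected_sha)
    return got_bytes, len(SAMPLE_PARTITION), got_sha, expected_sha, ok


if __name__ == "__main__":
    print(demo_roundtrip())
```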
<br />
<br />
Give yourself another pat on the back.<br />
<br />
<b>Summary</b><br />
<ul>
<li>Imaging an Android device requires three things:</li>
<ul>
<li>A data connection between the device and the computer</li>
<li>An exploit</li>
<li>An imaging command</li>
</ul>
<li>You've read over how to image my device.</li>
<li><a href="mailto:freedroidforensics@gmail.com">Reach out to me</a> to help find the imaging command for your personal device</li>
</ul>
<br />
That’s all for now. Next page (which I'll post when ready) examines your image.<br />
<br />
Questions, comments, suggestions, or experiences? Other preferred ways to image Android devices without expensive kits? Leave a comment below, or <a href="mailto:freedroidforensics@gmail.com">send me an email.</a><br />
<br /></div>
Mark Lohrum (http://www.blogger.com/profile/07077867576734525405)