Android forensics essential training download
So, the objective of this exercise is to use an emulator to show how we can take backups from devices and then how we can analyze them later. Now, run the following command to get the backup from the device.
Make sure that the device is unlocked before you run the command. You can check it as shown below. Now, using this stable adb binary, run the same command as shown below.
When you run the above command, the device will show the following screen asking for user confirmation. As we can see, we have got the backup. This is in Android Backup format, which is understandable only to the device. We should now convert this backup file into a format that can be used by us.
The next step is to convert the. Android backup extractor v If -useenv is used, yourenv is tried when password is not given. If -debug is used, information and passwords may be shown. Now, we have got the tar file in the above step. This is because we are going to extract the tar file in the next step, which may produce many files in the working directory. This can be done as shown below. As you can notice, all the applications that are backed up are located here. Note: If the developer of an application explicitly disables backup using AndroidManifest.
As we can see in the above figure, there are a few folders within the app directory. Following is the description for each of these apps. There is a file called browser2.
Goal: You have been given a backup file called chatlock. Analyze the chatlock. Navigate to this directory and convert this backup file to a tar archive as shown below. Navigating to the app com. There are a couple of interesting files. Exploring the contents of com. Goal: You have been given a backup file called sms.
Analyze the sms. Navigate to com. As you can see in the above figure, there is a file called mmssms. We can query it as shown below. Logical acquisition is the process of extracting data that is accessible to the users of the device, and hence it cannot acquire deleted data or data in unallocated space. The above statement has limitations in some cases: we can recover deleted data from an SQLite database that was acquired using logical acquisition.
So, the objective of this exercise is to use an emulator to show how we can perform logical acquisition using the tools available in Santoku Linux. In this section, we will learn the techniques to extract sensitive data from an Android device using adb.
But having root access will always be an advantage to extract more data from the device. We will also use some popular logical acquisition tools, which already exist. As discussed in one of our previous exercises, it is important to know where and how the data is stored in the device.
Examining this directory for individual applications will give a lot of information to the examiner. To start examining the data of our interest, we should know that each application has a unique package name under which it stores all its data on the device. As we can see in the above figure, adb pull command went ahead and fetched all the files inside the specified package name. There may be cases where SQLite database files have no extension. As you can see in the above figure, there are a couple of interesting tables out there.
We can see the contents of any table using standard SQL commands. Similar to how we have extracted SMS from inbuilt SMS app databases, we can extract the browser history just by using the path of the browser app.
Now the pull should succeed. AFLogical performs a logical acquisition of any Android device running Android 1. This exercise shows you the step-by-step procedure to manually use the AFLogical OSE tool to extract the data from the emulator. After running the above command, you should see the agent installed on the target device. The above figure shows the successful installation of AFLogical on the target device. Now, launch the app and select whichever data you want to extract.
As shown in the above figure, AFLogical shows a message after successfully completing the extraction process. As shown in the above figure, AFLogical has saved the report in CSV format. We have successfully pulled SMS. With the growth of mobile phones, SQLite databases contain a great amount of data, due to the fact that most mobile apps use SQLite databases for their local data storage needs.
Recovering deleted data from SQLite databases is always a necessary task during a forensics examination. SQLite databases store deleted data within the database itself. So, this particular Python script tries to get deleted data from SQLite databases, specifically by exploring unallocated and free blocks within the database file. Output to a tsv file. Strips white space, tabs and. Will output data field in a raw format and.
Now cross check the contents of downloads. We can see the contents of this file to check if the deleted data has been recovered. Another interesting yet easy way to recover data from SQLite databases is running strings command on the database file. This will show all the data from the database in a clear manner as shown below.
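To make "unallocated and free blocks" concrete, the following Python is an added example written for this page; it is not the script the exercise refers to (which the page never names) and not the strings command. It parses the SQLite file header, walks the freelist trunk chain to find whole pages that were freed (for example by DROP TABLE), and pulls printable strings out of those pages and out of the slack and freeblocks that a deleted row leaves inside each b-tree page. It assumes an ordinary rollback-journal database written with secure_delete off, since with secure_delete on SQLite zeroes freed space and there is nothing left to recover.

```python
import re
import struct
SQLITE_MAGIC = b"SQLite format 3\x00"
BTREE_HDR = {0x02: 12, 0x05: 12, 0x0A: 8, 0x0D: 8}  # b-tree page type byte -> page header size

def freelist_pages(data, page_size):
    """Walk the freelist trunk chain (file header offset 32) and return every free page number."""
    trunk = struct.unpack(">I", data[32:36])[0]
    pages, seen = [], set()
    while trunk and trunk not in seen:             # seen-guard stops cycles in a corrupt file
        seen.add(trunk)
        p = data[(trunk - 1) * page_size:trunk * page_size]
        next_trunk, count = struct.unpack(">II", p[:8])
        pages.append(trunk)
        pages.extend(struct.unpack(">%dI" % count, p[8:8 + 4 * count]))
        trunk = next_trunk
    return pages

def unallocated_regions(page, is_first):
    """Yield page slack: the gap before the cell content area plus every freeblock left by a deleted cell."""
    off = 100 if is_first else 0                   # page 1 begins with the 100-byte file header
    if page[off] not in BTREE_HDR:                 # overflow / pointer-map page: nothing to parse
        return
    first_free, ncells, content_start = struct.unpack(">HHH", page[off + 1:off + 7])
    content_start = content_start or 65536
    ptr_end = off + BTREE_HDR[page[off]] + 2 * ncells
    if content_start > ptr_end:
        yield page[ptr_end:content_start]
    seen = set()
    while first_free and first_free not in seen and first_free + 4 <= len(page):
        seen.add(first_free)
        nxt, size = struct.unpack(">HH", page[first_free:first_free + 4])
        yield page[first_free + 4:first_free + size]  # first 4 bytes of the old cell are overwritten
        first_free = nxt

def recover_deleted_strings(path, minlen=6):
    """Return (page_number, region_kind, bytes) for printable runs in free pages and page slack."""
    with open(path, "rb") as f:
        data = f.read()
    assert data[:16] == SQLITE_MAGIC, "not an SQLite 3 database: %s" % path
    raw = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if raw == 1 else raw         # header value 1 encodes a 65536-byte page
    free = set(freelist_pages(data, page_size))
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % minlen)
    hits = []
    for n in range(1, len(data) // page_size + 1):
        page = data[(n - 1) * page_size:n * page_size]
        regions = [("free-page", page)] if n in free else [("slack", r) for r in unallocated_regions(page, n == 1)]
        hits += [(n, kind, s) for kind, blob in regions for s in pattern.findall(blob)]
    return hits
```

Run it against a working copy of mmssms.db rather than the pulled evidence file; each hit is a (page, region, bytes) tuple, and because the first four bytes of a deleted cell are overwritten by the freeblock header, recovered records usually lack their rowid.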
This exercise discusses how we can carve files from raw images. Specifically, we are going to do it using a tool called scalpel, which is preinstalled in Santoku. Carving makes use of the internal structure of a file.
A file is a block of stored information like an image in a JPEG file. OSForensics can generate Rainbow Tables for different input parameters. Some example Rainbow Tables are available below for download. You can also download and use Indexed Rainbow Tables from rainbowtables. The rainbow tables can also be purchased as a set pre-loaded onto a hard disk.
To install the Rainbow Tables, you must download the individual zip files linked above, and unzip them into the RainbowTables folder located in the OSForensics program data folder. Compile or download the latest APK. Then install the APK file on your device: either copy the APK to your device and run it there, or use adb shell.
On your Android device, open the AFLogical OSE application, choose what data you want to extract, and follow the prompts to extract the data.
You can then copy the data from your SD card to your computer to view the content, either by removing the external SD card and connecting it to your computer, or by using adb pull. If you would like to contribute code, please fork this repository, make your changes, and then submit a pull request.
The smartphone market is growing rapidly. With the drastic changes in technology, smartphones are becoming targets of criminals.