Title: Open Source Forensics on Android
Post by: sil on June 03, 2011, 03:27:10 PM

Alright, since no one has posted in a little bit, I decided to post some of my ramblings I sent to some friends. As some may or may not know, I'm doing the DFRWS Android forensics challenge for fun and thought I would share, in the event any of you ever have to do some open source "scalpel/foremost" forensics scalpeling on Android images....

I already did my entry for the challenge using both EnCase and FTK but also am doing it the freebie way now with a modified version of CAINE. (Mine now has testdisk, Android SDK, yaffs2 file system, Volatility, etc.)

My quick way to parse out the numbers dialed from the forensic image:

Code:
# printable runs starting with '!' and at least ten digits, drop anything with letters, dedupe
strings *.img | grep '^\![0-9]\{10\}' | grep -vi '[a-z]' | sort -u

In action: (numbers are X'd out to avoid giving away answers to the challenge)

Code:
root@phorensix:/media/sdb1/DFRWS# strings *.img | grep '^\![0-9]\{10\}' | grep -vi '[a-z]' | sort -u
!2xxxxxxxxxxxxxxxxxx
!4xxxxxxxxx
!4xxxxxxxxx
!5xxxxxxxxx

I can pipe it out and do a reverse lookup for the number(s) found as well from a terminal:

Code:
# strip the leading '!', wrap each number in a links(1) reverse-lookup command and run it
strings *.img | grep '^\![0-9]\{10\}' | grep -vi '[a-z]' |\
  sort -u | sed 's:\!::g;s:^:links -dump "http\://www.whitepages.com/search/ReversePhone?full_phone=:g;s:$:":g' | sh

God AW(K)ful parsing of sms message addressees: (in action)

Code:
# field 7 of FORW records, keep the ones with '@', strip colons, sort, then drop adjacent duplicates
root@phorensix:/media/sdb1/DFRWS# strings mtdblock6.img | awk '/FORW/{print $7}' | awk '/@/{gsub(/:/,"");print $1|"sort"}' | awk '$0 != a; {a=$0}'
sxxxxxx@xxxxxxxx.com
sxx.xxxxxxx@xxxxx.com

Still working on the disks as time allows however, foremost and scalpel are raping my storage space forcing me to plop on another 500GB for this Android image:

Code:
root@phorensix:/media/sdb1/DFRWS# df -h | grep G
/dev/sda1             195G  4.6G  180G   3% /
/dev/sdb1             493G  226G  242G  49% /media/sdb1

Original sizes of forensics:

Code:
root@phorensix:/media/sdb1/DFRWS# ls -ltha *.img | awk '{print $8"\t"$5}'
mtdblock6.img   262M
mtdblock7.img   2.0M
mtdblock5.img   93M
mtdblock4.img   141M
mtdblock0.img   1.5M
mtdblock1.img   384K
mtdblock3.img   4.5M
SDCard.img      0

After Scalpel rapes my disk with its carving:

Code:
root@phorensix:/media/sdb1/DFRWS# du -h DFRWS{0..7} | grep -vi /
du: cannot access `DFRWS2': No such file or directory
du: cannot access `DFRWS4': No such file or directory
4.5M    DFRWS0
8.0K    DFRWS1
7.9M    DFRWS3
16M     DFRWS5
219G    DFRWS6
8.0K    DFRWS7

Mind you I'm not even done, I have to re-scalp mtdblock4.img and mtdblock7.img. The total process for *6.img has taken 5 hours so far, has grown to 219G and it's only 72.6% done as of right now. Like crawlingly slow. Not even my industrial music makes it seem any faster and that is averaging about 120+bpms give or take 80bpms if it's KMFDM.

Title: Re: Open Source Forensics on Android
Post by: sil on June 03, 2011, 03:38:33 PM

More fun (because I'm painfully waiting for scalpel to finish), to get a quick glimpse at anything that was saved (files, pdf, doc, ppt, etc.):

Code:
# printable runs mentioning /sdcard/ or /data/, minus system/package noise, first occurrence only
strings *.img | grep -i "/sdcard/\|/data/" |\
  grep -vi "<\|>\|\!\|(\|)\|system\|;\|=\|#\|*\|com.\|%" |\
  awk '!($0 in a) {a[$0];print}'

Unfortunately this carving will likely be running until circa 10PM it seems
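The three string-carving pipelines above (dialed numbers, SMS addressees from FORW records, saved-file paths) as one offline Python script, added here as an example and not code from the thread. It re-implements the `strings` heuristic itself so it runs without binutils, generalizes the FORW step to every address on the record instead of only field 7, and the `!`-prefix record layout, minimum-length and exclusion lists are taken from the post's grep patterns; SAMPLE_IMG is a constructed stand-in for an mtdblock image.

```python
import re

# Runs of 4+ printable ASCII bytes, the default heuristic of GNU strings.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Dialed numbers: '!' then at least ten digits (the post's grep '^\![0-9]\{10\}'), letters rejected.
_DIALED = re.compile(r"^!(\d{10,})$")
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Paths under the two user-data trees the post greps for.
_PATH = re.compile(r"/(?:sdcard|data)/[\w./-]+")
# Tokens the post's second grep -v drops (system/package noise, markup, shell-ish junk).
_NOISE = ("<", ">", "!", "(", ")", "system", ";", "=", "#", "*", "com.", "%")


def strings(blob: bytes):
    """Yield printable runs the way `strings` would, so the image never needs a shell."""
    for m in _PRINTABLE.finditer(blob):
        yield m.group().decode("ascii")


def dialed_numbers(blob: bytes):
    """Deduplicated dialed numbers, leading '!' stripped (what the sed in the post does)."""
    return sorted({m.group(1) for s in strings(blob) for m in [_DIALED.match(s)] if m})


def sms_addressees(blob: bytes):
    """Email addresses carried by FORW records (the post's awk '/FORW/' stage)."""
    found = set()
    for s in strings(blob):
        if "FORW" in s:
            found.update(_EMAIL.findall(s))
    return sorted(found)


def user_paths(blob: bytes):
    """/sdcard/ and /data/ paths with the post's noise filter applied, first occurrence only."""
    found = set()
    for s in strings(blob):
        if any(tok in s for tok in _NOISE):
            continue
        found.update(_PATH.findall(s))
    return sorted(found)


# Constructed sample image: binary padding around the record shapes the thread greps for.
SAMPLE_IMG = (b"\x00\xffGARBAGE\x01!5551234567\x00!4155550100\x00\x00!5551234567\x00!12ab\x00"
              b"FORW 1 2 3 4 5 alice.smith@example.com:\x00"
              b"/sdcard/download/report.pdf\x00/data/data/com.example.app/x\x00"
              b"/sdcard/DCIM/IMG_0001.jpg\x00")

if __name__ == "__main__":
    print(dialed_numbers(SAMPLE_IMG), sms_addressees(SAMPLE_IMG), user_paths(SAMPLE_IMG))
```

Point the functions at `open("mtdblock6.img", "rb").read()` (or a memory-mapped file for the 262M image) to run them on a real dump.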