Alright, since no one has posted in a little bit, decided to post some of my ramblings I sent to some friends. As some may or may not know, I'm doing the DFRWS Android forensics challenge for fun and thought I would share, in the event any of you ever have to do some open source "scalpel/foremost" forensics scalpelnig on Android images....
I already did my entry for the challenge using both EnCase and FTK but also am doing it the freebie way now with a modified version CAINE. (Mines now has testdisk, Android SDK, yaffs2 file system, Volatility, etc.)
My quick way to parse out the numbers dialed from the forensic image:
strings *.img | grep '^\![0-9]\{10\}' | grep -vi [a-z] | sort -u
In action: (numbers are X'd out to avoid giving away answers to the challenge)
root@phorensix:/media/sdb1/DFRWS# strings *.img | grep '^\![0-9]\{10\}'
| grep -vi [a-z] | sort -u
!2xxxxxxxxxxxxxxxxxx
!4xxxxxxxxx
!4xxxxxxxxx
!5xxxxxxxxx
I can pipe it out and do a reverse lookup for the number(s) found as well from a terminal:
strings *.img | grep '^\![0-9]\{10\}' | grep -vi [a-z] |\
sort -u | sed 's:\!::g;s:^:links -dump "http\://www.whitepages.com/search/ReversePhone?full_phone=:g;s:$:":g'|sh
God AW(K)ful parsing of sms message addressees: (in action)
root@phorensix:/media/sdb1/DFRWS# strings mtdblock6.img | awk
'/FORW/{print $7}' | awk '/@/{gsub(/:/,"");print $1|"sort"}' | awk 'a !~
$0; {a=$0}'
sxxxxxx@xxxxxxxx.com
sxx.xxxxxxx@xxxxx.com
Still working on the disks as time allows however, foremost and scalpel are raping my storage space forcing me to plop on another 500GB for this Android image:
root@phorensix:/media/sdb1/DFRWS# df -h | grep G
/dev/sda1 195G 4.6G 180G 3% /
/dev/sdb1 493G 226G 242G 49% /media/sdb1
Original sizes of forensics:
root@phorensix:/media/sdb1/DFRWS# ls -ltha *.img | awk '{print $8"\t"$5}'
mtdblock6.img 262M
mtdblock7.img 2.0M
mtdblock5.img 93M
mtdblock4.img 141M
mtdblock0.img 1.5M
mtdblock1.img 384K
mtdblock3.img 4.5M
SDCard.img 0
After Scalpel rapes my disk with its carving:
root@phorensix:/media/sdb1/DFRWS# du -h DFRWS{0..7}|grep -vi /
du: cannot access `DFRWS2': No such file or directory
du: cannot access `DFRWS4': No such file or directory
4.5M DFRWS0
8.0K DFRWS1
7.9M DFRWS3
16M DFRWS5
219G DFRWS6
8.0K DFRWS7
Mind you I'm not even done, I have to re-scalp mtdblock4.img and mtdblock7.img. The total process for *6.img has taken so far 5 hours, has grown to 219G and its only 72.6% done as of right now. Like crawlingly slow. Not even my industrial music makes it seem any faster and that is averaging about 120+bpms give or take 80bpms if its KMFDM.
GCIH - GIAC Certified Incident Handler : Passed my GCIH
