Open Source Forensics on Android

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Jun 03, 2011 3:27 pm

Open Source Forensics on Android

Alright, since no one has posted in a little bit, I decided to post some of my ramblings I sent to some friends. As some may or may not know, I'm doing the DFRWS Android forensics challenge for fun and thought I would share, in the event any of you ever have to do some open source "scalpel/foremost" forensics scalpeling on Android images....

I already did my entry for the challenge using both EnCase and FTK but am also doing it the freebie way now with a modified version of CAINE. (Mine now has testdisk, Android SDK, yaffs2 file system, Volatility, etc.)


My quick way to parse out the numbers dialed from the forensic image:

  Code:
# '[a-z]' is quoted so the shell cannot glob it against a one-letter file name; it drops hits that also contain letters
strings *.img | grep '^\![0-9]\{10\}' | grep -vi '[a-z]' | sort -u


In action: (numbers are X'd out to avoid giving away answers to the challenge)

  Code:
root@phorensix:/media/sdb1/DFRWS# strings *.img | grep '^\![0-9]\{10\}' | grep -vi [a-z] | sort -u
!2xxxxxxxxxxxxxxxxxx
!4xxxxxxxxx
!4xxxxxxxxx
!5xxxxxxxxx


I can pipe it out and do a reverse lookup for the number(s) found as well from a terminal:

  Code:
# '[a-z]' quoted so the shell cannot glob it; sed strips the "!" and wraps each
# number in a links -dump reverse-lookup command line, which sh then runs
strings *.img | grep '^\![0-9]\{10\}' | grep -vi '[a-z]' |\
sort -u | sed 's:\!::g;s:^:links -dump "http\://www.whitepages.com/search/ReversePhone?full_phone=:g;s:$:":g'|sh


God AW(K)ful parsing of sms message addressees: (in action)

  Code:
root@phorensix:/media/sdb1/DFRWS# strings mtdblock6.img | awk '/FORW/{print $7}' | awk '/@/{gsub(/:/,"");print $1|"sort"}' | awk 'a !~ $0; {a=$0}'
sxxxxxx@xxxxxxxx.com
sxx.xxxxxxx@xxxxx.com


Still working on the disks as time allows; however, foremost and scalpel are raping my storage space, forcing me to plop on another 500GB for this Android image:

  Code:
root@phorensix:/media/sdb1/DFRWS#  df -h | grep G
/dev/sda1             195G  4.6G  180G   3% /
/dev/sdb1             493G  226G  242G  49% /media/sdb1


Original sizes of forensics:

  Code:
root@phorensix:/media/sdb1/DFRWS# ls -ltha *.img | awk '{print $8"\t"$5}'
mtdblock6.img   262M
mtdblock7.img   2.0M
mtdblock5.img   93M
mtdblock4.img   141M
mtdblock0.img   1.5M
mtdblock1.img   384K
mtdblock3.img   4.5M
SDCard.img      0


After Scalpel rapes my disk with its carving:


  Code:
root@phorensix:/media/sdb1/DFRWS# du -h DFRWS{0..7}|grep -vi /
du: cannot access `DFRWS2': No such file or directory
du: cannot access `DFRWS4': No such file or directory
4.5M    DFRWS0
8.0K    DFRWS1
7.9M    DFRWS3
16M     DFRWS5
219G    DFRWS6
8.0K    DFRWS7


Mind you, I'm not even done; I have to re-scalp mtdblock4.img and mtdblock7.img. The total process for *6.img has taken 5 hours so far, has grown to 219G, and it's only 72.6% done as of right now. Like crawlingly slow. Not even my industrial music makes it seem any faster, and that is averaging about 120+ bpm, give or take 80 bpm if it's KMFDM.
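An added example in the same spirit as the strings/grep one-liner above (my own code, not the poster's or any DFRWS tooling): it pulls the "!" + digits dialed-number records out of a raw flash image, but also reports the byte offset of each hit so a finding can be located and re-checked in the image later. The "!" + ten-digit layout is taken from the thread; the sample image, the function names and the use of tr as a portable stand-in for strings are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. tr maps every non-printable byte
# to a newline one-for-one, so grep's -b offsets on the transformed stream are
# still byte offsets into the original image (strings -t d would do the same,
# but tr is available everywhere).

# Print "offset<TAB>number" for every printable run that is exactly "!" followed
# by ten or more digits. A run polluted with letters, or one that is too short,
# is rejected, matching the post's grep -vi '[a-z]' filter.
dialed_numbers_with_offsets() {
  LC_ALL=C tr -c '[:print:]\n' '\n' < "$1" |
    LC_ALL=C grep -abE '^![0-9]{10,}$' |
    awk -F: '{ printf "%d\t%s\n", $1, substr($2, 2) }'
}

# The same hits reduced to "number<TAB>count", most frequent first, then by number.
dialed_numbers_summary() {
  dialed_numbers_with_offsets "$1" | cut -f2 | sort | uniq -c |
    sort -k1,1nr -k2,2 | awk '{ printf "%s\t%d\n", $2, $1 }'
}

# Constructed sample "image" (no real data): junk bytes around the records,
# one duplicate number, one record polluted with letters, one too short.
make_sample_image() {
  printf 'xx\000\001!4155550100\000\000junk\n!5105550111\000\003' > "$1"
  printf '!4155550100\000!abc4155550100\000!123456789\000!2125550199' >> "$1"
}

# Stand-alone run against the constructed image.
img="${TMPDIR:-/tmp}/sample_mtdblock.img"
make_sample_image "$img"
dialed_numbers_with_offsets "$img"
dialed_numbers_summary "$img"
rm -f "$img"
```

Point it at mtdblock6.img instead of the sample and the offset column is what you bookmark in a hex viewer to confirm the surrounding record before reporting a number.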
sil

Post Fri Jun 03, 2011 3:38 pm

Re: Open Source Forensics on Android

More fun (because I'm painfully waiting for scalpel to finish), to get a quick glimpse at anything that was saved (files, pdf, doc, ppt, etc.):


  Code:
strings *.img|grep -i "/sdcard/\|/data/"|\
grep -vi "<\|>\|\!\|(\|)\|system\|;\|=\|#\|*\|com.\|%"|\
awk '!($0 in a) {a[$0];print}'


Unfortunately, this carving will likely be running until circa 10PM, it seems.
