Intro to Static Forensic Analysis of an Android Image
In this post we are going to be talking about static forensics on an entire Android image, not on a single piece of malware or a single application. The goal here is to get general user information out of the phone rather than to find a traditional malicious compromise. So you have a dd image of an Android phone; what now? Let's dig into using The Sleuth Kit, or TSK for short. TSK is a collection of open source forensics tools that are free, easy to operate, and produce reliable results.
We will start by running fdisk on our image for some holistic info: fdisk -l dump.img
Next, we want to read all of the partitions on the disk with mmls, simply run: mmls dump.img
This also tells us where each partition begins and ends.
From here, we can start to read specific partitions with fls. The -o value is the partition's starting sector as reported by mmls (for example, let's take a look at the 'userdata' partition): fls -r -o 0003133700 dump.img > userdata_filestruct.txt
Sweet! That's a lot of data. Let's start by finding and extracting some information useful to our objective, such as user data stores. The pattern is quoted so the shell does not expand it as a glob:
grep '\.db' userdata_filestruct.txt
Let's grab some of the most interesting and basic databases for user communication:
mmssms.db
telephony.db
downloads.db
mail.db
*@gmail.com.db
emailDB.db
search_history.db
suggestions.db
Take the inode (metadata address) that fls printed for each file you want to recover, for example mmssms.db, and carve it out with icat, keeping the same partition offset:
icat -o 0003133700 dump.img 263147 > mmssms.db
The databases are mostly sqlite, so browsing them with the cli is quick and easy:
md5sum mmssms.db
sqlite3
.open mmssms.db
.tables
select * from sms;
Boom! In less than five commands we've carved the SMS database. You will notice the timestamps are in epoch time. I wrote the following quick script to convert them to UTC for you (Updated script*):
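The author's script is not reproduced on this page, so here is an added example (my own code, not the author's) that does the same job: it opens a carved mmssms.db read-only, reads the sms table, and converts the date column to UTC. It assumes the standard Android sms schema, where date is milliseconds since the epoch and type 1/2 mean inbox/sent; the sample database it builds is constructed, not carved from a real phone.

```python
import datetime as dt
import os
import sqlite3
import tempfile


def epoch_to_utc(value):
    """Convert an Android epoch timestamp to a UTC string.

    The sms table stores `date` in milliseconds; some other tables use
    seconds, so values below 1e11 are treated as seconds (assumption).
    """
    value = int(value)
    seconds = value / 1000 if value >= 100_000_000_000 else value
    return dt.datetime.fromtimestamp(seconds, tz=dt.timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def dump_sms(db_path):
    """Return (address, utc_date, direction, body) for every row of the sms table."""
    kinds = {1: "inbox", 2: "sent"}  # Telephony.Sms MESSAGE_TYPE_INBOX / MESSAGE_TYPE_SENT
    # mode=ro: never write to evidence; compare md5sum before and after to prove it
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT address, date, type, body FROM sms ORDER BY date").fetchall()
    finally:
        con.close()
    return [(addr, epoch_to_utc(date), kinds.get(typ, f"type {typ}"), body)
            for addr, date, typ, body in rows]


def make_sample_db():
    """Constructed stand-in for a carved mmssms.db (only the columns used above)."""
    path = os.path.join(tempfile.mkdtemp(), "mmssms.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, type INTEGER, body TEXT)")
    con.executemany("INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)", [
        ("+15555550100", 1356998400000, 1, "Happy new year"),  # 2013-01-01 00:00:00 UTC
        ("+15555550100", 1357002000000, 2, "You too"),         # one hour later, sent
    ])
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    for row in dump_sms(make_sample_db()):
        print(*row, sep=" | ")
```

Point dump_sms at the mmssms.db you carved with icat to get the same listing for real data.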
There are definitely more advanced and streamlined tools out there, but The Sleuth Kit, aka the forensics command line Swiss Army knife, is a reliable and free approach. This is also just an intro and not at all comprehensive; there are other guides out there on more advanced techniques. FTK and Cellebrite are other great approaches, and it's always wise to use more than one tool and compare the results.