Android Free Forensic Toolkit - Alpha release

(@fivetwozero)
Active Member
Joined: 11 years ago
Posts: 6
Topic starter  

Hi guys

I am an aspiring forensic developer who has created something I believe will be of use to the forensic community. It is a free toolkit for extracting communications and select app data from an Android image (it will also do the honours in dumping the image over-the-wire via ADB).

It is a mostly-automated tool and the data it extracts is in universal format, that is, plain-text files. The app list it handles so far is

- Facebook (and Messenger) - notifications, cached messages, cached media, contacts, VoIP call logs

- WhatsApp - cached/downloaded media, decrypts and dumps messages

- GMail - mailboxes for all registered accounts (looks messy in a text file)

- Skype - account details, call logs, IM messages, contact details, SMS Messages to Skype numbers, group chat participants and logs, video messages

- SMS/MMS - Full Message logs

- Contacts - Full contact details, including services available on and service user ID

- Call log - Full call log, including contact name, contact number and where the contact info is stored

I will be adding more apps to the support list in time, but this is only a first release. You can find a link at SourceForge. You can install the .deb file or view/install the source yourself, the full details are in the link.

NOTES The data extraction tools can only be used in Linux. This is because Windows lacks the required loopback interfaces and OSX doesn't support Ext 2/3/4. You can use the tool on a Live-CD and copy the results onto your hard drive.

You need to root the Android device and install BusyBox to obtain the image. This should be in keeping with ACPO so long as you explain why it's necessary.

UPDATE I've released Alpha 2, full changelog is below, but the basic idea is that operability in Windows and OSX has improved, as has interoperability between other methods of imaging.


(@ashishsingh)
Eminent Member
Joined: 11 years ago
Posts: 29
 

Hi,

I really appreciate your work. Will surely go for testing it. I also have some experience with Android development. Let me know if you need any assistance.

Regards


(@fivetwozero)
Active Member
Joined: 11 years ago
Posts: 6
Topic starter  

Hi,

I really appreciate your work. Will surely go for testing it. I also have some experience with Android development. Let me know if you need any assistance.

Regards

Thank you. If you have any feedback regarding device compatibility, that would be most helpful as I have only tested this on two devices myself and both of those are from the Nexus range. I am aware some manufacturer ROMs have quirks that might make them incompatible with the tool.

Alternatively, if you feel an Android application should be covered by the tool (I know I left out some important ones in the initial release), you can contribute a BASH script to extract the data from the database and/or file cache. I left a template in there to help integrate any custom scripts into the tool.

You will, of course, receive full attribution for any code you submit or any feedback that leads to fixes or new features.
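As an added illustration of the kind of per-app extraction script the original post and this reply describe (a script that reads an app database from a mounted image and writes the results out as plain text), here is a small Python example. It is not AFFT's own code and not the BASH template the author mentions; it assumes only the AOSP telephony `sms` table layout (`address`, `date` in milliseconds since the epoch, `type` with 1 = inbox and 2 = sent, `body`), builds a constructed sample `mmssms.db` so it runs offline, opens the database read-only and immutable, and hashes the file before and after to show the extraction did not alter the evidence.

```python
"""Extract SMS records from an Android mmssms.db into a plain-text report.

Added example, not part of AFFT. Assumes the AOSP telephony `sms` table
schema; the sample database below is constructed for the demo.
"""
import datetime
import hashlib
import sqlite3
import tempfile
from pathlib import Path

# AOSP Telephony.Sms MESSAGE_TYPE_* values.
SMS_TYPES = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox",
             5: "failed", 6: "queued"}


def build_sample_db(path):
    """Create a constructed mmssms.db with the subset of columns we read."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER,"
                " address TEXT, date INTEGER, type INTEGER, body TEXT)")
    rows = [  # constructed sample data
        (1, 1, "+15550001111", 1374000000000, 1, "Meet at 6?"),
        (2, 1, "+15550001111", 1374000060000, 2, "Yes, see you there"),
        (3, 2, "+15550002222", 1374003600000, 1, "Call me"),
        (4, 2, "+15550002222", 1374003700000, 7, "type not in AOSP table"),
    ]
    con.executemany("INSERT INTO sms VALUES (?,?,?,?,?,?)", rows)
    con.commit()
    con.close()


def sha256_file(path):
    """Hash the evidence file so we can prove extraction left it unchanged."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def extract_sms(db_path):
    """Read the sms table through a read-only, immutable connection.

    immutable=1 tells SQLite not to create journal/WAL files or take locks,
    which matters when the image is mounted read-only.
    """
    uri = f"file:{Path(db_path).as_posix()}?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    con.row_factory = sqlite3.Row
    rows = con.execute("SELECT _id, thread_id, address, date, type, body "
                       "FROM sms ORDER BY date").fetchall()
    con.close()
    records = []
    for r in rows:
        # Android stores the timestamp in milliseconds since the Unix epoch.
        ts = datetime.datetime.fromtimestamp(r["date"] / 1000,
                                             tz=datetime.timezone.utc)
        records.append({
            "id": r["_id"],
            "thread": r["thread_id"],
            "address": r["address"],
            "time": ts.strftime("%Y-%m-%d %H:%M:%S UTC"),
            # Keep unknown type codes visible instead of silently dropping them.
            "direction": SMS_TYPES.get(r["type"], f"unknown({r['type']})"),
            "body": r["body"],
        })
    return records


def write_report(records, out_path):
    """Write one line per message in the 'universal' plain-text form."""
    lines = [f"{r['time']} | {r['direction']:<10} | thread {r['thread']} | "
             f"{r['address']} | {r['body']}" for r in records]
    Path(out_path).write_text("\n".join(lines) + "\n", encoding="utf-8")
    return len(lines)


def run_demo():
    """Build the sample db, extract it, and verify the evidence hash is unchanged."""
    work = Path(tempfile.mkdtemp(prefix="afft_demo_"))
    db = work / "mmssms.db"
    build_sample_db(db)
    before = sha256_file(db)
    records = extract_sms(db)
    count = write_report(records, work / "sms.txt")
    after = sha256_file(db)
    return {"count": count, "hash_before": before, "hash_after": after,
            "records": records, "report": str(work / "sms.txt")}


if __name__ == "__main__":
    result = run_demo()
    print(Path(result["report"]).read_text())
    print("evidence unchanged:", result["hash_before"] == result["hash_after"])
```

On a real image the `db_path` would point at `data/data/com.android.providers.telephony/databases/mmssms.db` under a read-only loopback mount; the hash check is the part worth keeping in any contributed script, since it documents that the extraction step did not touch the source database.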

(@droopy)
Estimable Member
Joined: 11 years ago
Posts: 136
 

Nice tool, you could take some ideas from andriller.com

(@fivetwozero)
Active Member
Joined: 11 years ago
Posts: 6
Topic starter  

Nice tool, you could take some ideas from andriller.com

This is interesting. I especially like the lockscreen bruteforcing.

(@fivetwozero)
Active Member
Joined: 11 years ago
Posts: 6
Topic starter  

Just released Alpha 2. The changelog

- AFFT now detects the OS it is run on, and changes its available options appropriately.

- Importing of image files acquired through other means is now supported.

- Extracting data from Google Maps, Google Calendar API and AOSP Email is now supported.

- AFFT can now break screenlocks; be aware this is a last-resort tool. This was added in no small part due to a suggestion up above. I haven't got lockscreen cracking written in yet, but I am working on it.

- The AFFT case file structure is no longer limited to the home directory, and is now user-configurable. Great for Live-CD use.

- AFFT now asks for root access upfront.

- Extraction on Windows and OSX is now possible with the help of third party mounting tools.
