Android Emulator  

PensiveHike
(@pensivehike)
New Member

Hi guys,

Has anyone got any experience with Android Emulators?

I work for LE and the case I'm working on contains IIOC and inciting of children. We have downloaded a phone and recovered a video created with screen recording software (DU Recorder) showing a victim. Plus there are several other .rec files found in the same folder location, which we assume are videos that were not saved/discarded and may be recoverable to show further victims.
The .rec videos do not play, so my idea was to put these files into the recording software and see if they could be recovered.

Cellebrite is supposed to have an emulator within PA, but we cannot seem to find how to use it. The videos we have seen are of them selling their product.

We have also tried some software that you throw the working video at, it should recognise the format and then decode the other files. This hasn't worked though as the software expects there to be something in the first sector of the .rec file that isn't there.

There appear to be quite a few emulators out there and I don't want to try them all so would like suggestions of reliable/powerful ones to use. I'm open to suggestions and possibly other methods to try to recover the .rec files.

Thank you for your time.

Posted : 06/11/2018 7:03 am
dandaman_24
(@dandaman_24)
Active Member

EDITED -
The emulator function within PA is pretty simple, just follow the instructions. Download the virtualisation software from the Cellebrite portal.

DO NOT USE ANDYROID, ONLY USE DISTRO FROM CELLEBRITE

Open PA - go to the app virtualisation section - select your apps and away you go.

Posted : 06/11/2018 10:47 am
PensiveHike
(@pensivehike)
New Member

How do you populate the table with apps? Ours is blank.

Posted : 06/11/2018 12:09 pm
mcman
(@mcman)
Active Member

I haven't used Cellebrite's implementation but I always hated using Andy, felt dirty and I was never comfortable running it outside a sandbox (and never on my forensics machine). I always liked NOX as an emulator. I did a webinar on Android emulators here if you want an overview of a few:
https://www.magnetforensics.com/recorded-webinars/android-emulators-when-an-android-device-isnt-an-android-device/

Not sure if it would work in your case but could be useful. I've installed apps and then just dropped media in the appropriate path and had success before.

Another option is to skip the emulator altogether and just find a way to play the recording. It could be proprietary, but I often use VLC as my first pass to try and play videos since it covers a lot; if not, I'll try to convert it to something a little more recognizable using something like Handbrake, which works quite well and supports a lot of formats as well.

Hopefully one of those options works for ya, good luck

Jamie McQuaid
Magnet Forensics

Posted : 06/11/2018 2:12 pm
polar
(@polar)
Junior Member

> I haven't used Cellebrite's implementation but I always hated using Andy, felt dirty and I was never comfortable running it outside a sandbox (and never on my forensics machine).

Hear hear. Especially after they bundled a cryptocurrency miner in some versions.

Posted : 06/11/2018 5:37 pm
B1N2H3X
(@b1n2h3x)
New Member

Alexis Brignoni did a great post on manually doing this with NOX on his blog: https://abrignoni.blogspot.com/2017/08/viewing-extracted-android-app-data.html

Posted : 06/11/2018 8:05 pm
RonS
(@rons)
Active Member

In the context of the new Android Emulator solution that was integrated into Cellebrite UFED PA, please only use the Emulator package that is distributed by Cellebrite and can be downloaded from the Cellebrite user portal, as it is a clean version that does not include any commercial advertising.

A few weeks ago there was a webinar that explained and demonstrated the usage and the different use cases of this new great capability. Please approach support to get a link to that recorded webinar.

Best regards,
Ron Serber

Posted : 07/11/2018 5:54 pm
mcman
(@mcman)
Active Member

> please only use the Emulator package that is distributed by Cellebrite and can be downloaded from Cellebrite user portal, as it is a clean version that does not include any commercial advertising.

Thanks for the clarification Ron. My comments weren't directed to Cellebrite's implementation, only to Andy in general for anyone looking to download it directly from their website. Glad to see a clean implementation for Andy or any emulator, as they can be quite useful in an investigation, but there are definitely some risks to using them as the developers look to make money from either ads, data leakage, or crypto mining as others have mentioned.

Jamie

Posted : 07/11/2018 7:02 pm
greatkate8
(@greatkate8)
New Member

The webinar was called "The Convergence of Physical & Virtual Data for Faster Discovery of Evidence" and it is on their website. If for some reason you can't access it, I can share my notes.

Posted : 07/11/2018 8:43 pm
PensiveHike
(@pensivehike)
New Member

Thank you for the responses guys. I'm trying each of the suggestions to see which works best.

Posted : 13/11/2018 9:38 am