Android Forensic

This Python script dumps all necessary SQLite Databases from a connected automaton smartphone to the native disk and analyzes these files in an exceedingly forensically correct progress. If no smartphone is connected you'll be able to specify an area directory that contains the databases you wish to researchsubsequently this script creates a clearly structured XML report. 



If you connect a smartphone you would like a frozen and insecure kernel or a custom recovery put inon the smartphone. 

Forensic principles: ADEL is meant to treat knowledge in an exceedingly forensically correctmethod. This goal is reached by the very fact that activities aren't conducted directly on the phonehowever on a duplicate of the databases. This procedure assures that knowledge doesn't becomemodified, neither by the users of ADEL nor by Associate in Nursing uncompromised software systemso as to proof the rhetorical correctness of ADEL, hash values area unit calculatedprevious and when every analysis, to ensure that drop knowledge didn't become modifiedthroughout analysis. 

Extendibility: ADEL has been modularly designed and contains 2 separate modules: the analysis and also the report module. Predefined interfaces exist between these modules and each of them may besimply amended by further functions. The standard structure permits for merchandising and analyzing additional databases of smartphones while not nice effort and facilitates updates of the system within the future. 

Usability: the utilization of ADEL is meant to be as easy as doable to permit its use by eachqualified persons and non-experts. At best, the Associate in Nursingalysis of the movable is conducted in an autonomous method so the user doesn't receive any notice of internal processes. Moreover, the report module creates a close report in an exceedingly clear kindtogether with all of the decoded knowledgethroughout the execution, ADEL optionally writes an in depth log filewherever all of the necessary steps that were dead area unit derived.





ADEL wants a predefined configuration for every device to figure correct. This configuration shouldbe another within the following file: 

"xml/phone_configs.xml"

As Associate in Nursing example we tend to another the configuration for the Samsung Galaxy S2 running automaton a pair of.3.3, a lot of phone configurations can follow. 
Example for the utilization of ADEL with a connected smartphone: 

adel.py -d device -l four 

Example for the utilization of ADEL with info backups: 

adel.py -d /home/user/backup -l four 


In the current development state, the subsequent databases area unit forensically treated and parsed:

phonephone and SIM-card data (e. g. IMSI and serial number) 
phonebook and decision lists, 
calendar entries, 
SMS messages, 
GPS locations from totally different sources on the smartphone. 


ADEL currently makes use of a custom recovery image supported the Clockworkmod-Recovery. as a result of this alteration you are doing not ought to modify the kernel or the adb daemon any longermoreover, on some newer smartphones you'll be able to load the changed recovery to RAM via fastboot, thus you do not ought to do any persistent changes to the smartphone.

Android information Extractor

Appie is a software package that has been pre-configured to function as an Android Pentesting Environment on any Windows based machine without the need of a VM or dualboot.
It is completely portable and can be carried on USB stick or your smartphone. It is one of its kind Android Security Analysis Tool and is a one stop answer for all the tools needed in Android Application Security Assessment, Android Forensics, Android Malware Analysis.

Why Appie was created ?

Just because i wanted something awesome instead of traditional virtual machines.

Difference between Appie and existing environments ?

  • Tools contained in Appie are running on host machine instead of running on virtual machine.
  • Less Space Needed(Only 800MB compared to atleast 10 GB of Virual Machine)
  • Less consumption of RAM. Only 20 MB needed in ideal state compared to atleast 1GB on Virtual Machines.
  • As the name suggests it is completely Portable i.e it can be carried on USB Stick or on your own smartphone and your pentesting environment will go wherever you go without any configuring changes.
  • Awesome Interface :)

What Does Appie Mean ?

In the search for an awesome name ,i found Appie which stands for Android Pentesting Portable Integrated Environment and the most important thing the name define itself.

Getting Started

  • Download the file.
  • Unzip the file.
  • Click on the executable Appie in the extracted folder.
  • Go through the Usage
I have also started a series on Android Application Security for the ones who need to learn about android application security.In that series i have used Appie extensively.

Which tools are included in Appie ?

Usage

  • Androguard Usage
    You can use any file from androguard project by just typing it’s filename , like given below.
  • Pidcat Usage
    In order view logcat entries for org.owasp.goatdroid.fourgoats, type pidcat org.owasp.goatdroid.fourgoats in Appie and you would see something similar.
  • Androwarn Usage
    Type androwarn in the console to open androwarn directory and then see usage for it’s usage.
  • Volatility Usage
    Type volatility in the console to use this.
  • Wireshark Usage
    Type wireshark in Appie console to open wireshark within Appie.
  • Drozer Usage
    • Type in drozer console connect and drozer application will load up in the right half.
  • Type sublime in the console and it will load up Sublime Text in the right half.It has been customized like this to have a better experience while testing. No hassle of Tabs/Windows.
  • Type apktool in the Appie and it will list the default options of apktool.
  • Introspy can be used by just typing introspy in the console.
  • Burpsuite
    Type burp in the Appie console to open up BurpSuite.
  • eclipse can be used to launch Eclipse for Android Application Development.
  • Androidguard SublimeText Plugin
    • CTRL+F5: open a APK/DEX/ODEX/AXML/ARSC files
    • F5: switch to Dalvik Bytecodes to source codes, switch to AndroidManifest.xml summary to original xml file
    Click on the GIF to view it.
  • Jd-GUI Usage
    • Type jdgui in the console and a new tab will open with JD-GUI in it .
  • Keywords
    like apktool, eclipse, dex2jar, adb, sqlite3 can be directly used in the console and will link to the corresponding files.

To Do

  • New Logo.Currently i’m using logo of Conemu.If you could suggest something, i am all ears :)
  • Currently i’m figuring out a way to make Genymotion also portable and ship with the Appie with better configuration.

How Appie kickstarted ?

Actually when i started in Android Application Security ,I found that there are so many tools which are needed during the assessment of Android Applications and every penetration tester had to install those in his system.One way to skip those installations would be to work on a Virtual Machine(based on Android Security) like Santoku-Linux but i personally do not like virtual machines because working on VM and working on Host machine is never the same.
One day I came across Cmder which is an amazing portable console emulator for windows.It has all the UNIX utilities like ls,cat,find,cp etc which are not there in windows so it gives experience of linux while working on windows environment.That was the day when I thought of getting those Android Security tools in to Cmder and make something which could the change the experience of a security professional to something intuitively amazing.
The main credit goes to awesome Project Cmder without which this awesome tool could not have been existed.

Frequently Asked Questions

Q. When it will be available for Linux/Mac?
Currently this is only available for windows but yes i am figuring out something for Linux/Mac as well. But for now you can run Appie on Win7/Win8 Virtual machine. Appie doesn’t need any software pre-installed on the machine, it contain all the environments like Java Runtime Environment, Python Environment neccessary for it’s running.
Q. I am interested in Android Security and willing to learn it. Do you know any resources where i could start ?
Yes. Actually myself have started an Android Application Security Series in which i have started from the very basics and explained each vulnerability in detail. Hope you will like it :)
Q. How can i work in FullScreen in Appie ?
Just press Alt + Enter while using Appie to go in FullScreen Mode and do the same to come back in normal mode.
Q. How could i resize Appie ?
If you move your cursor along it edges then outer boundary start appearing and you can resize using it but this procedure is something everyone is not able to follow.
There is an alternative way to da this
  • Right click on the top bar and then click on settings.
  • Then a new window will appear then uncheck “Hide caption Always” and then save settings as given below.
  • Then Appie would look something like this.
  • You can now resize the window as you would like. After that you can again go to setting and check that option again and save settings.
Appie will save your current windows size and will open as it is when you open next time.
Q. Why is Appie throwing up red flags with being malware?
Actually Appie is packed by UPX which is identified as malware by some antivirus softwares. You can scan Appie.exe with virtustotal.com and see the result. As an alternative there is a Appie.bat file in the same directory which upon running won’t show any warnings.
Q. ADB is not running properly.
Actually in order to run adb with your emualtor, you need to set the path of Android SDK Tools in your emulator.
Android SDK TOOLS Path:- path_to_appie/bin/adt/sdk/
If you are using Genymotion Device as your emulator then follow the procedure below.
  • First go to Genymotion then click on settings.
  • Then in the ADB tab, select “Use Custom Android SDK Tools”
  • Then select the path of sdk folder which is located at path_to_appie/bin/adt/sdk/
It will through an error that “AAPT tool not found”. Ignore it. Actually AAPT is used for drag and drop feature in genymotion which we don’t require.