Android forensic analysis with Autopsy
Nowadays we have lots of commercial mobile forensics suites. Oxygen Forensic Analyst and Detective, Cellebrite UFED, MSAB XRY, just to name a few. Of course, these tools are very, even extremely, powerful and are able to extract huge datasets from lots of mobile devices including Android. But it’s always good to have an open source alternative to the commercial ones. And we have good news: there is an open source tool called Autopsy suitable for performing Android forensic examinations.
Of course, this tool is not a new one. It’s widely used by thousands of digital forensic examiners from all over the world for traditional computer forensics, especially file system forensics. It’s was created as a graphical interface for the Sleuth Kit, but since version 3 was completely rewritten and became Windows-based.
The most actual version now is 4.0.0. It’s very important to note that it has the Android Analyzer Module. This module is able to extract the following artifacts:
- text messages (SMS / MMS);
- call logs;
- Tango messages;
- Words with Friends messages;
- GPS from the browser and Google Maps;
- GPS from cache.wifi and cache.cell files.
But this is not the only module suitable for Android forensics. There are also such important modules, as EXIF Parser Module, Keyword Search Module, PhotoRec Carver Module and some others.
Let’s create a case and add an Android physical image. Start the suite and you’ll see the Welcome window:
We need to create a new case, so choose the corresponding option.
It’s time to start filling in our case information:
Start from the case name, we choose “WeAre4n6_Android_Test”, our base directory is D:\, you can choose your own, so our data will be stored in D:\ WeAre4n6_Android_Test.
Setting the case number and examiner’s name is optional, you can skip it if you want:
It’s high time to choose our data source:
In our case it’s an Android userdata partition physical image (userdata.dd), located at C:\Users\Olly\Desktop. Don’t forget about setting the correct timezone!
Now choose the ingest modules you want to run on the image:
Don’t forget to choose Android Analyzer! Exif Parser, Keyword Search and PhotoRec Carver are also very useful. Also make sure you checked Process Unallocated Space option – it’ll be automatically carved with PhotoRec.
That’s it! Now our image is being analyzed by Autopsy Ingest Modules:
Here is what we got from the Android Analyzer module:
As you can see, quite a lot of data is extracted automatically. Call logs, contacts, GPS trackpoints and messages are extracted by Android Analyzer module, EXIF metadata is extracted by EXIF Parser module, files with wrong extensions are detected by Extension Mismatch Detector module, web cookies, web downloads, web history and web searches are extracted by Recent Activity module.
Extension Mismatch Detector module is very useful for Android forensics, for example, it can be used to find cached images:
As you can see, this cached image has “0” extension instead of “jpg”:
Analyzing its location we come to the conclusion that this image is cached by “Odnoklassniki” – a popular Russian social media application.
Also Autopsy supports automatic deleted files recovery from Ext4 file system:
Finally, PhotoRec Carver module helps a mobile forensic examiner to extract data from unallocated space via carving technique:
This article has shown that Autopsy is quite powerful open source tool for Android forensics with a number of modules capable of both data parsing and recovery.
About the authors:
Interests: Computer, Cell Phone & Chip-Off Forensics
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics