This Python script dumps all important SQLite Databases from a connected Android smartphone to the local disk and analyzes these files in a forensically accurate workflow. If no smartphone is connected you can specify a local directory which contains the databases you want to analyze. Afterwards this script creates a clearly structured XML report.
If you connect a smartphone you need a rooted and insecure kernel or a custom recovery installed on the smartphone.
Forensic principles: ADEL is intended to treat data in a forensically correct way. This goal is reached by the fact that activities are not conducted directly on the phone but on a copy of the databases. This procedure assures that data does not become changed, neither by the users of ADEL nor by an uncompromised operating system. In order to proof the forensic correctness of ADEL, hash values are calculated prior and after each analysis, to guarantee that dumped data did not become changed during analysis.
Extendibility: ADEL has been modularly built and contains two separate modules: the analysis and the report module. Predefined interfaces exist between these modules and both of them can be easily amended by additional functions. The modular structure allows for dumping and analyzing further databases of smartphones without great effort and facilitates updates of the system in the future.
Usability: The use of ADEL is intended to be as simple as possible to allow its use by both qualified persons and non-experts. At best, the analysis of the mobile phone is conducted in an autonomous way so that the user does not receive any notice of internal processes. Moreover, the report module creates a detailed report in a readable form, including all of the decoded data. During the execution, ADEL optionally writes an extensive log file where all of the important steps that were executed are traced.
ADEL needs a predefined configuration for each device to work proper. This configuration has to be added in the following file:
xml/phone_configs.xml
As an example we added the configuration for the Samsung Galaxy S2 running Android 2.3.3, more phone configurations will follow.
Example for the use of ADEL with a connected smartphone:
adel.py -d device -l 4
Example for the use of ADEL with database backups:
adel.py -d /home/user/backup -l 4
In the current development state, the following databases are forensically treated and parsed:
- telephone and SIM-card information (e. g. IMSI and serial
number)
- telephone book and call lists,
- calendar entries,
- SMS messages,
- GPS locations from different sources on the smartphone.
ADEL now makes use of a custom recovery image based on the Clockworkmod-Recovery. Due to this change you do not need to modify the kernel or the adb daemon anymore. Furthermore, on some newer smartphones you can load the modified recovery to RAM via fastboot, so you don't need to do any persistent changes to the smartphone.
Download and more information
Fuente: http://www.ehacking.net/2014/06/android-data-extractor-lite-adel.html
No hay comentarios:
Publicar un comentario