Android Analyzer

Good Evening,

I have acquired several images of a Samsung A20 Android 9 phone, including a .zip, .ad, .tar, and .ab_extracted. However, when I use Android Analyzer Ingest, there are no results. Any help would be greatly appreciated. The following are screenshots:


Open up your Logical File Set and see if you have the Android data folders in there. It should look something like this:

It should work fine even if the data folder isn’t at the top level - it just needs to be in there somewhere. Most (possibly all) of the data parsed by Android Analyzer comes from these folders. For example, here’s a call log extracted from data/com.sec.android.provider.logsprovider/databases/logs.db:

A lot of the results come from .db files (contacts2.db, logs.db, mmssms.db, etc) so you could see if any of those exist in your data set.

Thank you for getting back to me quickly. For an odd reason, the backups that I conducted do not contain a data directory. However, I am able to manually view the mms.db. Here is the tree:

Unfortunately, I don’t think the parser is going to work unless the databases are in the paths it expects. It’s not a great solution but if you’re only interested in a small number of the files (like contacts and messages) you could move those files into their expected path and then ingest your new folder structure as a logical file set. You might have to look at each python module to figure out what path/database name it expects.

Thank you. I will try that. Do you know a better way to back up an Android device? I used Android Studio and as you can see, it did copy the file structure appropriately.

I believe we used adb for our test phones, but I believe you need to root them to get all the data. Others here may have better suggestions.


Ok. So I created the folder that Android Analyzer is looking into for text messages and changed the name of the file to what it's expecting, and it will not pick anything up. Any other recommendations?

Put that folder under “data” and try again

Still not ingesting.

Ok that’s confusing. I checked the code and all that should be required is that “com.android.providers.telephony” is somewhere in the path of mmssms.db. Here’s a test I just ran (only ran Android Analyzer):

If you use the application viewer in the lower right section and look at the tables, do you see data? Can you check the log to see if there are any errors? Go to Help->Open log folder to find them.

The application viewer works like a charm. However, it doesn’t ingest.

Here is a screen shot of the logs:

Here is log 6:
2020-05-10 19:10:47.304 org.sleuthkit.autopsy.keywordsearch.Server isRunning
INFO: Solr server is running
2020-05-10 19:10:47.434 org.sleuthkit.autopsy.imagegallery.datamodel.DrawableDB setPragmas
INFO: sqlite-jdbc version 3.25.2 loaded in native mode
2020-05-10 19:10:47.442 org.sleuthkit.autopsy.casemodule.Case openAsCurrentCase
INFO: Opened 19-0006637 (19-0006637_20200424_105149) in C:\Users\agonzalez\Documents\19-0006637 as the current case
2020-05-10 19:10:51.233 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Correlation Engine, version = 4.15.0
2020-05-10 19:10:51.24 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Data Source Integrity, version = 4.15.0
2020-05-10 19:10:51.244 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Drone Analyzer, version = 4.15.0
2020-05-10 19:10:51.25 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Embedded File Extractor, version = 4.15.0
2020-05-10 19:10:51.258 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Encryption Detection, version = 4.15.0
2020-05-10 19:10:51.263 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Exif Parser, version = 4.15.0
2020-05-10 19:10:51.268 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Extension Mismatch Detector, version = 4.15.0
2020-05-10 19:10:51.276 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = File Type Identification, version = 4.15.0
2020-05-10 19:10:51.276 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Hash Lookup, version = 4.15.0
2020-05-10 19:10:51.282 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Interesting Files Identifier, version = 4.15.0
2020-05-10 19:10:51.286 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = PhotoRec Carver, version = 7.0
2020-05-10 19:10:51.292 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Plaso, version = 4.15.0
2020-05-10 19:10:51.298 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Virtual Machine Extractor, version = 4.15.0
2020-05-10 19:10:51.299 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Keyword Search, version = 4.15.0
2020-05-10 19:10:51.3 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Email Parser, version = 4.15.0
2020-05-10 19:10:51.301 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Recent Activity, version = 4.15.0
2020-05-10 19:10:51.302 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Object Detection, version = 4.15.0
2020-05-10 19:10:59.014 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = GPX Parser, version = 1.2
2020-05-10 19:10:59.014 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Android Analyzer, version = 4.15.0
2020-05-10 19:11:42.673 org.sleuthkit.autopsy.ingest.IngestPipelinesConfiguration getInstance
INFO: Creating ingest module loader instance
2020-05-10 19:11:42.68 org.sleuthkit.autopsy.ingest.IngestMonitor$MonitorTimerAction logMonitoredRootDirectory
INFO: Monitoring disk space of C:
2020-05-10 19:11:42.68 org.sleuthkit.autopsy.ingest.IngestManager startIngestJob
INFO: Starting ingest job 0
2020-05-10 19:11:42.749 org.sleuthkit.autopsy.recentactivity.SearchEngineURLQueryAnalyzer loadConfigFile
INFO: Load successful
2020-05-10 19:11:42.843 org.sleuthkit.autopsy.ingest.DataSourceIngestJob logInfoMessage
INFO: Starting first stage analysis (data source = LogicalFileSet1, objId = 1, jobId = 0)
2020-05-10 19:11:42.844 org.sleuthkit.autopsy.ingest.DataSourceIngestJob logInfoMessage
INFO: Scheduling first stage data source level analysis tasks (data source = LogicalFileSet1, objId = 1, jobId = 0)
2020-05-10 19:11:42.845 org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline process
INFO: Recent Activity analysis of LogicalFileSet1 (jobId=0) starting
2020-05-10 19:11:42.85 org.sleuthkit.autopsy.recentactivity.Chrome getHistory
INFO: Could not find any allocated Chrome history files.
2020-05-10 19:11:42.852 org.sleuthkit.autopsy.recentactivity.Chrome getBookmark
INFO: Didn’t find any Chrome bookmark files.
2020-05-10 19:11:42.854 org.sleuthkit.autopsy.recentactivity.Chrome getCookie
INFO: Didn’t find any Chrome cookies files.
2020-05-10 19:11:42.856 org.sleuthkit.autopsy.recentactivity.Chrome getLogins
INFO: Didn’t find any Chrome Login Data files.
2020-05-10 19:11:42.858 org.sleuthkit.autopsy.recentactivity.Chrome getAutofill
INFO: Didn’t find any Chrome Web Data files.
2020-05-10 19:11:42.859 org.sleuthkit.autopsy.recentactivity.Chrome getDownload
INFO: Didn’t find any Chrome download files.
2020-05-10 19:11:42.866 org.sleuthkit.autopsy.recentactivity.Firefox getHistory
INFO: No FireFox history files found.
2020-05-10 19:11:42.868 org.sleuthkit.autopsy.recentactivity.Firefox getBookmark
INFO: Didn’t find any firefox bookmark files.
2020-05-10 19:11:42.869 org.sleuthkit.autopsy.recentactivity.Firefox getDownloadPreVersion24
INFO: Didn’t find any pre-version-24.0 Firefox download files.
2020-05-10 19:11:42.871 org.sleuthkit.autopsy.recentactivity.Firefox getDownloadVersion24
INFO: Didn’t find any version-24.0 Firefox download files.
2020-05-10 19:11:42.873 org.sleuthkit.autopsy.recentactivity.Firefox getCookie
INFO: Didn’t find any Firefox cookie files.
2020-05-10 19:11:42.874 org.sleuthkit.autopsy.recentactivity.Firefox getFormsHistory
INFO: No FireFox form history files found.
2020-05-10 19:11:42.876 org.sleuthkit.autopsy.recentactivity.Firefox getAutofillProfiles
INFO: Didn’t find any Firefox Autofill Profiles files.
2020-05-10 19:11:42.877 org.sleuthkit.autopsy.recentactivity.ExtractIE getBookmark
INFO: Didn’t find any IE bookmark files.
2020-05-10 19:11:42.879 org.sleuthkit.autopsy.recentactivity.ExtractIE getCookie
INFO: Didn’t find any IE cookies files.
2020-05-10 19:11:42.879 org.sleuthkit.autopsy.recentactivity.ExtractIE getHistory
INFO: Pasco results path: C:\Users\agonzalez\Documents\19-0006637\Temp\RecentActivity\IE\results
2020-05-10 19:11:42.88 org.sleuthkit.autopsy.recentactivity.ExtractIE getHistory
INFO: Pasco2 home: C:\Program Files (x86)\autopsy\pasco2
2020-05-10 19:11:42.882 org.sleuthkit.autopsy.recentactivity.ExtractIE getHistory
INFO: No InternetExplorer history files found.
2020-05-10 19:11:42.892 org.sleuthkit.autopsy.recentactivity.RecentDocumentsByLnk getRecentDocuments
INFO: Didn’t find any recent files.
2020-05-10 19:11:42.892 org.sleuthkit.autopsy.recentactivity.SearchEngineURLQueryAnalyzer findSearchQueries
INFO: Processing 0 blackboard artifacts.
2020-05-10 19:11:42.893 org.sleuthkit.autopsy.recentactivity.SearchEngineURLQueryAnalyzer findSearchQueries
INFO: Extracted 0 queries from the blackboard
2020-05-10 19:11:42.893 org.sleuthkit.autopsy.recentactivity.SearchEngineURLQueryAnalyzer process
INFO: Search Engine stats:
Google : 0
Yahoo : 0
Twitter : 0
LinkedIn : 0
Facebook : 0
Bing : 0
Baidu : 0
Sogou : 0
Soso : 0
Youdao : 0
Yandex : 0
Biglobe : 0
Linkestan : 0
Parseek : 0
Parset : 0

2020-05-10 19:11:42.932 org.sleuthkit.autopsy.recentactivity.SearchEngineURLQueryAnalyzer complete
INFO: Search Engine URL Query Analyzer has completed.
2020-05-10 19:11:42.932 org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline process
INFO: Recent Activity analysis of LogicalFileSet1 (jobId=0) finished
2020-05-10 19:11:42.932 org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline process
INFO: Android Analyzer analysis of LogicalFileSet1 (jobId=0) starting
2020-05-10 19:11:43.242 AndroidIngestModule process
INFO: running 22 analyzers
2020-05-10 19:11:43.292 org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline process
INFO: Android Analyzer analysis of LogicalFileSet1 (jobId=0) finished
2020-05-10 19:11:43.292 org.sleuthkit.autopsy.ingest.DataSourceIngestJob logInfoMessage
INFO: Finished first stage analysis (data source = LogicalFileSet1, objId = 1, jobId = 0)
2020-05-10 19:11:43.292 org.sleuthkit.autopsy.ingest.DataSourceIngestJob logInfoMessage
INFO: Finished analysis (data source = LogicalFileSet1, objId = 1, jobId = 0)
2020-05-10 19:11:43.296 org.sleuthkit.autopsy.ingest.IngestManager finishIngestJob
INFO: Ingest job 0 completed
2020-05-10 19:12:20.761 org.sleuthkit.autopsy.contentviewers.FileViewer isSupported
INFO: Mimetype not known for file: agent_accounts.db
2020-05-10 19:12:37.469 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Correlation Engine, version = 4.15.0
2020-05-10 19:12:37.47 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Data Source Integrity, version = 4.15.0
2020-05-10 19:12:37.47 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Drone Analyzer, version = 4.15.0
2020-05-10 19:12:37.47 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Embedded File Extractor, version = 4.15.0
2020-05-10 19:12:37.47 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Encryption Detection, version = 4.15.0
2020-05-10 19:12:37.47 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Exif Parser, version = 4.15.0
2020-05-10 19:12:37.47 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Extension Mismatch Detector, version = 4.15.0
2020-05-10 19:12:37.47 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = File Type Identification, version = 4.15.0
2020-05-10 19:12:37.47 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Hash Lookup, version = 4.15.0
2020-05-10 19:12:37.47 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Interesting Files Identifier, version = 4.15.0
2020-05-10 19:12:37.47 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = PhotoRec Carver, version = 7.0
2020-05-10 19:12:37.47 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Plaso, version = 4.15.0
2020-05-10 19:12:37.47 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Virtual Machine Extractor, version = 4.15.0
2020-05-10 19:12:37.47 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Keyword Search, version = 4.15.0
2020-05-10 19:12:37.47 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Email Parser, version = 4.15.0
2020-05-10 19:12:37.47 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Recent Activity, version = 4.15.0
2020-05-10 19:12:37.47 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Object Detection, version = 4.15.0
2020-05-10 19:12:37.635 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = GPX Parser, version = 1.2
2020-05-10 19:12:37.635 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Android Analyzer, version = 4.15.0
2020-05-10 19:12:37.636 org.sleuthkit.autopsy.ingest.IngestJobSettings load
WARNING: Previously loaded Plaso module could not be found.
2020-05-10 19:13:06.668 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Correlation Engine, version = 4.15.0
2020-05-10 19:13:06.668 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Data Source Integrity, version = 4.15.0
2020-05-10 19:13:06.668 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Drone Analyzer, version = 4.15.0
2020-05-10 19:13:06.668 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Embedded File Extractor, version = 4.15.0
2020-05-10 19:13:06.668 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Encryption Detection, version = 4.15.0
2020-05-10 19:13:06.669 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Exif Parser, version = 4.15.0
2020-05-10 19:13:06.669 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Extension Mismatch Detector, version = 4.15.0
2020-05-10 19:13:06.669 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = File Type Identification, version = 4.15.0
2020-05-10 19:13:06.669 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Hash Lookup, version = 4.15.0
2020-05-10 19:13:06.669 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Interesting Files Identifier, version = 4.15.0
2020-05-10 19:13:06.67 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = PhotoRec Carver, version = 7.0
2020-05-10 19:13:06.67 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Plaso, version = 4.15.0
2020-05-10 19:13:06.67 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Virtual Machine Extractor, version = 4.15.0
2020-05-10 19:13:06.67 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Keyword Search, version = 4.15.0
2020-05-10 19:13:06.67 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Email Parser, version = 4.15.0
2020-05-10 19:13:06.671 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Recent Activity, version = 4.15.0
2020-05-10 19:13:06.671 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Object Detection, version = 4.15.0
2020-05-10 19:13:06.841 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = GPX Parser, version = 1.2
2020-05-10 19:13:06.841 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Android Analyzer, version = 4.15.0
2020-05-10 19:13:06.842 org.sleuthkit.autopsy.ingest.IngestJobSettings load
WARNING: Previously loaded Plaso module could not be found.
2020-05-10 19:13:12.568 org.sleuthkit.autopsy.ingest.IngestManager startIngestJob
INFO: Starting ingest job 1
2020-05-10 19:13:12.57 org.sleuthkit.autopsy.ingest.DataSourceIngestJob logInfoMessage
INFO: Starting first stage analysis (data source = LogicalFileSet1, objId = 1, jobId = 1)
2020-05-10 19:13:13.021 org.sleuthkit.autopsy.ingest.DataSourceIngestJob logInfoMessage
INFO: Scheduling file level analysis tasks, no first stage data source level analysis configured (data source = LogicalFileSet1, objId = 1, jobId = 1)
2020-05-10 19:13:13.511 org.sleuthkit.autopsy.ingest.DataSourceIngestJob logInfoMessage
INFO: Finished first stage analysis (data source = LogicalFileSet1, objId = 1, jobId = 1)
2020-05-10 19:13:13.511 org.sleuthkit.autopsy.ingest.DataSourceIngestJob logInfoMessage
INFO: Finished analysis (data source = LogicalFileSet1, objId = 1, jobId = 1)
2020-05-10 19:13:13.513 org.sleuthkit.autopsy.ingest.IngestManager finishIngestJob
INFO: Ingest job 1 completed
2020-05-10 19:13:23.093 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Correlation Engine, version = 4.15.0
2020-05-10 19:13:23.093 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Data Source Integrity, version = 4.15.0
2020-05-10 19:13:23.094 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Drone Analyzer, version = 4.15.0
2020-05-10 19:13:23.094 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Embedded File Extractor, version = 4.15.0
2020-05-10 19:13:23.094 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Encryption Detection, version = 4.15.0
2020-05-10 19:13:23.094 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Exif Parser, version = 4.15.0
2020-05-10 19:13:23.094 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Extension Mismatch Detector, version = 4.15.0
2020-05-10 19:13:23.095 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = File Type Identification, version = 4.15.0
2020-05-10 19:13:23.095 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Hash Lookup, version = 4.15.0
2020-05-10 19:13:23.095 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Interesting Files Identifier, version = 4.15.0
2020-05-10 19:13:23.095 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = PhotoRec Carver, version = 7.0
2020-05-10 19:13:23.095 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Plaso, version = 4.15.0
2020-05-10 19:13:23.095 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Virtual Machine Extractor, version = 4.15.0
2020-05-10 19:13:23.096 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Keyword Search, version = 4.15.0
2020-05-10 19:13:23.096 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Email Parser, version = 4.15.0
2020-05-10 19:13:23.096 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Recent Activity, version = 4.15.0
2020-05-10 19:13:23.096 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Object Detection, version = 4.15.0
2020-05-10 19:13:23.258 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = GPX Parser, version = 1.2
2020-05-10 19:13:23.259 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Android Analyzer, version = 4.15.0
2020-05-10 19:13:23.259 org.sleuthkit.autopsy.ingest.IngestJobSettings load
WARNING: Previously loaded Plaso module could not be found.
2020-05-10 19:13:32.275 org.sleuthkit.autopsy.ingest.IngestManager startIngestJob
INFO: Starting ingest job 2
2020-05-10 19:13:32.28 org.sleuthkit.autopsy.ingest.DataSourceIngestJob logInfoMessage
INFO: Starting first stage analysis (data source = LogicalFileSet1, objId = 1, jobId = 2)
2020-05-10 19:13:32.722 org.sleuthkit.autopsy.ingest.DataSourceIngestJob logInfoMessage
INFO: Scheduling file level analysis tasks, no first stage data source level analysis configured (data source = LogicalFileSet1, objId = 1, jobId = 2)
2020-05-10 19:13:33.008 org.sleuthkit.autopsy.ingest.DataSourceIngestJob logInfoMessage
INFO: Finished first stage analysis (data source = LogicalFileSet1, objId = 1, jobId = 2)
2020-05-10 19:13:33.008 org.sleuthkit.autopsy.ingest.DataSourceIngestJob logInfoMessage
INFO: Finished analysis (data source = LogicalFileSet1, objId = 1, jobId = 2)
2020-05-10 19:13:33.012 org.sleuthkit.autopsy.ingest.IngestManager finishIngestJob
INFO: Ingest job 2 completed
2020-05-10 19:13:39.456 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Correlation Engine, version = 4.15.0
2020-05-10 19:13:39.456 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Data Source Integrity, version = 4.15.0
2020-05-10 19:13:39.456 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Drone Analyzer, version = 4.15.0
2020-05-10 19:13:39.456 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Embedded File Extractor, version = 4.15.0
2020-05-10 19:13:39.457 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Encryption Detection, version = 4.15.0
2020-05-10 19:13:39.457 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Exif Parser, version = 4.15.0
2020-05-10 19:13:39.457 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Extension Mismatch Detector, version = 4.15.0
2020-05-10 19:13:39.457 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = File Type Identification, version = 4.15.0
2020-05-10 19:13:39.457 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Hash Lookup, version = 4.15.0
2020-05-10 19:13:39.458 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Interesting Files Identifier, version = 4.15.0
2020-05-10 19:13:39.458 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = PhotoRec Carver, version = 7.0
2020-05-10 19:13:39.458 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Plaso, version = 4.15.0
2020-05-10 19:13:39.458 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Virtual Machine Extractor, version = 4.15.0
2020-05-10 19:13:39.458 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Keyword Search, version = 4.15.0
2020-05-10 19:13:39.458 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Email Parser, version = 4.15.0
2020-05-10 19:13:39.459 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Recent Activity, version = 4.15.0
2020-05-10 19:13:39.459 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Object Detection, version = 4.15.0
2020-05-10 19:13:39.622 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = GPX Parser, version = 1.2
2020-05-10 19:13:39.622 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Android Analyzer, version = 4.15.0
2020-05-10 19:17:24.341 org.sleuthkit.autopsy.casemodule.Case closeCurrentCase
INFO: Closing current case 19-0006637 (19-0006637_20200424_105149) in C:\Users\agonzalez\Documents\19-0006637
2020-05-10 19:17:26.359 org.sleuthkit.autopsy.imagegallery.ImageGalleryController shutDown
INFO: Shutting down image gallery controller for case 19-0006637 (19-0006637_20200424_105149)
2020-05-10 19:17:26.36 org.sleuthkit.autopsy.imagegallery.datamodel.DrawableDB close
INFO: Closing the drawable.db
2020-05-10 19:17:26.36 org.sleuthkit.autopsy.imagegallery.ImageGalleryController shutDown
INFO: Completed shut down of image gallery controller for case 19-0006637 (19-0006637_20200424_105149)

Log 7:
2020-04-24 10:51:52.426 org.sleuthkit.autopsy.keywordsearch.Server isRunning
INFO: Solr server is running
2020-04-24 10:51:53.097 org.sleuthkit.autopsy.imagegallery.PerCaseProperties getConfigSetting
INFO: File did not exist. Created file [Image Gallery.properties]
2020-04-24 10:51:53.206 org.sleuthkit.autopsy.imagegallery.datamodel.DrawableDB setPragmas
INFO: sqlite-jdbc version 3.25.2 loaded in native mode
2020-04-24 10:51:53.247 org.sleuthkit.autopsy.casemodule.Case openAsCurrentCase
INFO: Opened 19-0006637 (19-0006637_20200424_105149) in C:\Users\agonzalez\Documents\19-0006637 as the current case
2020-04-24 10:51:53.585 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Correlation Engine, version = 4.14.0
2020-04-24 10:51:53.591 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Data Source Integrity, version = 4.14.0
2020-04-24 10:51:53.595 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Embedded File Extractor, version = 4.14.0
2020-04-24 10:51:53.603 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Encryption Detection, version = 4.14.0
2020-04-24 10:51:53.608 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Exif Parser, version = 4.14.0
2020-04-24 10:51:53.612 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Extension Mismatch Detector, version = 4.14.0
2020-04-24 10:51:53.619 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = File Type Identification, version = 4.14.0
2020-04-24 10:51:53.625 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Hash Lookup, version = 4.14.0
2020-04-24 10:51:53.631 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Interesting Files Identifier, version = 4.14.0
2020-04-24 10:51:53.635 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = PhotoRec Carver, version = 7.0
2020-04-24 10:51:53.641 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Plaso, version = 4.14.0
2020-04-24 10:51:53.645 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Virtual Machine Extractor, version = 4.14.0
2020-04-24 10:51:53.647 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Keyword Search, version = 4.14.0
2020-04-24 10:51:53.648 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Email Parser, version = 4.14.0
2020-04-24 10:51:53.65 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader addFactory
INFO: Found ingest module factory: name = Recent Activity, version = 4.14.0
2020-04-24 10:52:00.372 org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader getIngestModuleFactories
INFO: Found ingest module factory: name = Android Analyzer, version = 4.14.0
2020-04-24 12:02:22.207 org.sleuthkit.autopsy.keywordsearch.Server stop
INFO: Stopping Solr server from: C:\Program Files\Autopsy-4.14.0\autopsy\solr
2020-04-24 12:02:22.208 org.sleuthkit.autopsy.keywordsearch.Server runSolrCommand
INFO: Running Solr command: [C:\Program Files\Autopsy-4.14.0\jre\bin\java, -Xmx512m, -DSTOP.PORT=34343, -Djetty.port=23232, -DSTOP.KEY=jjk#09s, -jar, start.jar, --stop]
2020-04-24 12:02:22.233 org.sleuthkit.autopsy.keywordsearch.Server runSolrCommand
INFO: Finished running Solr command
2020-04-24 12:02:22.233 org.sleuthkit.autopsy.keywordsearch.Server stop
INFO: Waiting for Solr server to stop
2020-04-24 12:02:22.781 org.sleuthkit.autopsy.keywordsearch.Server stop
INFO: Finished stopping Solr server
2020-04-24 12:02:22.782 org.sleuthkit.autopsy.core.Installer
INFO: core installer created
2020-04-24 12:02:22.793 org.sleuthkit.autopsy.casemodule.Case closeCurrentCase
INFO: Closing current case 19-0006637 (19-0006637_20200424_105149) in C:\Users\agonzalez\Documents\19-0006637
2020-04-24 12:02:24.804 org.sleuthkit.autopsy.imagegallery.ImageGalleryController shutDown
INFO: Shutting down image gallery controller for case 19-0006637 (19-0006637_20200424_105149)
2020-04-24 12:02:24.81 org.sleuthkit.autopsy.imagegallery.datamodel.DrawableDB close
INFO: Closing the drawable.db
2020-04-24 12:02:24.813 org.sleuthkit.autopsy.imagegallery.ImageGalleryController shutDown
INFO: Completed shut down of image gallery controller for case 19-0006637 (19-0006637_20200424_105149)

@agonzalez when you copied over the mmssms.db did you also make sure that you copied over the -wal (write ahead log) file. There may be data in the -wal file that has not been moved over to the .db file. You do not need to get the -shm file but it does not hurt to make the directory complete if it exists.

I could not locate a wal file in the logical extract. I did not root the phone. Would I have this file if the phone was not rooted?

That I do not know. If you open up the mmssms.db file in a SQLite viewer, can you see any data in the sms table? If you do not have a SQLite viewer then you can use the one in Autopsy. Just make sure you run the ingest module “File Type Identification”; once that is run, select the mmssms.db file and in the Content Viewer you should see a SQLite viewer in the application tab.

I am able to view all MMSSMS messages by using the built-in SQL viewer in Autopsy. However, the Android Analyzer will not recognize it. I appreciate the continued effort to assist.

For what it's worth, I imaged the Android device two ways. One using a software named Magnet Acquisition. The other through Android Studio.

Magnet Acquisition provided a folder named agent data that contains the mmssms.db.

Android Studio provided the following directory: "data>apps>com.android.providers.telephony>d-f>000000_sms_backup".

The mmssms.db from Magnet is viewable by the SQL viewer and I can see all messages. However, Android Analyzer will not recognize it as an SMS database for whatever reason.

Sorry for not responding - Mark and I are both stumped about what the problem might be. If you’re comfortable with Python, you might be able to add some debugging statements to “Program Files\Autopsy-4.14.0\autopsy\InternalPythonModules\android\textmessage.py” to try to figure out if it’s finding the file and narrow down what’s going on.
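
Added example, not part of any post in this thread and not Autopsy's own code: a stand-alone Python check of the conditions raised above for each candidate database (is the file really SQLite, does its parent path contain the folder name the thread says is required, is a -wal file next to it, and does the sms table hold rows). The `EXPECTED` mapping uses only the two file/folder pairs named in the thread, the substring path test is an assumption based on the description given here, and the sample tree is constructed.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

# Database name -> folder name that has to appear in its path (both from the thread).
EXPECTED = {
    "mmssms.db": "com.android.providers.telephony",
    "logs.db": "com.sec.android.provider.logsprovider",
}


def is_sqlite(path):
    """True if the file starts with the SQLite 3 header, whatever it is named."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def row_count(path, table):
    """Rows in `table`, or None if the file or table cannot be read.

    The database is opened read-only; run this on a working copy of the evidence.
    """
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    try:
        con = sqlite3.connect(uri, uri=True)
        try:
            return con.execute('SELECT COUNT(*) FROM "%s"' % table).fetchone()[0]
        finally:
            con.close()
    except sqlite3.Error:
        return None


def audit(root):
    """Report every file under `root` whose name is one of the expected databases."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            package = EXPECTED.get(name)
            if package is None:
                continue
            full = os.path.join(dirpath, name)
            parent = os.path.relpath(dirpath, root).replace(os.sep, "/")
            valid = is_sqlite(full)
            findings.append({
                "path": parent + "/" + name,
                "is_sqlite": valid,
                # Assumption: the folder name only has to occur somewhere in the path.
                "path_ok": package in parent,
                "has_wal": os.path.exists(full + "-wal"),
                "sms_rows": row_count(full, "sms")
                if valid and name == "mmssms.db" else None,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Constructed sample data: three files named mmssms.db in different situations."""
    good = os.path.join(root, "data", "com.android.providers.telephony", "databases")
    flat = os.path.join(root, "agent data")
    renamed = os.path.join(root, "renamed", "com.android.providers.telephony")
    for folder in (good, flat, renamed):
        os.makedirs(folder)
    for folder in (good, flat):
        con = sqlite3.connect(os.path.join(folder, "mmssms.db"))
        con.execute("CREATE TABLE sms (address TEXT, body TEXT)")
        con.executemany(
            "INSERT INTO sms VALUES (?, ?)",
            [("5550100", "constructed message 1"), ("5550101", "constructed message 2")],
        )
        con.commit()
        con.close()
    # A file that carries the expected name but is not a SQLite database.
    with open(os.path.join(renamed, "mmssms.db"), "wb") as fh:
        fh.write(b"not a database, only renamed")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit(tmp):
            print(finding)
```

Pointing `audit()` at the folder that was added as a logical file set shows, per file, which of the conditions fails before any change is made to the Autopsy module itself.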

Hi,
I have a solution and will share it with you by email. If you want help, just reply.

That would be great. Thank you.


Hi, I have a problem here: I cannot even see any Android phone. Any suggestions, please?

Is there a manual, please, on how to go about an Android case?