I have recently acquired an image for android version 10 device.
Now I want to analyze it in autopsy but, the tool does not show any data.
Can you tell me whether autopsy support android version 10 partitions and volume analysis?
Secondly what is the maximum android version which we can easily analyze in autopsy without any difficulty and get forensic artifacts from android applications?
Urgent response is highly appreciated.
What kind of Android image are you trying to parse? ie. Is it a logical image via an ADB backup, a decrypted full filesystem extraction, or just a single partition extraction? Also, what version of Autopsy are you using? Are you using Autopsy 4.19.1?
Can you confirm that when you load the image into Autopsy you can see the filesystem structure and can manually peruse the image.
In regards to the versions of Android which can be parsed in Autopsy 4.19.1, you should be able to parse artifacts from the latest Android 12 albeit you may require 3rd party ingest modules for certain artifacts!
Hi !
Thankyou for your response.
Currently I am using autopsy 4.17.
I have created adb logical image from Samsung A10s 32 gb storage with android version 10.
I can see the partitions and volumes but the data and userdata volume do not contain my installed applications of android and their data.
I am stuck at this point for many weeks and wanted to get help regarding this.
If you have done this work already, can you give me your email address or any contact information so that I can directly contact you and get my problem resolved.
Unfortunately the issue here isn’t with Autopsy, it’s a byproduct of that ADB extraction. The ADB extraction will likely be missing most of your userdata as these days many Android applications protect their application data which means you can’t extract it via ADB. What you will need is either an advanced logical or a physical extraction (decrypted).
Is this a test device (ie. your own) or a exhibit on a file? If it’s a test device you could consider rooting the device to allow you to get a physical extraction but note that this often requires unlocking the bootloader which often wipes all your userdata so you’d be starting from scratch. If this is an exhibit then you will need something like Cellebrite Advanced Services (CAS) or Cellebrite Premium to get the extraction and preserve the data.
HI !
Thankyou so much for your reply.
Actually I have already rooted my phone ( test device), I also unlocked bootlocker and encountered bootloop which I fixed it during the process.
Now I have no idea what to do next.
Apparently according to your analysis, the android applications are more secure so we cannot do analysis through ADB extraction?
Actually I want any open source tool for image acquisition , the tools you have mentioned are paid versions.
If the device is rooted then you are in luck as you should be able to read the raw decrypted device (ie. /dev/block/mmcblk0 or /dev/block/sda) after the phone has booted. I’ve attached some instructions from our wiki on how you can do this via netcat. In the below case we used TCU Live (Live - TCU - Google Drive) and a root ADB shell. You can repeat this process in Windows if you download and install the Android SDK minimal platform tools (Download Android Studio and SDK tools | Android Developers) but the instructions below are for Linux.
Open up 2 terminals. Commands from the user prompt below are issued on the computer’s terminal, and commands issued at the root prompt are through the ADB shell in the phone.
Confirm your device is visible to the computer:
$ sudo adb start-server
$ adb devices (device should be shown as attached with its serial number and mode displayed (Recovery))
$ adb forward tcp:8888 tcp:8888 and leave this terminal open (you need one terminal for the shell, and one for the local computer).
$ sudo adb shell
# cd /dev/block
# ls (find if your structure is in mmcblk or sda as it differs between phones)
# dd if=/dev/block/mmcblk0 | busybox nc -l -p 8888 (hit enter in this window)
$ nc 127.0.0.1 8888 > test.bin (hit enter in this window now)
The physical image (test.bin) will take some time to complete but if you start another terminal you can watch its file size grow with ‘ls -la’ etc. Also, for the ‘nc’ command where you write out the file, you probably want to use a large exFAT formatted key and have it mounted so that you can write the image out to it. Should be something like “> /media/user/YOURKEY/image.bin”.
Hi !
I just implemented all the steps you have mentioned in my windows 10 pc.
Kindly find the attached screenshots.
After creating bin file from my android device ( device storage = 32 gb, bin file size 29gb ), I added the file in autopsy 4.17.
Now still after separately watching all volumes and partitions I could not find any data related to my installed android applications and contacts ( I installed food delivery apps and online shopping apps ).
Kindly tell me if there is any further solution? or Should I buy another device with lesser android version ( android 8 ) and acquire its adb dd image and analyze in autopsy.
It is now an urgent task but now I am stuck and couldn’t find any solution.
My last way will be to buy another android device with android version 8 and analyse the artifacts from android apps.
It looks like you got a successful image (good job!) and can see your ‘userdata’ partition (vol42). Under your userdata folder can you manually see the mmssms.db and localappstate.db databases? If you can, I’d recommend installing the latest Autopsy 4.19.1 and running the Android Analyzer* ingest modules to see what it parses.
Hi !
I searched all the data inside vol42 = userdata, but could not find any database file here.
Also The autopsy 4.19 is not freely available here so I couldn’t download it.
Even in Autopsy 4.17 you should be able to see the files and run the Android Analyzer ingest module. Under “Tools → File Search by Attributes” you can select “Name” and then search for “library.db” or “mmssms”.