Android forensic analysis with Autopsy

Nowadays, there are lots of commercial mobile forensics suites. Oxygen Forensic Analyst and Detective, Cellebrite UFED and MSAB XRY are just a few of them. Of course, these tools are very, even extremely, powerful and are able to extract huge datasets from lots of mobile devices, including Android ones. But it’s always good to have an open-source alternative to the commercial ones. And we have good news: there is an open-source tool called Autopsy that is suitable for Android mobile forensic examinations.

Of course, this tool is not a new one. It’s used globally by thousands of digital forensic examiners for traditional computer forensics, especially file system forensics. This open-source tool was created as a graphical interface for the Sleuth Kit, but since version 3 it has been completely rewritten and has become Windows-based.

The most current version is 4.0. It’s very important to note that it has the Android Analyzer Module, which makes it possible to extract the following artifacts:

  • Text messages (SMS / MMS)
  • Call logs
  • Contacts
  • Tango messages
  • Words with Friends messages
  • GPS from the browser and Google Maps
  • GPS from cache.wifi and cache.cell files

But this is not the only module suitable for Android forensics. There are also important modules such as the EXIF Parser Module, Keyword Search Module, PhotoRec Carver Module and some others.

Let’s create a case and add an Android physical image. Start the suite and you’ll see the Welcome window:

We need to create a new case, so choose the corresponding option.

It’s time to start filling in our case information:

Start with the case name: we chose WeAre4n6_Android_Test. Our base directory is D:\, but you can choose your own, so our data will be stored in D:\WeAre4n6_Android_Test.

Setting the case number and examiner’s name is optional, so you can skip this step if you want:

Choose our data source:

In our case, it’s an Android userdata partition physical image (userdata.dd), located at C:\Users\Olly\Desktop. Don’t forget about setting the correct time zone!

Now choose the ingest modules you want to run on the image:

Don’t forget to choose Android Analyzer! Exif Parser, Keyword Search and PhotoRec Carver are also very useful. Also, make sure you check the Process Unallocated Space option: unallocated space will then be carved automatically with PhotoRec.

That’s it! Now our image is being analyzed by Autopsy Ingest Modules:

Here is what we got from the Android Analyzer module:

As you can see, quite a lot of data is extracted automatically. Call logs, contacts, GPS trackpoints and messages are extracted by the Android Analyzer module, EXIF metadata is extracted by the EXIF Parser module, files with wrong extensions are detected by the Extension Mismatch Detector module, and web cookies, web downloads, web history and web searches are extracted by the Recent Activity module.

The Extension Mismatch Detector module is very useful for Android forensics. For example, it can be used to find cached images:

As you can see, this cached image has a “0” extension instead of “jpg”:

Analyzing its location, we come to the conclusion that this image is cached by Odnoklassniki – a popular Russian social media application.
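The same content-versus-extension check can be reproduced outside Autopsy to triage a cache directory exported from an image. The following Python is an added example, not part of the original article and not Autopsy's own code; the signature table, the package name com.example.app and the sample file names are constructed for illustration.

```python
import os
import tempfile

# Leading magic bytes -> (type name, extensions considered correct).
SIGNATURES = {
    b"\xff\xd8\xff": ("jpeg", {"jpg", "jpeg"}),
    b"\x89PNG\r\n\x1a\n": ("png", {"png"}),
}


def sniff(path):
    """Return (type_name, expected_extensions) from the file header, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return next((v for k, v in SIGNATURES.items() if head.startswith(k)), None)


def find_mismatches(root):
    """List (relative_path, detected_type) where extension and content disagree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            info = sniff(full)
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            if info and ext not in info[1]:
                hits.append((os.path.relpath(full, root), info[0]))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data: a fake app cache holding one mislabelled JPEG."""
    cache = os.path.join(root, "data", "com.example.app", "cache")
    os.makedirs(cache)
    samples = {
        "3f2a9c.0": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",   # JPEG bytes, ".0" name
        "photo.jpg": b"\xff\xd8\xff\xe1\x00\x18Exif\x00",  # JPEG bytes, right name
        "journal": b"libcore.io.DiskLruCache\n1\n",        # not an image
    }
    for name, data in samples.items():
        with open(os.path.join(cache, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, kind in find_mismatches(tmp):
            print(f"{rel}: content is {kind}, extension says otherwise")
```

Files whose header matches no known signature are skipped rather than flagged, so the output lists only files whose content type is positively identified and contradicts the name.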

Autopsy also supports automatic recovery of deleted files from the Ext4 file system:

Finally, the PhotoRec Carver module helps a mobile forensic examiner extract data from unallocated space by carving:

This article has shown that Autopsy is quite a powerful open-source tool for Android forensics, with a number of modules capable of both data parsing and recovery.

About the authors:

Igor Mikhaylov

Interests: Computer, Cell Phone & Chip-Off Forensics

Oleg Skulkin

Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics
