CNIT 121 Project 14: Acquiring a Forensic Image of an Android Phone (25 pts.)

What You Need for This Project

Purpose

To acquire a forensic image of the internal storage on an Android device. We will use an emulated phone in VirtualBox.

Task 1: Making an Android Virtual Machine

Installing VirtualBox

In S214, VirtualBox is already installed on most of the computers.

If you don't have it, do these steps:

Open a Web browser and go to

https://www.virtualbox.org/

On the left side of the page, click Downloads.

On the next page, download the appropriate "VirtualBox platform package" for your computer, as shown below. The Windows version is a 105 MB download.

Install VirtualBox on your computer, accepting the default options.

After the installation, VirtualBox opens, as shown below.

Downloading an Android VirtualBox VM

Download this file. It is 280 MB in size.

https://samsclass.info/128/proj/Andx86-1G.zip

Right-click the file, click "Extract All...", Extract. A folder opens, as shown below.

If the folder is green, this means Windows thinks it's encrypted, which is a known problem with Zip archives copied from Mac to Windows. To remove the encryption, right-click the folder, click Properties, click Advanced, and clear the "Encrypt contents to secure data" box. Then click OK three times. The process takes a couple of minutes.

Creating an Android Virtual Machine

Launch VirtualBox.

Creating an Android VM

In VirtualBox, click New.

In the "Name and operating system" box, enter these values, as shown below.

Replace "YOURNAME" with your own name.

Click Next.

In the "Memory size" box, enter 512MB.

Click Next.

In the "Hard drive" box, click the "Use an existing virtual hard drive" button. Click the little yellow folder icon on the right side, and navigate to the Andx86-1G.vdi in the folder you unzipped previously, as shown below.

Click Create.

Your VM now appears in the left pane of the VirtualBox window, as shown below.

Click the green Start arrow.

The virtual machine starts, but the screen turns black and shows two gray message bars at the top, as shown below.

Controlling the Virtual Machine

In the "And1g-YOURNAME [Running]" window, click Machine, "Disable Mouse Integration".

Click Machine, "ACPI Shutdown". This wakes the virtual machine, as shown below.

Note: in S214, on Ubuntu Linux, if the VirtualBox menu bar is not visible, press Right Ctrl+Home.

Click in the VM.

An Information box pops up, as shown below. Click Capture.

The mouse pointer appears inside the VM. Drag the padlock to the right to get to the Home Screen, as shown below.

Releasing the Mouse Cursor from the VM

Look at the lower right corner of the "And1G-YOURNAME [Running]" window.

You will see the keystroke that releases the cursor from the virtual machine.

On a Mac, it is the left Command button, as shown in the image above.

On a PC, it's the Right Ctrl key.

Press the indicated key.

The mouse pointer escapes from the VM.

Click the X in the gray bars at the top of the window to close them.

Saving a Screen Image

Make sure you can see the Android VM home screen, as shown above.

Press Shift+PrintScrn to save a full-desktop image.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 14a", replacing "YOUR NAME" with your real name.

Task 2: Installing Android Studio

Note for Linux Users

If you are using Linux, instructions for installing Android Studio are at the link below. We don't need GenyMotion for this project.

ubuntu-prep-121.htm

Then return to these instructions and resume at Task 3.

Downloading Android Studio

http://developer.android.com/sdk

Follow the instructions on the Web page to download and install Android Studio for your OS. The Mac version is 234 MB in size, but the Windows version is 828 MB.

Missing Java

If you are using a Mac:

Finish the install and launch Android Studio.

A box pops up, asking if you want to import settings from a previous installation. Accept the default selection refusing to do that.

The Setup Wizard launches. Click Next.

If you are using a PC, start the installation process.

In either case, you will probably see a screen saying that you need the Java SDK, as shown below.

Installing Java SDK

If JDK was not detected, as shown above, you need to fix that.

In the Android Studio Setup Wizard, click the blue link.

Download the correct Java SDK for your OS, as shown below.

Install the Java SDK, with the default options.

Resuming the Android Studio Setup

If you are using a Mac, in the Android Studio Setup Wizard, click Previous and then Next. If you are using a PC, cancel the installation and start it from the beginning again.

Install Android Studio with the default options.

Accept all the license agreements, of course.

It's a long process, with a lot of files downloaded and installed.

When the install finishes, Android Studio launches.

You should see the "Welcome to Android Studio" screen, as shown below.

Close Android Studio

At this point, close all Android Studio windows. You have what you need for this project.

Finding the SDK Path

We will use the SDK (Software Development Kit) for this project. You need to find out where it is installed.

Windows Users

Click Start, type in CMD and press Enter to open a Command Prompt window.

Note: don't use an Administrator Command Prompt

Execute these commands:

cd AppData\Local\Android\sdk

dir

You should see several items here, including "platform-tools", as shown above.

The SDK path appears in the last line, as highlighted in the image above. It will be something like this:

C:\Users\sam\AppData\Local\Android\sdk

Mac Users

In a Terminal window, execute these commands:

cd

cd Library/Android/sdk

ls

pwd

You should see several items here, including "platform-tools", as shown above.

The SDK path appears in the last line, as highlighted in the image above. It will be something like this:

/Users/sambowne/Library/Android/sdk

Task 3: Creating Evidence on the Android VM

Click in the Android VM. Click Messaging. Click "New message" and compose a message containing your name, as shown below.

Do not use the literal string "YOURNAME" -- replace that with your own name without any embedded spaces.

At the lower right, click the arrow icon to send your message.

A message says "Currently unable to send..". That's OK, it saved the message locally, which is what we wanted.

In the bottom center, click the icon shaped like an open business envelope. This takes you back to the home screen.

Click Notes. At the top right, click the little icon of a pencil and paper.

Compose a note containing your name, as shown below.

Do not use the literal string "YOURNAME" -- replace that with your own name without any embedded spaces.

At the top right, click SAVE.

Task 4: Capturing a Live Image

Installing Nmap (Windows Only)

If you are using Windows, you must install Nmap, so you get the "Ncat" command-line tool. If you are using Linux or a Mac you already have netcat and may skip this step.

Open a Web browser and go to

https://nmap.org/download.html

Scroll down to the "Microsoft Windows binaries" section and click on the link labelled "Latest release self-installer:", as shown below.

When I did it, it was nmap-6.47-setup.exe.

Download and install the software with the default options. It will also install WinPCap.

Configuring Bridged Networking

You need to know the IP address of your Android VM.

Click in the Android VM. Press Alt+F1. (On a Macbook, press fn+opt+F1. On the Macs in S214, press RightCtrl+Alt+Fn+F1).

A Linux terminal opens in the Android VM. Execute this command:

netcfg

The eth0 device has an address of 10.0.2.15, as shown below.

That won't work. Press the button to release the cursor from the VM and click Devices, Network, "Network Settings".

Change the "Attached to" setting to "Bridged Adapter", as shown below. Then click OK.

In the Android terminal window, execute this command again:

netcfg

The eth0 device has a different address now, as shown below.

Connecting to the Android Device with Android Debug Bridge (ADB)

On your host machine, open a Command Prompt window.

Execute these commands, changing the path in the first command to your correct SDK path.

Change the address in the third command to the correct address of your Android VM.

NOTE: If you are using a Mac, add a "./" before "adb".

cd AppData\Local\Android\sdk

cd platform-tools

adb connect 10.10.21.39

Examining the Filesystem of the Android Device

Execute these commands:

NOTE: If you are using a Mac or Linux, add a "./" before "adb".

adb shell

mount

The /data partition is at /dev/block/sda1, as highlighted in the image above.

At the "shell@x86:/ $" prompt, execute this command:

df

This shows that the /data partition is 718.0 MB in size, as shown below.

The /data partition is where apps store their data, which makes it the main place to find forensic artifacts.

Configuring Port Forwarding

Open a second Terminal or Command Prompt window.

Navigate to the sdk/platform-tools directory.

Execute this command:

NOTE: If you are using a Mac or Linux, add a "./" before "adb". On the host Mac,

adb forward tcp:7000 tcp:7000

This command forwards network traffic on port 7000 on the host computer to the same port on the Android virtual device.

Performing a Network Acquisition

At the "shell@x86:/ $" prompt, execute these commands:

su

dd if=/dev/block/sda1 | busybox nc -l -p 7000

The "su" command switches to the superuser account (root). The next command starts the Android device listening on port 7000 and tells it to send a live image of the "/dev/block/sda1" partition to that port once a connection is established.

If you are using Windows, open a new Administrator Command Prompt window (you cannot write to the root of C: without Administrator privileges) and execute this command:

ncat 127.0.0.1 7000 > C:/p14-YOURNAME.dd

If you are using a Mac or Linux, open a new Terminal window and execute this command:

nc 127.0.0.1 7000 > /tmp/p14-YOURNAME.dd

Wait a few minutes. When the process completes, you'll see the "764918784 bytes transferred" message, as shown below.
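The receiving side of this acquisition, written as an added example rather than anything from the project page: instead of "ncat 127.0.0.1 7000 > file", it connects to the forwarded port, streams the image to disk, and returns the byte count and SHA-256 so the count can be checked against the "bytes transferred" message and the hash recorded before the image is analyzed. The serve_fake_partition helper and the SAMPLE_IMAGE bytes are constructed stand-ins for "dd ... | busybox nc -l -p 7000" on the device, so the whole thing runs offline.

```python
import hashlib
import socket
import threading

# Constructed sample standing in for the raw /dev/block/sda1 partition.
SAMPLE_IMAGE = b"\x00" * 4096 + b"SMS body: hello from YOURNAME" + b"\xff" * 4096


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def receive_image(host: str, port: int, out_path: str) -> tuple[int, str]:
    """Connect to host:port (with 'adb forward', 127.0.0.1:7000 reaches the
    device's nc listener), stream everything received to out_path and return
    (bytes_written, sha256_hex). Reading stops when the device closes the
    connection, which happens once dd reaches the end of the partition."""
    digest = hashlib.sha256()
    total = 0
    with socket.create_connection((host, port)) as sock, open(out_path, "wb") as out:
        while True:
            chunk = sock.recv(1 << 16)
            if not chunk:
                break
            out.write(chunk)
            digest.update(chunk)
            total += len(chunk)
    return total, digest.hexdigest()


def serve_fake_partition(data: bytes) -> int:
    """Stand-in (hypothetical) for 'dd if=/dev/block/sda1 | busybox nc -l -p 7000'
    on the device: listen on an ephemeral loopback port, send data to the first
    client that connects, then close. Returns the chosen port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(data)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = serve_fake_partition(SAMPLE_IMAGE)
    n, h = receive_image("127.0.0.1", port, "p14-sample.dd")
    print(f"{n} bytes transferred, sha256={h}")
```

Against a real device you would skip serve_fake_partition and call receive_image("127.0.0.1", 7000, "p14-YOURNAME.dd") after the adb forward and dd commands above.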

Saving a Screen Image

Make sure you can see the "764918784 bytes transferred" message, as shown above.

Press Shift+PrintScrn to save a full-desktop image.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 14b", replacing "YOUR NAME" with your real name.

Viewing the Captured Data (Windows Only)

On your host machine, if it's Windows, execute this command:
dir c:\

You should see a file with a size of 750 MB. If you don't, it may be a bug in Ncat. One problem some students had was a "close: Result too large" error.

If that happens, try using "nc" or "nc64" instead of Ncat. You can get those programs here:

https://eternallybored.org/misc/netcat/

Task 5: Analyzing the Image

Installing Strings (Windows Only)

If you are using Windows, you need to download and install "strings". If you are using a Mac or Linux, it's already installed.

In a Web browser, go here:

http://technet.microsoft.com/en-us/sysinternals/bb897439

Click the "Download Strings" link.

Save the Strings.zip file on your desktop.

Right-click it and click "Extract All...", Extract.

A window opens showing a strings.exe file.

Open a second Windows Explorer window and navigate to the C:\Windows folder.

Drag the strings.exe file into the C:\Windows\System32 folder, as shown below.

If a "User Account Control" box pops up, approve the privilege escalation.

Examining the Evidence with Strings on Windows

If you are using Windows, open a Command Prompt and execute this command, changing "YOURNAME" to your own name. Make sure to spell your name exactly the same way you did when creating the evidence.

strings C:\p14-YOURNAME.dd | findstr YOURNAME

A lot of messages appear complaining that lines are too long, as shown below.

Eventually, findstr will pause its complaints long enough to show you the actual evidence lines containing YOURNAME, as shown below.

Using Strings (Mac or Linux)

In a Terminal window, execute this command to find YOURNAME in the image. Make sure to spell your name exactly the same way you did when creating the evidence.

strings /tmp/p14-YOURNAME.dd | grep YOURNAME

The results should appear within a few seconds, showing the text of your messages, containing YOURNAME, as shown below.
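The same search as "strings ... | grep YOURNAME" in a few lines of Python, added here as an example and not taken from the project page. It goes a little beyond the command above: it reports the byte offset of each hit (so the artifact can be found again in the image), it also picks up UTF-16LE text the way the Sysinternals strings does, and it maps the file instead of reading all 750 MB at once, which avoids the findstr "line too long" noise. SAMPLE_IMAGE is a constructed stand-in for a few bytes of the /data partition.

```python
import mmap
import re
from typing import Iterator

MIN_LEN = 4  # default minimum run length used by GNU strings and Sysinternals strings
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Constructed sample image: mimics an SQLite page holding an SMS body (UTF-8)
# and a wide-character note (UTF-16LE), padded with zero and 0xff bytes.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"SQLite format 3\x00"
    + b"\x00" * 32
    + b"Hello from YOURNAME"
    + b"\xff" * 40
    + "Note by YOURNAME".encode("utf-16le")
    + b"\x00" * 64
)


def extract_strings(image) -> Iterator[tuple[int, str, str]]:
    """Yield (offset, encoding, text) for each printable run in a bytes-like image."""
    for m in ASCII_RUN.finditer(image):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(image):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_artifacts(image, needle: str) -> list[tuple[int, str, str]]:
    """Return the runs containing needle, sorted by offset. Like grep and findstr
    the comparison is case-sensitive, so spell the name exactly as it was typed
    when the evidence was created."""
    return sorted(hit for hit in extract_strings(image) if needle in hit[2])


def search_image_file(path: str, needle: str) -> list[tuple[int, str, str]]:
    """Scan a .dd file through mmap so a large image is not loaded into memory."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return find_artifacts(mm, needle)


if __name__ == "__main__":
    for offset, encoding, text in find_artifacts(SAMPLE_IMAGE, "YOURNAME"):
        print(f"0x{offset:08x} {encoding:8} {text}")
```

To run it against your own image, call search_image_file("/tmp/p14-YOURNAME.dd", "YOURNAME") (or the C:\ path on Windows).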

Saving a Screen Image

Make sure you can see at least one line of text found containing YOURNAME, as shown above.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 14c", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the images to cnit.121@gmail.com with the subject line: Proj 14 from YOUR NAME

Sources

Getting Started with Android Forensics

Review of Android Partition Layout

DD over Netcat for a Cheap Ghost Alternative

Android Forensics, Part 1: How we recovered (supposedly) erased data

Live imaging an Android device | Free Android Forensics (from 2014)

Importing a VDI in VirtualBox

http://virtualboxes.org/images/android-x86/

Factory reset Android x86


Last modified 11-9-16