M 143: Forensic Acquisition from Android (15 pts extra)

What You Need for This Project

Purpose

To collect data from an Android emulator and analyze it with Autopsy.

Start your Emulator

Start your emulator, as shown below.

Putting Evidence on the Phone

The steps depend on your operating system. Follow the appropriate instructions below.

Mac Users

Open a new Terminal window and execute these commands:
cd
cat .emulator_console_auth_token
Carefully highlight and copy your auth_token, as shown below.

Execute these commands, inserting the correct auth token in the second one:

nc localhost 5554
auth k5EPEBUt7Gf3NQ9v 
sms send 1112223333 "HELLO, PHONE!"

Windows Users

In a Web browser, go to

https://nmap.org/download

Download Nmap and install it.

Execute these commands. If the console asks for an auth token, it prints the path of the token file (on Windows, %USERPROFILE%\.emulator_console_auth_token); open that file, copy the token, and send it with the command auth followed by the token before the sms command.

ncat 127.0.0.1 5554
sms send 1112223333 "HELLO, PHONE!"

On your emulator, open Messages.

Click Agree.

You received the SMS. Reply, as shown below.

In your Terminal or Command Prompt, execute this command:

gsm call 1112223333

Your phone rings with a call from the same number that sent the SMS. Answer the call, as shown below.

After a few seconds, hang up.

In your Terminal or Command Prompt, press Ctrl+C to terminate the netcat connection.
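The same evidence-planting steps as one non-interactive script, added here as an example and not part of the original project: it reads the console auth token from the file the tutorial has you cat, then pipes the auth, sms send, gsm call and quit commands into nc, pausing between the call and the hangup so you can answer on the phone. The host, port and token path are the emulator's defaults; the delay value and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original project page): plant the SMS and
# call evidence by driving the emulator console non-interactively.
# Assumes the console of the first emulator is on localhost:5554 and that
# 'nc' is in PATH; on Windows with Nmap installed, use 'ncat' instead.

CONSOLE_HOST=localhost
CONSOLE_PORT=5554
TOKEN_FILE="$HOME/.emulator_console_auth_token"

# Read the auth token and strip all whitespace: a trailing newline, or the
# trailing space that comes along when the token is copied from a terminal,
# would otherwise be sent as part of the token and 'auth' would fail.
read_auth_token() {
    [ -r "$1" ] || { echo "token file not found: $1" >&2; return 1; }
    tr -d '[:space:]' < "$1"
}

# Emit the console command sequence. DELAY seconds separate 'gsm call'
# from 'gsm cancel' so the call rings long enough to be answered on the
# phone before the network side hangs up. Ending with 'quit' makes the
# emulator close the socket, so nc exits instead of waiting after EOF.
console_script() {
    token=$1; number=$2; message=$3; delay=${4:-0}
    printf 'auth %s\n' "$token"
    printf 'sms send %s "%s"\n' "$number" "$message"
    printf 'gsm call %s\n' "$number"
    sleep "$delay"
    printf 'gsm cancel %s\n' "$number"
    printf 'quit\n'
}

# Send the sequence to the live console (only runs when invoked as 'plant').
plant_evidence() {
    token=$(read_auth_token "$TOKEN_FILE") || return 1
    console_script "$token" 1112223333 "HELLO, PHONE!" 15 \
        | nc "$CONSOLE_HOST" "$CONSOLE_PORT"
}

if [ "${1:-}" = "plant" ]; then
    plant_evidence
fi
```

Run it as sh plant.sh plant (Git Bash on Windows, with nc changed to ncat). The reply to the SMS and the Answer click still happen on the phone, as in the manual steps; the script only replaces the typing on the console side.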

Opening a Root Shell

In a Command Prompt or Terminal, execute these commands:
adb shell
su
You get a root shell, as shown below.

Collecting User Data

All the user data, including SMS and phone calls, is in the /data directory. On a stock image the SMS store is the mmssms.db database under /data/data/com.android.providers.telephony/databases and the call log is calllog.db under /data/data/com.android.providers.contacts/databases; copying all of /data picks up both, along with every other app's private data.

In your root shell, execute this command:

tar --exclude=android_image.tar.gz \
 -cvzf /sdcard/Download/android_image.tar.gz /data
A lot of filenames scroll by. The --exclude option keeps tar from trying to add the archive it is writing: on the emulator, /sdcard is backed by /data/media, so the output file lies inside the tree being archived.

When it's done, you see a # prompt, as shown below.

Execute these commands to exit the shell and download the captured data, as shown below:

exit
exit
cd
cd Downloads
adb pull /sdcard/Download/android_image.tar.gz
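The collection and download steps as one script, added as an example that is not part of the original project, with the integrity check an examiner wants before relying on a pulled image: the archive is hashed on the device before adb pull and again on the analysis host, and the acquisition fails if the two digests differ. It assumes adb is in PATH with one emulator attached, that the image permits root (adb root, used here in place of the interactive su step, works on emulator images without Google Play), and that the emulator's toybox provides sha256sum; the function names and the .sha256 sidecar file are this example's own.

```shell
#!/bin/sh
# Added example (not from the original project page): acquire /data from
# the emulator as a tar.gz, pull it, and verify the copy by SHA-256.
# Assumes: adb in PATH, one emulator attached, 'adb root' permitted on the
# image, and 'sha256sum' available in the emulator's toybox.

REMOTE=/sdcard/Download/android_image.tar.gz
LOCAL="$HOME/Downloads/android_image.tar.gz"

# Pure helper: compare two hex digests case-insensitively. An empty digest
# never matches, so a failed hash on either side cannot "verify" by accident.
hashes_match() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# SHA-256 of a local file, portable across Linux (sha256sum) and macOS (shasum).
local_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Verify a pulled archive against the digest computed on the device.
# Usage: verify_acquisition FILE DEVICE_DIGEST
verify_acquisition() {
    hashes_match "$(local_sha256 "$1")" "$2"
}

# Full acquisition: same tar command as the tutorial, hashed on both sides.
acquire() {
    adb root && adb wait-for-device
    # /sdcard is backed by /data/media, so the archive must exclude itself.
    adb shell "tar --exclude=android_image.tar.gz -czf $REMOTE /data"
    device_digest=$(adb shell "sha256sum $REMOTE" | cut -d' ' -f1 | tr -d '\r')
    mkdir -p "$(dirname "$LOCAL")"
    adb pull "$REMOTE" "$LOCAL"
    if verify_acquisition "$LOCAL" "$device_digest"; then
        # Record the digest in sha256sum -c format next to the image.
        echo "$device_digest  $(basename "$LOCAL")" > "$LOCAL.sha256"
        echo "OK   $device_digest  $LOCAL"
    else
        echo "HASH MISMATCH: device=$device_digest local=$(local_sha256 "$LOCAL")" >&2
        return 1
    fi
}

if [ "${1:-}" = "acquire" ]; then
    acquire
fi
```

Run it as sh acquire.sh acquire. Carry the .sha256 file with the archive to the analysis machine and re-check it there (sha256sum -c android_image.tar.gz.sha256) after the scp or copy step, since that transfer is another point where the image can be corrupted.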

Launch your Windows Analysis Machine

Launch the Windows machine you use, with Autopsy on it.

Installing 7-Zip

On your Windows analysis machine, if you don't have 7-Zip, get it here:

https://7-zip.org

Unzipping the Data

Put the android_image.tar.gz file on your Windows desktop.

Mac M1 Users

You cannot copy and paste files from the host to the Windows guest, as of March 2023, because VMware Fusion 13 doesn't fully implement VMware Tools for Windows on Arm guests.

You can use PowerShell's "scp" command instead, using the IP address of your Mac and your Mac's username and password, with a command like this. Remote Login must be turned on in the Mac's Sharing settings first, or the SSH connection will be refused.

scp username@ip_of_mac:/Users/username/Downloads/android_image.tar.gz .

Right-click the android_image.tar.gz file and click 7-Zip, "Extract Here".

An android_image.tar file appears on your desktop.

Right-click the android_image.tar file and click 7-Zip, "Extract Here".

A data folder appears on your desktop.

If 7-Zip shows some messages saying "Can not create symbolic link", just ignore them and click Close. Creating symbolic links on Windows needs administrator rights, and the links in the Android tree carry no evidence of their own.

Analyzing the Android Data with Autopsy

Launch Autopsy.

Creating a New Case

From the Autopsy menu bar, click the "New Case" button.

Enter a Case Name of Android.

Click the Next button.

Click the Finish button.

Importing the Android Data

In the Add Data Source box:

Choose a data source type of "Logical Files" and add the data folder you extracted. On the ingest modules step, make sure "Android Analyzer (aLEAPP)" is checked; it is the module that produces the phone artifacts.

At step 5: "Add Data Source", click the Finish button.

Examining the Evidence

In the left pane of Autopsy, in the "Data Artifacts" section, useful data from Android appears, including Phone calls, Messages, and Web searches, as shown below.

M 143.1: Phone Source (15 pts)

Find the text covered by a green box in the image below. That's the flag.

Sources

https://resources.infosecinstitute.com/topic/android-forensic-logical-acquisition/

http://sleuthkit.org/autopsy/docs/user-docs/4.18.0/aleapp_page.html

Posted 10-7-22
Mac M1 file transfer tip added 3-13-23
Flag number corrected 7-1-23