M 144: Android Analysis with Autopsy (10 pts)

What You Need for This Project


To analyze data from an Android device with Autopsy.

Launch your Windows Analysis Machine

Launch the Windows machine you use, with Autopsy on it.

Installing 7-Zip

On your Windows analysis machine, if you don't have 7-Zip, get it here:


Downloading the Evidence File

In a Web browser, download this file:


The file is 991 MB on the server, but your browser automatically unzips it to a size of 1.6 GB.

Installing Hashcalc

On your Windows analysis machine, if you don't have Hashcalc, get it here:


Verifying the Hash Value

Calculate the hash of the android_image2.tar.gz file. Verify that it matches the image below.

Unzipping the Data

If you have a "data" folder on your desktop, delete it.

Put the android_image2.tar.gz file on your Windows desktop.

Right-click the android_image2.tar.gz file and click 7-Zip, "Extract Here".

A data folder appears on your desktop.

If 7-Zip shows some messages saying "Can not create symbolic link", just ignore them and click Close.

Analyzing the Android Data with Autopsy

Launch Autopsy.

Creating a New Case

From the Autopsy menu bar, click the "New Case" button.

Enter a Case Name of Android2.

Click the Next button.

Click the Finish button.

Importing the Android Data

In the Add Data Source, at step 1. Select Host, click the Next button.

At step 2. Select Data Source Type, click "Logical Files".

Click the Next button.

At step 3. Select Data Source, click the Add button. Navigate to your desktop. Click the data folder and click Select.

Click the Next button.

At step 4. Configure Ingest, clear all the boxes except "Android Analyzer (aLEAPP)", as shown below.

Click the Next button.

At step 5. Add Data Source, click the Finish button.

Examining the Evidence

In the left pane of Autopsy, in the "Data Artifacts" section, useful data from Android appears, including Phone calls, Messages, and Web searches, as shown below.

M 144.1: Newest App (5 pts)

What is the most recently installed app? That program name is the flag.

M 144.2: Website (5 pts)

What website was viewed at 14:52:39 PDT on Oct 8, 2022? That URL is the flag.




Posted 10-7-22
Hash value and unzipping instructions updated 10-16-22