M 144: Android Analysis with Autopsy (10 pts)

What You Need for This Project

A Windows computer with Autopsy, which you prepared in a previous project.

Purpose

To analyze data from an Android device with Autopsy.

Launch your Windows Analysis Machine

Launch the Windows machine you use, with Autopsy on it.

Installing 7-Zip

On your Windows analysis machine, if you don't have 7-Zip, get it here:

https://7-zip.org

Downloading the Evidence File

In a Web browser, download this file:

android_image2.tar.gz

The file is 991 MB. After unzipping it, it expands to 1.73 GB.

Verifying the Hash Value

Calculate the hash of the unzipped android_image2.tar.gz file. Verify that it matches the image below.

Hashcalc is no longer available, but you can calculate hashes with Powershell like this:

Get-FileHash -Algorithm SHA1 android_image2.tar.gz

Unzipping the Data

If you have a "data" folder on your desktop, delete it.

Put the android_image2.tar.gz file on your Windows desktop.

Right-click the android_image2.tar.gz file and click 7-Zip, "Extract Here".

A data folder appears on your desktop.

If 7-Zip shows some messages saying "Can not create symbolic link", just ignore them and click Close.

Analyzing the Android Data with Autopsy

Launch Autopsy.

Creating a New Case

From the Autopsy menu bar, click the "New Case" button.

Enter a Case Name of Android2.

Click the Next button.

Click the Finish button.

Importing the Android Data

In the Add Data Source, at step 1. Select Host, click the Next button.

At step 2. Select Data Source Type, click "Logical Files".

Click the Next button.

At step 3. Select Data Source, click the Add button. Navigate to your desktop. Click the data folder and click Select.

Click the Next button.

At step 4. Configure Ingest, clear all the boxes except "Android Analyzer (aLEAPP)", as shown below.

Click the Next button.

At step 5. Add Data Source, click the Finish button.

Examining the Evidence

In the left pane of Autopsy, in the "Data Artifacts" section, useful data from Android appears, including Phone calls, Messages, and Web searches, as shown below.

M 144.1: Newest App (5 pts)
What is the most recently installed app? That program name is the flag.

M 144.2: Website (5 pts)
What website was viewed at 14:52:39 PDT on Oct 8, 2022? That URL is the flag.

Sources

https://resources.infosecinstitute.com/topic/android-forensic-logical-acquisition/

http://sleuthkit.org/autopsy/docs/user-docs/4.18.0/aleapp_page.html

Posted 10-7-22
Hash value and unzipping instructions updated 10-16-22
Video added 4-3-23
Fixed download size, hashcalc link 7-15-23
Unzipping to get hash value explained more 10-6-25