Calculate the hash of the android_image2.tar.gz file.
Verify that it matches the image below.
Unzipping the Data
If you have a "data" folder on your desktop, delete it.
Put the android_image2.tar.gz file on your Windows desktop.
Right-click the android_image2.tar.gz file and click 7-Zip, "Extract Here".
A data folder appears on your desktop.
If 7-Zip shows some messages saying "Can not create symbolic link", just ignore them and click Close.
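Added example, not part of the original lab instructions: a Python script that prints the MD5, SHA-1 and SHA-256 of the archive for comparison with the expected value, and lists the symbolic-link entries behind the "Can not create symbolic link" messages without extracting anything. Printing three digests is an assumption, because the instructions do not name the hash algorithm; the function names are illustrative.

```python
import hashlib
import sys
import tarfile

# Assumption: the lab does not name the algorithm, so compute the common ones.
ALGORITHMS = ("md5", "sha1", "sha256")


def file_hashes(path, chunk_size=1 << 20):
    """Hash the archive in chunks so a large image never has to fit in memory."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def symlink_members(path):
    """Return (entry name, link target) for every symlink in the tar archive.

    Only the archive index is read; nothing is written to disk. These are the
    entries an extractor cannot recreate when it lacks the right to make links.
    """
    links = []
    with tarfile.open(path, "r:*") as tar:
        for member in tar:
            if member.issym():
                links.append((member.name, member.linkname))
    return links


def main(argv):
    path = argv[1] if len(argv) > 1 else "android_image2.tar.gz"
    for name, value in file_hashes(path).items():
        print(f"{name:7} {value}")
    links = symlink_members(path)
    print(f"{len(links)} symbolic-link entries in the archive")
    for name, target in links:
        print(f"  {name} -> {target}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it from the folder that holds the archive, before extracting, and keep the output with your case notes.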
Analyzing the Android Data with Autopsy
Launch Autopsy.
Creating a New Case
From the Autopsy menu bar, click the "New Case" button.
Enter a Case Name of Android2.
Click the Next button.
Click the Finish button.
Importing the Android Data
In the Add Data Source window, at step "1. Select Host", click the Next button.
At step "2. Select Data Source Type", click "Logical Files".
Click the Next button.
At step "3. Select Data Source", click the Add button.
Navigate to your desktop.
Click the data folder and click Select.
Click the Next button.
At step "4. Configure Ingest", clear all the boxes except "Android Analyzer (aLEAPP)", as shown below.
Click the Next button.
At step "5. Add Data Source", click the Finish button.
Examining the Evidence
In the left pane of Autopsy, in the "Data Artifacts" section, useful data from Android appears, including Phone calls, Messages, and Web searches, as shown below.
M 144.1: Newest App (5 pts)
What is the most recently installed app?
That program name is the flag.
M 144.2: Website (5 pts)
What website was viewed at 14:52:39 PDT on Oct 8, 2022?
That URL is the flag.