Introduction to Andriller
Andriller is a popular and comprehensive android forensic tool that provides a powerful suite of features for forensic experts and law enforcement agencies to extract and analyze digital evidence from Android devices. The tool provides a comprehensive and user-friendly interface for capturing and examining the various data artefacts available on an Android device, including contacts, call logs, messages, GPS locations, app data, and much more.
One of the key advantages of Andriller is its ability to extract and analyze data from both physical and logical acquisitions of Android devices. This means that even if a device is locked or encrypted, forensic experts can still obtain valuable evidence from it using Andriller. The tool also supports multiple file formats and acquisition methods, including the widely used ADB, JTAG, and chip-off approaches, making it a versatile option for any forensic investigation.
In addition to its data extraction capabilities, Andriller also provides a range of powerful analysis features. This includes the ability to view and analyze call logs, messages, contacts, and GPS data, as well as the ability to examine app data and recover deleted files. The tool also provides support for third-party app analysis, making it possible to extract evidence from apps such as WhatsApp, Skype, Viber, and more.
Another key feature of Andriller is its support for multiple operating systems, including Windows, macOS, and Linux. This makes it accessible to a wide range of users, including forensic experts, law enforcement agencies, and security researchers. The tool also offers a range of customization options, allowing users to modify its behaviour and output according to their specific needs.
- PC running Kali Linux or Ubuntu (the Andriller Android forensic tool can also run on Windows).
- Android device (you can run the target device in the Android pentesting lab).
- Data cable (if you intend to use a physical device, a data cable will be required).
- An active internet connection.
To install Andriller, we first have to download the tool from Andriller's GitHub repository. We can either download the Android forensic tool as a zip folder or clone it from the terminal by running the command below.
git clone https://github.com/den4uk/andriller.git
After the download is complete, we navigate into the newly created folder and create a virtual environment that we will use to run Andriller while performing Android forensics, using the commands shown below.
cd andriller
virtualenv env
We then activate the newly created environment:
source env/bin/activate
We can then install the required dependencies in the virtual environment we created by running the command below.
pip install -r requirements.txt
After the installation is complete, we are ready to perform Android forensic analysis on a device.
Android forensic evidence acquisition
The first step of performing Android forensic acquisition from any Android device is to check whether the device we want to extract data from is connected to the forensic lab via ADB. To list the available devices we run the command below.
adb devices
As you can see in the image above, the Android device is connected, hence we can start Android forensic file acquisition. To run Andriller we use the command below.
python3 -m andriller
Andriller is a GUI-based Android forensic tool. Once launched, we get a screen as shown in the image below. By clicking the check button on the page, Andriller checks for ADB-connected devices and displays their serial IDs as shown in the image below.
To start extracting information, we first select the output folder for the extracted forensic information and then click on "extract" to acquire and copy the Android forensic information to the output folder. We can monitor the extraction process in the logs section as shown in the image below. Andriller converts the extracted Android forensic data and organizes it in the form of both XLSX and HTML reports for easier analysis.
Android forensic evidence analysis
When Andriller finishes extracting the collected Android forensic evidence, it automatically opens a view of the collected file information in the default web browser. The first page of the report has a summary of all the collected forensic information as shown in the image below.
As shown in the image above, we can see several application entries found in the extracted Android forensic evidence. We can see that the victim's device has Google Chrome, Calendar, Call logs and Download history entries. To view the information collected from one of these applications, we click the corresponding entry to open the records for that application. In the image below, we can see the Google Chrome history report.
Andriller has numerous advanced features that forensic experts need while performing Android forensic evidence analysis. Some of these features include:
- Decoder - using the decoder, a forensic expert is able to decode and access information stored as SQLite databases on the phone, e.g. call logs, downloads, messages, calendar information, WhatsApp data, etc.
- WhatsApp Decryptor - forensic experts can use the decryptor to decrypt and view the WhatsApp messages collected during the Android forensic evidence acquisition. When decrypting WhatsApp messages using Andriller, we have to provide the "key file" that will be used to decrypt the messages.
- PIN/Pattern/Password cracker - using the cracking feature of Andriller, forensic experts can bypass the lock screen of a target device even when the device has a pattern lock on it. However, the cracking feature has limitations, which vary from device to device.
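To illustrate what the Decoder feature does with an acquired SQLite database (decoding the raw calls table into the kind of timestamped, labelled records that end up in the HTML report), here is an added example written for this article; it is not Andriller's own code. It constructs a small in-memory call-log database with the column layout of Android's calls table (sample rows are made up), decodes epoch-millisecond dates and numeric call-type codes, and renders an HTML table like the report shown above.

```python
import html
import sqlite3
from datetime import datetime, timezone

# Android's CallLog.Calls stores call direction as an integer "type" column;
# these labels follow the documented constants (1=incoming, 2=outgoing, ...).
CALL_TYPES = {1: "incoming", 2: "outgoing", 3: "missed",
              4: "voicemail", 5: "rejected", 6: "blocked"}


def build_sample_calllog(path=":memory:"):
    """Constructed sample (not a real device dump): a minimal calls table
    with the columns a decoder needs. Returns an open connection."""
    con = sqlite3.connect(path)
    con.row_factory = sqlite3.Row
    con.execute("CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, "
                "date INTEGER, duration INTEGER, type INTEGER, name TEXT)")
    con.executemany("INSERT INTO calls VALUES (?,?,?,?,?,?)", [
        (1, "+15550001111", 1700000000000, 65, 2, "Alice"),  # outgoing, 65 s
        (2, "+15550002222", 1700003600000, 0, 3, None),      # missed, no contact
        (3, "+15550003333", 1700007200000, 12, 1, "Bob"),    # incoming, 12 s
    ])
    con.commit()
    return con


def decode_calllog(con):
    """Decode the calls table into plain records: epoch-millisecond dates
    become UTC timestamps, type codes become labels, NULL names become ''."""
    rows = con.execute("SELECT _id, number, date, duration, type, name "
                       "FROM calls ORDER BY date").fetchall()
    records = []
    for r in rows:
        when = datetime.fromtimestamp(r["date"] / 1000, tz=timezone.utc)
        records.append({
            "id": r["_id"],
            "number": r["number"],
            "time_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
            "duration_s": r["duration"],
            "type": CALL_TYPES.get(r["type"], f"unknown({r['type']})"),
            "name": r["name"] or "",
        })
    return records


def to_html(records):
    """Render decoded records as an HTML table, escaping every cell so
    attacker-controlled strings from the device cannot inject markup."""
    cols = ["id", "number", "time_utc", "duration_s", "type", "name"]
    head = "<tr>" + "".join(f"<th>{c}</th>" for c in cols) + "</tr>"
    body = "".join("<tr>" + "".join(f"<td>{html.escape(str(r[c]))}</td>"
                                    for c in cols) + "</tr>" for r in records)
    return f"<table>{head}{body}</table>"
```

For a real acquisition, pass the path of the extracted calls database to sqlite3.connect in place of the constructed sample; the decoding and rendering steps are unchanged.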
Overall, Andriller is a powerful and comprehensive Android forensic tool that provides a wide range of features and capabilities for forensic experts and law enforcement agencies. Whether you are conducting a criminal investigation or conducting security research, Andriller is a versatile and reliable tool that is capable of extracting and analyzing digital evidence from Android devices with ease.