├── README.md
└── android_triage.sh
/README.md:
--------------------------------------------------------------------------------
1 | # Android Triage
2 |
3 | Bash script to extract data from an Android device
4 |
5 | Developed and tested on Mac OS X Mojave (10.14.6), but it also works on Linux
6 |
7 | Mandatory Requirements
8 |
9 | - adb (https://developer.android.com/studio/releases/platform-tools)
10 | - dialog (for Mac OS X see here http://macappstore.org/dialog/)
11 |
12 | How to use it
13 |
14 | - Activate ADB on the Android Device
15 | - Connect and pair the Android Device and the host
16 | - Make the script executable (chmod +x android_triage.sh)
17 | - Execute the script and follow the instructions
18 |
19 | See also the original blog post here
20 |
21 | https://blog.digital-forensics.it/2021/03/triaging-modern-android-devices-aka.html
22 |
23 | Version 1.0 [30/3/2021]
24 |
25 | First release
26 |
27 | Version 1.1 [30/3/2021]
28 |
29 | - Added "-keyvalue" in the ADB backup command (Thanks Yogesh Khatri - @SwiftForensics)
30 | - Added option 10 to dump file system folders and files not requiring root privileges
31 | - Minor fixes
32 |
33 | Version 1.2 [3/4/2021]
34 |
35 | - Added "dumpsys diskstats" processing (credits https://android.stackexchange.com/questions/220442/obtaining-app-storage-details-via-adb)
36 | - Added "appops" processing (credits https://android.stackexchange.com/questions/226282/how-can-i-see-which-applications-is-reading-the-clipboard)
37 | - Minor additions
38 |
39 | Version 1.3 [6/9/2021]
40 |
41 | - Added "dumpsys notification --noredact" to extract notification text
42 | - Added "dumpsys dbinfo -v"
43 | - Added "dumpsys bluetooth_manager | grep 'BOOT_COMPLETED\|AIRPLANE'" to extract boot and airplane mode information
44 | - Changed "dumpsys meminfo -a" with "dumpsys -t 60 meminfo -a"
45 | - Minor fixes
46 |
47 | Version 1.4 [11/2/2022]
48 |
49 | - Added full "/data/app" acquisition (not only APKs, but also libs and other files)
50 | - Added "-obb" option to the ADB Backup command
51 | - Added "References" section
52 | - Added "Special thanks" section
53 | - Minor fixes
54 |
55 | Version 1.5 [28/10/2022]
56 |
57 | - Added various dumpsys commands
58 | - Added some "telecom" commands
59 | - Minor fixes
60 |
61 | List of executed commands
62 |
63 | Option 1 - Collect basic information
64 |
65 | - adb shell getprop
66 | - adb shell settings list system
67 | - adb shell settings list secure
68 | - adb shell settings list global
69 | - adb shell getprop ro.product.model
70 | - adb shell getprop ro.product.manufacturer
71 | - adb shell settings get global airplane_mode_on
72 | - adb shell getprop ro.serialno
73 | - adb shell getprop ro.build.fingerprint
74 | - adb shell getprop ro.build.version.release
75 | - adb shell getprop ro.build.date
76 | - adb shell getprop ro.build.id
77 | - adb shell getprop ro.boot.bootloader
78 | - adb shell getprop ro.build.version.security_patch
79 | - adb shell settings get secure bluetooth_address
80 | - adb shell settings get secure bluetooth_name
81 | - adb shell getprop persist.sys.timezone
82 | - adb shell getprop ro.product.manufacturer
83 | - adb shell getprop ro.product.device
84 | - adb shell getprop ro.product.name
85 | - adb shell getprop ro.product.code
86 | - adb shell getprop ro.chipname
87 | - adb shell getprop ril.serialnumber
88 | - adb shell getprop gsm.version.baseband
89 | - adb shell getprop ro.csc.country_code
90 | - adb shell getprop persist.sys.usb.config
91 | - adb shell getprop storage.mmc.size
92 | - adb shell getprop ro.config.notification_sound
93 | - adb shell getprop ro.config.alarm_alert
94 | - adb shell getprop ro.config.ringtone
95 | - adb shell getprop rro.config.media_sound
96 | - adb shell date
97 | - adb shell getprop ro.crypto.state
98 | - adb shell uptime -s
99 | - adb shell getprop ro.crypto.type
100 | - adb shell dumpsys iphonesubinfo
101 | - adb shell service call iphonesubinfo
102 | - adb shell id
103 | - adb shell su -c id
104 |
105 | Option 2 - Execute live commands
106 |
107 | - adb shell id
108 | - adb shell uname -a
109 | - adb shell cat /proc/version
110 | - adb shell uptime
111 | - adb shell printenv
112 | - adb shell cat /proc/partitions
113 | - adb shell cat /proc/cpuinfo
114 | - adb shell cat /proc/diskstats
115 | - adb shell df
116 | - adb shell df -ah
117 | - adb shell mount
118 | - adb shell ip address show wlan0
119 | - adb shell ifconfig -a
120 | - adb shell netstat -an
121 | - adb shell lsof
122 | - adb shell ps -ef
123 | - adb shell top -n 1
124 | - adb shell cat /proc/sched_debug
125 | - adb shell vmstat
126 | - adb shell sysctl -a
127 | - adb shell ime list
128 | - adb shell service list
129 | - adb shell logcat -S -b all
130 | - adb shell logcat -d -b all V:*
131 |
132 | Option 3 - Execute package manager commands
133 |
134 | - adb shell pm get-max-users
135 | - adb shell pm list users
136 | - adb shell pm list features
137 | - adb shell pm list instrumentation
138 | - adb shell pm list libraries -f
139 | - adb shell pm list packages -f
140 | - adb shell pm list packages -d
141 | - adb shell pm list packages -e
142 | - adb shell pm list packages -f -u
143 | - adb shell pm list permissions -f
144 | - adb shell pm list permission-groups
145 | - adb shell cat /data/system/uiderrors.txt
146 |
147 | Option 4 - Execute bugreport,dumpsys,appops
148 |
149 | - adb shell bugreport
150 | - adb shell dumpsys
151 | - adb shell dumpsys account
152 | - adb shell dumpsys accessibility
153 | - adb shell dumpsys activity
154 | - adb shell dumpsys alarm
155 | - adb shell dumpsys app_binding
156 | - adb shell dumpsys app_hibernation
157 | - adb shell dumpsys application_policy
158 | - adb shell dumpsys appwidget
159 | - adb shell dumpsys appops
160 | - adb shell dumpsys audio
161 | - adb shell dumpsys autofill
162 | - adb shell dumpsys backup
163 | - adb shell dumpsys battery
164 | - adb shell dumpsys batteryproperties
165 | - adb shell dumpsys batterystats
166 | - adb shell dumpsys batterystats -c
167 | - adb shell dumpsys biometric
168 | - adb shell dumpsys blob_store
169 | - adb shell dumpsys bluetooth_manager
170 | - adb shell dumpsys bluetooth_manager | grep 'BOOT_COMPLETED\|AIRPLANE'
171 | - adb shell dumpsys cacheinfo
172 | - adb shell dumpsys carrier_config
173 | - adb shell dumpsys clipboard
174 | - adb shell dumpsys color_display
175 | - adb shell dumpsys connectivity
176 | - adb shell dumpsys connmetrics
177 | - adb shell dumpsys content
178 | - adb shell dumpsys content_capture
179 | - adb shell dumpsys cover
180 | - adb shell dumpsys cpuinfo
181 | - adb shell dumpsys desktopmode
182 | - adb shell dumpsys dbinfo
183 | - adb shell dumpsys dbinfo -v
184 | - adb shell dumpsys device_policy
185 | - adb shell dumpsys device_state
186 | - adb shell dumpsys devicestoragemonitor
187 | - adb shell dumpsys diskstats
188 | - adb shell dumpsys display
189 | - adb shell dumpsys dropbox
190 | - adb shell dumpsys gfxinfo
191 | - adb shell dumpsys graphicsstats
192 | - adb shell dumpsys hardware_properties
193 | - adb shell dumpsys input
194 | - adb shell dumpsys isub
195 | - adb shell dumpsys iphonesubinfo
196 | - adb shell dumpsys jobscheduler
197 | - adb shell dumpsys location
198 | - adb shell dumpsys lock_settings
199 | - adb shell dumpsys meminfo -t 60 -a
200 | - adb shell dumpsys mount
201 | - adb shell dumpsys netpolicy
202 | - adb shell dumpsys netstats
203 | - adb shell dumpsys netstats detail
204 | - adb shell dumpsys network_management
205 | - adb shell dumpsys network_score
206 | - adb shell dumpsys notification
207 | - adb shell dumpsys notification --noredact
208 | - adb shell dumpsys overlay
209 | - adb shell dumpsys package
210 | - adb shell dumpsys password_policy
211 | - adb shell dumpsys permission
212 | - adb shell dumpsys permissionmgr
213 | - adb shell dumpsys phone
214 | - adb shell dumpsys power
215 | - adb shell dumpsys print
216 | - adb shell dumpsys procstats --full-details
217 | - adb shell dumpsys procstats --full-details -c
218 | - adb shell dumpsys restriction_policy
219 | - adb shell dumpsys role
220 | - adb shell dumpsys rollback
221 | - adb shell dumpsys sdhms
222 | - adb shell dumpsys sec_location
223 | - adb shell dumpsys secims
224 | - adb shell dumpsys search
225 | - adb shell dumpsys sensorservice
226 | - adb shell dumpsys settings
227 | - adb shell dumpsys shortcut
228 | - adb shell dumpsys stats
229 | - adb shell dumpsys statusbar
230 | - adb shell dumpsys storaged
231 | - adb shell dumpsys telecom
232 | - adb shell dumpsys thermalservice
233 | - adb shell dumpsys time_detector
234 | - adb shell dumpsys time_zone_detector
235 | - adb shell dumpsys usagestats
236 | - adb shell dumpsys user
237 | - adb shell dumpsys usb
238 | - adb shell dumpsys vibrator
239 | - adb shell dumpsys voip
240 | - adb shell dumpsys wallpaper
241 | - adb shell dumpsys wifi
242 | - adb shell dumpsys wifiaware
243 | - adb shell dumpsys wifiscanner
244 | - adb shell dumpsys window
245 | - adb shell telecom get-default-dialer
246 | - adb shell telecom get-system-dialer
247 | - adb shell telecom get-max-phones
248 | - adb shell telecom get-sim-config
249 | - adb shell appops get $pkg
250 |
251 | Option 5 - Acquire an ADB Backup
252 |
253 | - adb backup -all -shared -system -keyvalue -apk -obb -f backup.ab
254 |
255 | Option 6 - Acquire /system folder
256 |
257 | - adb pull /system/
258 | - adb pull /system/apex
259 | - adb pull /system/app
260 | - adb pull /system/bin
261 | - adb pull /system/cameradata
262 | - adb pull /system/container
263 | - adb pull /system/etc
264 | - adb pull /system/fake-libs
265 | - adb pull /system/fonts
266 | - adb pull /system/framework
267 | - adb pull /system/hidden
268 | - adb pull /system/lib
269 | - adb pull /system/lib64
270 | - adb pull /system/media
271 | - adb pull /system/priv-app
272 | - adb pull /system/saiv
273 | - adb pull /system/tts
274 | - adb pull /system/usr
275 | - adb pull /system/vendor
276 | - adb pull /system/xbin
277 |
278 | Option 7 - Acquire /sdcard folder
279 |
280 | - adb pull /sdcard
281 |
282 | Option 8 - Acquire /data/app folder
283 |
284 | - adb pull /data/app/${app_path}/
285 |
286 | Option 9 - Extract data from content providers
287 |
288 | - adb shell dumpsys package providers
289 | - adb shell content query --uri content://com.android.calendar/calendar_entities
290 | - adb shell content query --uri content://com.android.calendar/calendars
291 | - adb shell content query --uri content://com.android.calendar/attendees
292 | - adb shell content query --uri content://com.android.calendar/event_entities
293 | - adb shell content query --uri content://com.android.calendar/events
294 | - adb shell content query --uri content://com.android.calendar/properties
295 | - adb shell content query --uri content://com.android.calendar/reminders
296 | - adb shell content query --uri content://com.android.calendar/calendar_alerts
297 | - adb shell content query --uri content://com.android.calendar/colors
298 | - adb shell content query --uri content://com.android.calendar/extendedproperties
299 | - adb shell content query --uri content://com.android.calendar/syncstate
300 | - adb shell content query --uri content://com.android.contacts/raw_contacts
301 | - adb shell content query --uri content://com.android.contacts/directories
302 | - adb shell content query --uri content://com.android.contacts/syncstate
303 | - adb shell content query --uri content://com.android.contacts/profile/syncstate
304 | - adb shell content query --uri content://com.android.contacts/contacts
305 | - adb shell content query --uri content://com.android.contacts/profile/raw_contacts
306 | - adb shell content query --uri content://com.android.contacts/profile
307 | - adb shell content query --uri content://com.android.contacts/profile/as_vcard
308 | - adb shell content query --uri content://com.android.contacts/stream_items
309 | - adb shell content query --uri content://com.android.contacts/stream_items/photo
310 | - adb shell content query --uri content://com.android.contacts/stream_items_limit
311 | - adb shell content query --uri content://com.android.contacts/data
312 | - adb shell content query --uri content://com.android.contacts/raw_contact_entities
313 | - adb shell content query --uri content://com.android.contacts/profile/raw_contact_entities
314 | - adb shell content query --uri content://com.android.contacts/status_updates
315 | - adb shell content query --uri content://com.android.contacts/data/phones
316 | - adb shell content query --uri content://com.android.contacts/data/phones/filter
317 | - adb shell content query --uri content://com.android.contacts/data/emails/lookup
318 | - adb shell content query --uri content://com.android.contacts/data/emails/filter
319 | - adb shell content query --uri content://com.android.contacts/data/emails
320 | - adb shell content query --uri content://com.android.contacts/data/postals
321 | - adb shell content query --uri content://com.android.contacts/groups
322 | - adb shell content query --uri content://com.android.contacts/groups_summary
323 | - adb shell content query --uri content://com.android.contacts/aggregation_exceptions
324 | - adb shell content query --uri content://com.android.contacts/settings
325 | - adb shell content query --uri content://com.android.contacts/provider_status
326 | - adb shell content query --uri content://com.android.contacts/photo_dimensions
327 | - adb shell content query --uri content://com.android.contacts/deleted_contacts
328 | - adb shell content query --uri content://downloads/my_downloads
329 | - adb shell content query --uri content://downloads/download
330 | - adb shell content query --uri content://media/external/file
331 | - adb shell content query --uri content://media/external/images/media
332 | - adb shell content query --uri content://media/external/images/thumbnails
333 | - adb shell content query --uri content://media/external/audio/media
334 | - adb shell content query --uri content://media/external/audio/genres
335 | - adb shell content query --uri content://media/external/audio/playlists
336 | - adb shell content query --uri content://media/external/audio/artists
337 | - adb shell content query --uri content://media/external/audio/albums
338 | - adb shell content query --uri content://media/external/video/media
339 | - adb shell content query --uri content://media/external/video/thumbnails
340 | - adb shell content query --uri content://media/internal/file
341 | - adb shell content query --uri content://media/internal/images/media
342 | - adb shell content query --uri content://media/internal/images/thumbnails
343 | - adb shell content query --uri content://media/internal/audio/media
344 | - adb shell content query --uri content://media/internal/audio/genres
345 | - adb shell content query --uri content://media/internal/audio/playlists
346 | - adb shell content query --uri content://media/internal/audio/artists
347 | - adb shell content query --uri content://media/internal/audio/albums
348 | - adb shell content query --uri content://media/internal/video/media
349 | - adb shell content query --uri content://media/internal/video/thumbnails
350 | - adb shell content query --uri content://settings/system
351 | - adb shell content query --uri content://settings/system/ringtone
352 | - adb shell content query --uri content://settings/system/alarm_alert
353 | - adb shell content query --uri content://settings/system/notification_sound
354 | - adb shell content query --uri content://settings/secure
355 | - adb shell content query --uri content://settings/global
356 | - adb shell content query --uri content://settings/bookmarks
357 | - adb shell content query --uri content://com.google.settings/partner
358 | - adb shell content query --uri content://nwkinfo/nwkinfo/carriers
359 | - adb shell content query --uri content://com.android.settings.personalvibration.PersonalVibrationProvider/
360 | - adb shell content query --uri content://settings/system/bluetooth_devices
361 | - adb shell content query --uri content://settings/system/powersavings_appsettings
362 | - adb shell content query --uri content://user_dictionary/words
363 | - adb shell content query --uri content://browser/bookmarks
364 | - adb shell content query --uri content://browser/searches
365 | - adb shell content query --uri content://com.android.browser
366 | - adb shell content query --uri content://com.android.browser/accounts
367 | - adb shell content query --uri content://com.android.browser/accounts/account_name
368 | - adb shell content query --uri content://com.android.browser/accounts/account_type
369 | - adb shell content query --uri content://com.android.browser/accounts/sourceid
370 | - adb shell content query --uri content://com.android.browser/settings
371 | - adb shell content query --uri content://com.android.browser/syncstate
372 | - adb shell content query --uri content://com.android.browser/images
373 | - adb shell content query --uri content://com.android.browser/image_mappings
374 | - adb shell content query --uri content://com.android.browser/bookmarks
375 | - adb shell content query --uri content://com.android.browser/bookmarks/folder
376 | - adb shell content query --uri content://com.android.browser/history
377 | - adb shell content query --uri content://com.android.browser/bookmarks/search_suggest_query
378 | - adb shell content query --uri content://com.android.browser/searches
379 | - adb shell content query --uri content://com.android.browser/combined
380 |
381 | Option 10 - Extract system dump (no root)
382 |
383 | - Option 6 + Option 7 + Option 8
384 |
385 |
--------------------------------------------------------------------------------
/android_triage.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # android_triage
4 | # Mattia Epifani && Giovanni Rattaro
5 | # 20220210 V1.5
6 | #
7 | # This program is free software: you can redistribute it and/or modify
8 | # it under the terms of the GNU General Public License as published by
9 | # the Free Software Foundation, either version 3 of the License, or
10 | # (at your option) any later version.
11 | #
12 | # This program is distributed in the hope that it will be useful,
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 | # GNU General Public License for more details.
16 | #
17 | # You should have received a copy of the GNU General Public License
18 | # along with this program. If not, see <https://www.gnu.org/licenses/>.
19 | #
20 | #####################################################################
21 | # MANDATORY REQUIREMENTS
22 | #####################################################################
23 | #
24 | # - adb
25 | # - dialog
26 | #
27 | #####################################################################
28 | # REFERENCES
29 | #####################################################################
30 | #
31 | # - Android Live Info by Magpol
32 | # https://github.com/Magpol/AndroidLiveInfo
33 | # - Foroboto by Chapin Bryce
34 | # https://github.com/chapinb/foroboto
35 | # - ADB-Export by sromku
36 | # https://github.com/sromku/adb-export
37 | #
38 | #####################################################################
39 | # SPECIAL THANKS
40 | #####################################################################
41 | #
42 | # - ydkhatri for adding -keyvalue to the adb backups
43 | # - upintheairsheep for adding -obb to the adb backups
44 | # - haxom for suggesting a fix
45 | #
46 | #####################################################################
47 |
# Refresh the global NOW with a filesystem-safe timestamp (YYYYMMDD_HH_MM_SS).
# Every acquisition directory and log line is stamped with this value.
time_update() {
  NOW="$(date '+%Y%m%d_%H_%M_%S')"
}
49 |
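#######################################
# Locate the host tools the script depends on.
# Globals:   ADB (written) - path of the adb binary to use (PATH or ./adb)
# Exits:     1 when dialog or adb cannot be found
#######################################
check_tools() {
  local tool="adb"

  # dialog renders every message box, including the "adb not found" one
  # below, so its absence has to be reported on plain stderr.
  if ! command -v dialog >/dev/null 2>&1; then
    printf '%s\n' "dialog NOT FOUND! It's not possible to use android_triage script" >&2
    exit 1
  fi

  if command -v "$tool" >/dev/null 2>&1; then
    ADB="$(command -v "$tool")"
  elif [[ -x "./$tool" ]]; then
    # Fallback for a platform-tools binary dropped next to the script;
    # it must be executable to be of any use.
    ADB="./$tool"
  else
    clear && dialog --title "Android triage" --msgbox "$tool NOT FOUND! It's not possible to use android_triage script" 6 45
    # Non-zero so a wrapper can tell the run never started.
    exit 1
  fi
}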
63 |
#######################################
# Initialise the script-wide variables: version string, the adb command
# prefixes and the connected device's android_id.
# Globals:   ADB (read); VERSION, SHELL_COMMAND, BACKUP_COMMAND,
#            PULL_COMMAND, BUGREPORT_COMMAND, ANDROID_ID (written)
#######################################
set_var() {
  VERSION="1.5 - 20221028"

  # Command prefixes; callers expand them unquoted so that
  # "<adb> shell" splits into the binary and its sub-command.
  local adb_bin="${ADB}"
  SHELL_COMMAND="$adb_bin shell"
  BACKUP_COMMAND="$adb_bin backup"
  PULL_COMMAND="$adb_bin pull"
  BUGREPORT_COMMAND="$adb_bin bugreport"

  # Stays empty when no device answers; check_device tests for that.
  ANDROID_ID="$($SHELL_COMMAND settings get secure android_id)"
}
78 |
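#######################################
# Build the per-acquisition output paths. Everything lives under a
# directory named after the device's android_id and carries a fresh
# timestamp, so repeated runs never overwrite each other.
# Globals:   ANDROID_ID (read); NOW, SPATH and every *_DIR / *_FILE
#            variable assigned below (written)
#######################################
set_path() {
  clear
  # Deliberately not chained with '&&' after clear: the timestamp must be
  # refreshed even when clear fails (e.g. TERM unset), otherwise NOW is
  # stale or empty and the directory names below are wrong.
  time_update

  # Root of all output for this device
  SPATH="${ANDROID_ID}"

  # Device information
  INFO_DIR="${SPATH}/${NOW}_info"
  INFO_TXT_FILE="${INFO_DIR}/device_info.txt"

  # Live commands execution
  LIVE_DIR="${SPATH}/${NOW}_live"
  LIVE_LOG_FILE="${LIVE_DIR}/log_live_acquisition.txt"

  # Package manager execution
  PM_DIR="${SPATH}/${NOW}_package_manager"
  PM_LOG_FILE="${PM_DIR}/log_pm_acquisition.txt"

  # DUMPSYS acquisition
  DUMPSYS_DIR="${SPATH}/${NOW}_dumpsys"
  DUMPSYS_LOG_FILE="${DUMPSYS_DIR}/log_dumpsys_acquisition.txt"

  # SDCARD acquisition
  SDCARD_DIR="${SPATH}/${NOW}_sdcard"
  SDCARD_LOG_FILE="${SDCARD_DIR}/log_sdcard_acquisition.txt"

  # SYSTEM acquisition
  SYSTEM_DIR="${SPATH}/${NOW}_system"
  SYSTEM_LOG_FILE="${SYSTEM_DIR}/log_system_acquisition.txt"

  # ADB backup ('private' image)
  BACKUP_DIR="${SPATH}/${NOW}_backup"

  # APKs
  APK_DIR="${SPATH}/${NOW}_apk"
  APK_LOG_FILE="${APK_DIR}/log_apk_acquisition.txt"

  # Content providers
  CONTENTPROVIDER_DIR="${SPATH}/${NOW}_contentprovider"
  CONTENTPROVIDER_LOG_FILE="${CONTENTPROVIDER_DIR}/${NOW}_contentprovider.txt"

  # File system dump
  ALL_DIR="${SPATH}/${NOW}_filesystem"
  ALL_LOG_FILE="${ALL_DIR}/log_filesystem_acquisition.txt"
}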
124 |
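#######################################
# Abort when no device answered the android_id query done in set_var.
# Globals:   ANDROID_ID (read)
# Exits:     1 when ANDROID_ID is empty
#######################################
check_device() {
  if [[ -z "$ANDROID_ID" ]]; then
    clear
    dialog --title "android triage" --msgbox "NO DEVICE CONNECTED!" 5 24
    clear
    # Separate statements, not an '&&' chain: the exit must happen even if
    # clear or dialog fail, and a non-zero status lets a caller notice.
    exit 1
  fi
}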
130 |
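#######################################
# Read one system property from the device.
# Globals:   SHELL_COMMAND (read)
# Arguments: $1 - property name (e.g. ro.product.model)
# Outputs:   the property value on stdout (empty when unset)
#######################################
device_prop() {
  # shellcheck disable=SC2086  # "adb shell" must split into two words
  $SHELL_COMMAND getprop "$1"
}

#######################################
# Option 1: collect basic device information (properties, settings,
# IMEI, root and encryption state) into INFO_DIR and show a summary.
# Globals:   SHELL_COMMAND, ANDROID_ID, NOW (read);
#            INFO_DIR, INFO_TXT_FILE and the device-info variables (written)
# Outputs:   getprop.txt, settings_*.txt and device_info.txt in INFO_DIR
#######################################
# shellcheck disable=SC2086  # SHELL_COMMAND is expanded unquoted on purpose
info_collect() {
  set_path
  mkdir -p "$INFO_DIR"
  $SHELL_COMMAND getprop > "${INFO_DIR}"/getprop.txt
  $SHELL_COMMAND settings list system > "${INFO_DIR}"/settings_system.txt
  $SHELL_COMMAND settings list secure > "${INFO_DIR}"/settings_secure.txt
  $SHELL_COMMAND settings list global > "${INFO_DIR}"/settings_global.txt

  PRODUCT=$(device_prop ro.product.model)
  MANUFACTURER=$(device_prop ro.product.manufacturer)
  echo "[*] Dumping info from ${MANUFACTURER} ${PRODUCT}"
  AIRPLANE_MODE=$($SHELL_COMMAND settings get global airplane_mode_on)
  ANDROID_SERIAL_NUMBER=$(device_prop ro.serialno)
  FINGERPRINT=$(device_prop ro.build.fingerprint)
  ANDROID_VERSION=$(device_prop ro.build.version.release)
  BUILD_DATE=$(device_prop ro.build.date)
  BUILD_ID=$(device_prop ro.build.id)
  BOOTLOADER=$(device_prop ro.boot.bootloader)
  SECURITY_PATCH=$(device_prop ro.build.version.security_patch)
  BLUETOOTH_MAC=$($SHELL_COMMAND settings get secure bluetooth_address)
  BLUETOOTH_NAME=$($SHELL_COMMAND settings get secure bluetooth_name)
  TIMEZONE=$(device_prop persist.sys.timezone)
  DEVICE=$(device_prop ro.product.device)
  NAME=$(device_prop ro.product.name)
  PRODUCT_CODE=$(device_prop ro.product.code)
  CHIPNAME=$(device_prop ro.chipname)
  SERIAL_NUMBER=$(device_prop ril.serialnumber)
  BASEBAND_VERSION=$(device_prop gsm.version.baseband)
  COUNTRY_CODE=$(device_prop ro.csc.country_code)
  USB_CONFIGURATION=$(device_prop persist.sys.usb.config)
  STORAGE_SIZE=$(device_prop storage.mmc.size)
  NOTIFICATION_SOUND=$(device_prop ro.config.notification_sound)
  ALARM_ALERT=$(device_prop ro.config.alarm_alert)
  RINGTONE=$(device_prop ro.config.ringtone)
  # Previously queried "rro.config.media_sound", presumably a typo of the
  # Samsung property ro.config.media_sound (same family as the three above).
  MEDIA_SOUND=$(device_prop ro.config.media_sound)
  DEVICE_TIME=$($SHELL_COMMAND date)
  ENCRYPTION=$(device_prop ro.crypto.state)
  UPTIME=$($SHELL_COMMAND uptime -s)

  # Only ask for the crypto type when the device does not report itself
  # as "unencrypted". The earlier pattern was misspelled ("unecrypted"),
  # so it never matched and the type was always queried.
  ENCRYPTION_TYPE="none"
  if [[ ! ${ENCRYPTION} =~ "unencrypted" ]]; then
    ENCRYPTION_TYPE=$(device_prop ro.crypto.type)
  fi

  # First try the "Device ID" line of dumpsys. The digits need -E: in
  # basic-regex mode '+' is a literal, so '[0-9]+' never matched and
  # every device silently fell through to the service call below.
  IMEI=$($SHELL_COMMAND dumpsys iphonesubinfo | grep 'Device ID' | grep -oE '[0-9]+')
  if [[ -z ${IMEI} ]]; then
    # The parcel dump prints the string in quoted fragments; strip the
    # header line and the dots and join the fragments.
    IMEI=$($SHELL_COMMAND service call iphonesubinfo 1 | awk -F "'" '{print $2}' | sed '1 d' | tr -d '.' | awk '{print}' ORS=)
  fi

  # Go through SHELL_COMMAND (not a bare "adb") so the ./adb fallback from
  # check_tools works here too. su is usually absent: hide its error.
  if [[ $($SHELL_COMMAND id) =~ "root" ]] || [[ $($SHELL_COMMAND su -c id 2>/dev/null) =~ "root" ]]; then
    ROOT="Device is ROOTED!"
  else
    ROOT="Device is NOT ROOTED"
  fi

  dialog --title "android triage" --msgbox "\n
[*] Dumping info from ${MANUFACTURER} ${PRODUCT} \n
[*] Android_id: ${ANDROID_ID} \n
[*] Android Serial number: ${ANDROID_SERIAL_NUMBER} \n
[*] Serial number: ${SERIAL_NUMBER} \n
[*] IMEI: ${IMEI} \n
[*] Android version: ${ANDROID_VERSION} \n
[*] Chipname: ${CHIPNAME} \n
[*] Build date: ${BUILD_DATE} \n
[*] Security Patch: ${SECURITY_PATCH} \n
[*] Timezone: ${TIMEZONE} \n
[*] ${ROOT} \n
[*] Device is ${ENCRYPTION} \n
[*] Encryption type: ${ENCRYPTION_TYPE}" 20 70

  # Baseband version and country code were collected but never written
  # before; they are now part of the report.
  cat > "$INFO_TXT_FILE" <<EOF
[*]
[*] Dumping info from device ${MANUFACTURER} ${PRODUCT}
[*] Android_id: ${ANDROID_ID}
[*] Android Serial number: ${ANDROID_SERIAL_NUMBER}
[*] Serial number: ${SERIAL_NUMBER}
[*] IMEI: ${IMEI}
[*] Android version: ${ANDROID_VERSION}
[*] Product Code: ${PRODUCT_CODE}
[*] Product Device: ${DEVICE}
[*] Product Name: ${NAME}
[*] Chipname: ${CHIPNAME}
[*] Baseband version: ${BASEBAND_VERSION}
[*] Android fingerprint: ${FINGERPRINT}
[*] Build date: ${BUILD_DATE}
[*] Build ID: ${BUILD_ID}
[*] Bootloader: ${BOOTLOADER}
[*] Security Patch: ${SECURITY_PATCH}
[*] Bluetooth_address: ${BLUETOOTH_MAC}
[*] Bluetooth_name: ${BLUETOOTH_NAME}
[*] Timezone: ${TIMEZONE}
[*] Country code: ${COUNTRY_CODE}
[*] USB Configuration: ${USB_CONFIGURATION}
[*] Storage Size: ${STORAGE_SIZE}
[*] Notification sound: ${NOTIFICATION_SOUND}
[*] Alarm alert: ${ALARM_ALERT}
[*] Ringtone: ${RINGTONE}
[*] Media sound: ${MEDIA_SOUND}
[*] Uptime since: ${UPTIME}
[*] Device time: ${DEVICE_TIME}
[*] Acquisition time: ${NOW}
[*] ${ROOT}
[*] Device is ${ENCRYPTION}
EOF

  if [[ ! ${ENCRYPTION_TYPE} =~ "none" ]]; then
    echo "[*] Encryption type: ${ENCRYPTION_TYPE}" >> "$INFO_TXT_FILE"
  fi
  if [[ ${AIRPLANE_MODE} = "1" ]]; then
    echo "[*] Airplane mode is ON" >> "$INFO_TXT_FILE"
  else
    echo "[*] Airplane mode is OFF" >> "$INFO_TXT_FILE"
  fi

  clear && dialog --title "android triage" --msgbox "DEVICE INFO acquisition completed" 5 40
  menu
}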
244 |
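#######################################
# Run one live command on the device and save its output.
# Globals:   SHELL_COMMAND, LIVE_DIR (read)
# Arguments: $1 - output file name inside LIVE_DIR; $2.. - device command
# Outputs:   echoes the command being run; writes LIVE_DIR/$1
#######################################
live_cmd() {
  local outfile="$1"
  shift
  # shellcheck disable=SC2086  # "adb shell" must split into two words
  echo "[*] $*" && $SHELL_COMMAND "$@" > "${LIVE_DIR}/${outfile}"
}

#######################################
# Option 2: execute the live (volatile state) commands on the device.
# Globals:   LIVE_DIR, LIVE_LOG_FILE, NOW (read; set by set_path)
# Outputs:   one file per command in LIVE_DIR plus the acquisition log
#######################################
live_commands() {
  set_path
  mkdir -p "$LIVE_DIR"
  echo -e "[*]\n[*]"
  echo "[*] This option executes 20 live commands on the device. The executions should take about 20 seconds"
  echo -e "[*]\n[*]"
  # Log path quoted (was bare): a path containing spaces would be split.
  echo "[*] LIVE Acquisition started at ${NOW}" | tee "$LIVE_LOG_FILE"
  echo -e "[*]\n[*]"
  echo "[*] Executing live commands"
  live_cmd id.txt id
  live_cmd uname-a.txt uname -a
  live_cmd kernel_version.txt cat /proc/version
  live_cmd uptime.txt uptime
  live_cmd printenv.txt printenv
  live_cmd partitions.txt cat /proc/partitions
  live_cmd cpuinfo.txt cat /proc/cpuinfo
  live_cmd diskstats.txt cat /proc/diskstats
  live_cmd df.txt df
  live_cmd df-ah.txt df -ah
  live_cmd mount.txt mount
  live_cmd ip_wlan0.txt ip address show wlan0
  live_cmd ifconfig-a.txt ifconfig -a
  live_cmd netstat-an.txt netstat -an
  live_cmd lsof.txt lsof
  live_cmd ps-ef.txt ps -ef
  live_cmd top.txt top -n 1
  live_cmd proc_sched_debug.txt cat /proc/sched_debug
  live_cmd vmstat.txt vmstat
  live_cmd sysctl-a.txt sysctl -a
  live_cmd ime_list.txt ime list
  live_cmd service_list.txt service list
  live_cmd logcat-S-b_all.txt logcat -S -b all
  # 'V:*' is quoted so the host shell cannot expand it as a glob against
  # the current directory before it reaches the device.
  live_cmd logcat-d-b-all_V.txt logcat -d -b all 'V:*'
  echo -e "[*]\n[*]"

  time_update
  echo "[*] LIVE Acquisition completed at ${NOW}" | tee -a "$LIVE_LOG_FILE"

  clear && dialog --title "android triage" --msgbox "LIVE Acquisition completed at ${NOW}" 6 34
  menu
}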
286 |
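#######################################
# Run one package-manager command on the device and save its output.
# Globals:   SHELL_COMMAND, PM_DIR (read)
# Arguments: $1 - output file name inside PM_DIR; $2.. - device command
# Outputs:   echoes the command being run; writes PM_DIR/$1
#######################################
pm_cmd() {
  local outfile="$1"
  shift
  # shellcheck disable=SC2086  # "adb shell" must split into two words
  echo "[*] $*" && $SHELL_COMMAND "$@" > "${PM_DIR}/${outfile}"
}

#######################################
# Option 3: execute the package manager ('pm') commands.
# Globals:   PM_DIR, PM_LOG_FILE, NOW (read; set by set_path)
# Outputs:   one file per command in PM_DIR plus the acquisition log
#######################################
package_manager_commands() {
  set_path
  mkdir -p "$PM_DIR"

  echo -e "[*]\n[*]"
  echo "[*] This option executes 7 'pm' commands. The execution should take about 30 seconds"
  echo -e "[*]\n[*]"
  time_update
  # Log path quoted (was bare): a path containing spaces would be split.
  echo "[*] PACKAGE MANAGER Acquisition started at ${NOW}" | tee "$PM_LOG_FILE"
  echo -e "[*]\n[*]"
  echo "[*] Executing pm commands"
  pm_cmd pm_get_max_users.txt pm get-max-users
  pm_cmd pm_list_users.txt pm list users
  pm_cmd pm_list_features.txt pm list features
  pm_cmd pm_list_permission_groups.txt pm list permission-groups
  pm_cmd pm_list_instrumentation.txt pm list instrumentation
  pm_cmd pm_list_libraries-f.txt pm list libraries -f
  pm_cmd pm_list_packages-f.txt pm list packages -f
  pm_cmd pm_list_packages-d.txt pm list packages -d
  pm_cmd pm_list_packages-e.txt pm list packages -e
  pm_cmd pm_list_packages-f-u.txt pm list packages -f -u
  pm_cmd pm_list_permissions-f.txt pm list permissions -f
  pm_cmd uiderrors.txt cat /data/system/uiderrors.txt

  # Per-package dump, kept disabled as in the original (slow on devices
  # with many packages). If re-enabled, iterate with a while/read loop
  # rather than word-splitting the command substitution.
  #mkdir -p "$PM_DIR/package_dump"
  #while IFS= read -r pkg; do
  #  pm_cmd "package_dump/${pkg}_dump.txt" pm dump "$pkg"
  #done < <($SHELL_COMMAND pm list packages | sed 's/package://')
  #echo -e "[*]\n[*]"

  time_update
  echo "[*] PACKAGE MANAGER Acquisition completed at ${NOW}" | tee -a "$PM_LOG_FILE"

  clear && dialog --title "android triage" --msgbox "PACKAGE MANAGER Acquisition completed at ${NOW}" 6 40
  menu
}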
324 |
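#######################################
# Menu option: pull /sdcard from the device, pack it as a tar and hash it.
# Globals:   SDCARD_DIR, SDCARD_LOG_FILE, PULL_COMMAND (read); NOW (read, refreshed by time_update)
# Outputs:   $SDCARD_DIR/sdcard (pulled tree), $SDCARD_DIR/sdcard.tar,
#            pull/tar/hash output appended to $SDCARD_LOG_FILE
# Returns:   does not return normally - ends by calling menu
#######################################
sdcard () {
  set_path
  mkdir -p "$SDCARD_DIR"
  echo -e "[*]\n[*]"
  echo "[*] This option extracts files from /sdcard"
  echo -e "[*]\n[*]"
  time_update  # refresh NOW so the start timestamp is not a stale value from an earlier option
  echo "[*] SDCARD acquisition started at ${NOW}" | tee "$SDCARD_LOG_FILE"
  echo -e "[*]\n[*]"
  echo -e "[*]\n[*]"
  mkdir -p "${SDCARD_DIR}/sdcard"
  # PULL_COMMAND is intentionally unquoted: it holds a multi-word adb invocation.
  $PULL_COMMAND /sdcard/ "${SDCARD_DIR}/" >> "$SDCARD_LOG_FILE"
  echo "[*] Creating TAR file"
  # tar diagnostics (unreadable or vanished files) are part of the acquisition
  # record, so they go to the log instead of being discarded.
  tar -cvf "$SDCARD_DIR"/sdcard.tar -C "${SDCARD_DIR}" sdcard >> "$SDCARD_LOG_FILE" 2>&1
  time_update
  echo -e "[*]\n[*]"
  echo "[*] SDCARD acquisition completed at ${NOW}" | tee -a "$SDCARD_LOG_FILE"
  echo -e "[*]\n[*]"
  echo "[*] Calculating SHA hash"
  shasum "$SDCARD_DIR"/sdcard.tar >> "$SDCARD_LOG_FILE" 2>&1

  clear && dialog --title "android triage" --msgbox "SDCARD acquisition completed at ${NOW}" 6 40
  menu
}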
348 |
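#######################################
# Run one 'dumpsys' invocation on the device and store its output.
# Globals:   SHELL_COMMAND, DUMPSYS_DIR (read)
# Arguments: $1    - output file name, relative to $DUMPSYS_DIR
#            $2... - arguments handed to 'dumpsys' (service name and flags)
# Outputs:   one progress line on stdout; dumpsys output in $DUMPSYS_DIR/$1
#######################################
_dumpsys_to_file () {
  local out_name=$1
  shift
  # "${*:+ $*}" keeps the progress line free of a trailing space when no args are given.
  printf '[*] dumpsys%s\n' "${*:+ $*}"
  # SHELL_COMMAND is intentionally unquoted: it holds a multi-word adb invocation.
  $SHELL_COMMAND dumpsys "$@" > "$DUMPSYS_DIR"/"$out_name"
}

#######################################
# Menu option: collect a bugreport, a wide set of 'dumpsys' services,
# 'telecom' settings and per-package 'appops' from the device.
# Globals:   DUMPSYS_DIR, DUMPSYS_LOG_FILE, SHELL_COMMAND, BUGREPORT_COMMAND (read);
#            NOW (read, refreshed by time_update);
#            F_PKG_NAMES, F_PKG_SIZE, F_DAT_SIZE, F_CACHE_SIZE, F_OUTPUT (written)
# Outputs:   one file per command under $DUMPSYS_DIR, appops files under
#            $DUMPSYS_DIR/appops, start/end timestamps in $DUMPSYS_LOG_FILE
# Returns:   does not return normally - ends by calling menu
#######################################
dumpsys () {
  local pkg pkg_size dat_size csh_size
  set_path
  mkdir -p "$DUMPSYS_DIR"
  echo -e "[*]\n[*]"
  echo "[*] This option extracts bugreport, dumpsys and appops information"
  echo -e "[*]\n[*]"
  time_update  # refresh NOW so the start timestamp is not a stale value from an earlier option
  echo "[*] DUMPSYS acquisition started at ${NOW}" | tee "$DUMPSYS_LOG_FILE"
  echo -e "[*]\n[*]"
  echo -e "[*]\n[*]"
  echo "[*] Executing bugreport and dumpsys commands"
  echo "[*] bugreport" && $BUGREPORT_COMMAND "$DUMPSYS_DIR"/bugreport.zip
  _dumpsys_to_file dumpsys.txt
  _dumpsys_to_file dumpsys-l.txt -l
  _dumpsys_to_file dumpsys_account.txt account
  # output file name kept as-is (historic typo) so existing tooling still finds it
  _dumpsys_to_file dumpsys_accessiblity.txt accessibility
  _dumpsys_to_file dumpsys_activity.txt activity
  _dumpsys_to_file dumpsys_alarm.txt alarm
  _dumpsys_to_file dumpsys_app_binding.txt app_binding
  _dumpsys_to_file dumpsys_app_hibernation.txt app_hibernation
  _dumpsys_to_file dumpsys_application_policy.txt application_policy
  _dumpsys_to_file dumpsys_appwidget.txt appwidget
  _dumpsys_to_file dumpsys_appops.txt appops
  _dumpsys_to_file dumpsys_audio.txt audio
  _dumpsys_to_file dumpsys_autofill.txt autofill
  _dumpsys_to_file dumpsys_backup.txt backup
  _dumpsys_to_file dumpsys_battery.txt battery
  _dumpsys_to_file dumpsys_batteryproperties.txt batteryproperties
  _dumpsys_to_file dumpsys_batterystats.txt batterystats
  _dumpsys_to_file dumpsys_batterystats-c.txt batterystats -c
  _dumpsys_to_file dumpsys_biometric.txt biometric
  _dumpsys_to_file dumpsys_blob_store.txt blob_store
  _dumpsys_to_file dumpsys_bluetooth_manager.txt bluetooth_manager
  # Boot / airplane-mode events are filtered out of the bluetooth dump into their own file.
  echo "[*] dumpsys bluetooth_manager | grep 'BOOT_COMPLETED\|AIRPLANE'" && $SHELL_COMMAND dumpsys bluetooth_manager | grep 'BOOT_COMPLETED\|AIRPLANE' > "$DUMPSYS_DIR"/dumpsys_bluetooth_manager_boot.txt
  _dumpsys_to_file dumpsys_cacheinfo.txt cacheinfo
  _dumpsys_to_file dumpsys_carrier_config.txt carrier_config
  _dumpsys_to_file dumpsys_clipboard.txt clipboard
  _dumpsys_to_file dumpsys_color_display.txt color_display
  _dumpsys_to_file dumpsys_connectivity.txt connectivity
  _dumpsys_to_file dumpsys_connmetrics.txt connmetrics
  _dumpsys_to_file dumpsys_content.txt content
  _dumpsys_to_file dumpsys_content_capture.txt content_capture
  _dumpsys_to_file dumpsys_cover.txt cover
  _dumpsys_to_file dumpsys_cpuinfo.txt cpuinfo
  _dumpsys_to_file dumpsys_desktopmode.txt desktopmode
  _dumpsys_to_file dumpsys_dbinfo.txt dbinfo
  # 'dbinfo -v' gets its own file; it previously overwrote dumpsys_dbinfo.txt.
  _dumpsys_to_file dumpsys_dbinfo-v.txt dbinfo -v
  _dumpsys_to_file dumpsys_device_policy.txt device_policy
  _dumpsys_to_file dumpsys_device_state.txt device_state
  _dumpsys_to_file dumpsys_devicestoragemonitor.txt devicestoragemonitor
  _dumpsys_to_file dumpsys_diskstats.txt diskstats

  # Process dumpsys diskstats into a per-package size report - See here https://android.stackexchange.com/questions/220442/obtaining-app-storage-details-via-adb
  F_PKG_NAMES="$DUMPSYS_DIR"/package_names.txt
  F_PKG_SIZE="$DUMPSYS_DIR"/app_pkg_sizes.txt
  F_DAT_SIZE="$DUMPSYS_DIR"/app_data_sizes.txt
  F_CACHE_SIZE="$DUMPSYS_DIR"/app_cache_sizes.txt
  F_OUTPUT="$DUMPSYS_DIR"/dumpsys_diskstats_ordered.txt
  # Each diskstats line is a JSON-style list "Key: [a, b, c]"; split it one value per
  # line with tr (portable, BSD sed does not understand \n in a replacement) and strip
  # the brackets and quotes.
  sed -n '/Package Names:/p' "$DUMPSYS_DIR"/dumpsys_diskstats.txt | tr ',' '\n' | sed -e 's/"//g' -e 's/.*\[//g' -e 's/\].*//g' > "$F_PKG_NAMES"
  sed -n '/App Sizes:/p' "$DUMPSYS_DIR"/dumpsys_diskstats.txt | tr ',' '\n' | sed -e 's/.*\[//g' -e 's/\].*//g' > "$F_PKG_SIZE"
  sed -n '/App Data Sizes:/p' "$DUMPSYS_DIR"/dumpsys_diskstats.txt | tr ',' '\n' | sed -e 's/.*\[//g' -e 's/\].*//g' > "$F_DAT_SIZE"
  sed -n '/Cache Sizes:/p' "$DUMPSYS_DIR"/dumpsys_diskstats.txt | tr ',' '\n' | sed -e 's/.*\[//g' -e 's/\].*//g' > "$F_CACHE_SIZE"

  # Printing package names and their sizes: the four lists are positionally aligned,
  # so join them line by line instead of re-reading each file per package.
  : > "$F_OUTPUT"  # start fresh so a re-run does not append to an older report
  paste -d '	' "$F_PKG_NAMES" "$F_PKG_SIZE" "$F_DAT_SIZE" "$F_CACHE_SIZE" \
    | while IFS=$'\t' read -r pkg pkg_size dat_size csh_size; do
      [[ -n "$pkg" ]] || continue
      # a missing size (shorter list) counts as 0 instead of breaking the arithmetic
      pkg_size=${pkg_size:-0}
      dat_size=${dat_size:-0}
      csh_size=${csh_size:-0}
      printf 'Package Name: %s\n' "$pkg" >> "$F_OUTPUT"
      printf '\t Package Size=%s bytes\n' "$pkg_size" >> "$F_OUTPUT"
      printf '\t Data Size=%s bytes\n' "$dat_size" >> "$F_OUTPUT"
      printf '\t Cache Size=%s bytes\n' "$csh_size" >> "$F_OUTPUT"
      printf '\t Total Size=%s bytes\n\n' "$(( pkg_size + dat_size + csh_size ))" >> "$F_OUTPUT"
    done
  rm -f -- "$F_PKG_NAMES" "$F_PKG_SIZE" "$F_DAT_SIZE" "$F_CACHE_SIZE"

  _dumpsys_to_file dumpsys_display.txt display
  _dumpsys_to_file dumpsys_dropbox.txt dropbox
  _dumpsys_to_file dumpsys_gfxinfo.txt gfxinfo
  _dumpsys_to_file dumpsys_graphicsstats.txt graphicsstats
  _dumpsys_to_file dumpsys_hardware_properties.txt hardware_properties
  # output file names for 'input' and 'isub' kept as-is for compatibility with existing tooling
  _dumpsys_to_file dumpsys_hardware_input.txt input
  _dumpsys_to_file dumpsys_hardware_isub.txt isub
  _dumpsys_to_file dumpsys_iphonesubinfo.txt iphonesubinfo
  _dumpsys_to_file dumpsys_jobscheduler.txt jobscheduler
  _dumpsys_to_file dumpsys_launcherapps.txt launcherapps
  _dumpsys_to_file dumpsys_location.txt location
  _dumpsys_to_file dumpsys_lock_settings.txt lock_settings
  # '-t 60' raises the per-process timeout: meminfo -a is slow on busy devices
  _dumpsys_to_file dumpsys_meminfo-a.txt meminfo -t 60 -a
  _dumpsys_to_file dumpsys_meminfo-a-c.txt meminfo -t 60 -a -c
  _dumpsys_to_file dumpsys_mount.txt mount
  _dumpsys_to_file dumpsys_netpolicy.txt netpolicy
  _dumpsys_to_file dumpsys_netstats.txt netstats
  _dumpsys_to_file dumpsys_netstats_detail.txt netstats detail
  _dumpsys_to_file dumpsys_network_management.txt network_management
  _dumpsys_to_file dumpsys_network_score.txt network_score
  _dumpsys_to_file dumpsys_notification.txt notification
  _dumpsys_to_file dumpsys_notification_noredact.txt notification --noredact
  _dumpsys_to_file dumpsys_overlay.txt overlay
  _dumpsys_to_file dumpsys_package.txt package
  _dumpsys_to_file dumpsys_password_policy.txt password_policy
  _dumpsys_to_file dumpsys_permission.txt permission
  _dumpsys_to_file dumpsys_permissionmgr.txt permissionmgr
  _dumpsys_to_file dumpsys_phone.txt phone
  _dumpsys_to_file dumpsys_power.txt power
  _dumpsys_to_file dumpsys_print.txt print
  _dumpsys_to_file dumpsys_procstats--full-details.txt procstats --full-details
  _dumpsys_to_file dumpsys_procstats--full-details-c.txt procstats --full-details -c
  _dumpsys_to_file dumpsys_restriction_policy.txt restriction_policy
  _dumpsys_to_file dumpsys_role.txt role
  _dumpsys_to_file dumpsys_rollback.txt rollback
  _dumpsys_to_file dumpsys_sdhms.txt sdhms
  _dumpsys_to_file dumpsys_sec_location.txt sec_location
  _dumpsys_to_file dumpsys_secims.txt secims
  _dumpsys_to_file dumpsys_search.txt search
  _dumpsys_to_file dumpsys_sensorservice.txt sensorservice
  _dumpsys_to_file dumpsys_settings.txt settings
  _dumpsys_to_file dumpsys_shortcut.txt shortcut
  _dumpsys_to_file dumpsys_stats.txt stats
  _dumpsys_to_file dumpsys_statusbar.txt statusbar
  _dumpsys_to_file dumpsys_storaged.txt storaged
  _dumpsys_to_file dumpsys_telecom.txt telecom
  _dumpsys_to_file dumpsys_thermalservice.txt thermalservice
  _dumpsys_to_file dumpsys_time_detector.txt time_detector
  _dumpsys_to_file dumpsys_time_zone_detector.txt time_zone_detector
  _dumpsys_to_file dumpsys_usagestats.txt usagestats
  _dumpsys_to_file dumpsys_user.txt user
  _dumpsys_to_file dumpsys_usb.txt usb
  _dumpsys_to_file dumpsys_vibrator.txt vibrator
  _dumpsys_to_file dumpsys_voip.txt voip
  _dumpsys_to_file dumpsys_wallpaper.txt wallpaper
  _dumpsys_to_file dumpsys_wifi.txt wifi
  _dumpsys_to_file dumpsys_wifiaware.txt wifiaware
  _dumpsys_to_file dumpsys_wifiscanner.txt wifiscanner
  _dumpsys_to_file dumpsys_window.txt window

  echo "[*] telecom get-default-dialer" && $SHELL_COMMAND telecom get-default-dialer > "$DUMPSYS_DIR"/telecom_get-default-dialer.txt
  echo "[*] telecom get-system-dialer" && $SHELL_COMMAND telecom get-system-dialer > "$DUMPSYS_DIR"/telecom_get-system-dialer.txt
  echo "[*] telecom get-max-phones" && $SHELL_COMMAND telecom get-max-phones > "$DUMPSYS_DIR"/telecom_get-max-phones.txt
  echo "[*] telecom get-sim-config" && $SHELL_COMMAND telecom get-sim-config > "$DUMPSYS_DIR"/telecom_get-sim-config.txt

  # Extract appops for every package - See here https://android.stackexchange.com/questions/226282/how-can-i-see-which-applications-is-reading-the-clipboard
  mkdir -p "$DUMPSYS_DIR/appops"
  # The package list is collected up front (command substitution) so the adb
  # calls inside the loop cannot compete for stdin; 'tr' drops CR from CRLF output.
  for pkg in $( $SHELL_COMMAND pm list packages | sed 's/^package://' | tr -d '\r' ); do
    # Package names are device-supplied and become part of a host file name:
    # accept only the character set Android allows for them.
    if [[ ! "$pkg" =~ ^[A-Za-z0-9._]+$ ]]; then
      echo "[!] Skipping unexpected package name: $pkg" >&2
      continue
    fi
    echo "[*] appops get $pkg" && $SHELL_COMMAND appops get "$pkg" > "$DUMPSYS_DIR"/appops/"${pkg}"_appops.txt
  done

  time_update
  echo -e "[*]\n[*]"
  echo "[*] DUMPSYS acquisition completed at ${NOW}" | tee -a "$DUMPSYS_LOG_FILE"

  clear && dialog --title "android triage" --msgbox "DUMPSYS acquisition completed at ${NOW}" 6 40
  menu
}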
513 |
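#######################################
# Menu option: pull the readable parts of /system, pack them as a tar and hash it.
# A whole-tree pull is attempted first; the per-directory pulls that follow
# catch what a partially failing whole-tree pull leaves behind.
# Globals:   SYSTEM_DIR, SYSTEM_LOG_FILE, PULL_COMMAND (read); NOW (read, refreshed by time_update)
# Outputs:   $SYSTEM_DIR/system (pulled tree), $SYSTEM_DIR/system.tar,
#            pull/tar/hash output appended to $SYSTEM_LOG_FILE
# Returns:   does not return normally - ends by calling menu
#######################################
system () {
  local sub
  set_path
  mkdir -p "$SYSTEM_DIR"
  echo -e "[*]\n[*]"
  echo "[*] This option extracts files from /system"
  echo -e "[*]\n[*]"
  time_update  # refresh NOW so the start timestamp is not a stale value from an earlier option
  echo "[*] SYSTEM acquisition started at ${NOW}" | tee "$SYSTEM_LOG_FILE"
  echo -e "[*]\n[*]"
  echo -e "[*]\n[*]"
  mkdir -p "${SYSTEM_DIR}/system"
  # PULL_COMMAND is intentionally unquoted: it holds a multi-word adb invocation.
  $PULL_COMMAND /system/ "${SYSTEM_DIR}/" >> "$SYSTEM_LOG_FILE"
  for sub in apex app bin cameradata container etc fake-libs fonts framework hidden \
             lib lib64 media priv-app saiv tts usr vendor xbin; do
    echo "[*] /system/${sub}" && $PULL_COMMAND "/system/${sub}" "${SYSTEM_DIR}/system" >> "$SYSTEM_LOG_FILE"
  done
  echo "[*] Creating TAR file"
  # tar diagnostics (unreadable or vanished files) are part of the acquisition
  # record, so they go to the log instead of being discarded.
  tar -cvf "$SYSTEM_DIR"/system.tar -C "${SYSTEM_DIR}" system >> "$SYSTEM_LOG_FILE" 2>&1
  time_update
  echo -e "[*]\n[*]"
  echo "[*] SYSTEM acquisition completed at ${NOW}" | tee -a "$SYSTEM_LOG_FILE"
  echo -e "[*]\n[*]"
  echo "[*] Calculating SHA hash"
  shasum "$SYSTEM_DIR"/system.tar >> "$SYSTEM_LOG_FILE" 2>&1

  clear && dialog --title "android triage" --msgbox "SYSTEM acquisition completed at ${NOW}" 6 40
  menu
}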
556 |
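#######################################
# Menu option: create a full Android backup (backup.ab) via 'adb backup' and hash it.
# The device asks the user to confirm the backup; if that is refused the
# output file is missing or empty, which is now reported in the log.
# Globals:   BACKUP_DIR, BACKUP_COMMAND (read); NOW (read, refreshed by time_update)
# Outputs:   $BACKUP_DIR/backup.ab, timestamps and hash appended to $BACKUP_DIR/backup_log.txt
# Returns:   does not return normally - ends by calling menu
#######################################
adb_backup () {
  local backup_log backup_file
  set_path
  mkdir -p "$BACKUP_DIR"
  backup_log="$BACKUP_DIR"/backup_log.txt
  backup_file="$BACKUP_DIR"/backup.ab
  echo -e "[*]\n[*]"
  echo "[*] This option creates an Android Backup by using the command"
  echo "[*] adb backup -all -shared -system -keyvalue -apk -obb -f backup.ab"
  echo -e "[*]\n[*]"
  time_update  # refresh NOW so the start timestamp is not a stale value from an earlier option
  # this log is appended to (not truncated) so earlier backup attempts stay on record
  echo "[*] ADB Backup started at ${NOW}" | tee -a "$backup_log"
  echo -e "[*]\n[*]"
  echo "[*] Executing 'adb backup -all -shared -system -keyvalue -apk -obb -f backup.ab'"
  # BACKUP_COMMAND is intentionally unquoted: it holds a multi-word adb invocation.
  $BACKUP_COMMAND -all -shared -system -keyvalue -apk -obb -f "$backup_file"
  echo -e "[*]\n[*]"
  time_update
  echo "[*] ADB Backup completed at ${NOW}" | tee -a "$backup_log"
  if [[ ! -s "$backup_file" ]]; then
    echo "[!] ${backup_file} is missing or empty - the backup was probably not confirmed on the device" | tee -a "$backup_log"
  fi
  echo -e "[*]\n[*]\n"
  echo "[*] sha1sum of ${backup_file} in progress" | tee -a "$backup_log"
  shasum "$backup_file" | tee -a "$backup_log"

  clear && dialog --title "android triage" --msgbox "ADB Backup completed at ${NOW}" 6 40
  menu
}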
578 |
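#######################################
# Menu option: pull every application directory under /data/app listed by
# 'pm list packages -f -u', pack them as a tar and hash it.
# Globals:   APK_DIR, APK_LOG_FILE, ANDROID_ID, SHELL_COMMAND, PULL_COMMAND (read);
#            NOW (read, refreshed by time_update); SELECTED_FILE (written)
# Outputs:   $APK_DIR/data/app/... (pulled trees), $APK_DIR/data_apks.tar,
#            tar/hash output appended to $APK_LOG_FILE
# Returns:   does not return normally - ends by calling menu
#######################################
apk () {
  local line target_file tokens apk_type app_folder app_path
  set_path
  mkdir -p "$APK_DIR"
  echo -e "[*]\n[*]"
  echo "[*] This option extractes APK files from DATA partition"
  echo -e "[*]\n[*]"
  time_update  # refresh NOW so the start timestamp is not a stale value from an earlier option
  echo "[*] APK Acquisition started at ${NOW}" | tee "$APK_LOG_FILE"
  echo -e "[*]\n[*]"
  echo "[*] Extracting APK list"

  SELECTED_FILE="${APK_DIR}/${ANDROID_ID}_apk_list.txt"
  # SHELL_COMMAND / PULL_COMMAND are intentionally unquoted: they hold multi-word adb invocations.
  $SHELL_COMMAND pm list packages -f -u > "$SELECTED_FILE"

  echo "[*] Pulling /data/app/"
  # Each line looks like "package:/data/app/<folder>/<dir>/base.apk=<name>"; only the
  # path up to the application directory is needed, the whole directory is pulled.
  while IFS= read -r line; do
    line=${line#"package:"}
    target_file=${line%%".apk="*}
    target_file=$target_file".apk"
    IFS='/' read -ra tokens <<<"$target_file"
    apk_type=${tokens[1]}
    app_folder=${tokens[2]}
    app_path=${tokens[3]}

    # Path components come from device output: refuse empty or dot-only ones so a
    # malformed line cannot widen the pull beyond a single application directory.
    if [[ -z "$app_folder" || -z "$app_path" || "$app_folder" == . || "$app_folder" == .. \
          || "$app_path" == . || "$app_path" == .. ]]; then
      echo "[!] Skipping unexpected entry: $line" >&2
      continue
    fi

    if [[ "$apk_type" == "data" ]]; then
      mkdir -p "${APK_DIR}/${apk_type}/${app_folder}/${app_path}"
      $PULL_COMMAND "/${apk_type}/${app_folder}/${app_path}/" "${APK_DIR}/${apk_type}/${app_folder}/"
    fi
  done < "$SELECTED_FILE"

  echo "[*] Creating TAR file"
  # tar diagnostics (unreadable or vanished files) are part of the acquisition
  # record, so they go to the log instead of being discarded.
  tar -cvf "$APK_DIR"/data_apks.tar -C "${APK_DIR}" data >> "$APK_LOG_FILE" 2>&1

  echo -e "[*]\n[*]"
  time_update
  echo "[*] /data/app/ Acquisition completed at ${NOW}" | tee -a "$APK_LOG_FILE"
  echo -e "[*]\n[*]"
  echo "[*] sha1sum of ${APK_DIR}/data_apks.tar in progress" | tee -a "$APK_LOG_FILE"
  shasum "${APK_DIR}"/data_apks.tar | tee -a "$APK_LOG_FILE"

  clear && dialog --title "android triage" --msgbox "/data/app/ Acquisition completed at ${NOW}" 6 40
  menu
}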
626 |
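#######################################
# Menu option: dump everything reachable without root - /data/app application
# directories, the readable parts of /system, /data/system/uiderrors.txt and
# /sdcard - into one tree, pack it as a tar and hash it.
# Globals:   ALL_DIR, ALL_LOG_FILE, ANDROID_ID, SHELL_COMMAND, PULL_COMMAND (read);
#            NOW (read, refreshed by time_update); SELECTED_FILE (written)
# Outputs:   $ALL_DIR/filesystem/{data,system,sdcard}, $ALL_DIR/filesystem.tar,
#            tar/hash output appended to $ALL_LOG_FILE
# Returns:   does not return normally - ends by calling menu
#######################################
all () {
  local fs_dir line target_file tokens apk_type app_folder app_path sub
  set_path
  mkdir -p "$ALL_DIR"
  echo -e "[*]\n[*]"
  echo "[*] This option dump files and folders available without root acces"
  echo -e "[*]\n[*]"
  time_update  # refresh NOW so the start timestamp is not a stale value from an earlier option
  echo "[*] Data Acquisition started at ${NOW}" | tee "$ALL_LOG_FILE"
  echo -e "[*]\n[*]"

  fs_dir="${ALL_DIR}/filesystem"
  mkdir -p "$fs_dir"

  echo "[*] Extracting /data/app/"
  SELECTED_FILE="${ALL_DIR}/${ANDROID_ID}_apk_list.txt"
  # SHELL_COMMAND / PULL_COMMAND are intentionally unquoted: they hold multi-word adb invocations.
  $SHELL_COMMAND pm list packages -f -u > "$SELECTED_FILE"

  echo "[*] Pulling APK files"
  # Each line looks like "package:/data/app/<folder>/<dir>/base.apk=<name>"; only the
  # path up to the application directory is needed, the whole directory is pulled.
  while IFS= read -r line; do
    line=${line#"package:"}
    target_file=${line%%".apk="*}
    target_file=$target_file".apk"
    IFS='/' read -ra tokens <<<"$target_file"
    apk_type=${tokens[1]}
    app_folder=${tokens[2]}
    app_path=${tokens[3]}

    # Path components come from device output: refuse empty or dot-only ones so a
    # malformed line cannot widen the pull beyond a single application directory.
    if [[ -z "$app_folder" || -z "$app_path" || "$app_folder" == . || "$app_folder" == .. \
          || "$app_path" == . || "$app_path" == .. ]]; then
      echo "[!] Skipping unexpected entry: $line" >&2
      continue
    fi

    if [[ "$apk_type" == "data" ]]; then
      mkdir -p "${fs_dir}/${apk_type}/${app_folder}/${app_path}"
      $PULL_COMMAND "/${apk_type}/${app_folder}/${app_path}/" "${fs_dir}/${apk_type}/${app_folder}/"
    fi
  done < "$SELECTED_FILE"

  echo "[*] Extracting /system/"
  mkdir -p "${fs_dir}/system"
  # Whole-tree pull first; the per-directory pulls catch what a partially
  # failing whole-tree pull leaves behind.
  $PULL_COMMAND /system/ "${fs_dir}/"
  for sub in apex app bin cameradata container etc fake-libs fonts framework hidden \
             lib lib64 media priv-app product saiv tts usr vendor xbin; do
    $PULL_COMMAND "/system/${sub}" "${fs_dir}/system"
  done
  mkdir -p "${fs_dir}/data/system"
  $SHELL_COMMAND cat /data/system/uiderrors.txt > "${fs_dir}/data/system/uiderrors.txt"

  echo "[*] Extracting /sdcard/"
  mkdir -p "${fs_dir}/sdcard"
  $PULL_COMMAND /sdcard/ "${fs_dir}/"

  echo "[*] Creating TAR file"
  # tar diagnostics (unreadable or vanished files) are part of the acquisition
  # record, so they go to the log instead of being discarded.
  tar -cvf "$ALL_DIR"/filesystem.tar -C "$fs_dir" data system sdcard >> "$ALL_LOG_FILE" 2>&1

  echo -e "[*]\n[*]"
  time_update
  echo "[*] File System Acquisition completed at ${NOW}" | tee -a "$ALL_LOG_FILE"
  echo -e "[*]\n[*]"
  echo "[*] sha1sum of ${ALL_DIR}/filesystem.tar in progress" | tee -a "$ALL_LOG_FILE"
  shasum "${ALL_DIR}"/filesystem.tar | tee -a "$ALL_LOG_FILE"

  clear && dialog --title "android triage" --msgbox "File System Acquisition completed at ${NOW}" 6 40
  menu
}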
705 |
706 | content_provider () {
707 | set_path
708 | mkdir -p "$CONTENTPROVIDER_DIR"
709 | echo -e "[*]\n[*]"
710 | echo "[*] This option extractes data by using CONTENT PROVIDERS"
711 | echo -e "[*]\n[*]"
712 | echo "[*] Content Provider Acquisition started at ${NOW}" | tee "$CONTENTPROVIDER_LOG_FILE"
713 | echo -e "[*]\n[*]"
714 | echo "[*] Extracting Content Provider data"
715 |
716 | ${SHELL_COMMAND} dumpsys package providers > ${CONTENTPROVIDER_DIR}/content_providers_list.txt
717 |
718 | echo "[*] QUERY CALENDAR CONTENT"
719 | ${SHELL_COMMAND} content query --uri content://com.android.calendar/calendar_entities > ${CONTENTPROVIDER_DIR}/calendar_calendar_entities.txt
720 | ${SHELL_COMMAND} content query --uri content://com.android.calendar/calendars > ${CONTENTPROVIDER_DIR}/calendar_calendars.txt
721 | ${SHELL_COMMAND} content query --uri content://com.android.calendar/attendees > ${CONTENTPROVIDER_DIR}/calendar_attendees.txt
722 | ${SHELL_COMMAND} content query --uri content://com.android.calendar/event_entities > ${CONTENTPROVIDER_DIR}/calendar_event_entities.txt
723 | ${SHELL_COMMAND} content query --uri content://com.android.calendar/events > ${CONTENTPROVIDER_DIR}/calendar_events.txt
724 | ${SHELL_COMMAND} content query --uri content://com.android.calendar/properties > ${CONTENTPROVIDER_DIR}/calendar_properties.txt
725 | ${SHELL_COMMAND} content query --uri content://com.android.calendar/reminders > ${CONTENTPROVIDER_DIR}/calendar_reminders.txt
726 | ${SHELL_COMMAND} content query --uri content://com.android.calendar/calendar_alerts > ${CONTENTPROVIDER_DIR}/calendar_alerts.txt
727 | ${SHELL_COMMAND} content query --uri content://com.android.calendar/colors > ${CONTENTPROVIDER_DIR}/calendar_colors.txt
728 | ${SHELL_COMMAND} content query --uri content://com.android.calendar/extendedproperties > ${CONTENTPROVIDER_DIR}/calendar_extendedproperties.txt
729 | ${SHELL_COMMAND} content query --uri content://com.android.calendar/syncstate > ${CONTENTPROVIDER_DIR}/calendar_syncstate.txt
730 |
731 | echo "[*] QUERY CONTACTS CONTENT"
732 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/raw_contacts > ${CONTENTPROVIDER_DIR}/contacts_raw_contacts.txt
733 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/directories > ${CONTENTPROVIDER_DIR}/contacts_directories.txt
734 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/syncstate > ${CONTENTPROVIDER_DIR}/contacts_syncstate.txt
735 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/profile/syncstate > ${CONTENTPROVIDER_DIR}/contacts_profile_syncstate.txt
736 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/contacts > ${CONTENTPROVIDER_DIR}/contacts_contacts.txt
737 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/profile/raw_contacts > ${CONTENTPROVIDER_DIR}/contacts_profile_raw_contacts.txt
738 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/profile > ${CONTENTPROVIDER_DIR}/contacts_profile.txt
739 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/profile/as_vcard > ${CONTENTPROVIDER_DIR}/contacts_profile_as_vcard.txt
740 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/stream_items > ${CONTENTPROVIDER_DIR}/contacts_stream_items.txt
741 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/stream_items/photo > ${CONTENTPROVIDER_DIR}/contacts_stream_items_photo.txt
742 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/stream_items_limit > ${CONTENTPROVIDER_DIR}/contacts_stream_items_limit.txt
743 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/data > ${CONTENTPROVIDER_DIR}/contacts_data.txt
744 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/raw_contact_entities > ${CONTENTPROVIDER_DIR}/contacts_raw_contact_entities.txt
745 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/profile/raw_contact_entities > ${CONTENTPROVIDER_DIR}/contacts_profile_raw_contact_entities.txt
746 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/status_updates > ${CONTENTPROVIDER_DIR}/contacts_status_updates.txt
747 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/data/phones > ${CONTENTPROVIDER_DIR}/contacts_data_phones.txt
748 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/data/phones/filter > ${CONTENTPROVIDER_DIR}/contacts_data_phones_filter.txt
749 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/data/emails/lookup > ${CONTENTPROVIDER_DIR}/contacts_data_emails_lookup.txt
750 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/data/emails/filter > ${CONTENTPROVIDER_DIR}/contacts_data_emails_filter.txt
751 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/data/emails > ${CONTENTPROVIDER_DIR}/contacts_data_emails.txt
752 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/data/postals > ${CONTENTPROVIDER_DIR}/contacts_data_postals.txt
753 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/groups > ${CONTENTPROVIDER_DIR}/contacts_groups.txt
754 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/groups_summary > ${CONTENTPROVIDER_DIR}/contacts_groups_summary.txt
755 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/aggregation_exceptions > ${CONTENTPROVIDER_DIR}/contacts_aggregation_exceptions.txt
756 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/settings > ${CONTENTPROVIDER_DIR}/contacts_settings.txt
757 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/provider_status > ${CONTENTPROVIDER_DIR}/contacts_provider_status.txt
758 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/photo_dimensions > ${CONTENTPROVIDER_DIR}/contacts_photo_dimensions.txt
759 | ${SHELL_COMMAND} content query --uri content://com.android.contacts/deleted_contacts > ${CONTENTPROVIDER_DIR}/contacts_deleted_contacts.txt
760 |
761 | echo "[*] QUERY DOWNLOADS CONTENT"
762 | ${SHELL_COMMAND} content query --uri content://downloads/my_downloads > ${CONTENTPROVIDER_DIR}/downloads_my_downloads.txt
763 | ${SHELL_COMMAND} content query --uri content://downloads/download > ${CONTENTPROVIDER_DIR}/downloads_download.txt
764 |
765 | echo "[*] QUERY EXTERNAL MEDIA CONTENT"
766 | ${SHELL_COMMAND} content query --uri content://media/external/file > ${CONTENTPROVIDER_DIR}/media_external_file.txt
767 | ${SHELL_COMMAND} content query --uri content://media/external/images/media > ${CONTENTPROVIDER_DIR}/media_external_images_media.txt
768 | ${SHELL_COMMAND} content query --uri content://media/external/images/thumbnails > ${CONTENTPROVIDER_DIR}/media_external_images_thumbnails.txt
769 | ${SHELL_COMMAND} content query --uri content://media/external/audio/media > ${CONTENTPROVIDER_DIR}/media_external_audio_media.txt
770 | ${SHELL_COMMAND} content query --uri content://media/external/audio/genres > ${CONTENTPROVIDER_DIR}/media_external_audio_genres.txt
771 | ${SHELL_COMMAND} content query --uri content://media/external/audio/playlists > ${CONTENTPROVIDER_DIR}/media_external_audio_playlists.txt
772 | ${SHELL_COMMAND} content query --uri content://media/external/audio/artists > ${CONTENTPROVIDER_DIR}/media_external_audio_artists.txt
773 | ${SHELL_COMMAND} content query --uri content://media/external/audio/albums > ${CONTENTPROVIDER_DIR}/media_external_audio_albums.txt
774 | ${SHELL_COMMAND} content query --uri content://media/external/video/media > ${CONTENTPROVIDER_DIR}/media_external_video_media.txt
775 | ${SHELL_COMMAND} content query --uri content://media/external/video/thumbnails > ${CONTENTPROVIDER_DIR}/media_external_video_tuhmbnails.txt
776 |
777 | echo "[*] QUERY INTERNAL MEDIA CONTENT"
778 | ${SHELL_COMMAND} content query --uri content://media/internal/file > ${CONTENTPROVIDER_DIR}/media_internal_file.txt
779 | ${SHELL_COMMAND} content query --uri content://media/internal/images/media > ${CONTENTPROVIDER_DIR}/media_internal_images_media.txt
780 | ${SHELL_COMMAND} content query --uri content://media/internal/images/thumbnails > ${CONTENTPROVIDER_DIR}/media_internal_images_thumbnails.txt
781 | ${SHELL_COMMAND} content query --uri content://media/internal/audio/media > ${CONTENTPROVIDER_DIR}/media_internal_audio_media.txt
782 | ${SHELL_COMMAND} content query --uri content://media/internal/audio/genres > ${CONTENTPROVIDER_DIR}/media_internal_audio_genres.txt
783 | ${SHELL_COMMAND} content query --uri content://media/internal/audio/playlists > ${CONTENTPROVIDER_DIR}/media_internal_audio_playlists.txt
784 | ${SHELL_COMMAND} content query --uri content://media/internal/audio/artists > ${CONTENTPROVIDER_DIR}/media_internal_audio_artists.txt
785 | ${SHELL_COMMAND} content query --uri content://media/internal/audio/albums > ${CONTENTPROVIDER_DIR}/media_internal_audio_albums.txt
786 | ${SHELL_COMMAND} content query --uri content://media/internal/video/media > ${CONTENTPROVIDER_DIR}/media_internal_video_media.txt
787 | ${SHELL_COMMAND} content query --uri content://media/internal/video/thumbnails > ${CONTENTPROVIDER_DIR}/media_internal_video_tuhmbnails.txt
788 |
789 | echo "[*] QUERY SETTINGS CONTENT"
790 | ${SHELL_COMMAND} content query --uri content://settings/system > ${CONTENTPROVIDER_DIR}/settings_system.txt
791 | ${SHELL_COMMAND} content query --uri content://settings/system/ringtone > ${CONTENTPROVIDER_DIR}/settings_system_ringtone.txt
792 | ${SHELL_COMMAND} content query --uri content://settings/system/alarm_alert > ${CONTENTPROVIDER_DIR}/settings_system_alarm_alert.txt
793 | ${SHELL_COMMAND} content query --uri content://settings/system/notification_sound > ${CONTENTPROVIDER_DIR}/settings_system_notification_sound.txt
794 | ${SHELL_COMMAND} content query --uri content://settings/secure > ${CONTENTPROVIDER_DIR}/settings_secure.txt
795 | ${SHELL_COMMAND} content query --uri content://settings/global > ${CONTENTPROVIDER_DIR}/settings_global.txt
796 | ${SHELL_COMMAND} content query --uri content://settings/bookmarks > ${CONTENTPROVIDER_DIR}/settings_bookmarks.txt
797 | ${SHELL_COMMAND} content query --uri content://com.google.settings/partner > ${CONTENTPROVIDER_DIR}/google_settings_partner.txt
798 | ${SHELL_COMMAND} content query --uri content://nwkinfo/nwkinfo/carriers > ${CONTENTPROVIDER_DIR}/nwkinfo_carriers.txt
799 | ${SHELL_COMMAND} content query --uri content://com.android.settings.personalvibration.PersonalVibrationProvider/ > ${CONTENTPROVIDER_DIR}/personal_vibration.txt
800 | ${SHELL_COMMAND} content query --uri content://settings/system/bluetooth_devices > ${CONTENTPROVIDER_DIR}/bluetooth_devices.txt
801 | ${SHELL_COMMAND} content query --uri content://settings/system/powersavings_appsettings > ${CONTENTPROVIDER_DIR}/powersavings_appsettings.txt
802 |
803 | echo "[*] QUERY USER DICTIONARY CONTENT"
804 | ${SHELL_COMMAND} content query --uri content://user_dictionary/words > ${CONTENTPROVIDER_DIR}/user_dictionary_words.txt
805 |
806 | echo "[*] QUERY BROWSER CONTENT"
807 | ${SHELL_COMMAND} content query --uri content://browser/bookmarks > ${CONTENTPROVIDER_DIR}/browser_bookmarks.txt
808 | ${SHELL_COMMAND} content query --uri content://browser/searches > ${CONTENTPROVIDER_DIR}/browser_searches.txt
809 |
810 | echo "[*] QUERY ANDROID BROWSER CONTENT"
811 | ${SHELL_COMMAND} content query --uri content://com.android.browser > ${CONTENTPROVIDER_DIR}/android_browser.txt
812 | ${SHELL_COMMAND} content query --uri content://com.android.browser/accounts > ${CONTENTPROVIDER_DIR}/android_browser_accounts.txt
813 | ${SHELL_COMMAND} content query --uri content://com.android.browser/accounts/account_name > ${CONTENTPROVIDER_DIR}/android_browser_accounts_account_name.txt
814 | ${SHELL_COMMAND} content query --uri content://com.android.browser/accounts/account_type > ${CONTENTPROVIDER_DIR}/android_browser_accounts_account_type.txt
815 | ${SHELL_COMMAND} content query --uri content://com.android.browser/accounts/sourceid > ${CONTENTPROVIDER_DIR}/android_browser_accounts_sourceid.txt
816 | ${SHELL_COMMAND} content query --uri content://com.android.browser/settings > ${CONTENTPROVIDER_DIR}/android_browser_settings.txt
817 | ${SHELL_COMMAND} content query --uri content://com.android.browser/syncstate > ${CONTENTPROVIDER_DIR}/android_browser_syncstate.txt
818 | ${SHELL_COMMAND} content query --uri content://com.android.browser/images > ${CONTENTPROVIDER_DIR}/android_browser_images.txt
819 | ${SHELL_COMMAND} content query --uri content://com.android.browser/image_mappings > ${CONTENTPROVIDER_DIR}/android_browser_image_mappings.txt
820 | ${SHELL_COMMAND} content query --uri content://com.android.browser/bookmarks > ${CONTENTPROVIDER_DIR}/android_browser_bookmarks.txt
821 | ${SHELL_COMMAND} content query --uri content://com.android.browser/bookmarks/folder > ${CONTENTPROVIDER_DIR}/android_browser_bookmarks_folder.txt
822 | ${SHELL_COMMAND} content query --uri content://com.android.browser/history > ${CONTENTPROVIDER_DIR}/android_browser_history.txt
823 | ${SHELL_COMMAND} content query --uri content://com.android.browser/bookmarks/search_suggest_query > ${CONTENTPROVIDER_DIR}/android_browser_bookmarks_search_suggest_query.txt
824 | ${SHELL_COMMAND} content query --uri content://com.android.browser/searches > ${CONTENTPROVIDER_DIR}/android_browser_searches.txt
825 | ${SHELL_COMMAND} content query --uri content://com.android.browser/combined > ${CONTENTPROVIDER_DIR}/android_browser_combined.txt
826 | echo "[*]"
827 | echo -e "[*]\n[*]"
828 | clear && dialog --title "android triage" --msgbox "Content Provider extraction completed at ${NOW}" 6 40
829 | menu
830 | }
831 |
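#######################################
# Show the main menu and dispatch the entry the operator picks.
# Globals:   VERSION (read), tmpfile (written), choice (written; read by
#            confirmation and selected)
# Outputs:   an interactive dialog on the terminal
# Returns:   normally does not return: a selection hands off to selected,
#            Cancel/ESC or an unexpected dialog status exit the script with 1
#######################################
menu () {
  local rc
  # dialog prints the chosen tag on stderr, so it is captured through a temp
  # file.  mktemp creates it exclusively under an unpredictable name; the
  # previous `tmpfile` helper exists on neither macOS nor Linux, so the
  # predictable /tmp/test$$ fallback was the path actually taken.  Fail
  # closed instead of falling back to a guessable name.
  tmpfile=$(mktemp) || { printf '%s\n' "[!] mktemp failed: cannot create the menu temp file" >&2; exit 1; }
  # Same signal set as before (EXIT, HUP, INT, TRAP, TERM); quoted so that a
  # path containing spaces is still removed.
  trap 'rm -f -- "$tmpfile"' 0 1 2 5 15
  clear
  dialog --clear --backtitle "Android triage" --title "Android triage $VERSION" --menu "Choose an option:" 16 45 10 \
    1 "Collect basic information" \
    2 "Execute live commands" \
    3 "Execute package manager commands" \
    4 "Execute bugreport,dumpsys,appops" \
    5 "Acquire an ADB Backup" \
    6 "Acquire /system folder" \
    7 "Acquire /sdcard folder" \
    8 "Extract /data/app/ (APK files)" \
    9 "Extract data from content providers" \
    10 "File system dump (no root)" \
    11 "Help" \
    12 "Exit" 2> "$tmpfile"
  rc=$?
  choice=$(cat -- "$tmpfile")
  # menu is re-entered from every action and each call re-arms the trap, so
  # without this every earlier temp file would linger until the script exits.
  rm -f -- "$tmpfile"

  case "$rc" in
    0)
      selected ;;
    1)
      # Cancel pressed
      clear && exit 1 ;;
    255)
      # ESC pressed
      clear && exit 1 ;;
    *)
      # dialog failed (e.g. not installed or terminal too small): $choice would
      # hold its error text, so stop rather than return into a caller that
      # may run an action without confirmation.
      clear
      printf '%s\n' "[!] dialog exited with status $rc" >&2
      exit 1 ;;
  esac
}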
865 |
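#######################################
# Ask the operator to confirm the menu option stored in $choice.
# Globals:   choice (read), answer (written)
# Outputs:   an interactive yes/no dialog on the terminal
# Returns:   0 when "Yes" was chosen.  On "No" the main menu is shown again;
#            should menu ever return, 1 is returned so the caller can skip
#            the action instead of running it unconfirmed.
#######################################
confirmation () {
  clear
  dialog --title "Confirmation" --yesno "Option $choice selected. Are you sure to proceed? " 8 30
  answer=$?

  # "No", Cancel or ESC: anything other than 0 sends the operator back to the
  # menu.  Previously the function then fell through with status 0, so a
  # returning menu let the caller run the declined action anyway.
  if [ "$answer" != "0" ]; then
    menu
    clear
    return 1
  fi
  clear
}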
877 |
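#######################################
# Run the action matching the menu entry stored in $choice.
# Each acquisition entry goes through confirmation first; the action runs
# only when confirmation returns 0, so a declined prompt can never fall
# through into a device acquisition.
# Globals:   choice (read), VERSION (read)
# Returns:   status of the action, or 1 when the operator declined
#######################################
selected () {
  case "$choice" in
    1)
      # basic information
      confirmation && info_collect
      ;;
    2)
      # live commands
      confirmation && live_commands
      ;;
    3)
      # package manager commands
      confirmation && package_manager_commands
      ;;
    4)
      # bugreport, dumpsys, appops
      confirmation && dumpsys
      ;;
    5)
      # ADB backup
      confirmation && adb_backup
      ;;
    6)
      # /system folder
      confirmation && system
      ;;
    7)
      # /sdcard folder
      confirmation && sdcard
      ;;
    8)
      # /data/app (APK files)
      confirmation && apk
      ;;
    9)
      # content providers
      confirmation && content_provider
      ;;
    10)
      # file system dump (no root)
      confirmation && all
      ;;
    11)
      # help
      clear && dialog --title "android triage" --msgbox "Android Triage Script\n[ Version \"$VERSION\" ]\n\n" 60 60
      menu
      ;;
    12)
      # exit
      clear
      exit 1
      ;;
    *)
      # Empty or unknown tag (e.g. the menu temp file could not be read):
      # go back to the menu instead of silently ending the script.
      menu
      ;;
  esac
}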
942 |
## main ##
# Entry point: verify the host tooling, initialise the globals, make sure a
# device is reachable over ADB, then hand control to the interactive menu.
main () {
  check_tools
  set_var
  check_device
  menu
}
main "$@"
948 |