├── Make-files ├── Makefile.LiME.cross └── Makefile.Volatility.cross ├── README.md ├── Volatility-plugins └── Android_Goldfish_3.4.67-gd3ffcc7.zip ├── androidforensics.py ├── dump └── dump_files_end_up_here.log ├── kernal-image └── zImage ├── lime-kernel-module └── lime-goldfish.ko ├── myapp └── place_your_apps_here.log └── procdump └── processes_dumps_get_placed_in_here.log /Make-files/Makefile.LiME.cross: -------------------------------------------------------------------------------- 1 | obj-m := lime.o 2 | lime-objs := tcp.o disk.o main.o 3 | 4 | KDIR := ~/android/test-goldfish/goldfish/ 5 | KVER := goldfish 6 | 7 | PWD := $(shell pwd) 8 | CCPATH := ~/android/test-goldfish/arm-eabi-4.8/bin 9 | 10 | default: 11 | $(MAKE) -C $(KDIR) M=$(PWD) modules 12 | $(CCPATH)/arm-eabi-strip --strip-unneeded lime.ko 13 | mv lime.ko lime-$(KVER).ko 14 | 15 | $(MAKE) tidy 16 | 17 | tidy: 18 | rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd \ 19 | \.*.ko.cmd \.*.o.d 20 | rm -rf \.tmp_versions 21 | 22 | clean: 23 | $(MAKE) tidy 24 | rm -f *.ko 25 | -------------------------------------------------------------------------------- /Make-files/Makefile.Volatility.cross: -------------------------------------------------------------------------------- 1 | obj-m += module.o 2 | 3 | KDIR := ~/android/test-goldfish/goldfish/ 4 | CCPATH := ~/android/test-goldfish/arm-eabi-4.8/bin 5 | 6 | -include version.mk 7 | 8 | all: dwarf 9 | 10 | dwarf: module.c 11 | $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-eabi- -C $(KDIR) \ 12 | CONFIG_DEBUG_INFO=y M=$(PWD) modules 13 | dwarfdump -di module.ko > module.dwarf 14 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AndroidForensics 2 | LiME, Volatility and custom Python wrapper script for android forensic analysis 3 | 4 | # Description 5 | This project contains files and custom scripts to extract 
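processes from Android devices using LiME and Volatility. 6 | The main file androidforensics.py can be run using the command python androidforensics.py 7 | 8 | # Emulator specifications 9 | * Nexus 5 API 21 10 | * Android 5.0 Google API 21 11 | * ARM CPU 12 | * 1GB RAM 13 | 14 | # Details 15 | The script has options to 16 | * start an emulator with a custom built kernel that has custom modules enabled 17 | * upload custom apps to emulator 18 | * functions to upload and install a custom module for LiME that has been cross compiled for this kernel 19 | * dump the contents of the running machine via netcat as emulators virtual sdcards are rarely large enough 20 | * use volatility to intergate the memory dump 21 | * use volatility to dump out the running processes from the memory dump 22 | 23 | Video's that demo the use of this script are available on YouTube at: 24 | https://www.youtube.com/playlist?list=PLIHEc6VrhPadSg6Gvts1e224INVROKfRR 25 | -------------------------------------------------------------------------------- /Volatility-plugins/Android_Goldfish_3.4.67-gd3ffcc7.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devopscrazy/AndroidForensics/c1ab8ad1b06c5df6ac4c8676f13ab4bd88f0057f/Volatility-plugins/Android_Goldfish_3.4.67-gd3ffcc7.zip -------------------------------------------------------------------------------- /androidforensics.py: --------------------------------------------------------------------------------
#!/usr/local/bin/python
"""Drive the Android emulator, adb, LiME and Volatility for a memory-forensics run.

Usage: androidforensics.py -t <task> [-p <params>]

Tasks (selected with -t/--task):
  start_emulator   boot the AVD with the custom goldfish kernel in kernal-image/
  deploy_app       install the first .apk found in myapp/
  run_lime         push and load the LiME module, then capture guest RAM over an
                   adb-forwarded TCP port into dump/lime.dmp
  volatility       run Volatility on the dump; -p/--params names the plugin
  volatility_dump  run linux_procdump on the dump, writing images to procdump/

All relative paths are resolved against the current working directory, and the
Android SDK is expected at $HOME/Library/Android/sdk (the macOS default).
The file written by run_lime is a raw image of the guest's RAM, so treat dump/
and procdump/ as sensitive data.
"""

__author__ = "David Stent"
__copyright__ = "Copyright 2017, David Stent"
__license__ = "GPL"
__version__ = "1"
__maintainer__ = "David Stent"
__email__ = "secopscrazy@gmail.com"
__status__ = "Production"

import getopt
import glob
import os
import subprocess
import sys
import time

USAGE = 'androidforensics.py -t <task> -p <params>'

EMULATOR_NAME = 'Nexus_5_API_21'
KERNEL_IMAGE = 'kernal-image/zImage'
LIME_MODULE = 'lime-kernel-module/lime-goldfish.ko'
LIME_DEVICE_PATH = '/sdcard/lime.ko'
LIME_PORT = 4444
DUMPFILE = 'dump/lime.dmp'
VOLATILITY_PROGRAM = 'volatility_2.6_mac64_standalone/volatility_2.6_mac64_standalone'
VOLATILITY_PROFILE = 'LinuxAndroid_Goldfish_3_4_67-gd3ffcc7ARM'
VOLATILITY_PLUGINS = 'Volatility-plugins/'


def _parse_args(argv):
    """Return ``(task, parameters)`` parsed from *argv*.

    Prints the usage line and exits with status 2 on an unknown option, or
    with status 0 when ``-h`` is given.  Both values default to ``''``.
    """
    try:
        opts, _ = getopt.getopt(argv, "ht:p:", ["task=", "params="])
    except getopt.GetoptError:
        print(USAGE)
        sys.exit(2)
    task = ''
    parameters = ''
    for opt, arg in opts:
        if opt == '-h':
            print(USAGE)
            sys.exit()
        elif opt in ("-t", "--task"):
            task = arg
        elif opt in ("-p", "--params"):
            parameters = arg
    return task, parameters


def _sdk_path():
    """Return the Android SDK root, with a trailing separator."""
    return os.environ['HOME'] + '/Library/Android/sdk/'


def _adb_path():
    """Return the path of the adb binary inside the SDK."""
    return os.path.join(_sdk_path(), 'platform-tools', 'adb')


def _run(cmd):
    """Run *cmd* (an argv list, never a shell string) and return its exit status.

    Exits with a readable message instead of a traceback when the binary
    cannot be executed at all.
    """
    try:
        return subprocess.call(cmd)
    except OSError as err:
        sys.exit('cannot run %s: %s' % (cmd[0], err))


def _start_emulator():
    """Boot the AVD with the custom kernel; the emulator outlives this script."""
    emulator = os.path.join(_sdk_path(), 'tools', 'emulator')
    # Popen on purpose: the emulator keeps running after we return.
    subprocess.Popen([emulator, '-avd', EMULATOR_NAME, '-kernel', KERNEL_IMAGE])


def _deploy_app():
    """Install the first .apk found in myapp/ onto the running emulator."""
    apps = glob.glob("myapp/*.apk")
    if not apps:
        sys.exit('no .apk found in myapp/')
    _run([_adb_path(), 'install', apps[0]])


def _run_lime(dumpfile):
    """Load the LiME module on the device and capture its memory into *dumpfile*.

    The module is pushed with adb, port ``LIME_PORT`` is forwarded from the host
    to the guest, the module is loaded in TCP mode, and nc on the host pulls the
    image from the forwarded port into *dumpfile*.  Any stale *dumpfile* is
    removed first so a failed capture cannot be mistaken for a fresh one.
    """
    if os.path.exists(dumpfile):
        os.remove(dumpfile)
    adb = _adb_path()
    # Waiting for adb to finish replaces the fixed sleeps that used to guard
    # these steps; a failed push or forward makes the later steps meaningless.
    if _run([adb, 'push', LIME_MODULE, LIME_DEVICE_PATH]) != 0:
        sys.exit('adb push of %s failed' % LIME_MODULE)
    port = 'tcp:%d' % LIME_PORT
    if _run([adb, 'forward', port, port]) != 0:
        sys.exit('adb forward %s failed' % port)
    # The quoted parameter string is deliberate: adb joins its arguments with
    # spaces and the device shell re-splits them, so the quotes keep
    # "path=... format=..." as one insmod argument.  insmod is not waited on
    # (as in the original flow); presumably LiME's tcp mode blocks inside the
    # module until a client connects -- confirm before changing this.
    module_args = '"path=tcp:%d format=lime"' % LIME_PORT
    subprocess.Popen([adb, 'shell', 'insmod', LIME_DEVICE_PATH, module_args])
    time.sleep(3)  # give the module a moment to start listening before nc connects
    # Redirect via a file handle instead of a shell ">" so no shell is involved.
    try:
        with open(dumpfile, 'wb') as out:
            status = subprocess.call(['nc', 'localhost', str(LIME_PORT)], stdout=out)
    except OSError as err:
        sys.exit('cannot run nc: %s' % err)
    if status != 0:
        sys.exit('nc exited with status %d; %s may be incomplete' % (status, dumpfile))


def _volatility(dumpfile, plugin_args):
    """Run Volatility against *dumpfile* with the bundled profile and *plugin_args*."""
    cmd = [
        VOLATILITY_PROGRAM,
        '--plugins=' + VOLATILITY_PLUGINS,
        '-f', dumpfile,
        '--profile=' + VOLATILITY_PROFILE,
    ] + list(plugin_args)
    _run(cmd)


def main(argv):
    """Parse *argv* and dispatch to the selected task.

    Unknown or missing tasks print the usage line and exit with status 2
    instead of silently doing nothing.
    """
    task, parameters = _parse_args(argv)
    if task == 'start_emulator':
        _start_emulator()
    elif task == 'deploy_app':
        _deploy_app()
    elif task == 'run_lime':
        _run_lime(DUMPFILE)
    elif task == 'volatility':
        # -p is passed through as a single argument (the plugin name); an
        # empty -p used to be forwarded as an empty argv entry.
        _volatility(DUMPFILE, [parameters] if parameters else [])
    elif task == 'volatility_dump':
        _volatility(DUMPFILE, ['linux_procdump', '--dump-dir=procdump/'])
    else:
        print(USAGE)
        sys.exit(2)


if __name__ == "__main__":
    main(sys.argv[1:])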
-------------------------------------------------------------------------------- /dump/dump_files_end_up_here.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devopscrazy/AndroidForensics/c1ab8ad1b06c5df6ac4c8676f13ab4bd88f0057f/dump/dump_files_end_up_here.log -------------------------------------------------------------------------------- /kernal-image/zImage: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devopscrazy/AndroidForensics/c1ab8ad1b06c5df6ac4c8676f13ab4bd88f0057f/kernal-image/zImage -------------------------------------------------------------------------------- /lime-kernel-module/lime-goldfish.ko: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devopscrazy/AndroidForensics/c1ab8ad1b06c5df6ac4c8676f13ab4bd88f0057f/lime-kernel-module/lime-goldfish.ko -------------------------------------------------------------------------------- /myapp/place_your_apps_here.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devopscrazy/AndroidForensics/c1ab8ad1b06c5df6ac4c8676f13ab4bd88f0057f/myapp/place_your_apps_here.log -------------------------------------------------------------------------------- /procdump/processes_dumps_get_placed_in_here.log: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devopscrazy/AndroidForensics/c1ab8ad1b06c5df6ac4c8676f13ab4bd88f0057f/procdump/processes_dumps_get_placed_in_here.log --------------------------------------------------------------------------------