Extracting data at the logical level
Of course, the easiest method of logical extraction is the notorious backup via Android Debug Bridge. This is quite easy to do - just activate USB debugging in the device settings, connect it to the computer and use the following command:
adb backup -f “F:\forensic_backup.ab” -apk -shared -all
The first key, -apk, tells ADB to backup APK applications; the second, -shared, allows you to include application data and the contents of a memory card in the backup, if you have one; the third, -all, will add all applications, including system ones, to the backup copy, which can be useful when investigating incidents related to malware. And everything would be fine, but modern devices allow you to save not everything in such a backup copy. For example, it does not include either a list of contacts or SMS messages, except perhaps their fragments from logs.db.
To combat this injustice, forensic software developers such as Oxygen Software and Magnet Forensics include in their tools so-called agent applications that are installed on the target device and allow you to extract the coveted databases. For example, mmssms.db, as you might guess, contains information about sent and received SMS and MMS. As you already understand, often forensic software uses the same ADB for logical extraction, and the resulting backup is unpacked and enriched with data extracted by the agent application. By the way, if you want to unpack such a backup yourself, then thanks to the open source tool adbextractor you can easily do this:
java -jar abe.jar unpack backup.ab backup.tar
As a result, you will receive a tar archive with the contents of your ADB backup.
Mobile criminologist
PURPOSE AND CAPABILITIES. Mobile Forensic is an effective tool that allows you to quickly extract data from your phone. Mobile Forensic Scientist guarantees the immutability of mobile device data while working with the program. The use of specialized access protocols allows the program to retrieve basic phone memory and SIM card data, contact list, dialer groups, speed dials, missed, incoming and outgoing calls, SMS, MMS and email messages from standard and custom folders, deleted SMS messages (with some restrictions), time and date of receipt of SMS messages to the Message Sending Center (SMSC) of the communication provider, calendar event schedule, tasks, text notes, photos, videos, ringtones, Lifeblog section data (all main events in the phone with geographic coordinates), applications Java, phone memory file system and memory cards, GPRS and Wi-Fi traffic data, voice recordings and much more. The list of supported features depends on the specific phone model. Mobile Forensic Scientist extracts data from Nokia, iPhone, Sony Ericsson, Samsung, Motorola, Blackberry, Panasonic, Siemens, HTC, HP, E-Ten, Gigabyte, i-Mate, Vertu and many other mobile phones. Mobile Forensic Scientist supports smartphones running Symbian OS, Nokia S60, Sony Ericsson UIQ, Windows Mobile 5/6 (without ActiveSync), Blackberry, Android and Apple. It includes a Root access module to support Android smartphones and a support module for Chinese phones. The program interface is specially designed for forensic technical examination, analysis, data retrieval and report generation. Using Mobile Forensic Analyst, you can both print reports and save them in popular file formats (PDF, RTF, XLS). Allows you to extract WebKit data from iOS and Android devices. WebKit data analysis allows you to access the content of visited web pages and the texts of messages from email services. Mobile Forensic Software allows you to retrieve blocked phone numbers and a list of Wi-Fi points from your Google account, as well as notes from Google Keep. Mobile Forensic Software starting from version 11.7 - implements the ability to extract and decrypt physical images of Qualcomm devices on MSM8917, MSM8937, MSM8940 and MSM8953 chipsets with hardware encryption and activated Secure StartUp mode - supports Android applications: SCRUFF (6.0019), Speedtest (4.4. 26), Discord (9.9.3), Endomondo (19.3.5), Evernote (8.12.2), FaceApp (3.5.1), Facebook (247.0.0.42.116), Facebook Messenger (241.0.0.17.116), Google Maps (10.27.2), Google Photos (4.32.1.282438324), Instagram (121.0.0.29.119), Kik Messenger (5.18.2.21835), Line (9.19.3), LinkedIn (4.1.383), Romeo (3.7 .2), Samsung Health (6.7.1.003), SHAREiT (5.0.78_ww), Skype (8.54.0.91), Slack (11.19.20.0), TamTam (2.9.0), Telegram (5.12.0), Telegram X ( 0.22.0.1205-arm64-v8a), Threema (4.2), TikTok (13.9.3), Twitter (8.22.0-release.00), UC Browser (12.13.2.1208), Viber (11.9.1.1), VIPole Private Messenger (2.0.95), VK (5.49)Waze (4.55.3.0), WeChat (7.0.7), WhatsApp Business (2.19.124), WhatsApp Messenger (2.19.345), WickrMe (5.40.2), Xabber (2.6 .4), Yahoo! Mail (6.1.4), YouTube (14.46.52) - supports iOS applications: SCRUFF (6.0111), Speedtest (4.1.10), UC Browser (11.3.5.1203), CoverMe (3.1.3), Discord (3.1.5 ), Evernote (8.24.2), FaceApp (3.5.5), Facebook (247.0), Firefox (20.2), Fitbit (3.11), Google Chrome (78.0.3904.84), Google Keep (2.2019.46203), Google Maps ( 5.29), Google Translate (6.3.0), Instagram (121.0), Likee (3.9.0), Line (9.18.1), LinkedIn (9.1.157), Microsoft Outlook (4.13.0), OK (8.27.1 ), OneDrive (11.9.3), SHAREit (3.1.68), Skype (8.54), Slack (11.19.20), TamTam (2.6.8), Telegram (5.12.1), Threema (4.4.2), Viber (11.9)VIPole Private Messenger (2.6.4)VK (5.28)VSCO (139.0)Waze (4.55.2), WeChat (7.0.8), WhatsApp Messenger (2.19.120), Yandex Disk (2.86), Yandex.Mail (4.1.0), Zangi Private Messenger (4.6.5) Starting from version 2.0 Mobile forensic expert supports: - devices on Exynos chipsets, including receiving information from devices of the Samsung Galaxy line of models A2 - A8, S7 - S9+, J2 - J7 and other Samsung devices running the Android operating system from version 7 to 9 - more than 38,600 models of mobile devices, more than 18,000 application versions, 562 unique applications, 85 cloud services and 83 data sources from a PC - automatic image examination using analytical tools built into program, including the presence of identical faces and text on them - cloud services in the Zoom video communication application, Firefox Lockwise password storage and Huawei Cloud Backup backup serviceRetrieving data at the file system level
Since recently, especially with the release of Android Nougat, smartphones with encryption have ceased to be a rarity, this method of data extraction is the most acceptable. As you probably know, you cannot simply gain full access to the file system of a user partition; this requires superuser rights. I will not dwell on this in detail. I’m sure you have a dozen tools in your arsenal that will allow you to get the coveted root access on your Android device (and if not, I advise you to study the material at this link, and Google will help you).
As you understand, this is not the most humane method, especially when it comes to mobile forensics, because it leaves a lot of traces in the device’s memory, for example, it will add the SuperSU application, and in the case of KingoRoot, a couple of other useless applications. Nevertheless, at times it is necessary to use such dubious methods: the main thing here is to carefully document everything. Of course, not all root methods are equally harmful; sometimes you can get temporary root access, which is quite forensically correct.
There is a more acceptable method - the so-called Nandroid backup. Here, all kinds of custom recovery firmware, for example TWRP, come to the aid of the forensic scientist. By the way, the guys from Oxygen Software made their own, cleared of all kinds of garbage and as close as possible to forensic standards, we’ll talk about them later, when we start extracting data at the physical level.
Let's go back to TWRP and Nandroid. Such a backup, unlike the notorious ADB, allows you to make an almost exact copy of the state of your Android device at a certain point in time, which means that absolutely all application data will go to forensic experts. And yes, a complex graphic password is unlikely to save your data. But a locked bootloader may very well be the case, since in this case it will hardly be possible to flash a custom recovery. Such smartphones are very frustrating for criminologists, believe me.
So, what do we need to create a Nandroid backup? Let's look at the example of the most common Android devices - those produced by the Samsung group of companies. Firstly, you need a suitable recovery image, it can be found on the official TWRP website. Secondly, a fresh (and sometimes not so fresh) version of Odin - this is what will allow you to upload the firmware to your smartphone.
Continuation is available only to members
Option 1. Join the “Xakep.ru” community to read all materials on the site
Membership in the community during the specified period will give you access to ALL Hacker materials, allow you to download issues in PDF, disable advertising on the site and increase your personal cumulative discount! More details
Forensics
IP TelCom LLC is the official representative, Moscow, Russian Federation.
https://www.oxygensoftware.ru/ru/company
Oxygen Software is a leading Russian developer of software for conducting computer technical examination of mobile devices, drones, cloud services and PCs.
The company develops software tools for extracting and analyzing information, covering a wide range of mobile devices (running Android, Apple iOS, BlackBerry, Windows Phone and other operating systems), cloud services (Google, Apple, Yandex, Microsoft, Samsung, WhatsApp, etc. ) and PC.
Law enforcement agencies and government agencies of the Russian Federation and CIS countries, and security services of commercial organizations use Oxygen Software solutions in matters of obtaining and researching data, including remote information. The company's clients are the Ministry of Internal Affairs, the FSB, the Federal Security Service, the Ministry of Justice, Department "K", the Investigative Committee, banks and large companies.
IP TelCom LLC offers the following products:
https://www.oxygensoftware.ru/download/articles/MK_Expert_Brochure.pdf
"Mobile Forensic Expert" (flagship product)
A perfect multifunctional tool for high-speed and efficient work with data from mobile devices, drones, cloud services and PCs, combining all the capabilities of MK Detective software and new unique functionality.
Mobile Forensicist supports more than 31,500 devices, 12,000 application versions, 478 unique applications and 76 cloud services.
Main functionality of the program:
Mobile gadgets and multimedia devices:
- Creates physical images of Android, Kai, etc. devices.
- Creates logical images of iOS, Android, Blackberry, Windows Phone, Symbian, etc. devices.
- Retrieves and decrypts all data, including deleted ones.
- Imports physical images and backups of multiple devices.
- Receives data from drones and builds flight routes.
Cloud services:
- Allows you to log into your account and pass 2FA.
- Retrieves information from several dozen cloud storages: Apple, Google, Yandex, iCloud, WhatsApp, Viber, Telegram, etc.
- Decrypts backups.
Personal computers:
- Retrieves correspondence, media files and contacts from Viber, Unigram, Skype, Wickr Me messengers.
- Receives letters and contacts from Mozilla Thunderbird, Microsoft Outlook, Microsoft Mail mail agents.
- Extracts data from web browsers Google Chrome, Mozilla FireFox, Opera, Microsoft Edge, Internet Explorer.
- Retrieves information about the system.
Analytical tools
- Analyzes data simultaneously from several devices in one case.
- Collects all calls, as well as messages from the device, including from instant messengers in the “Calls” and “Messages” sections.
- Unites contacts according to individual settings.
- Explores communications between multiple devices.
- Performs high-speed search both within a case and within a single document.
https://www.oxygensoftware.ru/download/articles/MK_Detective_Brochure.pdf
"Mobile Forensic Detective"
A universal information extraction and analysis tool covering a wide range of mobile devices, drones, cloud services and PCs.
Program features:
- establishing connections between device owners and their contacts;
- combining contacts from different sources;
- reports in various formats;
- constructing all events in chronological order;
- the ability to combine several devices in one case;
- grouping all important evidence in one place;
- import and view physical images and backup copies of various devices;
- viewers for SQLITE databases, PLIST, HTML, HEX files, etc.;
- searching and retrieving credentials and tokens from mobile devices and PCs;
- search for data using keywords, regular expressions, hash sets, phone numbers, passports, SNILS and other important criteria;
- constructing travel routes for one or more objects;
- determination of the most visited and common places of stay.
https://www.oxygensoftware.ru/download/articles/MK_Business_Brochure.pdf
"Mobile Forensic Business"
A tool for investigating and preventing corporate crimes based on extracting and analyzing information from mobile devices and cloud services.
"MK Business":
- Allows you to audit a mobile device;
- Provides access to information from mobile devices and cloud services;
- Prevents disclosure of trade secrets and theft of intellectual property;
- Helps identify and investigate incidents.
Main functionality of the program:
- Mobile devices:
- Creates physical images of Android, Windows Phone, etc. devices.
- Creates logical images of iOS, Android, Blackberry, Symbian, etc. devices.
- Recovers deleted data from instant messengers and social networks. networks.
- Retrieves available data: contacts, chats, application data, media files and more.
- Analyzes the information received.
— Cloud services
- Allows you to log into your account and pass 2FA.
- Retrieves data from cloud services: Apple, Google, Yandex, Microsoft, Dropbox.
- Retrieves chats from cloud messenger services WhatsApp, Viber, Telegram, etc.
- Analyzes the received data.
- Decrypts backups.
"Mobile Forensic Scout"
Software module "Mobile Forensic Scientist" versions "Expert" and "Detective". Finds and extracts forensically important information from the examined laptops and personal computers:
— Credentials and tokens
- from iCloud for Windows, WhatsApp Desktop, TamTam Desktop, Line, Viber for Desktop, Skype for Desktop, Unigram X, Wickr Me Desktop, Telegram;
- from email services Mozilla Thunderbird, Microsoft Outlook, Microsoft Mail;
- from portable versions of programs and programs installed via a non-standard path.
— Web browser data: accounts, bookmarks, autofill form data, browsing history and cookies from Internet browsers Google Chrome, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer.
- Wi-Fi access points and passwords for them.
- iTunes backups.
- PC system information.
"Mobile Forensic Scout Plus"
Extension of the “Mobile Forensic Expert” software, which allows you to analyze data from applications for Windows OS extracted using the “Mobile Forensic Scout” module:
- Messages, contacts and media files from Viber, Unigram, Skype, Wickr Me.
- Correspondence and contacts from Mozilla Thunderbird, Microsoft Outlook, Microsoft Mail.
https://www.oxygensoftware.ru/download/articles/MK_Desktop_Brochure.pdf
"Mobile Forensic Desktop"
MK Desktop is a high-speed, portable, multifunctional tool that allows you to extract, decrypt and analyze key data from personal computers, laptops and servers on Windows, macOS, GNU/Linux operating systems.
3 main advantages of the product:
- High speed of information extraction and analysis
- Portable tool
- Simple and convenient interface
Why choose MK Desktop:
- Product for extracting and examining critical data from personal computers
- Fast processing of all extracted information
- Large set of analytical tools for investigation
- Regular functionality updates in accordance with the latest IT technologies
- Constant access to video lessons, instructions and webinars to gain skills in working with the product
For law enforcement agencies:
MK Desktop has a wide range of tasks and is an indispensable assistant in the work of law enforcement agencies, helping to extract and analyze data in a short period of time, conduct an initial examination of the data and create a portrait of the owner of a laptop or personal computer.
For corporate clients:
Business security professionals now have opportunities to investigate and prevent various types of corporate incidents, such as intellectual property theft, insider breaches, confidential data leaks, and more.
MK Desktop is a key tool for conducting an information security system audit.