Hands-on Android Forensics using ADB (en)

From OnnoWiki
Revision as of 05:18, 21 October 2024 by Onnowpurbo (talk | contribs) (Created page with "Here’s the translation while retaining the wiki format: ==Android Forensic Techniques on Ubuntu Using ADB== '''What is ADB?''' Android Debug Bridge (ADB) is a powerful co...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Here’s the translation while retaining the wiki format:

Android Forensic Techniques on Ubuntu Using ADB

What is ADB?

Android Debug Bridge (ADB) is a powerful command-line tool used to communicate with an Android device connected to a computer. In the context of forensics, ADB allows us to extract data, execute commands on the device, and analyze the system in depth.

Preparation

1. Installing ADB:

  • SDK Platform-tools Method: Download the platform-tools from the official Android developer site and extract it to your desired directory. Add the path to this directory to the PATH environment variable.
  • SDK Manager Method: If you have already installed Android Studio, you can use the SDK Manager to install the platform-tools.

2. Enable USB Debugging:

  • Open the settings on your Android device.
  • Look for the "Developer Options" (usually hidden; enable it by tapping "Build Number" several times).
  • Enable "USB Debugging".

ADB Commands and Usage Examples

  • adb devices:
    • Function: Displays a list of Android devices connected to the computer.
    • Example:
adb devices  
List of devices attached  
emulator-5554   device
  • adb shell:
    • Function: Opens a shell on the Android device, allowing you to run commands directly on the operating system.
    • Example:
adb shell  
# Once in the shell, you can run Linux commands like ls, cd, cat, etc.
  • adb pull:
    • Function: Copies files from the Android device to the computer.
    • Example:
adb pull /sdcard/Documents/file.txt ~/Downloads
  • adb push:
    • Function: Copies files from the computer to the Android device.
    • Example:
adb push ~/tools/myapp.apk /sdcard/
  • adb shell screencap -p /sdcard/screenshot.png:
    • Function: Takes a screenshot of the device and saves it as a PNG file in internal storage.
    • Example:
adb shell screencap -p /sdcard/screenshot.png  
adb pull /sdcard/screenshot.png ./
  • adb logcat:
    • Function: Prints the Android system logs to the terminal. Very useful for tracing application activity, errors, and other information.
    • Example:
adb logcat > log.txt
  • adb install myapp.apk:
    • Function: Installs an APK application on the device.
    • Example:
adb install myapp.apk
  • adb shell dumpsys meminfo:
    • Function: Displays memory usage information on the device.
    • Example:
adb shell dumpsys meminfo > meminfo.txt
  • adb analyze database:
    • Function: To analyze databases on the device, you need to use additional tools like SQLite Browser or SQLite command-line tools.
adb pull /data/data/com.example.app/databases/mydatabase.db .  
sqlite3 mydatabase.db
  • adb analyze malware:
    • Function: Requires specialized tools such as VirusTotal, Cuckoo Sandbox, or other malware analysis frameworks. You need to extract suspicious files and analyze them using those tools.
  • adb analyze RAT:
    • Function: To detect and analyze RATs, you need to check system logs, network activity, and configuration files related to RATs. Tools like Wireshark can help in network analysis.

Case Example and Analysis Steps

For example, you want to analyze an application suspected of being malware. The steps that can be taken:

1. Connect the device: Connect the Android device to the computer and ensure USB debugging is enabled.
2. Extract the application:
adb pull /data/app/com.example.malware-1.apk .
3. Static analysis: Use decompilation tools like jadx to view the application's source code.
4. Dynamic analysis: Run the application on a virtual or physical device, then monitor its activity using logcat and network analysis tools.
5. Look for indicators of compromise: Note any unusual permissions, suspicious network connections, and abnormal application behavior.
6. Malware analysis: Upload the APK to VirusTotal for an analysis report.

Notes:

  • Root Access: For deeper access, you may need to root the device.
  • Data Protection: Always follow the law and ethics when performing digital forensics. Do not access data without permission.
  • Additional Tools: Besides ADB, there are many specialized Android forensic tools that can assist in more complex analyses.

Conclusion

ADB is an invaluable tool for digital forensic investigators. With a good understanding of ADB commands and supporting tools, you can conduct in-depth analysis on Android devices to uncover relevant digital evidence.

Disclaimer: This information is for educational purposes only and should not be used for illegal activities.

Interesting Links