Android Data Extractor Lite - An Open Source Forensic Tool For Android

We developed a tool named ADEL, short for "Android Data Extractor Lite". ADEL was developed for Android 2.x and automatically dumps selected SQLite database files from Android devices and extracts the contents stored within them. In this section we describe the main tasks of ADEL and the steps the tool actually performs. There are, however, conditions that must hold for ADEL to work correctly; these are stated in the following sections alongside the relevant tasks. A flow chart showing the structure of ADEL is depicted in the following figure:
During the development of ADEL we primarily took into account the following design guidelines:
Forensic principles: ADEL is intended to treat data in a forensically sound way. Analysis is never conducted directly on the phone but on a copy of the databases, so the data cannot be changed, neither by the users of ADEL nor by the operating system of the device. To be able to prove this, hash values are calculated before and after each analysis, which guarantees that the dumped data did not change during the analysis.
Extensibility: ADEL is built modularly and consists of two separate modules, the analysis module and the report module. Predefined interfaces exist between these modules, and both can easily be extended with additional functions. The modular structure allows further smartphone databases to be dumped and analyzed without great effort and facilitates future updates of the system.
Usability: ADEL is intended to be as simple to use as possible, for qualified persons and non-experts alike. Ideally the analysis of the mobile phone runs autonomously, so that the user never has to deal with internal processes. Moreover, the report module creates a detailed, readable report that includes all of the decoded data. During execution, ADEL optionally writes an extensive log file in which every important step that was executed is traced.
ADEL makes use of the Android Software Development Kit (Android SDK), in particular the adb daemon, to dump database files to the investigator's machine.
To extract the contents of a SQLite database file, ADEL parses its low-level data structures. After opening the database file to be parsed in read-only mode, ADEL reads the database header (the first 100 bytes of the file) and extracts the value of each header field. Only some of these values are needed to parse the rest of the file; the most important one is the page size, which is required to parse the b-tree structures page by page. ADEL then parses the b-tree that holds the "sqlite_master" table, whose root page is always the first page of the database. For each table in the database, the SQL CREATE statement and the page number of the table's b-tree root page are extracted from "sqlite_master"; the CREATE statement is analyzed further to obtain the name and data type of each column. Finally, the complete b-tree of each table is parsed, starting at the root page taken from "sqlite_master": every leaf page is located by following the pointers of the interior pages, and the rows of the table are extracted from the cells found in the leaf pages belonging to that table's b-tree.
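The parsing steps just described, and the before/after hashing required by the forensic principles above, as an added Python 3 example that is not ADEL's own code: it reads a SQLite file as raw bytes without using the sqlite library, decodes the 100-byte header, walks the sqlite_master b-tree on page 1, extracts the column names from each CREATE statement and then walks every table b-tree down to its leaf cells. The sample database (an SMS-like table whose schema is an assumption, not Android's real mmssms.db) is built with Python's sqlite3 module only to obtain realistic input; everything after that touches raw bytes. The example assumes that no row spills into overflow pages and that the CREATE statements are plain comma-separated column lists.

```python
import hashlib
import sqlite3
import struct
import tempfile

def build_sample_db():
    """Constructed input in a temp file: an SMS-like table whose schema is an assumption, not Android's."""
    path = tempfile.NamedTemporaryFile(suffix=".db", delete=False).name
    con = sqlite3.connect(path, isolation_level=None)   # autocommit, so the file is complete on close
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, date INTEGER, body TEXT)")
    con.executemany("INSERT INTO sms (address, date, body) VALUES (?, ?, ?)",
                    [("+15551234567", 1300000000000, "call me"), ("+15557654321", 1300000060000, "on my way")])
    con.close()
    return path

def read_varint(buf, pos):
    """Decode SQLite's big-endian varint at buf[pos]; return (unsigned value, position after it)."""
    value = 0
    for i in range(8):
        b = buf[pos + i]
        value = (value << 7) | (b & 0x7F)
        if b < 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9      # a 9th byte contributes all 8 of its bits

def decode_record(payload):
    """Decode one record: a varint header of serial types, then the column bodies in the same order."""
    hdr_size, pos = read_varint(payload, 0)
    types = []
    while pos < hdr_size:
        t, pos = read_varint(payload, pos)
        types.append(t)
    values, pos = [], hdr_size
    for t in types:
        if t == 0:
            values.append(None)
        elif t in (8, 9):                   # serial types 8 and 9 are the constants 0 and 1
            values.append(t - 8)
        else:
            n = (1, 2, 3, 4, 6, 8, 8)[t - 1] if t <= 7 else (t - 12) // 2
            raw, pos = payload[pos:pos + n], pos + n
            if t <= 6:                      # big-endian signed integer of 1..8 bytes
                values.append(int.from_bytes(raw, "big", signed=True))
            elif t == 7:                    # IEEE 754 double
                values.append(struct.unpack(">d", raw)[0])
            else:                           # >= 12: even = BLOB, odd = TEXT (UTF-8 assumed)
                values.append(raw if t % 2 == 0 else raw.decode("utf-8"))
    return values

def walk_table(db, page_size, pgno):
    """Yield (rowid, values) from every leaf cell of the table b-tree rooted at page pgno."""
    pg = db[(pgno - 1) * page_size:pgno * page_size]
    off = 100 if pgno == 1 else 0           # page 1 starts with the 100-byte file header
    ptype, ncells = pg[off], struct.unpack(">H", pg[off + 3:off + 5])[0]
    ptr0 = off + (12 if ptype == 0x05 else 8)
    ptrs = [struct.unpack(">H", pg[ptr0 + 2 * i:ptr0 + 2 * i + 2])[0] for i in range(ncells)]
    if ptype == 0x05:                       # interior table page: left children, then the right-most child
        for p in ptrs:
            yield from walk_table(db, page_size, struct.unpack(">I", pg[p:p + 4])[0])
        yield from walk_table(db, page_size, struct.unpack(">I", pg[off + 8:off + 12])[0])
    else:
        assert ptype == 0x0D, "page %d is not a table b-tree page" % pgno   # 0x0D = leaf table page
        for p in ptrs:                      # cell: varint payload size, varint rowid, record payload
            size, p = read_varint(pg, p)
            rowid, p = read_varint(pg, p)
            # assumption: the payload fits in the page (no overflow chain); true for these small rows
            yield rowid, decode_record(pg[p:p + size])

def columns_from_create(sql):
    """Naive CREATE TABLE parse (plain comma-separated columns, no quoting) -> [(name, is_rowid_alias)]."""
    return [(t[0], "INTEGER" in t[1:] and "PRIMARY" in t)
            for t in (part.split() for part in sql[sql.index("(") + 1:sql.rindex(")")].split(","))]

def extract(db):
    """Parse raw SQLite file bytes (no sqlite library involved) into {table: [row dicts]}."""
    assert db[:16] == b"SQLite format 3\x00", "not a SQLite 3 file"
    page_size = struct.unpack(">H", db[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size   # the header encodes 65536 as 1
    tables = {}
    for _, (kind, name, _tbl, root, sql) in walk_table(db, page_size, 1):   # sqlite_master is on page 1
        if kind == "table":
            cols = columns_from_create(sql)
            # an INTEGER PRIMARY KEY column is stored as NULL in the record; its value is the rowid
            tables[name] = [{c: (rowid if alias and v is None else v) for (c, alias), v in zip(cols, vals)}
                            for rowid, vals in walk_table(db, page_size, root)]
    return tables

def forensic_extract(path):
    """Hash the dump before and after analysis, as ADEL does, and refuse to report if it changed."""
    with open(path, "rb") as f:
        db = f.read()
    before = hashlib.sha256(db).hexdigest()
    tables = extract(db)
    with open(path, "rb") as f:
        if hashlib.sha256(f.read()).hexdigest() != before:
            raise RuntimeError("dump was modified during analysis")
    return before, tables

def demo():
    return forensic_extract(build_sample_db())[1]
```

`demo()` returns `{"sms": [{"_id": 1, "address": "+15551234567", ...}, ...]}`, recovered entirely from the bytes on disk. Two details matter in practice: the rowid-alias column comes back as NULL from the record and must be filled in from the cell's rowid, and real Android databases contain rows large enough to use overflow pages and index b-trees (page types 0x02 and 0x0A), both of which this example deliberately leaves out.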
Within this section we address the report module and its functionalities. In the current development state, the following databases are forensically treated and parsed:
  • telephone and SIM-card information (e. g. IMSI and serial number),
  • telephone book and call lists,
  • calendar entries,
  • SMS messages,
  • GPS locations from different sources on the smartphone.
Data retrieved this way is written to an XML file by the report module to ease further use and presentation of the data. Like the analysis module, it can easily be updated to follow changes in future Android versions or in the underlying database schemas. To this end we defined tuples, e. g. [table, row, column], that describe the data exchanged between the two modules; if a database schema changes in the future, only these tuples have to be adapted. The report module automatically creates an XML file for each of the data types listed above. In addition, one report is created that contains all data extracted from the analyzed databases and is rendered into readable form with an XSL stylesheet. All files created by ADEL are stored in a subfolder of the current project.
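The tuple-driven hand-over between the two modules, as an added Python 3 example that is not ADEL's code: the analysis module's output is modelled as `{table: [row dicts]}` (constructed sample data with an assumed schema), and each report section is described by tuples of (XML element, table, column, converter), my reading of the page's [table, row, column] tuples. The report code never names a column itself, so a schema change in a later Android version is handled by editing the tuples only, and a tuple that no longer matches the dumped schema fails loudly instead of producing an empty report.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed output of the analysis module: {table: [row dicts]}. Column names are assumptions.
EXTRACTED = {
    "sms": [
        {"_id": 1, "address": "+15551234567", "date": 1300000000000, "body": "call me"},
        {"_id": 2, "address": "+15557654321", "date": 1300000060000, "body": "on my way"},
    ],
}

def ms_to_iso(ms):
    """Android stores many timestamps as milliseconds since the Unix epoch; render as UTC ISO 8601."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

# Field tuples (element, table, column, converter): the only thing edited when a schema changes.
SMS_FIELDS = [("number", "sms", "address", None),
              ("timestamp", "sms", "date", ms_to_iso),
              ("text", "sms", "body", None)]
# Hypothetical later schema that renamed "body" to "message": only the tuple list differs.
SMS_FIELDS_RENAMED = [("number", "sms", "address", None),
                      ("timestamp", "sms", "date", ms_to_iso),
                      ("text", "sms", "message", None)]

def render_report(extracted, section, fields):
    """Build <section><entry><element>value</element>...</entry>...</section> from the tuples."""
    tables = {t for _, t, _, _ in fields}
    if len(tables) != 1:
        raise ValueError("all tuples of one section must refer to the same table")
    (table,) = tables
    root = ET.Element(section)
    for row in extracted.get(table, []):
        entry = ET.SubElement(root, "entry")
        for element, _, column, convert in fields:
            if column not in row:   # schema drift: the tuples no longer match the dumped database
                raise KeyError("column %r missing from table %r; update the field tuples" % (column, table))
            value = row[column]
            ET.SubElement(entry, element).text = str(convert(value) if convert and value is not None else value)
    return ET.tostring(root, encoding="unicode")

def sms_report():
    return render_report(EXTRACTED, "sms_messages", SMS_FIELDS)

def schema_drift_detected():
    """True if rendering with tuples for the renamed schema is refused instead of silently succeeding."""
    try:
        render_report(EXTRACTED, "sms_messages", SMS_FIELDS_RENAMED)
    except KeyError:
        return True
    return False
```

`sms_report()` yields one `<entry>` per row with the millisecond timestamp already converted to a human-readable UTC time; the XSL stylesheet mentioned above would then only have to lay this XML out.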
Changes since the first version of ADEL presented in May 2011:
Since many manufacturers have opened their boot loaders, it is no longer necessary to exploit the Android system to gain root access in order to run ADEL. It is now sufficient to modify the original kernel (boot image) so that a root shell is included. This significantly reduces the amount of data modified on the smartphone compared to other approaches such as flashing a custom ROM. As soon as the smartphone has been booted with the modified kernel, the following changes have to be made manually to guarantee that the data handed to the investigator is trustworthy and its integrity is preserved: the original, untrusted adb daemon on the smartphone is replaced by a trusted copy. The commands listed below copy a trusted adbd binary onto the smartphone, open a root shell and remount the root filesystem (which holds /sbin/adbd) read-write. The existing daemon is then backed up and the new one moved into its place, after which the filesystem is remounted read-only to prevent further changes. As a final step the running (original) adb daemon is killed; the adb shell session dies with it, and init restarts the adbd service from the replaced binary. Note that on Android 2.x the root filesystem is a RAM disk unpacked from the boot image, so this replacement does not survive a reboot and has to be repeated after each one.
  • adb push adbd /sdcard/
  • adb shell
  • su
  • mount -o rw,remount /
  • mv /sbin/adbd /sbin/adbd.old
  • mv /sdcard/adbd /sbin/adbd
  • mount -o ro,remount /
  • ps | grep adbd
  • kill <PID of adbd shown by the previous command>
In addition to the fundamental change above, new functionality for retrieving and analyzing location information has been added. ADEL can now retrieve location data from the well-known cache files as well as from some of the most downloaded apps (such as Twitter and Facebook), and it extracts GPS coordinates from the EXIF data of pictures. Here is an example of what the result looks like:
Changes since the second version of ADEL presented in January 2012:
ADEL now makes use of a custom recovery image based on ClockworkMod Recovery. With this change, neither the kernel nor the adb daemon has to be modified any more. Furthermore, on some newer smartphones the modified recovery can be loaded into RAM via fastboot (fastboot boot <recovery image>), so no persistent changes to the smartphone are needed at all.