How Tos

HOWTO: Use AFLogical OSE for Logical Forensics of an Android Device

This HOWTO will walk you through the use of AFLogical OSE to extract data from an Android mobile device.

Note: The Open Source Edition has been released for use by non-law enforcement personnel, Android aficionados, and forensics gurus alike. It allows an examiner to extract CallLog Calls, Contacts Phones, MMS messages, MMSParts, and SMS messages from Android devices. The full AFLogical software is available free for Law Enforcement personnel. More information is available at


What you will need:

  • Santoku Linux Alpha 0.1 (or later)
  • AFLogical OSE (already bundled with Santoku Linux)
  • An Android mobile device with USB debugging on


Getting started with AFLogical OSE

Make sure your device is connected to your machine. If you’re using Santoku in VirtualBox, go to Devices –> USB Devices. Make sure there’s a checkmark next to your device.

If in VMWare Player, go to VM –> Removable Devices –> and click “Connect”.

Enable USB debugging on your device. For Android 3.x and below, go to Settings –> Applications –> Development, then check ‘USB debugging’.
On Android 4.x and above go to Settings –> Developer Options, then check ‘USB debugging’.

In Santoku, open AFLogicalOSE: Santoku –> Device Tools –> SDK Manager.


Extract Data from your Device:

Push the AFLogical-OSE_1.5.2.apk to your device.

$ ls -l
total 72
-rw-r--r-- 1 santoku-user santoku-user 28794 Dec 19  2011 AFLogical-OSE_1.5.2.apk
-rw-r--r-- 1 santoku-user santoku-user 35819 Dec 19  2011 GPL
-rw-r--r-- 1 santoku-user santoku-user  1236 Dec 19  2011 README.txt

$ sudo adb devices
[sudo] password for santoku-user: 
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached 
aDf1357867	device

$ adb install AFLogical-OSE_1.5.2.apk 
296 KB/s (28794 bytes in 0.094s)
	pkg: /data/local/tmp/AFLogical-OSE_1.5.2.apk

On your Android device, open the AFLogical OSE application, choose what data you want to extract, and follow the prompts to extract the data.
Note: You must have an SD card installed on your device (or a built in SD card) to extract the data.

Next, pull the data from your SD card to your Santoku machine.

$ mkdir ~/Desktop/AFLogical_Phone_Data

$ adb pull /sdcard/forensics/ ~/Desktop/AFLogical_Phone_Data
pull: building file list...
pull: /sdcard/forensics/20120720.1833/Contacts Phones.csv -> /home/santoku-user/Desktop/AFLogical_Phone_Data/20120720.1833/Contacts Phones.csv
...< snip >...
40 files pulled. 0 files skipped.
410 KB/s (3880025 bytes in 9.229s)

Your extracted data is in your ~/Desktop/AFLogical_Phone_Data directory.