HOWTO: Use AFLogical OSE for Logical Forensics of an Android Device
This HOWTO will walk you through the use of AFLogical OSE to extract data from an Android mobile device.
Note: The Open Source Edition has been released for use by non-law enforcement personnel, Android aficionados, and forensics gurus alike. It allows an examiner to extract CallLog Calls, Contacts Phones, MMS messages, MMSParts, and SMS messages from Android devices. The full AFLogical software is available free for Law Enforcement personnel. More information is available at https://viaforensics.com/products/android-forensics-tool/.
What you will need:
- Santoku Linux Alpha 0.1 (or later)
- AFLogical OSE (already bundled with Santoku Linux)
- An Android mobile device with USB debugging on
Getting started with AFLogical OSE
Make sure your device is connected to your machine. If you’re using Santoku in VirtualBox, go to Devices –> USB Devices. Make sure there’s a checkmark next to your device.
If in VMWare Player, go to VM –> Removable Devices –>
Enable USB debugging on your device. For Android 3.x and below, go to Settings –> Applications –> Development, then check ‘USB debugging’.
On Android 4.x and above go to Settings –> Developer Options, then check ‘USB debugging’.
In Santoku, open AFLogical OSE: Santoku –> Device Tools –> SDK Manager.
Extract Data from your Device:
Push the AFLogical-OSE_1.5.2.apk to your device.
$ ls -l
total 72
-rw-r--r-- 1 santoku-user santoku-user 28794 Dec 19  2011 AFLogical-OSE_1.5.2.apk
-rw-r--r-- 1 santoku-user santoku-user 35819 Dec 19  2011 GPL
-rw-r--r-- 1 santoku-user santoku-user  1236 Dec 19  2011 README.txt
$ sudo adb devices
[sudo] password for santoku-user:
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached
aDf1357867	device
$ adb install AFLogical-OSE_1.5.2.apk
296 KB/s (28794 bytes in 0.094s)
	pkg: /data/local/tmp/AFLogical-OSE_1.5.2.apk
Success
On your Android device, open the AFLogical OSE application, choose what data you want to extract, and follow the prompts to extract the data.
Note: You must have an SD card installed on your device (or a built-in SD card) to extract the data.
Next, pull the data from your SD card to your Santoku machine.
$ mkdir ~/Desktop/AFLogical_Phone_Data
$ adb pull /sdcard/forensics/ ~/Desktop/AFLogical_Phone_Data
pull: building file list...
pull: /sdcard/forensics/20120720.1833/Contacts Phones.csv -> /home/santoku-user/Desktop/AFLogical_Phone_Data/20120720.1833/Contacts Phones.csv
...< snip >...
40 files pulled. 0 files skipped.
410 KB/s (3880025 bytes in 9.229s)
Your extracted data is in your ~/Desktop/AFLogical_Phone_Data directory.
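The steps above as one script, added here as an example (it is not from the Santoku page or the AFLogical project): it refuses to proceed unless exactly one authorized device is attached, installs the APK, pulls the output directory, and writes a SHA-256 manifest so the extracted CSVs can be verified later. The APK name and the /sdcard/forensics/ path come from the HOWTO; the manifest step, the function names and the `run` argument are assumptions of this example.

```sh
#!/bin/sh
# Added example wrapping the AFLogical OSE acquisition steps. Assumes adb is on
# PATH and the adb daemon is already running (the page starts it with sudo).
APK="AFLogical-OSE_1.5.2.apk"
REMOTE_DIR="/sdcard/forensics/"

# Read `adb devices` output on stdin. Print the serial when exactly one device is
# in the "device" state and fail otherwise: "unauthorized" or "offline" means the
# handset has not accepted USB debugging, and two devices means you could pull
# evidence from the wrong one.
single_ready_device() {
    serials=$(awk 'NF == 2 && $2 == "device" { print $1 }')
    count=$(printf '%s\n' "$serials" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$serials"
}

# Hash every pulled file into MANIFEST.sha256 (sorted, so the manifest is
# reproducible) and print how many files were hashed.
write_manifest() {
    dir="$1"
    ( cd "$dir" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | sort -z | xargs -0 sha256sum > MANIFEST.sha256 )
    awk 'NF { n++ } END { print n + 0 }' "$dir/MANIFEST.sha256"
}

# Full flow: check the device, install the APK, wait while the examiner runs the
# app on the handset, then pull the results and hash them.
acquire() {
    out="$1"
    serial=$(adb devices | single_ready_device) \
        || { echo "need exactly one authorized device attached" >&2; return 1; }
    echo "using device $serial"
    adb -s "$serial" install "$APK"
    echo "Run AFLogical OSE on the device, choose the data to extract, then press Enter."
    read -r _
    mkdir -p "$out"
    adb -s "$serial" pull "$REMOTE_DIR" "$out"
    write_manifest "$out"
}

# Only acquire when asked explicitly: ./aflogical.sh run ~/Desktop/AFLogical_Phone_Data
if [ "${1:-}" = "run" ]; then
    acquire "${2:-$HOME/Desktop/AFLogical_Phone_Data}"
fi
```

Afterwards `cd` into the output directory and run `sha256sum -c MANIFEST.sha256` to confirm nothing changed since the pull.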