Autopsy  4.21.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Mobile Forensics

Overview

Smart phones are basically small computers and Autopsy can parse and analyze the contents of Android and iOS devices. This includes both the official databases and third-party app databaes. This page provides some basic pointers for doing so. It assumes that you have already read Developing Ingest Modules and know the basics of writing ingest modules.

The basic idea is that you need an ingest module. We've typically written mobile forensics modules as data source-level ingest modules, which means they are passed in a reference to the entire data source and not passed in individual files. We do this because we typically know the path where we expect to find the files and databases of interest.

The ingest module has a basic flow of

The BlackBoard has standard artifacts for the standard cell phone forensics data types, such as BlackboardArtifact.TSK_CALLLOG.

There are a couple of classes that can help streamline processing mobile databases. The org.sleuthkit.autopsy.coreutils.AppSQLiteDB class has methods for opening and querying SQLite databases. For example, to find and open a database named "transfer20.db" in the "com.dewmobile.kuaiya.play" package, you can simply use the following method (examples in Python):

transferDbs = AppSQLiteDB.findAppDatabases(dataSource, "transfer20.db", True, "com.dewmobile.kuaiya.play")

Once you have your databases, you can run easily run queries on them:

queryString = "SELECT device, name, direction, createtime, path, title FROM transfer"
transfersResultSet = transferDb.runQuery(queryString)

You can make Blackboard Artifacts using the org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper class. This gives you methods to make contacts, messages, and call log entries. The following is sample code in Python to set up the CommunicationArtifactsHelper and then use it to make artifacts.

transferDbHelper = CommunicationArtifactsHelper(current_case.getSleuthkitCase(),
"Zapya Analyzer", transferDb.getDBFile(),
Account.Type.ZAPYA)
direction = CommunicationDirection.UNKNOWN
fromAddress = None
toAddress = None
if (transfersResultSet.getInt("direction") == 1):
direction = CommunicationDirection.OUTGOING
toAddress = Account.Address(transfersResultSet.getString("device"), transfersResultSet.getString("name") )
else:
direction = CommunicationDirection.INCOMING
fromAddress = Account.Address(transfersResultSet.getString("device"), transfersResultSet.getString("name") )
msgBody = "" # there is no body.
attachments = [transfersResultSet.getString("path")]
msgBody = general.appendAttachmentList(msgBody, attachments)
timeStamp = transfersResultSet.getLong("createtime") / 1000
messageArtifact = transferDbHelper.addMessage(
self._MESSAGE_TYPE,
direction,
fromAddress,
toAddress,
timeStamp,
MessageReadStatus.UNKNOWN,
None, # subject
msgBody,
None ) # thread id

Look in the autopsy\InternalPythonModules\android\ folder for additional examples.

Android Module

Autopsy comes with an Android module, as defined in various classes in the org.sleuthkit.autopsy.modules.android package. You can use those classes as a reference example.

Submit pull requests with any additions that you have to these modules.


Copyright © 2012-2022 Basis Technology. Generated on: Tue Feb 6 2024
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.