Autopsy User Documentation  4.5.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Android Analyzer Module

What Does It Do

The Android Analyzer module allows you to analyze SQLite and other files from an Android device. It works on physical dumps from most Android devices (note that we do not provide an acquisition method). Autopsy does not support older Android devices that do not have a volume system. These devices often have a single physical image file, and nothing in that image describes the layout of the file systems, so Autopsy cannot detect what it contains.

The module should be able to extract the following:

NOTE: These database formats vary by OS version, and different vendors can place the databases in different locations. Autopsy may not support all versions and vendors.

NOTE: This module's support for Android is not exhaustive. It was created as a starting point for others to contribute plug-ins for third-party apps. See the Developer docs for information on writing modules.
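
Because vendors place databases in different locations, an examiner may want to inventory every SQLite file in an exported file system dump and compare it with what the module reported. The following is an added example, not part of Autopsy or its documentation: it identifies SQLite files by header rather than by path or extension and lists their tables. The sample tree, the file names and the `sms` table are constructed for the demonstration.

```python
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def is_sqlite(path):
    """True if the file starts with the SQLite 3 header, whatever its name."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def list_tables(path):
    """Return {table: row_count} for one database file."""
    # mode=ro + immutable=1: no locks or journal files are created next to the copy
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    conn = sqlite3.connect(uri, uri=True)
    try:
        names = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        return {n: conn.execute('SELECT COUNT(*) FROM "%s"'
                                % n.replace('"', '""')).fetchone()[0] for n in names}
    except sqlite3.DatabaseError:
        return {}  # header matched, but the file is truncated, encrypted or corrupt
    finally:
        conn.close()


def scan_dump(root):
    """Walk an exported file system dump; map each SQLite file to its tables."""
    root = Path(root)
    files = (p for p in root.rglob("*") if p.is_file() and not p.is_symlink())
    return {str(p.relative_to(root)): list_tables(p) for p in files if is_sqlite(p)}


def build_sample(root):
    """Constructed sample: a real database without a .db suffix, plus a decoy."""
    db = Path(root, "vendor_app", "store", "msgstore")
    db.parent.mkdir(parents=True)
    conn = sqlite3.connect(db)
    conn.executescript("CREATE TABLE sms (body TEXT); INSERT INTO sms VALUES ('hi'), ('ok');")
    conn.close()
    Path(root, "notes.db").write_text("not a database")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_dump(tmp))
```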

Configuration

There is no configuration required.

Using the Module

Simply add your physical images or file system dumps as data sources and enable the Android Analyzer module.

Ingest Settings

There are no runtime ingest settings required.

Seeing Results

The results show up in the tree under "Results", "Extracted Content".


Messages can also be seen by browsing to the source file in the Data Sources tree, which will display the messages in the Results Viewer to the right. Any messages with attachments will be shown under the source file in the tree, and the attachments can be seen in the Result Viewer.


Copyright © 2012-2016 Basis Technology. Generated on Thu Dec 14 2017
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.