LabCIF - Forensic Analysis for Mobile Apps
Getting Started
Android extraction and analysis framework with an integrated Autopsy Module. Dump easily user data from a device and generate powerful reports for Autopsy or external applications.
Functionalities
- Extract user application data from an Android device with ADB (root and ADB required).
- Dump user data from an android image or mounted path.
- Easily build modules for a specific Android application.
- Generate clean and readable JSON reports.
- Complete integrated Autopsy compatibility (datasource processor module, ingest module, report module, geolocation, communication and timeline support).
- Export HTML report based on the current case.
Report Screenshots
Prerequisites
How to use
The script can be used directly in terminal or as Autopsy module.
Running from Terminal
usage: start.py [-h] [-d DUMP [DUMP ...]] [-p PATH] [-o OUTPUT] [-a] app
Forensics Artefacts Analyzer
positional arguments:
app Application or package to be analyzed <tiktok> or <com.zhiliaoapp.musically>
optional arguments:
-h, --help show this help message and exit
-d DUMP [DUMP ...], --dump DUMP [DUMP ...] Analyze specific(s) dump(s) <20200307_215555 ...>
-p PATH, --path PATH Dump app data in path (mount or folder structure)
-o OUTPUT, --output OUTPUT Report output path folder
-a, --adb Dump app data directly from device with ADB
-H, --html Generate HTML report
Running from Autopsy
- Download repository contents (zip).
- Open Autopsy -> Tools -> Python Plugins
- Unzip previously downloaded zip in
python_modules
folder. - Restart Autopsy, create a case and select the module.
- Select your module options in the Ingest Module window selector.
- Click "Generate Report" to generate an HTML report of the case.
Build an application module
Do you need a forensics module for a specific Android application? Follow the instructions here and build a module by yourself.
Authors
Mentors
Project developed as final project for Computer Engineering course in Escola Superior de Tecnologia e Gestão de Leiria.
Environments Tested
- Windows (primary)
- Linux
- Mac OS
License
This project is licensed under the terms of the GNU GPL v3 License.
- ADB - Android Software Development Kit License Agreement
- Base64 - GNU GPL v2 License
- Bootstrap - MIT License
- feather - MIT License
- Freepic Icons
- jQuery - MIT License
- jQuery.lazy - MIT License
- leaflet - BSD 2-Clause "Simplified" License
- pdfmake - MIT License
- SQLite-Deleted-Records-Parser - GNU GPL v3 License
- Undark - BSD License 2.0
Notes
- Made with
❤ in Leiria, Portugal