Andriller is a software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. It has other features, such as powerful Lockscreen cracking for Pattern, PIN code, or Password, and custom decoders for App data from Android (and some Apple iOS) databases for decoding communications. Extraction and decoders produce reports in HTML and Excel (.xlsx) formats.
Basic Setup

Andriller is a cross-platform application for Microsoft Windows and Ubuntu Linux. The Windows lightweight setup installer only requires the Microsoft Visual C++ 2010 Redistributable Package (x86), USB drivers for your Android device, and a web browser for viewing results. The Ubuntu version needs the "android-tools-adb" package installed. Simple.

Features
Database Decoders

This feature allows importing individual App database files for automated parsing of the data. There are decoders mainly for Android and some for Apple iOS Apps. Once successfully decoded, reports are shown in your web browser. Databases can be exported from mainstream forensic tools, such as XRY, UFED Cellebrite, Oxygen Forensic, and imported into Andriller for individual decoding. Andriller's output offers cleaner data. For a full list of supported databases see the bottom of this page, or see the decoders section.
Data Extraction from Androids

Connect an Android device by a USB cable, have USB Debugging enabled, and make sure the device drivers are installed. First, select the [Output] directory where you wish the extracted data to be saved. Second, click [Check] to see whether Andriller has detected your connected device. You may wish Andriller to open the Report on the extraction's completion, or to ignore root permissions (this extracts by the Android Backup method on Android 4.x). To begin, hit the [Go!] button; Andriller should run, download any data, and decode it all at once.

Note 1: Android version 4.2.2+ requires you to authorise the PC by accepting its RSA fingerprint on the device. Please do so, and tick the box to remember it for the future.

Note 2: Devices with the Superuser or SuperSU App require root access to be authorised from an unlocked screen. Please grant permissions if requested.
Data Parsing

Supported inputs: Folder Structure, Tarball Files, Android Backup Files.
Reporting

After the data extraction finishes, all data is saved in a folder in the directory specified before extraction. The main index file of the extraction is REPORT.html. It contains the summary of the device examined, and lists any data extracted. From there, you can navigate to other extracted data, like SMS or Contacts. An Excel REPORT.xlsx is also produced at the same time, which contains all data in one file. There will also be the following files and folders, which may be of interest:

db/ - folder where downloaded databases are extracted to
Lockscreens Bypass

Andriller has the means of decoding pattern locks, and cracking PIN codes and Passwords. Options: Pattern, PIN and Password Cracking; Get Salt from...
Gesture Pattern Decoding

To decode a Pattern lock, click [Browse] and select the gesture.key file located at /data/system/gesture.key on your Android device. Alternatively, just submit the gesture pattern hash (the hexadecimal string of the gesture.key file contents), and click [Decode]. When decoded, the pattern is shown as a sequence list. When the Pattern field is filled, click [Draw] and the pattern is displayed in a visualised form. Right-click on the drawn pattern to save it as a PostScript file.

Tip: if you wish to draw a pattern but don't have a gesture hash key or value, you can double-click on the disabled Pattern field; this re-enables the field for editing. Enter the pattern in the form of a list, and click [Draw]. The pattern will be drawn, and can be saved as a file.
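What the [Decode] step has to compute, as an added example that is not Andriller's own code: gesture.key on pre-6.0 Android holds the unsalted SHA-1 of the visited node indices, so recovery is an exhaustive search over drawable patterns. The node numbering (0..8, row-major) and the grid rules below are assumptions of this example, not taken from the page.

```python
import hashlib
from itertools import permutations

# Pre-Marshmallow Android stores the lock pattern in /data/system/gesture.key as the
# unsalted SHA-1 (20 raw bytes) of the visited node indices, numbered row-major:
#   0 1 2
#   3 4 5
#   6 7 8
# A straight move between two nodes passes over a middle node; the UI adds that
# node to the path unless it was already visited, which limits the keyspace.
_MIDDLE = {(0, 2): 1, (3, 5): 4, (6, 8): 7, (0, 6): 3, (1, 7): 4, (2, 8): 5,
           (0, 8): 4, (2, 6): 4}


def is_valid_pattern(nodes):
    """True if the sequence is drawable: 4-9 distinct nodes, no unvisited middle skipped."""
    if not 4 <= len(nodes) <= 9 or len(set(nodes)) != len(nodes):
        return False
    seen = set()
    for a, b in zip(nodes, nodes[1:]):
        seen.add(a)
        mid = _MIDDLE.get((min(a, b), max(a, b)))
        if mid is not None and mid not in seen:
            return False
    return True


def pattern_hash(nodes):
    """Hex SHA-1 of a pattern, exactly as gesture.key stores it (no salt)."""
    return hashlib.sha1(bytes(nodes)).hexdigest()


def read_gesture_key(path):
    """Return the hex hash from an acquired gesture.key file (20 bytes)."""
    with open(path, "rb") as fh:
        return fh.read(20).hex()


def decode_gesture(hex_hash):
    """Recover the pattern for a gesture.key hash by exhaustive search.

    With no salt and well under a million drawable patterns, every candidate can
    be hashed in seconds; this weakness is why Android 6.0 moved lockscreen
    credentials to the salted, TEE-backed Gatekeeper scheme.
    Returns the node list, or None if the hash matches no drawable pattern."""
    target = hex_hash.strip().lower()
    for length in range(4, 10):
        for candidate in permutations(range(9), length):
            if pattern_hash(candidate) == target and is_valid_pattern(candidate):
                return list(candidate)
    return None
```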
Lockscreen PIN code cracking
Once Start is clicked, a percentage progress will be displayed. You can pause and resume cracking at any time. The last tried PIN is shown, just to let you know how far you've gone. Also includes Samsung cracking, which uses a different type of password hashing than other Android vendors.
Lockscreen Password cracking
Once Start is clicked, the tried password is displayed while cracking. You can pause and resume cracking at any time, just like with PIN cracking. Also includes Samsung cracking, which uses a different type of password hashing than other Android vendors.
Lockscreen Password brute force
This cracking method cannot be paused/resumed like the other methods.
Decrypt Encrypted Databases

Andriller supports decryption of encrypted WhatsApp databases (msgstore.db.crypt).

Plain Crypt (msgstore.db.crypt): the encrypted database is automatically decrypted into an SQLite3 database. Browse and select the encrypted file; Andriller will decode it to a new file in the same directory. msgstore.db.crypt ==> msgstore.db

Crypt5 (msgstore.db.crypt5): to successfully decrypt this type of database, an email address is required, namely the one synchronised with the Android device. Browse and select the encrypted file; you will be prompted to enter the email address. Once successful, it decodes to a new file in the same directory. msgstore.db.crypt5 ==> msgstore.db

Crypt7, Crypt8 (msgstore.db.crypt7/msgstore.db.crypt8): to successfully decrypt this type of database, the encryption key file from the device is required. Browse and select the encrypted file; you will then be prompted to browse and select the key file. Once successful, it decodes to a new file in the same directory. msgstore.db.crypt7 ==> msgstore.db
Decode & Merge Multiple Databases

This utility will decode multiple Facebook databases and produce the combined messages in one report (without duplicates). This is useful when combining "threads_db2" databases from the com.facebook.katana and com.facebook.orca application directories.

This utility will also decode multiple WhatsApp databases and produce the combined messages in one report (without duplicates). Use recovered databases (from /data/data/com.whatsapp) together with decrypted backup databases (such as a decrypted msgstore.db.crypt8 from /sdcard/WhatsApp/Databases).
Tools

Andriller has a feature to unpack Android backup files from Android versions 4.x and above.

AB to TAR: converts a backup.ab file to a Tarball. backup.ab ==> backup.ab.tar

AB to folder: converts and extracts backup.ab to a folder. backup.ab ==> backup.ab_extracted/
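The AB to TAR and AB to folder steps described above, as an added example that is not Andriller's own code: the .ab header is parsed, an encrypted backup is refused (its payload is ciphertext, not a tar), and the zlib-compressed tar is inflated and listed. The sample backup.ab is constructed in memory so the example runs offline; the package path inside it is made up.

```python
import io
import tarfile
import zlib

# An Android backup (.ab) file is four newline-terminated ASCII header lines followed
# by the payload: "ANDROID BACKUP", the format version, a "1"/"0" compression flag,
# and the encryption scheme ("none" or "AES-256"). An unencrypted payload is a tar
# archive, zlib-compressed when the flag is "1".
MAGIC = b"ANDROID BACKUP\n"


def parse_ab_header(data):
    """Return (version, compressed, encryption, payload_offset) for an .ab blob."""
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup file (bad magic)")
    pos = len(MAGIC)
    fields = []
    for _ in range(3):
        end = data.index(b"\n", pos)
        fields.append(data[pos:end].decode("ascii"))
        pos = end + 1
    version, compressed, encryption = fields
    return int(version), compressed == "1", encryption, pos


def ab_to_tar(data):
    """Convert backup.ab bytes to tar bytes (the 'AB to TAR' step)."""
    _version, compressed, encryption, pos = parse_ab_header(data)
    if encryption != "none":
        # The AES key derives from the backup password; refuse rather than return ciphertext.
        raise ValueError(f"encrypted backup ({encryption}); password required")
    payload = data[pos:]
    return zlib.decompress(payload) if compressed else payload


def list_tar_members(tar_bytes):
    """Member names inside the tar, e.g. apps/<package>/db/<file> (the 'AB to folder' view)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]


def make_sample_ab(files):
    """Constructed sample for offline testing: an unencrypted, compressed backup.ab."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return MAGIC + b"1\n1\nnone\n" + zlib.compress(buf.getvalue())
```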
Screen Capture

New feature for Andriller: take screen captures.
Configurations (Preferences)

Configuration preferences are located at File > Configurations.