Android Mobile Device Forensics with Mobile Phone Examiner Plus

AccessData (AD) Mobile Phone Examiner Plus (MPE+) is a powerful mobile device data review tool that can be used in the field as part of a mobile field unit or in the lab. Additionally, data extracted from mobile devices using MPE+ can be easily imported into an FTK case, which offers more in-depth drill-down, categorization, full-text index searching, and all of this is right alongside other digital evidence collected for a case. MPE+ can extract information such as phone and address book data, media files, call logs, SMS and MMS messages, calendar, and file system data stored in the memory of a mobile device.

Download MPE+ from here & install in your PC.

Now Double click on MPE+ Icon to open it.

Note: USB Debugging must be enabled.

Now select the Drive Management option from Home tab.

To install the mobile driver in your system, click on download option from the given list.

It will install the driver. Click on Select Device.

Now enter the Manufacturer and Model No of the mobile. Click on Connect.

Now select the mobile android version and click on finish.

It will display a message. Connecting to Android Device.

Now it will show the Select Data for Extraction Pop Up. Click on Select All Option and select Extract Option.

It will show the Progress Bar for Android Logical Device Data Extraction.

Now click on Device Information, it will show all the details about the Android Mobile.

 Select Call History Option to see all incoming and outgoing call details with duration as well as date and time.

To view all the contacts in the mobile, select Contacts option.

To get all the SMS messages, Select SMS Option.

To see how many android packages have been installed, select Android Packages.

To see all the connected Bluetooth devices, click on Bluetooth Devices Option.

To get the information about the WIFI connections connected with this android mobile, select WiFi Hotspots.

To see the bookmarks, click on WEB option and then select Bookmarks Sub option.

To get Browser History, Click on Web Option and select Browser History Sub option.

To see all the images existing in the Android Mobile from different resources, select Media option and click on Image Sub option.

To get the information about all video files, Select Video sub option from Media Option.

How to Retrieve Saved Password from RAW Evidence Image

First Download OS Forensic from here and install in your pc then open OSForensic and click on Create  Case  button to  create a new forensic case.

Now enter the details such as Case Name, Investigator Name, Default Drive, and Acquisition Type To specify the case folder, click on browse & select the Location where you want to save your Evidence Report. Now click on ok.

Now it will show us the registered case in this tool. Now to manage this case, click on Add Device option available in Manage Case.

Now select Image File option in Select Device to add option. Now assign the path of the folder where image file exists and also give the Display Name which is compulsory. Click on OK Button.

Now to get the saved browser password clicks on Find Browser Passwords Option and selects the Scan Drive option and then click on Retrieve Password. It will show you all saved passwords  in RAW Image.

How to Hack Windows Wallpaper of Remote PC

Today we will learn how change the wallpaper on a Remote System.

Table of Content:

·        Introduction of set_wallpaper module

·        Change Wallpaper on Windows

·        Change Wallpaper on Android

Requirements

Attacker: Kali Linux

Targets: Windows, Android

Introduction of set_wallpaper module

Metasploit Framework is primarily made on Ruby Language. This post exploitation module is also made on Ruby. On the in-depth analysis we get to understand that it targets different services on different platforms to do its job. This module is pretty simple as all it does is set the desktop wallpaper background on the specified session.

When we run the module, Firstly the wallpaper file is located on the attacker machine. After that the file is uploaded to the Victim System on which we have a meterpreter session. The location on which the file is uploaded varies from platform to platform. Next the script uses the suitable method and changes the wallpaper. This module is made by timwr. This module is Normally reliable. Now that we know about the working of the module, let’s change the wallpaper.

Change Wallpaper on Windows

Open Kali Linux terminal and type msfconsole in order to load Metasploit framework.  Now we need to compromise victim’s machine once to achieve any type of session either meterpreter or shell and to do so we can read our previous article from here.

After getting meterpreter on the remote system, now time to use the post exploitation module. But this can’t be done from the meterpreter shell. So, we will use background command in meterpreter session or “Ctrl + z” shortcut to keep the session in background. Now follow the steps shown in the image to use the set_wallpaper post exploitation module.

use post/multi/manage/set_wallpaper

set session 1

set wallpaper_file /root/Desktop/1.jpeg

exploit

This will change the wallpaper on the target system.

Change Wallpaper on Android

Firstly, get a meterpreter session on an Android system. Learn this here.

After getting meterpreter on the remote system, now time to use the post exploitation module. But this can’t be done from the meterpreter shell. So, we will use background command in meterpreter session or “Ctrl + z” shortcut to keep the session in background. Now follow the steps shown in the image to use the set_wallpaper post exploitation module.

use post/multi/manage/set_wallpaper

set session 1

set wallpaper_file /root/Desktop/1.jpeg

exploit

This will change the wallpaper on the target system.

How to Create a Forensic Image of Andorid Phone using Magnet Acquire

Magnet ACQUIRETM is designed to quickly and easily acquire an image of any iOS or Android device. Examiners are given the option of two extraction methods: Quick and Full.

First Download Magnet Acquire from here  and Install in your Computer. Now connect your Android phone with Computer using Data Cable. You will get a pop up on your computer screen which says choose your device. Select the device and click Next.

Quick Extraction:

The Quick Extraction method will work on any IOS device, version 5 or newer. Magnet ACQUIRE will combine an iTunes backup, with some additional acquisition techniques, to obtain both native and third-party data.

Full Extraction:

Magnet ACQUIRE can also help you obtain a full, physical image of many Android devices by using either the built-in privilege escalation exploits or by imaging a device that has already been rooted.

Now select your desired option and click next.

Now you will get a pop up first choose the folder destination and put Examiner name and other details and click ACQUIRE.

On your Android Phone you will get a screen says Full Back up, at the bottom right of your phone screen you will see back up my data click on that.

Process will start as shown below.

Process complete as shown in below Image. Click On Exit.

Magnet Acquire has created a raw image of Android phone in the folder your selected.

Forensics Investigation of Android Phone using Andriller

Andriller - is software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. It has other features, such as powerful Lockscreen cracking for Pattern, PIN code, or Password; custom decoders for Apps data from Android (and some Apple iOS) databases for decoding communications. Extraction and decoders produce reports in HTML and Excel (.xlsx) formats.

Features

·         Automated data extraction and decoding

·         Data extraction of non-rooted without devices by Android Backup (Android versions 4.x)

·         Data extraction with root permissions: root ADB daemon, CWM recovery mode, or SU binary (Superuser/SuperSU)

·         Data parsing and decoding for Folder structure, Tarball files (from nanddroid backups), and Android Backup ('backup.ab' files)

·         Selection of individual database decoders for Android and Apple

·         Decryption of encrypted WhatsApp archived databases (msgstore.db.crypt, msgstore.db.crypt5, msgstore.db.crypt7, msgstore.db.crypt8)

·         Lockscreen cracking for Pattern, PIN, Password

·         Unpacking the Android backup files

First Download Andriller from here : and install in your Computer.

Now open the Andriller and select output folder. You will get a pop up and select your desired folder.

Now connect your Android phone with computer using Data cable. IN Andriller software click on Check option, if your Android phone is successfully connected with Andriller it will give a Serial ID.

Once you get Serial ID then select the check box which says Open Report & Use AB method and click on GO.

Your will get a Pop up click ok.

On your Android Phone you will get a screen says Full Back up , at the bottom right of your phone screen you will see Back up my data click on that.

Now Andriller will start taking the Back up of your phone and you can see the logs on Andriller as well.

Once the Backup is complete, you can see the complete data in the folder your selected.

You will see a pop up on your browser which will show you the complete phone report.

You can select any of the option to see the details as shown in the below image. Example select WiFi password, you will get all the details which is saved under this folder.

Same way select another option says Android Download history in this you will see all downloads.

Same way select another option says Android Call logs in this you will see all Call details.

Same way select another option says SMS Snippets in this you will see all Overview.