Android Inspector is a forensic command-line tool that lets you extract & examine data from Android mobile devices. You may choose to extract data of diverse types and from different sources by using an extensible set of operations it offers. The information examined is then represented using the CybOX language.
This tool is part of the undergraduate thesis *Data extraction from mobile devices* by Juan Andrés Diana and José Ignacio Varela.
```
$ ./andi.py
Android Inspector v1.0
(Andi) set_device_info -m XT1053 -v 4.3
Device model 'XT1053' running Android version '4.3' was set as the current device information.
(Andi) list
Name                   Data type     Data Source                                                Devices supported           Android versions supported
---------------------  ------------  ---------------------------------------------------------  -------------------------  ----------------------------
EmailMessageAOSPEmail  EmailMessage  Application{package_name:com.android.email}                [GT-I9300, XT1053]         [2.3.7-5.1.1]
SmsMessageAOSPSms      SMSMessage    Application{package_name:com.android.providers.telephony}  [GT-I9300, XT1053]         [2.2.0-4.4.4]
ContactFacebook        Contact       Application{package_name:com.facebook.katana}              [GT-I9300, Nexus5, XT1053] [4.1-4.4.4]
ContactWhatsApp        Contact       Application{package_name:com.whatsapp}                     [GT-I9300, XT1053]         [4.1-4.4.4]
ContactAOSPAgenda      Contact       Application{package_name:com.android.providers.contacts}   [GT-I9300, XT1053]         [2.3-4.4.4]
(Andi) execute -op SmsMessageAOSPSms
[1/1] Executing 'SmsMessageAOSPSms':
Fetching '/system/app/TelephonyProvider.apk' file ...
Fetching '/data/data/com.android.providers.telephony' directory ...
COMPLETED. Data stored to 'results/SmsMessageAOSPSms_20150826_081415'.
1 operation(s) completed successfully.
```
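The session above fetches the telephony provider's data directory; what an examiner then does with it is parse the SMS database inside. The following script is an added example, not Android Inspector's own code, showing that step: it hashes the evidence copy, opens it read-only, and maps the AOSP `sms` table's `type` codes to a direction. It is written for Python 3 (the tool itself targets Python 2.7), and the `mmssms.db` it reads is constructed inline with a subset of the real AOSP columns, so it runs offline.

```python
# Added example, not part of Android Inspector: parse an SMS database of the
# kind the SmsMessageAOSPSms operation copies out of
# /data/data/com.android.providers.telephony, after hashing the evidence copy.
# Written for Python 3 (the tool itself targets Python 2.7). The database is
# constructed inline with the AOSP 'sms' table columns used here.
import hashlib
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone

# Values of the AOSP sms.type column (Telephony.TextBasedSmsColumns).
SMS_TYPES = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}


def sha256_file(path):
    """Hash the evidence file so later findings can be tied to this exact copy."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sms_db(path):
    """Return the rows of the 'sms' table as dicts, opening the file read-only."""
    # mode=ro keeps sqlite from writing journals or otherwise touching the copy.
    conn = sqlite3.connect("file:%s?mode=ro" % path, uri=True)
    try:
        rows = conn.execute(
            "SELECT _id, thread_id, address, date, type, body FROM sms ORDER BY date"
        ).fetchall()
    finally:
        conn.close()
    messages = []
    for msg_id, thread_id, address, date_ms, msg_type, body in rows:
        # AOSP stores 'date' as milliseconds since the Unix epoch.
        when = datetime.fromtimestamp(date_ms / 1000.0, tz=timezone.utc)
        messages.append({
            "id": msg_id,
            "thread_id": thread_id,
            "address": address,
            "date": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
            # Unknown type codes are reported, not silently dropped.
            "direction": SMS_TYPES.get(msg_type, "unknown(%d)" % msg_type),
            "body": body,
        })
    return messages


def build_sample_db(path):
    """Write a constructed mmssms.db with a subset of the AOSP 'sms' columns."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT, "
        "date INTEGER, type INTEGER, body TEXT)"
    )
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?, ?, ?, ?)", [
        (1, 1, "+15550100", 1440576000000, 1, "Meeting moved to 9am"),    # inbox
        (2, 1, "+15550100", 1440576120000, 2, "OK, see you there"),       # sent
        (3, 2, "+15550199", 1440579600000, 7, "Row with an unknown type"),
    ])
    conn.commit()
    conn.close()


def run_demo():
    """Build the sample database in a temp dir, hash it, parse it, clean up."""
    workdir = tempfile.mkdtemp(prefix="andi_sms_")
    try:
        db_path = os.path.join(workdir, "mmssms.db")
        build_sample_db(db_path)
        evidence_hash = sha256_file(db_path)
        messages = parse_sms_db(db_path)
        # Re-hash after parsing: a read-only parse must leave the copy unchanged.
        assert sha256_file(db_path) == evidence_hash
        return {"sha256": evidence_hash, "messages": messages}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    result = run_demo()
    print("evidence sha256:", result["sha256"])
    for m in result["messages"]:
        print("%(date)s %(direction)-8s %(address)s: %(body)s" % m)
```

The second hash check after parsing is the part worth keeping in a real workflow: it proves the parser did not alter the copy it examined, which the read-only URI is meant to guarantee.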
- Python 2.7
- Java Runtime Environment 6 (Optional: Used for HTML output only)
Python dependencies:
- python-cybox (2.1.0.12)
- python-magic (0.4.6)
- python-tabulate (0.7.5)
- nose-parameterized (0.5.0) (Optional: Used to run the tests only)
Other dependencies:
- adb (from the Android SDK Platform Tools)
- aapt (from the Android SDK Build Tools)
- Download this repository and extract it to a directory on your filesystem.
- To install the Python dependencies automatically, run:

```
$ pip install -r requirements.txt
```

- Add the Android SDK's `platform-tools/` and `build-tools/` directories to your PATH:

```
$ export ANDROID_HOME=/Path/to/Android/sdk
$ export PATH=$PATH:$ANDROID_HOME/platform-tools:$ANDROID_HOME/build-tools/22.0.1
```

- If you wish to make use of the HTML generation option, add Java's `bin/` directory to your PATH:

```
$ export PATH=$PATH:$JAVA_HOME/bin/
```

- Make the Python scripts executable by running:

```
$ chmod +x andi.py load_data_sets.py
```
You may start by loading a test data set from the `datasets/` directory into your test device, as follows:

```
$ ./load_data_sets.py HTC_Evo_3D
```

Once the data is loaded, just start Android Inspector in interactive mode, like so:

```
$ ./andi.py
Android Inspector v1.0
```
You may then use the following commands to operate:
Command | Description |
---|---|
set_device_info | Sets the device information (i.e. device model and Android version). |
list | Lists the operations available for the device being used and lets you filter by data type and data source. |
execute | Executes a list of operations. |
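The `list` command only shows operations applicable to the device set with `set_device_info`. The script below is an added example, not Android Inspector's code, of how such a filter can be implemented: the operation catalogue is constructed from the `list` output shown earlier in this README, and the version ranges are compared as numeric tuples rather than strings (so that "4.4.4" sorts after "4.10" correctly). The handling of short versions like "4.1" as range bounds is this example's own choice, not something the tool documents.

```python
# Added example, not Android Inspector's code: filter an operation catalogue by
# device model and Android version the way the `list` command does.
# OPERATIONS is constructed from the README's own `list` output.
import re

OPERATIONS = [
    # (name, data type, package name of the data source, devices, version range)
    ("EmailMessageAOSPEmail", "EmailMessage", "com.android.email",
     ["GT-I9300", "XT1053"], "2.3.7-5.1.1"),
    ("SmsMessageAOSPSms", "SMSMessage", "com.android.providers.telephony",
     ["GT-I9300", "XT1053"], "2.2.0-4.4.4"),
    ("ContactFacebook", "Contact", "com.facebook.katana",
     ["GT-I9300", "Nexus5", "XT1053"], "4.1-4.4.4"),
    ("ContactWhatsApp", "Contact", "com.whatsapp",
     ["GT-I9300", "XT1053"], "4.1-4.4.4"),
    ("ContactAOSPAgenda", "Contact", "com.android.providers.contacts",
     ["GT-I9300", "XT1053"], "2.3-4.4.4"),
]

VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def version_key(version, pad=0):
    """'4.4.4' -> (4, 4, 4); malformed input is rejected rather than mis-sorted.

    Missing components are filled with `pad`: 0 for a lower bound ("4.1" means
    4.1.0), a large value for an upper bound ("4.1" then covers every 4.1.x).
    """
    if not VERSION_RE.match(version):
        raise ValueError("malformed Android version: %r" % version)
    parts = tuple(int(p) for p in version.split("."))
    return parts + (pad,) * (3 - len(parts))


def version_in_range(version, version_range):
    """Inclusive check of `version` against a 'low-high' range string."""
    low, high = version_range.split("-", 1)
    return version_key(low) <= version_key(version) <= version_key(high, pad=10 ** 6)


def list_operations(model, version, data_type=None, data_source=None):
    """Names of operations applicable to the device, with the optional filters
    `list` offers (data type, data source package name)."""
    matches = []
    for name, dtype, package, devices, vrange in OPERATIONS:
        if model not in devices or not version_in_range(version, vrange):
            continue
        if data_type is not None and dtype != data_type:
            continue
        if data_source is not None and package != data_source:
            continue
        matches.append(name)
    return matches


if __name__ == "__main__":
    # Same device as in the README session: all five operations apply.
    for name in list_operations("XT1053", "4.3"):
        print(name)
    print("Nexus5 / 4.4.4:", list_operations("Nexus5", "4.4.4"))
```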
If you wish to extend the tool's functionality you may develop DataType, DataSourceType or Operation extensions. More information on how to proceed is available in appendix A of the thesis mentioned above.

Users may then import an extension using the add_ext and rm_ext commands. E.g.:

```
$ ./andi.py add_ext data_type path/to/new_data_type_definition.tar
$ ./andi.py rm_ext data_type new_data_type_name
```
The tool's relevant packages structure is as follows:
Package | Description |
---|---|
components | Core components of the tool. |
model | Data model classes. |
repositories | Extensions (DataTypes, DataSourceTypes & Operations) repositories. |
test | UnitTests & testing resources. |
util | Utility modules for developing extensions. |
The code reference documentation may be built using Sphinx.

Before building, make sure you have the dependencies (Sphinx & themes):

```
$ pip install -r docs/requirements.txt
```

Then, compile using:

```
$ sphinx-build -b html docs/source/ docs/build/
```

Finally, open `docs/build/index.html` to access the generated docs.
This tool also makes use of device.py (from the Android Open Source Project) and STIX-to-HTML (from the STIX Project).
José Ignacio Varela
Grupo de Seguridad Informática
Facultad de Ingeniería
Universidad de la República