Tag Archives: android

Android USB Device Support

While reading Android Forensics by AH and setting up the SDK on my Ubuntu box, I noticed the udev rules needed an update. Makes sense considering there’s been many new vendors since the book was published.

I’ve compiled an up-to-date ruleset that uses the standard format and includes comments indicating each vendor. While not a terribly new contribution, I’ve decided to post the rules here to allow android devs and examiners the opportunity to use them with little effort.

Copy & paste it:

# 51-android-rules should be placed in /etc/udev/rules.d (chmod 664 or a+r)
# Official Guide & Vendor IDs: http://developer.android.com/tools/device.html#Acer
SUBSYTEM==”USB”, SYSFS{idVendor}==”502″, MODE=”0666″
#ASUS
SUBSYTEM==”USB”, SYSFS{idVendor}==”0b05″, MODE=”0666″
#Dell
SUBSYTEM==”USB”, SYSFS{idVendor}==”413c”, MODE=”0666″
#Foxconn
SUBSYTEM==”USB”, SYSFS{idVendor}==”0489″, MODE=”0666″
#Fujitsu
SUBSYTEM==”USB”, SYSFS{idVendor}==”04c5″, MODE=”0666″
#Fujitsu Toshiba
SUBSYTEM==”USB”, SYSFS{idVendor}==”04c5″, MODE=”0666″
#Garmin-Asus
SUBSYTEM==”USB”, SYSFS{idVendor}==”091e”, MODE=”0666″
#Google
SUBSYTEM==”USB”, SYSFS{idVendor}==”18d1″, MODE=”0666″
#Haier
SUBSYTEM==”USB”, SYSFS{idVendor}==”501E”, MODE=”0666″
#Hisense
SUBSYTEM==”USB”, SYSFS{idVendor}==”109b”, MODE=”0666″
#HTC
SUBSYTEM==”USB”, SYSFS{idVendor}==”0bb4″, MODE=”0666″
#Huawei
SUBSYTEM==”USB”, SYSFS{idVendor}==”12d1″, MODE=”0666″
#K-Touch
SUBSYTEM==”USB”, SYSFS{idVendor}==”24e3″, MODE=”0666″
#KT Tech
SUBSYTEM==”USB”, SYSFS{idVendor}==”2116″, MODE=”0666″
#Kyocera
SUBSYTEM==”USB”, SYSFS{idVendor}==”0482″, MODE=”0666″
#Lenovo
SUBSYTEM==”USB”, SYSFS{idVendor}==”17ef”, MODE=”0666″
#LG
SUBSYTEM==”USB”, SYSFS{idVendor}==”1004″, MODE=”0666″
#Motorola
SUBSYTEM==”USB”, SYSFS{idVendor}==”22b8″, MODE=”0666″
#MTK
SUBSYTEM==”USB”, SYSFS{idVendor}==”0e8d”, MODE=”0666″
#NEC
SUBSYTEM==”USB”, SYSFS{idVendor}==”0409″, MODE=”0666″
#Nook
SUBSYTEM==”USB”, SYSFS{idVendor}==”2080″, MODE=”0666″
#Nvidia
SUBSYTEM==”USB”, SYSFS{idVendor}==”0955″, MODE=”0666″
#OTGV
SUBSYTEM==”USB”, SYSFS{idVendor}==”2257″, MODE=”0666″
#Pantech
SUBSYTEM==”USB”, SYSFS{idVendor}==”10a9″, MODE=”0666″
#Pegatron
SUBSYTEM==”USB”, SYSFS{idVendor}==”1d4d”, MODE=”0666″
#Philips
SUBSYTEM==”USB”, SYSFS{idVendor}==”0471″, MODE=”0666″
#PMC-Sierra
SUBSYTEM==”USB”, SYSFS{idVendor}==”04da”, MODE=”0666″
#Qualcomm
SUBSYTEM==”USB”, SYSFS{idVendor}==”05c6″, MODE=”0666″
#SK Telesys
SUBSYTEM==”USB”, SYSFS{idVendor}==”1f53″, MODE=”0666″
#Samsung
SUBSYTEM==”USB”, SYSFS{idVendor}==”04e8″, MODE=”0666″
#Sharp
SUBSYTEM==”USB”, SYSFS{idVendor}==”04dd”, MODE=”0666″
#Sony
SUBSYTEM==”USB”, SYSFS{idVendor}==”054c”, MODE=”0666″
#Sony Ericsson
SUBSYTEM==”USB”, SYSFS{idVendor}==”0fce”, MODE=”0666″
#Teleepoch
SUBSYTEM==”USB”, SYSFS{idVendor}==”2340″, MODE=”0666″
#Toshiba
SUBSYTEM==”USB”, SYSFS{idVendor}==”0930″, MODE=”0666″
#ZTE
SUBSYTEM==”USB”, SYSFS{idVendor}==”12d2″, MODE=”0666″

Or you can download it from my Sourceforge @ https://sourceforge.net/projects/forensicscripts/files/android/

Edit: Do you see android running on a device that works but somehow isn’t officially mentioned in the SDK docs? Feel free to grab the vid and comment with it (to get the vid you can connect the device and run a simple dmesg | usb.)

Thoughts on viaExtract (Demo)

I recently had the opportunity to try the viaForensics viaExtract VM utility. viaExtract is essentially a framework in which many different advanced analysis features can be utilized (and automated). Based on Ubuntu, the VM utility is easy to setup and even easier to operate.

Although I’m not terribly advanced in mobile forensics (more of a hobby at the moment), I’ve used Santoku and acquired android data through AFLogical OSE. The law enforcement/government-only AFLogical proper is offered through viaExtract and enables the reporting and harvesting of many different types of data, including:

* Device Information
* Browser History including Searches & Bookmarks
* An in-depth call log
* In-depth contact information acquisition
* Thumbnailed photos each including their own hash
* Application installations
And more…

Much like using AFLogical OSE within Santoku, the analyst can easily deploy the ADB daemon onto the device and have the workstation connect to it so long as the android is set into debugging mode and the VM properly passes through the USB connection. The daemon essentially allows you to execute commands on the device and is packaged with the SDK (in case you haven’t had the pleasure of using ADB in the past). As with all viaForensics tools, there’s no digging around the Android SDK for ADB to manually deploy it. But in viaExtract there’s the added benefit of automated deployment of AFLogical OSE on the smartphone. In fact, the data collection process is fully automated and shouldn’t require the analyst to actually touch the mobile device at all.

Along those lines you don’t actually have to pull the acquired reports from the device’s SD card. All of that is also automated. But should you want to push any additional tools to the device, you can do so with the command line (via adb push).

Case management is one of viaExtract’s most important features. You can manage your entire case using viaExtract and include multiple devices for inspection.

Whereas in Santoku the reports output in CSV, viaExtract allows you to compile PDF-reports based on HTML reports it acquires. The feature is as simple as selecting the PDF option on the toolbar.

But what other advanced features does viaExtract have? While I can’t access them within the demo version, the tool offers the analyst the following additional options:

* Gesture Key Code (if used to lock a device)
* Image Storage Device (SD)
* Unlock Screen (Thomas Cannon mentioned in his Defcon speech how 4 digit pins are extremely easy to crack whereas using complex passphrases may not be as simple)
* Sleuth Kit Timeline exporting (allows for use in generating super timelines)
* Encryption Brute Force (makes use of file headers and footers akin to the bruteforce_stdcrypto Python script in Santoku, but fully automated and makes use of the viaExtract GUI)

Despite being limited to basic data acquisition with the demo version, I can already tell how valuable this tool can be when conducting forensic examinations. Automation, case management and advanced mobile forensic features rolled all into one easy-to-use package marks viaExtract as a good product for law enforcement personnel.

On AFLogical OSE and SD Card Limitations

While it’s beyond the scope of this post, when using AFLogical OSE in Santoku reports are saved to the device’s SD card and must be copied to the analyst’s workstation via the command line. But devices like the Razr Maxx HD only allow for pictures and video to be transferred to the SD card (this limit seems to coincide with the release of MTP with jelly bean). This limitation is imposed on many newer devices running android 4.2+. Upon some research into the matter, I believe this limitation does not  restrict AFLogical OSE reports from being saved to the card.

Santoku aside – and more to the point of using viaExtract with AFLogical-proper – vE worked flawlessly as advertised and automatically extracted the needed data for me, reporting on it with ease.

Type of device used: Unrooted Motorola Razr Maxx HD and a rooted Motorola Razr.

Note: I do not work for viaForensics, I was simply interested in this tool and decided to test it. The reason for the blog post is to help others make the decision to try it if they’re looking for a valuable android forensics tool.

Resources

viaExtract: https://viaforensics.com/products/viaextract/
AFLogical & AFL OSE: https://viaforensics.com/resources/tools/android-forensics-tool/
Santoku Linux: https://santoku-linux.com/