Tag Archives: santoku

Thoughts on viaExtract (Demo)

I recently had the opportunity to try the viaForensics viaExtract VM utility. viaExtract is essentially a framework in which many different advanced analysis features can be utilized (and automated). Based on Ubuntu, the VM utility is easy to setup and even easier to operate.

Although I’m not terribly advanced in mobile forensics (more of a hobby at the moment), I’ve used Santoku and acquired android data through AFLogical OSE. The law enforcement/government-only AFLogical proper is offered through viaExtract and enables the reporting and harvesting of many different types of data, including:

* Device Information
* Browser History including Searches & Bookmarks
* An in-depth call log
* In-depth contact information acquisition
* Thumbnailed photos each including their own hash
* Application installations
And more…

Much like using AFLogical OSE within Santoku, the analyst can easily deploy the ADB daemon onto the device and have the workstation connect to it so long as the android is set into debugging mode and the VM properly passes through the USB connection. The daemon essentially allows you to execute commands on the device and is packaged with the SDK (in case you haven’t had the pleasure of using ADB in the past). As with all viaForensics tools, there’s no digging around the Android SDK for ADB to manually deploy it. But in viaExtract there’s the added benefit of automated deployment of AFLogical OSE on the smartphone. In fact, the data collection process is fully automated and shouldn’t require the analyst to actually touch the mobile device at all.

Along those lines you don’t actually have to pull the acquired reports from the device’s SD card. All of that is also automated. But should you want to push any additional tools to the device, you can do so with the command line (via adb push).

Case management is one of viaExtract’s most important features. You can manage your entire case using viaExtract and include multiple devices for inspection.

Whereas in Santoku the reports output in CSV, viaExtract allows you to compile PDF-reports based on HTML reports it acquires. The feature is as simple as selecting the PDF option on the toolbar.

But what other advanced features does viaExtract have? While I can’t access them within the demo version, the tool offers the analyst the following additional options:

* Gesture Key Code (if used to lock a device)
* Image Storage Device (SD)
* Unlock Screen (Thomas Cannon mentioned in his Defcon speech how 4 digit pins are extremely easy to crack whereas using complex passphrases may not be as simple)
* Sleuth Kit Timeline exporting (allows for use in generating super timelines)
* Encryption Brute Force (makes use of file headers and footers akin to the bruteforce_stdcrypto Python script in Santoku, but fully automated and makes use of the viaExtract GUI)

Despite being limited to basic data acquisition with the demo version, I can already tell how valuable this tool can be when conducting forensic examinations. Automation, case management and advanced mobile forensic features rolled all into one easy-to-use package marks viaExtract as a good product for law enforcement personnel.

On AFLogical OSE and SD Card Limitations

While it’s beyond the scope of this post, when using AFLogical OSE in Santoku reports are saved to the device’s SD card and must be copied to the analyst’s workstation via the command line. But devices like the Razr Maxx HD only allow for pictures and video to be transferred to the SD card (this limit seems to coincide with the release of MTP with jelly bean). This limitation is imposed on many newer devices running android 4.2+. Upon some research into the matter, I believe this limitation does not  restrict AFLogical OSE reports from being saved to the card.

Santoku aside – and more to the point of using viaExtract with AFLogical-proper – vE worked flawlessly as advertised and automatically extracted the needed data for me, reporting on it with ease.

Type of device used: Unrooted Motorola Razr Maxx HD and a rooted Motorola Razr.

Note: I do not work for viaForensics, I was simply interested in this tool and decided to test it. The reason for the blog post is to help others make the decision to try it if they’re looking for a valuable android forensics tool.

Resources

viaExtract: https://viaforensics.com/products/viaextract/
AFLogical & AFL OSE: https://viaforensics.com/resources/tools/android-forensics-tool/
Santoku Linux: https://santoku-linux.com/