
Practical Labs

Mobile Forensic Using Linux


Practical Requirements

1. Oracle VM VirtualBox with the VirtualBox Extension Pack installed


2. PUSFID-TSURUGI virtual machine

Important: Ensure the VM (PUSFID-TSURUGI virtual machine) starts with no errors.

3. An Android device with Android 2.2 or higher for the practical

Objective

Extracting data forensically from Android devices using Linux applications.

Hands On

Activating USB Debugging on Android Devices

Tip: to activate USB debugging, Developer options must be enabled on your Android device.

Procedure

1. Open the Settings of your Android device.


2. Check first whether Developer options is already activated (if not, follow the next step).

3. To activate the Developer options menu, go to Settings>About Phone. Tap Build number 7
times on Xiaomi devices, or another entry in the About phone menu on other devices (in my case
it is Kernel number).

Tip: It is always 7 taps, but different devices and OS versions have different procedures (menus)
to reach Developer Options.

4. You will now find Developer options in your Settings (under Additional
Settings>Developer options on Xiaomi devices).

5. Ensure USB debugging is activated: go to Settings>Developer Options>USB Debugging (on
Xiaomi devices, ensure Install via USB is also activated).

Introduction to Tsurugi Mobile Forensics

Tip: Tsurugi Linux is a new DFIR open source project that is and will be totally free and independent,
without involving any commercial brand. The main goal is to share knowledge and "give back to the
community". Tsurugi is a heavily customized Linux distribution designed to support your DFIR
investigations, malware analysis and open source intelligence activities.

The system is based on a 64-bit Ubuntu LTS (Long Term Support) release. We preferred the
16.04 version to have a stable system with more supported tools, but an upgrade to the 18.04 LTS
version is still planned in the roadmap, together with a dedicated repository.

Important: For this workshop the Tsurugi Linux distribution has been patched and some applications
for mobile forensic investigation have been added.

Mobile Forensic Menu

1. The mobile forensics menu on Tsurugi is easy to find. Go to Applications>TSURUGI>Mobile
Forensics

2. There are two kinds of apps in the menu: terminal apps and GUI apps.
Connecting The Device

Remember: USB debugging must be activated on your device and the VirtualBox Extension Pack must
be installed.

Procedure

1. Connect your device to the computer using a USB cable.


2. Open your PUSFID-TSURUGI window, go to the bottom right corner and find the USB icon.
Right-click the USB icon and check the Android device to attach it to the VM.

3. Ensure the Android device is connected by running the command:
adb devices

Tip: Run the command in Terminator. Open Terminator by clicking the Terminator icon on the top
bar (beside the Firefox icon).

Extracting Android Data Using AFLogical_OSE

Tip: We will install the AFLogical_OSE app (an Android app) through the adb command, without
handling the device itself.

Procedure

1. Ensure your device is listed and authorized in PUSFID-TSURUGI (run the adb devices
command in PUSFID-TSURUGI).
2. Install AFLogical_OSE on your Android device: go to Applications>TSURUGI>Mobile
Forensics>Android>AFLogical_OSE or type the following command in your Terminator:
sudo adb install /opt/AFLogical-OSE/AFLogical-OSE_1.5.2.apk

Tip: On your Android screen you will see that AFLogical is installed. AFLogical_OSE will extract
the following information: Contacts, Call Logs, SMS, MMS, MMS Parts, Device info.

3. Now we will extract information using AFLogical_OSE by launching the app and performing
the data extraction.

4. Open your Terminator and ensure your Android device is still detected by adb (run the adb
devices command). Run the following commands to launch AFLogical_OSE and perform the
extraction:
sudo adb shell am start -n com.viaforensics.android.aflogical_ose/com.viaforensics.android.ForensicsActivity

sudo adb shell am start -n com.viaforensics.android.aflogical_ose/com.viaforensics.android.ExtractAllData

5. The second command will create a forensics directory on your sdcard. Under the forensics
directory AFLogical_OSE will create a result directory named "date.time".

Tip: The extraction result is in .csv format; you can open it with a spreadsheet application.
To check the result directory on the device:
$ adb shell
ls /sdcard/

6. Create a directory named "Extract Result" under your Documents directory.

7. (On PUSFID-TSURUGI) use the following command:
mkdir Documents/ExtractResult

8. Copy the extraction result from the Android device to your Extract Result directory using the
following command:
sudo adb pull /sdcard/forensics/ ~/Documents/ExtractResult

9. If you want to remove AFLogical_OSE from your Android device, use the following command
(the package name is the one used in the am start commands above):
sudo adb uninstall com.viaforensics.android.aflogical_ose
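As an added example (not part of the handout), the following POSIX shell helper wraps steps 1 to 8 above: it refuses to run unless the `adb devices` output shows exactly one device in the authorized "device" state, then installs, launches, pulls and hashes the result. It assumes adb can reach the device as the current user (the handout uses sudo); the sample `adb devices` outputs and the manifest file name are constructed.

```shell
#!/bin/sh
# Added helper for the AFLogical_OSE workflow in this lab (not part of the handout).
# An "unauthorized" or "offline" state means the USB debugging prompt on the phone was
# not accepted, so every adb command after that would silently do nothing useful.

# Print "<serial> <state>" for every device line of the `adb devices` output in $1.
adb_device_states() {
  printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 { print $1, $2 }'
}

# Print only the serials whose state is "device" (USB debugging authorized).
authorized_serials() {
  adb_device_states "$1" | awk '$2 == "device" { print $1 }'
}

# Succeed only when exactly one authorized device is attached; none, several,
# "unauthorized" or "offline" would make the install and pull ambiguous.
check_device_ready() {
  n=$(authorized_serials "$1" | wc -l | tr -d ' ')
  [ "$n" -eq 1 ]
}

# Constructed sample outputs (real `adb devices` output is tab separated; awk accepts both).
SAMPLE_OK='List of devices attached
0123456789ABCDEF device'
SAMPLE_UNAUTH='List of devices attached
0123456789ABCDEF unauthorized'

APK=/opt/AFLogical-OSE/AFLogical-OSE_1.5.2.apk
PKG=com.viaforensics.android.aflogical_ose

# $1 = destination directory on the analysis VM, e.g. ~/Documents/ExtractResult
run_aflogical_extraction() {
  dest=$1
  check_device_ready "$(adb devices)" || { echo "need exactly one authorized device" >&2; return 1; }
  adb install "$APK"
  adb shell am start -n "$PKG/com.viaforensics.android.ForensicsActivity"
  adb shell am start -n "$PKG/com.viaforensics.android.ExtractAllData"
  # AFLogical writes /sdcard/forensics/<date.time>/ in the background; wait until the
  # app reports completion on the device screen before pulling.
  printf 'Press Enter when AFLogical_OSE reports the extraction is complete: '
  read -r _
  mkdir -p "$dest"
  adb pull /sdcard/forensics/ "$dest"
  # Record the SHA-256 of every pulled file (manifest name is our choice) so the evidence
  # set can be re-verified later with: (cd "$dest" && sha256sum -c manifest.sha256)
  (cd "$dest" && find . -type f ! -name manifest.sha256 -exec sha256sum {} + > manifest.sha256)
}
```

Run `run_aflogical_extraction ~/Documents/ExtractResult` after the device is attached to the VM; the manifest lets you show later that the CSV files were not altered after the pull.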
