
Android Forensics and Security Testing
Exercises and Linux Commands

Contents
Exercise 1 - Create AVD and explore directories of interest
Exercise 2 - Locate data directory on an Android device
Exercise 3 - Apply Android forensics knowledge to locate data of interest
Exercise 4 - Attempt to circumvent passcode and obtain temp root access
Exercise 5 - Logical Acquisition of Data
Exercise 6 - Determine what the user does for work and fun
Exercise 7 - Reverse engineer an app and locate critical data
Back Cover - Linux commands







Exercise 1 - Create AVD and explore directories of interest
Objectives
Create an Android Virtual Device for use during the class
Identify file system directories and familiarize yourself with the directory tree
Instructions
1. Create AVD titled "FroyoForensics" with Android 2.2
a. Use slides on AVD for guidance
2. (Optional) Create AVD based on your own Android device
3. Explore /.android subdirectories, using command line tools
a. Use Directory Tree slide for guidance
4. Locate cache.img
a. Use Interesting Files slide for guidance
5. (Optional) Add UDEV rules for your Android device. This will allow you to perform forensic
analysis on your device.
a. Use USB Vendor ID and UDEV slides for guidance
NOTES:









Exercise 2 - Locate data directory on an Android device
Objectives
Verify we can connect an Android device to a forensic workstation
Attempt to access a shell and locate data directories
Instructions
1. Connect an Android device to your VM workstation with a USB cable (or start up an AVD)
a. Use slides on Connecting Device and USB for guidance
2. Verify USB Debugging is enabled on the device
a. Use slides on USB Debugging for guidance
3. Start adb on your forensic workstation
a. Use slides on ADB for guidance
4. Using adb shell, locate directories in /data/data
a. Use slides on ADB Shell for guidance
5. Jot down the names of some interesting directories for further exploration later
6. (Optional) Check for mounted SD cards
a. Use slide on USB Forensics Precaution for guidance
NOTES:








Exercise 3 - Apply Android forensics knowledge to locate data of interest
Objectives
Become familiar with common command line utilities for locating data
Explore the most common data directories and databases
Instructions
1. Using adb shell (or /.android if using an AVD), explore an application's shared_prefs within
/data/data
a. Use slides on Directories / Shared Preferences for guidance
2. Use the cat command to open an XML file and review the contents
3. Note anything of interest to share with the class
4. Using sqlite3, explore an application's databases within /data/data
a. Use slides on SQLite for guidance
5. Use .tables and select commands to gather data of interest, which could identify something
specific about the user.
6. Note anything of interest to share with the class
7. (Optional) Run a live stream of device messages in a terminal, while running an application
a. Use slides on logcat for guidance
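As an added example (not part of the class handout), a Python triage of one app's /data/data entry that does steps 1 to 5 programmatically: it parses each shared_prefs XML file instead of cat-ing it, and lists every table of each SQLite database with a row count, the equivalent of .tables plus a COUNT(*) per table. The package name com.example.notes, the preference file and the rows are constructed here; point triage_app_dir at a directory copied with adb pull to run it on real data.

```python
import os
import sqlite3
import tempfile
import xml.etree.ElementTree as ET


def read_shared_prefs(path):
    """Return {name: value} for one shared_prefs XML file (the 'cat' step, parsed)."""
    prefs = {}
    for node in ET.parse(path).getroot():
        # <string> keeps its value as element text; boolean/int/long/float use value=""
        prefs[node.get("name")] = node.text if node.tag == "string" else node.get("value")
    return prefs


def list_tables(db_path):
    """Return {table: row_count}: sqlite3's '.tables' plus a COUNT(*) per table."""
    con = sqlite3.connect(db_path)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        return {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}
    finally:
        con.close()


def triage_app_dir(app_dir):
    """Walk shared_prefs/ and databases/ under one /data/data/<package> directory."""
    report = {"prefs": {}, "databases": {}}
    for f in sorted(os.listdir(os.path.join(app_dir, "shared_prefs"))):
        if f.endswith(".xml"):
            report["prefs"][f] = read_shared_prefs(os.path.join(app_dir, "shared_prefs", f))
    for f in sorted(os.listdir(os.path.join(app_dir, "databases"))):
        if not f.endswith("-journal"):  # rollback journals are not databases
            report["databases"][f] = list_tables(os.path.join(app_dir, "databases", f))
    return report


def build_sample_app_dir():
    """Constructed stand-in for /data/data/com.example.notes (not real device data)."""
    app_dir = os.path.join(tempfile.mkdtemp(), "com.example.notes")
    os.makedirs(os.path.join(app_dir, "shared_prefs"))
    os.makedirs(os.path.join(app_dir, "databases"))
    with open(os.path.join(app_dir, "shared_prefs", "com.example.notes_preferences.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                 '<string name="username">jdoe</string>\n'
                 '<boolean name="sync_enabled" value="true" />\n</map>\n')
    con = sqlite3.connect(os.path.join(app_dir, "databases", "notes.db"))
    con.execute("CREATE TABLE notes (_id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO notes (body) VALUES (?)", [("shift 0600",), ("gym 1800",)])
    con.commit()
    con.close()
    return app_dir
```

Run triage_app_dir(build_sample_app_dir()) to see the report; the same function works on a pulled copy of a real app directory.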
NOTES:




Exercise 4 - Attempt to circumvent passcode and obtain temp root access
Objectives
Apply rooting techniques, using available tools
Instructions
1. Identify what type (if any) of passcode is enabled on the device
a. Use Passcode Types slides for guidance
2. Confirm whether the device is already rooted, or not
a. Use Temp Root slides for guidance
3. If not rooted, attempt to enable Temp Root (aka Shell Root)
a. Use SuperOneClick slides for guidance
4. (Optional) Apply the "Extend, Enable, Disable" techniques of a first responder
a. Use Device Acquisition slide for guidance
5. (Optional) Verify whether a user-accessible Recovery Mode is on your device
a. Use Recovery Mode slides for guidance
6. (Optional - after verification in #5) Verify whether Recovery Mode has root access
NOTES:









Exercise 5 - Logical Acquisition of Data
Objectives
Extract a logical acquisition from device or AVD
Document the data size extracted
Instructions
1. Execute a logical data extraction of /data with ADB Pull
a. Use ADB Pull slides for guidance
2. Document the number of files pulled and skipped
3. (Optional) Using QtADB, run logcat
a. Use QtADB slides for guidance
4. (Optional) Using QtADB, execute the same logical extraction from Step #1.
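An added example for step 2 (not the class's or QtADB's code): it parses an adb pull transcript to count files pulled and skipped, cross-checks those counts against the per-file lines and the files that actually landed on disk, and records the total size plus a SHA-256 per file for the worksheet. The transcript format (one "pull: remote -> local" line per file, "skipping special file" for entries adb will not copy, and a closing "N files pulled. M files skipped." line) is assumed from the adb of the Android 2.2 era; the sample transcript and the files under out/ are constructed.

```python
import hashlib
import os
import re
import tempfile

# Constructed transcript in the format assumed for the adb of that era: one "pull: <remote> ->
# <local>" line per file, "skipping special file" for what it will not copy, and a closing summary.
SAMPLE_TRANSCRIPT = """\
pull: /data/data/com.example.notes/databases/notes.db -> out/com.example.notes/databases/notes.db
pull: /data/data/com.example.notes/shared_prefs/prefs.xml -> out/com.example.notes/shared_prefs/prefs.xml
skipping special file '/data/data/com.example.notes/lib'
2 files pulled. 1 file skipped.
"""
PULL_RE = re.compile(r"^pull: (.+?) -> (.+)$")
SUMMARY_RE = re.compile(r"^(\d+) files? pulled\. (\d+) files? skipped\.$")

def parse_pull_transcript(text):
    """Return (local paths pulled, skipped lines, (pulled, skipped) from the summary or None)."""
    pulled, skipped, summary = [], [], None
    for line in text.splitlines():
        if m := PULL_RE.match(line):
            pulled.append(m.group(2))
        elif line.startswith("skipping"):
            skipped.append(line)
        elif m := SUMMARY_RE.match(line):
            summary = (int(m.group(1)), int(m.group(2)))
    return pulled, skipped, summary

def document_extraction(transcript, root):
    """Worksheet figures for a logical pull: counts, total bytes, SHA-256 per file, consistency flag."""
    pulled, skipped, summary = parse_pull_transcript(transcript)
    total, hashes = 0, {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            data = open(os.path.join(dirpath, f), "rb").read()
            hashes[os.path.relpath(os.path.join(dirpath, f), root)] = hashlib.sha256(data).hexdigest()
            total += len(data)
    # transcript summary, per-file lines and files on disk must all tell the same story
    consistent = summary == (len(pulled), len(skipped)) and len(hashes) == len(pulled)
    return {"pulled": len(pulled), "skipped": len(skipped), "bytes": total,
            "sha256": hashes, "consistent": consistent}

def build_sample_extraction():
    """Constructed local out/ directory matching SAMPLE_TRANSCRIPT (not real device data)."""
    root = os.path.join(tempfile.mkdtemp(), "out")
    for rel, body in (("com.example.notes/databases/notes.db", b"\x00" * 4096),
                      ("com.example.notes/shared_prefs/prefs.xml", b"<map/>\n")):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root
```

Capture the real transcript with `adb pull /data out 2>&1 | tee pull.log` and pass its text with the out directory; a False consistency flag means the pull should be repeated or the discrepancy noted before the worksheet is filled in.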
NOTES:








Exercise 6 - Determine what the user does for work and fun
Objectives
Explore different commercial and open-source Android forensics products
Identify data on the device which can be used as evidence to identify user activity
Instructions
1. (Group / Individual activity) Now that you have acquired data many different ways, analyze the
data using one of the forensics tools (adb, adb shell, Device Seizure, QtADB, etc.) to get a fresh
data acquisition from your device
2. Look at earlier exercises for commands, as a refresher
3. Explore data in directories like /data/ and /cache/
4. As a forensic analyst, document findings that would help you determine the user's profession
and hobbies
5. Be prepared to share your findings with the class
Investigator's name(s):
Investigation Date:
Data Extraction File Size:
Recent Photos Detail / Include geo-location if available:

Recent GPS details:

Recent SMS / email details:

NOTES:





Exercise 7 - Reverse engineer an app and locate critical data
Objectives
Explore reversing tools for Android
Reverse engineer an Android application using available tools
Locate data within the application
Instructions
1. Use APKInspector
a. At the command line, navigate to "/opt/apkinspector", run command "python startQT.py"
2. Attempt to reverse engineer the Facebook or F-Droid .apk, located in the Documents directory of the
forensics workstation (HINT: File > New, locate the .apk file to reverse)
a. NOTE: F-Droid may have issues reversing
3. Be prepared to share your findings with the class
NOTES:









Back Cover - Linux commands
./android: Run Android SDK Manager and AVD Manager
df -h: Display free disk space. -h displays sizes in K, M and G. Easier to read.
adb devices: Identifies Android devices running adbd and connected to the workstation.
adb kill-server: Kills the running adb server. Useful if 'adb devices' is not responding properly.
adb pull <remote dir> <local dir>: Pulls data from an emulator/device instance's data file
adb shell: Opens a shell on an Android device.
apt-get: Advanced Packaging Tool used for installing/uninstalling software via the Linux command line
cat: Used to display file contents in a shell
dd: Unix program for copying / converting raw data
dmesg: Displays Linux kernel messages. Useful with AVD or adb shell
gconf-editor: Opens the Configuration Editor application, similar to the registry editor in Windows. For Android
forensics, it's used for enabling / disabling automount for mobile devices.
grep: Used for searching keywords, will become indispensable if using Linux for forensics
investigations
lsusb -v: Lists all USB devices. -v displays verbose details. Helpful if needing to identify 'idVendor' for
updating udev rules.
mount: For mounting a file system (commonly when mounting an Android device to a forensics
workstation)
nano: Will follow the path and open that file if it exists.
If it does not exist, it'll start a new buffer with that filename in that directory
sqlite3 <db name>: Opens SQLite
.tables: Lists all tables
CTRL+z: Exits SQLite
sudo: Running in escalated mode, usually as superuser or root, useful for rooted Android devices
sudo nano -w /etc/udev/rules.d/51-android.rules: File for adding USB vendor IDs
tar xzvf: unzip / extract package utility: eXtract, unZip, Verbose, File.
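The udev step of Exercise 1 and the lsusb -v / 51-android.rules entries above, as an added example rather than the class's own material: it reads idVendor values out of lsusb -v output and appends a rule line for each vendor the rules file does not already cover, so re-running it after plugging in another device changes nothing. The lsusb excerpt is constructed (18d1 and 04e8 are Google's and Samsung's USB vendor IDs; the product lines are filler), and the SUBSYSTEM / ATTR{idVendor} / MODE form of the rule line is the one the Android SDK's Linux setup docs used for 51-android.rules.

```python
import re

# Constructed excerpt of 'lsusb -v' output (not a capture from the class
# workstation); 18d1 and 04e8 are the USB vendor IDs of Google and Samsung,
# the product lines are filler.
SAMPLE_LSUSB = """\
Bus 001 Device 004: ID 18d1:0001 Google Inc.
Device Descriptor:
  bLength                18
  idVendor           0x18d1 Google Inc.
  idProduct          0x0001 (constructed)
Bus 001 Device 005: ID 04e8:0002 Samsung Electronics Co., Ltd
Device Descriptor:
  idVendor           0x04e8 Samsung Electronics Co., Ltd
  idProduct          0x0002 (constructed)
Bus 001 Device 006: ID 18d1:0001 Google Inc.
Device Descriptor:
  idVendor           0x18d1 Google Inc.
"""
VENDOR_RE = re.compile(r"^\s*idVendor\s+0x([0-9a-fA-F]{4})\b", re.MULTILINE)
RULE_RE = re.compile(r'ATTR\{idVendor\}=="([0-9a-fA-F]{4})"')


def vendor_ids(lsusb_output):
    """Unique idVendor values from 'lsusb -v' output, lower-case, in first-seen order."""
    seen = []
    for vid in (m.lower() for m in VENDOR_RE.findall(lsusb_output)):
        if vid not in seen:
            seen.append(vid)
    return seen


def udev_rule(vid, mode="0666"):
    """One 51-android.rules line granting access to every USB device of one vendor.
    MODE 0666 is world read/write; on a shared workstation add GROUP="plugdev"
    (or similar) and lower the mode rather than leaving the node open to everyone."""
    return f'SUBSYSTEM=="usb", ATTR{{idVendor}}=="{vid}", MODE="{mode}"'


def merge_rules(existing_rules, lsusb_output):
    """Return the rules file text with a line appended for each vendor lsusb saw
    that the file does not already cover; running it twice changes nothing."""
    present = {v.lower() for v in RULE_RE.findall(existing_rules)}
    lines = existing_rules.rstrip("\n").splitlines() if existing_rules.strip() else []
    for vid in vendor_ids(lsusb_output):
        if vid not in present:
            lines.append(udev_rule(vid))
            present.add(vid)
    return "\n".join(lines) + "\n"
```

Feed merge_rules the current file contents and the output of lsusb -v, write the result back with the sudo nano -w command from the table, then unplug and replug the device.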
