Android Analysis Quickstart

Enable USB Debugging

This is the first step: adb cannot talk to the device until USB debugging is on. The menu path depends on the vendor's Android build; the two below are for OPPO's ColorOS. On any Android build, [Developer options] stays hidden until you tap [Build number] (under [About phone]) seven times, and the first adb connection raises an "Allow USB debugging?" prompt on the phone showing your computer's key fingerprint, which must be accepted before the device leaves the "unauthorized" state.

  • For ColorOS 12 and above: Go to [Settings] > [System settings] > [Developer options] and enable [USB debugging].
  • For ColorOS 11: Go to [Settings] > [Additional settings] > [Developer options] and enable [USB debugging].

Tools you need to get started: the basics

  • Android File Transfer
  • ADB
  • Fastboot
  • MVT + Dependencies

Android File Transfer

This is the tool for browsing the files the device exposes and copying them between your computer and the device. It talks MTP, so it only sees shared user storage (photos, downloads, documents), not app-private data under /data.

ADB

Android Debug Bridge (adb) runs commands on the Android device you are analysing and is the main workhorse for live Android triage. Keep in mind that everything it runs executes on the live device and changes its state (log entries, file access times), so record each command you issue and the order you issued it in, prefer read-only commands (getprop, pm list, ls, pull) and work on pulled copies rather than inspecting files in place.

adb devices (list attached devices and their state: device, unauthorized, offline)
adb devices -l (same, with product/model/transport id)
adb shell getprop ro.build.version.release (print the Android version)
adb pull /system/app phone1-apps (copy the system app directory into the local folder phone1-apps)
adb root (restarts adbd with root permissions; only works on userdebug/eng builds or rooted devices, a production build answers "adbd cannot run as root in production builds")
adb start-server (starts the adb server)
adb kill-server (kills the adb server)
adb reboot (reboots the device)
adb shell (opens an interactive shell on the device)
exit (leaves the device shell)
adb help (list all commands)
adb -s <serial> <command> (direct the command to a specific device, serial as printed by adb devices)
adb -d <command> (direct the command to the only attached USB device)
adb -e <command> (direct the command to the only running emulator)
adb pull <remote> <local> (copy a file/dir from the device)
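The commands above are usually run by hand; when more than one phone is on the bench, or when the "unauthorized" state silently drops a device, a small wrapper helps. The script below is an added example and not code from the original post: it reads `adb devices -l`, separates ready devices from blocked ones, and pulls a first set of artefacts that do not need root with `adb -s <serial>`. The directory name `evidence/<serial>` and the `--run` switch are my choices; `adb` and `sha256sum` are assumed to be on PATH only when the collection functions are actually invoked.

```shell
#!/bin/sh
# Added example (not from the original post): select authorized devices from
# `adb devices -l` and collect root-free live-response basics with adb -s.

# Read `adb devices -l` output on stdin and print only serials whose state is
# "device" (authorized and online). Other states are "unauthorized" (the RSA
# prompt on the phone was not accepted), "offline", "recovery", "sideload".
# Lines starting with "*" are adb daemon start-up messages, not devices.
ready_serials() {
    awk 'NR > 1 && NF >= 2 && $1 != "*" && $2 == "device" { print $1 }'
}

# Same input; print "serial state" for every device that is NOT ready, so the
# analyst sees why a phone is missing instead of the script skipping it silently.
blocked_serials() {
    awk 'NR > 1 && NF >= 2 && $1 != "*" && $2 != "device" { print $1, $2 }'
}

# ro.debuggable is "1" on userdebug/eng builds, where `adb root` works, and
# "0" on production builds, where adbd refuses to restart as root.
is_debuggable_build() {
    # $1: output of `adb shell getprop ro.debuggable` (CR/LF tolerated)
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Collect what a production build lets a shell user read: build properties,
# the package list with APK paths (-u keeps uninstalled-but-retained packages),
# running processes (ps -A needs Android 8+; use plain ps on older builds),
# package manager state, global/secure settings, then hash everything written.
collect_basics() {
    serial=$1
    out=$2
    mkdir -p "$out"
    {
        printf 'serial=%s\n' "$serial"
        printf 'collected_utc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$out/collection.txt"
    adb -s "$serial" shell getprop                  > "$out/getprop.txt"
    adb -s "$serial" shell pm list packages -f -u   > "$out/packages.txt"
    adb -s "$serial" shell ps -A                    > "$out/ps.txt"
    adb -s "$serial" shell dumpsys package          > "$out/dumpsys_package.txt"
    adb -s "$serial" shell "settings list global; settings list secure" > "$out/settings.txt"
    if is_debuggable_build "$(adb -s "$serial" shell getprop ro.debuggable)"; then
        printf 'debuggable build: adb root is available\n' >> "$out/collection.txt"
    else
        printf 'production build: adb root unavailable, /data not readable\n' >> "$out/collection.txt"
    fi
    ( cd "$out" && sha256sum *.txt > SHA256SUMS )
}

main() {
    devices=$(adb devices -l)
    printf '%s\n' "$devices" | blocked_serials | while read -r serial state; do
        printf 'skipping %s: state %s\n' "$serial" "$state" >&2
    done
    printf '%s\n' "$devices" | ready_serials | while read -r serial; do
        collect_basics "$serial" "evidence/$serial"
    done
}

# Only talk to adb when invoked as `sh adb_triage.sh --run`.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

The SHA256SUMS file written last is what lets you show later that the pulled copies are the ones you analysed; keep it with the case notes together with the list of commands run.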

Fastboot

Fastboot is the command-line client for the bootloader's fastboot mode. You can use it to read bootloader variables (bootloader and baseband version, serial number, product, lock state) from the device you are analysing and, if the bootloader is unlocked, to boot or flash images. The device needs to be in fastboot mode before any of its commands work: run adb reboot bootloader from a working adb session, or use the vendor's key combination at power-on. Note that fastboot prints getvar results to stderr, so redirect with 2>&1 when saving them to a file.

% fastboot devices
% fastboot getvar version
version: 0.5
Finished. Total time: 0.001s
% fastboot getvar version-bootloader
% fastboot getvar version-baseband
% fastboot getvar serialno
% fastboot getvar product
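Two things bite when these commands are scripted: fastboot writes getvar output to stderr, so a plain redirect leaves the file empty, and the variable that matters most for evidential weight, the bootloader lock state, is not in the list above. The script below is an added example and not code from the original post: it captures `fastboot getvar all` into a file, looks up single variables, and turns the `unlocked` variable into a verdict. The constructed sample in the usage test mimics the `name:value` lines fastboot prints; whether a given device exposes `unlocked` and `secure` depends on its bootloader, which the code treats as an unknown rather than assuming.

```shell
#!/bin/sh
# Added example (not from the original post): capture `fastboot getvar all`
# and read the bootloader lock state out of it. Assumption: a device in
# fastboot mode is attached when capture_getvar is run.

# fastboot writes getvar results to stderr, not stdout, so
# `fastboot getvar all > file` saves nothing. Redirect both streams and strip
# the "(bootloader) " prefix each variable line carries; the trailing
# "Finished. Total time" line has no prefix and is dropped by sed -n.
capture_getvar() {
    # $1: serial (as printed by `fastboot devices`), $2: output file
    fastboot -s "$1" getvar all 2>&1 | sed -n 's/^(bootloader) //p' > "$2"
}

# Look up one variable in captured text read from stdin. Matches the key at
# the start of the line only, so "version" does not match "version-bootloader",
# and keeps the whole value even when it contains further colons.
getvar_value() {
    awk -v key="$1" '
        index($0, key ":") == 1 {
            v = substr($0, length(key) + 2)
            sub(/^[ \t]+/, "", v)
            print v
            exit
        }'
}

# Verdict on the bootloader lock state from captured text on stdin. An
# unlocked bootloader means verified boot is not enforced and anyone with
# physical access could have flashed the system, so findings from the
# device image carry less weight and the unlock itself is worth noting.
lock_state() {
    text=$(cat)
    unlocked=$(printf '%s\n' "$text" | getvar_value unlocked)
    secure=$(printf '%s\n' "$text" | getvar_value secure)
    case "$unlocked" in
        yes) echo "UNLOCKED: bootloader unlocked, verified boot not enforced" ;;
        no)  echo "locked" ;;
        *)   echo "unknown (no 'unlocked' variable; secure=${secure:-?})" ;;
    esac
}

# Usage on a real device, e.g. in a case directory:
#   capture_getvar ZY22ABCDEF getvar_all.txt && lock_state < getvar_all.txt
```

Record the lock state next to the adb collection: a locked bootloader on a device that nonetheless shows root or modified system files is a different investigation from an unlocked one.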

MVT + Dependencies

Mobile Verification Toolkit (MVT) is a tool to facilitate the consensual forensic analysis of Android and iOS devices, for the purpose of identifying traces of compromise.

Indicators of Compromise (IOCs)

MVT uses Structured Threat Information Expression (STIX) files to identify potential traces of compromise.

mvt-android check-backup --iocs ~/iocs/malware.stix2 /path/to/android/backup/ (scan an adb backup against one STIX2 indicator file)
export MVT_STIX2="/home/user/IOC1.stix2:/home/user/IOC2.stix2" (colon-separated list of STIX2 files MVT loads on every run, so --iocs does not have to be repeated)
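Put together, a first MVT pass on a consenting owner's phone is: refresh the public indicators, take an uncompressed adb backup, run the live adb check and the backup check into separate result folders, then look for the `*_detected.json` files MVT writes when a module matches an indicator. The script below is an added example, not code from the original post or from the MVT project. It assumes `adb` and `mvt-android` are on PATH when `run_mvt` is invoked, that the `mvt-android` subcommands and flags used (`download-iocs`, `check-adb --serial/--output`, `check-backup --output`) match the installed version (check `mvt-android --help`), and that your own extra STIX2 files live in a directory of your choosing (`IOC_DIR`, a name chosen here).

```shell
#!/bin/sh
# Added example (not from the original post or from MVT): end-to-end MVT run
# against a live device and an adb backup, then a summary of the results.
# Assumptions: adb and mvt-android on PATH when run_mvt is called; the
# owner has consented; IOC_DIR (name chosen here) holds extra .stix2 files.

IOC_DIR="${IOC_DIR:-./iocs}"

# Build the colon-separated list MVT expects in MVT_STIX2 from a directory of
# .stix2 files. Indicators fetched with `mvt-android download-iocs` are
# loaded by MVT automatically; this list is for your own additional files.
stix2_path_list() {
    list=""
    for f in "$1"/*.stix2; do
        [ -e "$f" ] || continue
        list="${list:+$list:}$f"
    done
    printf '%s\n' "$list"
}

# Uncompressed full backup. The phone shows a confirmation dialog (and asks
# for an optional password, which MVT will then prompt for). Many apps opt
# out of adb backup on modern Android, but SMS and call logs still come out.
make_backup() {
    # $1: device serial, $2: output .ab file
    adb -s "$1" backup -nocompress -all -f "$2"
}

# Live check over adb plus the backup check, each into its own folder so the
# per-module JSON files from the two runs do not overwrite each other.
run_mvt() {
    serial=$1
    backup=$2
    results=$3
    mvt-android download-iocs
    MVT_STIX2=$(stix2_path_list "$IOC_DIR")
    export MVT_STIX2
    mkdir -p "$results/adb" "$results/backup"
    mvt-android check-adb --serial "$serial" --output "$results/adb"
    mvt-android check-backup --output "$results/backup" "$backup"
}

# MVT writes <module>.json for everything it parsed and <module>_detected.json
# only for modules that matched an indicator. List the latter and count them;
# an empty list is "no match against these indicators", not "clean".
summarize_results() {
    dir=$1
    n=0
    for f in "$dir"/*_detected.json; do
        [ -e "$f" ] || continue
        n=$((n + 1))
        printf '%s\n' "$(basename "$f")"
    done
    printf 'detected_modules=%d\n' "$n"
}

# Usage with a real device, e.g.:
#   make_backup ZY22ABCDEF case1/backup.ab
#   run_mvt ZY22ABCDEF case1/backup.ab case1/mvt
#   summarize_results case1/mvt/adb; summarize_results case1/mvt/backup
```

Review the non-detected `<module>.json` files as well: indicators only cover known campaigns, and an unfamiliar package with device-admin or accessibility rights in `packages.json` is a finding even when nothing matched.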

Vishal Thakur

DFIR enthusiast. Founder of HCKSYD. Founder of Security BSides Sydney Australia. Malware Analyst.