DATA EXTRACTION FROM
ANDROID DEVICES USING THE
FORENSIC SOFTWARE AVILLA FORENSICS
The software used for data extraction in this tutorial is developed
by Daniel Avilla, a State Police officer of São Paulo.
AVILLA FORENSICS is forensic software used to perform
data extractions from mobile devices.
Emerson Borges Machado
[email protected]
MINIMUM REQUIREMENTS:
Device: USB debugging enabled.
Operating system: updated Windows 10.
For extraction: 32- or 64-bit system.
Backup conversion .AB to .TAR: 32- or 64-bit system with Java
installed.
IPED PF report: 64-bit system with 64-bit Java installed.
NECESSARY PROGRAMS:
DOWNLOAD AVILLA FORENSICS: DOWNLOAD HERE
DOWNLOAD JAVA: DOWNLOAD HERE
DOWNLOAD WINRAR: DOWNLOAD HERE
TUTORIAL VIDEO:
https://youtu.be/KuSmct1Qa30
PREPARING THE CELL PHONE
To start, we must prepare the mobile device to communicate with
ADB (Android Debug Bridge). For that we will enable the
USB DEBUGGING mode of the mobile device, the basic mechanism used in
forensic extractions from (Android) mobile devices.
FOLLOW THE STEPS FAITHFULLY:
Open the phone Settings and scroll down to the option About
phone.
Open the Software information option, then tap the Build number
option 7 (seven) TIMES.
During this process, the device displays a message saying how many
taps remain to unlock DEVELOPER MODE.
When it is unlocked, the system displays the following alert:
After enabling DEVELOPER MODE, go back to 'Settings' and scroll
to the end of the menu. You will notice that 'Developer options' is now
active and appears among the options.
ATTENTION AT THIS STAGE!
Within the DEVELOPER OPTIONS, we will enable
USB DEBUGGING.
When the phone asks ALLOW USB DEBUGGING?
tap OK.
Still within the Developer options, also enable the option
STAY AWAKE, so that the screen does not lock while the phone is connected
during the extraction.
After completing these steps, connect the mobile device to the USB port of the
computer and allow access to the phone as soon as it is requested.
When the cell phone is connected to the USB port of the computer,
Windows shows the following alert box. This alert informs that
the mobile device is communicating with the operating system.
These are the steps needed to make the cell phone
ready to be used with Avilla Forensics.
*** The About phone, Software information and Build number
options may be located in different places depending on the
manufacturer, model and Android version of the device. A quick search on
Google for 'how to unlock developer mode on device XYZ' gives
precise information for a given model/manufacturer.
IMPORTANT INFORMATION!
After downloading AVILLA FORENSICS (download here), which comes
zipped (.zip), use WINRAR (download here) to unpack the file
into MY COMPUTER => LOCAL DISK (C:)
CARRYING OUT LOGICAL EXTRACTION - BACKUP ADB - ANDROID
Inside the forensics folder, right-click on the file
Avilla_Forensics and run it as administrator.
With Avilla Forensics open, we will begin the LOGICAL extraction
of the mobile phone. The first step is to test the connection between the
cell phone and the software.
1) Enter the BACKUP ADB option.
2) Click on TEST CONNECTION.
If the mobile device and the software are communicating, the model of
the mobile device will appear under 'List of devices attached'. If the
device is listed as 'unauthorized' instead, the ALLOW USB DEBUGGING? prompt
was not accepted on the phone; accept it and test the connection again.
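The 'List of devices attached' text that Avilla Forensics shows is the output of `adb devices`. The following added example (not Avilla Forensics code, and not from the original tutorial) parses a constructed sample of `adb devices -l` output and reports whether each handset is in a state that will accept `adb backup`; the serials, models and hints are hypothetical, but the connection states (device, unauthorized, offline, no permissions) are the ones adb itself reports.

```python
"""Interpret the device list returned by `adb devices -l`.

Added example for this tutorial, not Avilla Forensics code. It parses a
constructed sample of the command's output and reports whether a handset
is in a state that accepts `adb backup`. Serials and models are made up."""

# Constructed sample output; serials, models and transport ids are hypothetical.
SAMPLE_ADB_DEVICES = """\
* daemon not running; starting now at tcp:5037
* daemon started successfully
List of devices attached
R58M12ABCDE            device usb:1-2 product:a51nsxx model:SM_A515F device:a51 transport_id:3
0123456789ABCDEF       unauthorized usb:1-3 transport_id:4
emulator-5554          offline transport_id:5
XYZ123                 no permissions (udev rules?) usb:1-4
"""

# What each adb connection state means for the examiner.
STATE_HINTS = {
    "device": "ready: USB debugging is on and this computer's RSA key was accepted",
    "unauthorized": "tap OK on the phone's 'Allow USB debugging?' prompt and test again",
    "offline": "the phone stopped answering adb; replug the cable or run 'adb kill-server' and retry",
    "no permissions": "adbd is reachable but the host lacks USB permissions (Linux udev rule)",
}


def parse_adb_devices(text):
    """Return a list of (serial, state, props) tuples, one per device line."""
    devices = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, the daemon messages and the header line.
        if not line or line.startswith("*") or line.startswith("List of devices"):
            continue
        parts = line.split()
        serial, state = parts[0], parts[1]
        # adb prints "no permissions (...)" as two words; normalise the state.
        if state == "no" and len(parts) > 2 and parts[2].startswith("permissions"):
            state = "no permissions"
        # `adb devices -l` appends key:value properties (model, transport_id, ...).
        props = dict(p.split(":", 1) for p in parts[2:] if ":" in p)
        devices.append((serial, state, props))
    return devices


def backup_candidates(devices):
    """Serials that can be passed to `adb -s <serial> backup`, i.e. state 'device'."""
    return [serial for serial, state, _ in devices if state == "device"]


def diagnose(text):
    """Map every serial to a human-readable hint about its state."""
    return {serial: STATE_HINTS.get(state, f"unknown state '{state}'")
            for serial, state, _ in parse_adb_devices(text)}


if __name__ == "__main__":
    for serial, hint in diagnose(SAMPLE_ADB_DEVICES).items():
        print(f"{serial}: {hint}")
    ready = backup_candidates(parse_adb_devices(SAMPLE_ADB_DEVICES))
    if len(ready) != 1:
        print("attach exactly one authorized device, or select one with adb -s <serial>")
```

Run it against real output with `adb devices -l | python3 this_script.py` adapted to read stdin, or call `diagnose()` on captured text; only a device in state 'device' will take the backup command that Avilla Forensics issues behind the EXTRACT button.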
The next step is to choose the folder where the extraction will be saved: click
'SAVE AS:' and select the folder.
Once done, click 'EXTRACT'.
When the extraction process starts, alert boxes will appear; read them
carefully and follow the instructions faithfully.
At this moment, the BACKUP screen appears on the cell phone. If the option
BACK UP MY DATA is enabled, just tap it; if
not, enter a password of your choice so that the option becomes enabled.
You can use a simple password, such as 12345. Write the password down: it
encrypts the .AB file and will be requested again when converting it to .TAR.
The software will start backing up the data from the cell phone; just
wait for the process to finish.
When the extraction is completed, this is reported on the information screen of the
software, as shown in the following image:
The extraction, in .AB format, will be in the folder selected at the beginning of the
process, which in the case of this tutorial is DESKTOP\TUTORIAL\EXTRACTION.
This concludes the BACKUP ADB logical extraction module of Avilla
Forensics.
Later we will convert the .AB file to .TAR, the file extension
accepted by the Federal Police software (IPED).
APK DOWNGRADE - DATA EXTRACTION
WHATSAPP - ANDROID
Now that you are more familiar with Avilla Forensics, open the
option APK DOWNGRADE.
Click on TEST CONNECTION; if the communication is OK, the model of the
mobile phone is displayed under 'List of devices attached', in the same way
as in the previous step of the tutorial.
The next step is to click on TEST APPLICATION; at that moment the
application 'Test Application' is installed on the mobile device.
Note that the test app opens on the screen of the mobile device.
Having completed these steps, the next step is to choose the application on
which we will perform the downgrade, which in this tutorial is WhatsApp. To
do so, click on DETECT.
Select com.whatsapp.
Now click on SAVE AS: and select the folder where the extraction will be
saved.
ATTENTION!
In the next steps, carefully follow the instructions presented in the
Avilla Forensics alerts and also on the mobile device screen.
Click on EXTRACT.
Click on Yes.
BACKUP FOLDER: located in the lower right corner of Avilla Forensics.
The alert informs that the mobile device must be restarted; click Yes.
Click OK only after the cell phone has completely restarted and,
if it has a password and/or screen lock, after you have
unlocked it.
PAY ATTENTION AT THIS STAGE!
At this moment, the current version of WhatsApp has been uninstalled and the
older 'exploit' version of the application (com.whatsapp), a build that still
allows its data to be included in an ADB backup, has been installed. To grant the
necessary permissions, open the app on the mobile device and tap CONTINUE.
After tapping CONTINUE, go back to Avilla Forensics and click OK.
At this moment, a BACKUP screen appears on the mobile device. If the option
BACK UP MY DATA is enabled, just tap it; if
not, enter a password of your choice so that the option becomes enabled.
You can use a simple password, such as 12345, and note it down for the conversion step.
Click on Yes.
Extraction completed.
CONVERTING .AB TO .TAR AND USING THE
FEDERAL POLICE SOFTWARE IPED TO
INDEX THE EXTRACTED FILES
After performing the BACKUP ADB and APK DOWNGRADE extractions, we will now
convert the .AB files to .TAR so that it is possible to
analyse the content extracted from the mobile device.
Enter the highlighted option to perform the conversion.
Click SELECT and choose the .AB file produced by the BACKUP ADB
extraction, then choose the location where the file with the
.TAR extension will be saved.
I save it in the same folder that was created during the
extraction, so that the .AB file and the .TAR file stay together.
Note that the destination folder of the .TAR file is the same as that of the .AB.
If, at the time of extraction, you provided a password to enable the
option BACK UP MY DATA, you must now
check BACKUP WITH PASSWORD; when you click CONVERT, the
password will be requested and you must enter it in the specified field.
Without the correct password the encrypted .AB cannot be unpacked.
Now press OK and the conversion will start.
Conversion completed. The .TAR file is now inside the selected
folder.
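To show what the converter does with an .AB file, here is an added example (not Avilla Forensics code, and not from the original tutorial). It relies only on the documented layout of an `adb backup` file: four text header lines ("ANDROID BACKUP", format version, compressed flag, encryption algorithm) followed by a zlib stream that wraps a tar archive. Backups made with a password carry "AES-256" in the fourth line and are refused here, which is the case the BACKUP WITH PASSWORD option handles; the sample backup and its file names are constructed in memory for the demonstration.

```python
"""Convert an unencrypted Android `adb backup` file (.AB) to a plain .TAR.

Added example for this tutorial, not Avilla Forensics code. Header layout:
  ANDROID BACKUP\n<version>\n<compressed 0|1>\n<encryption none|AES-256>\n
followed by the payload (zlib-compressed tar when compressed=1 and
encryption=none). The sample backup below is constructed; names are made up."""
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data):
    """Return (version, compressed, encryption, payload_offset) or raise ValueError."""
    fields = data.split(b"\n", 4)            # four newline-terminated header lines
    if len(fields) < 5 or fields[0] != MAGIC:
        raise ValueError("not an Android backup file (missing 'ANDROID BACKUP' magic)")
    version = int(fields[1])
    compressed = fields[2] == b"1"
    encryption = fields[3].decode("ascii")  # "none" or "AES-256"
    payload_offset = len(data) - len(fields[4])
    return version, compressed, encryption, payload_offset


def ab_to_tar(data):
    """Return the tar bytes inside an .AB file; refuse encrypted backups.

    A backup made with a password (such as the 12345 suggested above) is
    marked AES-256: its payload is unreadable without the password, so it
    must go through the converter's BACKUP WITH PASSWORD option instead."""
    _, compressed, encryption, offset = parse_ab_header(data)
    if encryption != "none":
        raise ValueError(f"backup is encrypted ({encryption}); the backup password is required")
    payload = data[offset:]
    return zlib.decompress(payload) if compressed else payload


def tar_member_names(tar_bytes):
    """List the paths stored in the tar, e.g. apps/com.whatsapp/db/msgstore.db."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return tar.getnames()


def build_sample_ab(files, encrypted=False):
    """Constructed .AB for testing: tar the given {path: bytes}, compress, add header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    header = b"ANDROID BACKUP\n5\n1\n" + (b"AES-256\n" if encrypted else b"none\n")
    return header + zlib.compress(buf.getvalue())


def convert_file(ab_path, tar_path):
    """Disk wrapper: read backup.ab, write backup.tar, return the member names."""
    with open(ab_path, "rb") as f:
        tar_bytes = ab_to_tar(f.read())
    with open(tar_path, "wb") as f:
        f.write(tar_bytes)
    return tar_member_names(tar_bytes)


if __name__ == "__main__":
    sample = build_sample_ab({"apps/com.whatsapp/db/msgstore.db": b"constructed"})
    print(tar_member_names(ab_to_tar(sample)))
```

On a real extraction, `convert_file("backup.ab", "backup.tar")` yields the same .TAR the tutorial feeds to IPED; listing its member names is a quick check that the com.whatsapp data actually made it into the backup before indexing.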
Do the same process for the APK DOWNGRADE (WhatsApp) extraction.
Since we performed two types of extraction, BACKUP ADB and APK
DOWNGRADE, let's create a new folder and put in it all the files
needed to carry out the IPED indexing.
I created a new folder named COLETA (COLLECTION).
Notice in the image that there are three folders, namely:
EXTRACTION: folder containing the BACKUP ADB extraction.
WHATSAPP: folder containing the APK DOWNGRADE (WhatsApp) extraction.
COLLECTION: folder where we gather the converted .TAR files of the
BACKUP ADB and APK DOWNGRADE extractions together with the folder
com.whatsapp or WhatsApp.
By default (older WhatsApp versions), the media files are saved in the
following path:
/sdcard/WhatsApp
On newer versions, including the tutorial device after biometrics were
activated, the media are saved in the path below:
/sdcard/Android/media/com.whatsapp/
Which path applies depends on the WhatsApp and Android version (newer
versions keep media in the app's scoped-storage directory), so check both
locations. That is why it is important to pay attention to this detail, to know
which folder should be selected at indexing time.
On the mobile device used to produce this tutorial, biometrics were
activated.
So, within the COLLECTION folder we included the extraction files:
1) backup-tar-2022-03-14-13-32-23 (BACKUP ADB);
2) backup-tar-2022-03-14-13-43-50 (APK DOWNGRADE);
3) and the folder com.whatsapp (which contains the media files).
The result is as follows:
Having organized our folder structure, we now proceed with the indexing of the
folder so that the content can be analysed in IPED.
Access the IPED option.
Check the INDEX FOLDER option.
Select the path of the folder we created, in the case of the tutorial
the COLLECTION folder.
SAVE IN: select the folder where the IPED index will be saved.
To keep things organised, create a new folder and name it IPED.
This is how the structure of the process turned out.
Now click on GENERATE.
The indexer will start loading the information.
Indexer generated.
Now, inside the IPED folder, you will find the indexer file IPED-SearchApp;
just double-click it and it opens with the extraction result.
IPED is a powerful tool developed by the criminal forensic experts of the
Federal Police, capable of high-volume data processing; it is worth noting that
the tool was widely used in Operation Car Wash (Lava Jato).
https://servicos.dpf.gov.br/ferramentas/IPED/
https://github.com/sepinf-inc/IPED
IPED SCREENS