Andriller is a software utility with a collection of forensic tools for
smartphones. It performs read-only, forensically sound, non-destructive
acquisition from Android devices. It has other features, such as powerful
Lockscreen cracking for Pattern, PIN code, or Password; and custom decoders for
Apps data from Android (and some Apple iOS) databases for decoding
communications. Extraction and decoders produce reports in HTML and Excel
(.xlsx) formats.
Basic Setup
Andriller comes as a lightweight Setup installable for Windows (XP, Vista, 7,
8). It only requires the Microsoft Visual C++ 2010 Redistributable Package (x86)
installed, USB drivers for your Android device, and a web browser for viewing
results. Simple.
Features
- Automated data extraction and decoding
- Data extraction of non-rooted devices by Android Backup (Android versions 4.x)
- Data extraction with root permissions: root ADB daemon, CWM recovery mode, or
  SU binary (Superuser/SuperSU)
- Data parsing and decoding for Folder structure, Tarball files (from nanddroid
  backups), and Android Backup ('backup.ab' files)
- Selection of individual database decoders for Android and Apple
- Decryption of encrypted WhatsApp archived databases (msgstore.db.crypt,
  msgstore.db.crypt5, msgstore.db.crypt7, msgstore.db.crypt8)
- Lockscreen cracking for Pattern, PIN, Password
- Unpacking the Android backup files
Database Decoders
This feature allows importing individual App database files for automated
parsing of the data. There are decoders mainly for Android and some for Apple
iOS Apps. Once successfully decoded, reports will be shown in your web browser.
Databases can be exported from mainstream forensic tools, such as XRY, UFED
Cellebrite, Oxygen Forensic, and imported into Andriller for individual
decoding. Andriller's reports offer cleaner output data. For a full list of
supported databases see the bottom of this page, or see the decoders section.
Data Extraction from Androids
Connect an Android device by a USB cable, have USB Debugging enabled, and make
sure the device drivers are installed.
First, select the [Output] directory where you wish extraction data to be saved
to. Second, click [Check] to see if Andriller detected your connected device.
You may wish Andriller to open the Report on the extraction's completion, or to
ignore root permissions (it would then extract by the Android Backup method for
Androids 4.x). To begin, hit the [Go!] button to commence data extraction.
Andriller should run, download any data, and decode it all at once.
Note 1: Android version 4.2.2+ requires you to authorise the PC by accepting
its RSA fingerprint. Please do so, and tick the box to remember it for the
future.
Note 2: Devices with the Superuser or SuperSU App require you to authorise root
access from an unlocked screen. Please grant permissions if requested.
Data Parsing
Folder Structure
This will parse folder structures from Android filesystems and will produce
Andriller style reports. These could be exports of filesystem from raw image
files, or from 'adb pull /data' extractions, or unpacked '.tar' files
content.
Tarball Files
This will parse and decode nanddroid backup files such as 'data.tar'
(including concatenated files), and will produce Andriller style reports.
Nanddroid tarball backups are usually produced by custom recoveries, such as
ClockWorkMod and TWRP.
Android Backup Files
This will parse and decode 'backup.ab' files, and will produce Andriller
style reports.
Reporting
After the data extraction finishes, all data is saved in a folder in the
directory specified before extraction. The main index file of the extraction is
REPORT.html. It will contain the summary of the device examined, and will list
any data extracted. From there, you can navigate to other extracted data, like
SMS or Contacts. An Excel REPORT.xlsx is also produced at the same time, which
contains all data in one file.
There will also be the following files and folders, which may be of interest:
- db/ - folder where downloaded databases are extracted to
- __backup__/ - folder where decoded databases are backed up before decoding
- db/md5sums.txt - file containing MD5 hashes of the databases after they were
  downloaded, but before the content was decoded
- log-errors.txt - text file containing a log of any downloading or decoding
  failures or errors
- backup.ab - if a backup method was used, the full backup file will also be
  stored in the directory
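The md5sums.txt file is what lets an examiner show that the downloaded databases were not altered after acquisition. The following is an added example (not Andriller's own code) of re-checking those hashes; it assumes md5sums.txt uses the common md5sum(1) layout of "<hex md5>  <file name>" per line, and the database names and contents below are constructed sample data.

```python
import hashlib


def parse_md5sums(text: str) -> dict:
    """Parse md5sum-style lines ('<md5 hex>  <name>', or '*<name>') into {name: md5}.

    The layout of db/md5sums.txt is assumed to follow md5sum(1) output.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        expected[name.lstrip(" *")] = digest.lower()
    return expected


def verify_databases(md5sums_text: str, files: dict) -> dict:
    """Check each recorded database against its stored hash.

    `files` maps file name -> bytes (in real use, read from the db/ folder).
    Returns name -> "ok", "MISMATCH" (content changed since download) or
    "MISSING" (listed in md5sums.txt but not present).
    """
    status = {}
    for name, digest in parse_md5sums(md5sums_text).items():
        data = files.get(name)
        if data is None:
            status[name] = "MISSING"
        elif hashlib.md5(data).hexdigest() == digest:
            status[name] = "ok"
        else:
            status[name] = "MISMATCH"
    return status


# Constructed sample: two tiny stand-ins for databases, an md5sums.txt written
# for them, plus one entry for a file that is not present in the folder.
SAMPLE_FILES = {
    "mmssms.db": b"constructed sample contents 1",
    "contacts2.db": b"constructed sample contents 2",
}
SAMPLE_MD5SUMS = "".join(
    "%s  %s\n" % (hashlib.md5(data).hexdigest(), name)
    for name, data in SAMPLE_FILES.items()
) + "d41d8cd98f00b204e9800998ecf8427e  missing.db\n"
```

Running verify_databases over the real db/ folder (reading each file as bytes) reports any database whose content no longer matches the hash recorded at download time.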
Lockscreens Bypass
Andriller has the means of decoding pattern locks, and cracking PIN codes and
Passwords.
Pattern, PIN and Password Cracking
These features require a little more processing power, so they are best
performed locally on your own machine. The methods are explained below.
Get Salt from...
Salt is an integer value, which is required for cracking the passwords. Salt
can be a positive as well as a negative integer. The salt value can be obtained
by parsing the settings.db or locksettings.db files; when successfully fetched,
the Salt value will be printed into the main terminal window.
Gesture Pattern Decoding
To decode a Pattern lock, click [Browse] and select the gesture.key file
located at /data/system/gesture.key on your Android device. Else, just submit
the gesture pattern hash (hexadecimal string of the gesture.key file), and
click [Decode].
When decoded, the pattern will be shown as a sequence list. When the Pattern
field is filled, click [Draw] and the pattern will be displayed in a visualised
form.
Right-click on the drawn pattern to save it as a PostScript file.
Tip: if you wish to draw a pattern but don't have a gesture hash key or value,
you can double-click on the disabled Pattern field; this will re-enable the
field for editing. Enter the pattern in the form of a list, and click [Draw].
The pattern will be drawn, and can be saved as a file.
Lockscreen PIN code cracking
1. Select the start and max value of the PIN code. By default, the max value is
   set to 9999; increase it if required.
2. Enter the value of the password.key file.
3. Enter the salt value as an integer.
4. Press Start for cracking to begin.
Once Start is clicked, a percentage progress will be displayed.
You can pause and resume cracking at any time. The last tried PIN will be shown
just to let you know how far you've gone.
Also includes Samsung cracking, which uses a different type of password hashing
than other Android vendors.
Lockscreen Password cracking
1. Click Browse and select a word list file (recommended word list files to
   download from here).
2. Enter the value of the password.key file.
3. Enter the salt value as an integer.
4. Press Start for cracking to begin.
Once Start is clicked, each tried password will be displayed while cracking.
You can pause and resume cracking at any time, just like with PIN cracking.
Also includes Samsung cracking, which uses a different type of password hashing
than other Android vendors.
Lockscreen Password brute force
1. Select the maximum length of the password.
2. Select the characters believed to have been used in the password. Select
   combinations of lower/upper case characters, digits, or custom characters.
3. Enter the value of the password.key file.
4. Enter the salt value as an integer.
5. Press Start for cracking to begin.
This cracking method cannot be paused/resumed like the other methods.
Decrypt Encrypted Databases
Andriller supports decryption of encrypted WhatsApp databases:
- msgstore.db.crypt
- msgstore.db.crypt5
- msgstore.db.crypt7
- msgstore.db.crypt8
Plain Crypt (msgstore.db.crypt)
The encrypted database is automatically decrypted into an SQLite3 database.
Browse and select the encrypted file; Andriller will decode it to a new file in
the same directory.
msgstore.db.crypt ==> msgstore.db
Crypt5 (msgstore.db.crypt5)
To successfully decrypt this type of database, an email address is required,
which is the one synchronised with the Android device. Browse and select the
encrypted file; you will be prompted to enter the email address. Once
successful, it will decode to a new file in the same directory.
msgstore.db.crypt5 ==> msgstore.db
Crypt7, Crypt8 (msgstore.db.crypt7/msgstore.db.crypt8)
To successfully decrypt this type of database, an encryption key file is
required, from the following location:
'/data/data/com.whatsapp/files/key' <-- absolute path
'apps/com.whatsapp/f/key' <-- from Android backup
This file should be automatically extracted during a normal Andriller
extraction (root and AB), and saved in the 'db' folder of the extraction.
Browse and select the encrypted file; you will be prompted to browse and select
the key file next. Once successful, it will decode to a new file in the same
directory.
msgstore.db.crypt7 ==> msgstore.db
Decode & Merge Multiple Databases
Facebook
This utility will decode multiple Facebook databases and produce the combined
messages in one report (without duplicates). This is useful if attempting to
combine "threads_db2" databases from the com.facebook.katana and
com.facebook.orca application directories.
WhatsApp
This utility will decode multiple WhatsApp databases and produce the combined
messages in one report (without duplicates). Use recovered databases (from
/data/data/com.whatsapp) and decrypted backup databases (such as a decrypted
msgstore.db.crypt8 from /sdcard/WhatsApp/Databases).
Tools
Andriller has a feature to unpack Android backup files from
Android versions 4.x and above.
AB to TAR
Converts backup.ab file to Tarball.
backup.ab ==> backup.ab.tar
AB to folder
Converts and extracts backup.ab to a folder.
backup.ab ==> backup.ab_extracted/
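The AB to TAR conversion above works because an unencrypted backup.ab is a short text header in front of a (usually zlib-compressed) tar stream. The code below is an added example, not Andriller's own implementation; it assumes the four-line header layout (magic "ANDROID BACKUP", version, compression flag, encryption algorithm) and builds a constructed backup.ab in memory so it can run without a device.

```python
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"


def ab_to_tar(ab_bytes: bytes) -> bytes:
    """Return the tar stream inside an unencrypted Android backup (.ab).

    Assumed layout: four newline-terminated ASCII header lines (magic, version,
    compression flag, encryption algorithm), then the payload, which is
    zlib-compressed when the flag is "1".
    """
    rest = ab_bytes
    fields = []
    for _ in range(4):
        line, _, rest = rest.partition(b"\n")
        fields.append(line)
    magic, _version, compressed, encryption = fields
    if magic != AB_MAGIC:
        raise ValueError("not an Android backup file")
    if encryption != b"none":
        # Password-protected backups need key derivation first; not handled here.
        raise ValueError("encrypted backup: %s" % encryption.decode("ascii", "replace"))
    if compressed == b"1":
        return zlib.decompress(rest)
    if compressed == b"0":
        return rest
    raise ValueError("unknown compression flag %r" % compressed)


def make_sample_ab() -> bytes:
    """Build a small constructed backup.ab in memory (sample input, not a real device backup)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"sample note"
        info = tarfile.TarInfo("apps/com.example.app/f/note.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    header = b"\n".join([AB_MAGIC, b"1", b"1", b"none"]) + b"\n"
    return header + zlib.compress(buf.getvalue())


def tar_member_names(tar_bytes: bytes) -> list:
    """List the entries of a tar stream, to confirm the conversion produced a valid archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return tar.getnames()
```

To mirror the tool's naming, write the bytes returned by ab_to_tar(open("backup.ab", "rb").read()) to backup.ab.tar.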
Configurations (Preferences)
Configuration preferences are located at File > Configurations.
- Default Output path - this is the location where Andriller defaults its
  OUTPUT location for extractions and database decoding.
- Cracking update rate - for Lockscreen cracking, after every this many
  passwords tried the Andriller window will update the progress. The lower the
  number, the slower cracking performance will be. Samsung type cracking will
  be slower by a factor of 1000 due to the more complex password encoding used.
- Offline mode - every time Andriller starts it checks for the latest version.
  This step can be skipped by setting Andriller offline. This may speed up the
  application's startup.
- Window size - this sets the Andriller log window to "Small" (12 lines) or
  "Regular" (20 lines). The smaller window size is a better fit on Netbooks and
  smaller resolution monitors.
- Auto save log - when an extraction is complete, the items in the log will be
  automatically saved in the output folder under the name "andriller.log".