Andriller - Android Forensic Tools

Andriller is a software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. Its features include lockscreen cracking for Pattern, PIN code or Password, and custom decoders for app data from Android (and some Apple iOS and Windows) databases, used to decode communications. Extractions and decoders produce reports in HTML and Excel formats.

Basic Setup

Andriller is a cross-platform application for Microsoft Windows and Ubuntu Linux. The lightweight Windows setup installer only requires the Microsoft Visual C++ 2010 Redistributable Package (x86), the USB drivers for your Android device, and a web browser for viewing results. The Ubuntu version needs the "android-tools-adb" package installed. Simple.

Features


  • Automated data extraction and decoding

  • Data extraction from non-rooted devices via Android Backup (Android versions 4.x)

  • Data extraction with root permissions: root ADB daemon, CWM recovery mode, or SU binary (Superuser/SuperSU)

  • Data parsing and decoding of folder structures, tarball files (from nandroid backups), and Android Backup ('backup.ab') files

  • Selection of individual database decoders for Android and Apple

  • Decryption of encrypted WhatsApp archived databases (msgstore.db.crypt to *.crypt12)

  • Lockscreen cracking for Pattern, PIN, Password

  • Unpacking the Android backup files

  • Screen captures of device display
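Pattern cracking, as listed above, is an exhaustive search rather than a weakness in the device: on Android 2.x to 4.x the unlock pattern lives in /data/system/gesture.key as the raw, unsalted SHA-1 of the pattern's cell indices, and there are only 389,112 patterns Android will accept. The following is an added example written for this page, not Andriller's own cracker; the sample key is constructed from a known pattern rather than read from a handset.

```python
import hashlib

# Added example (not Andriller's code). Legacy Android (2.x to 4.x) keeps the unlock
# pattern in /data/system/gesture.key as the 20-byte, unsalted SHA-1 of the sequence
# of cell indices (0..8, row-major on the 3x3 grid).
GRID = 3


def is_valid_move(path, nxt):
    """Android pattern rule: a cell is used once, and a stroke may not jump over
    an unvisited cell (0 -> 2 is only allowed once 1 has already been visited)."""
    if nxt in path:
        return False
    if not path:
        return True
    r1, c1 = divmod(path[-1], GRID)
    r2, c2 = divmod(nxt, GRID)
    if (r1 + r2) % 2 == 0 and (c1 + c2) % 2 == 0:   # midpoint lands on a grid cell
        mid = ((r1 + r2) // 2) * GRID + (c1 + c2) // 2
        if mid not in path:
            return False
    return True


def patterns(min_len=4, max_len=9):
    """Enumerate every pattern Android accepts (4 to 9 cells)."""
    def walk(path):
        if len(path) >= min_len:
            yield tuple(path)
        if len(path) == max_len:
            return
        for nxt in range(GRID * GRID):
            if is_valid_move(path, nxt):
                path.append(nxt)
                yield from walk(path)
                path.pop()
    yield from walk([])


def pattern_hash(cells):
    return hashlib.sha1(bytes(cells)).digest()


def crack_gesture_key(key_bytes):
    """Return the cell sequence whose SHA-1 equals the 20-byte gesture.key, or None."""
    if len(key_bytes) != 20:
        raise ValueError("gesture.key should be exactly 20 bytes (a raw SHA-1)")
    for cells in patterns():
        if pattern_hash(cells) == key_bytes:
            return cells
    return None


def count_patterns():
    return sum(1 for _ in patterns())


# Constructed sample: what an examiner would read from gesture.key for pattern 0-1-2-5-8
SAMPLE_KEY = pattern_hash((0, 1, 2, 5, 8))

if __name__ == "__main__":
    print("patterns in key space:", count_patterns())
    print("recovered pattern:", crack_gesture_key(SAMPLE_KEY))
```

Reading gesture.key in the first place needs root or a custom recovery, which is why the page lists root ADB, CWM recovery or an SU binary as acquisition routes. Android 5 and later no longer store patterns this way.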

Database Decoders

This feature allows importing individual App database files for automated parsing of the data. There are decoders mainly for Android Apps and some for Apple iOS Apps. Once successfully decoded, reports are shown in your web browser. Databases can be exported from mainstream forensic tools, such as XRY, Cellebrite UFED and Oxygen Forensic, and imported into Andriller for individual decoding; Andriller's reports are often cleaner than the output of those tools.
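What a database decoder does in practice, as an added example that is not Andriller's code: open the evidence copy of Android's stock SMS database (mmssms.db, 'sms' table) strictly read-only, turn the rows into records, and render an HTML report. The table layout used here (address, date in milliseconds since the epoch, type, body) is the standard one; the rows are constructed for the demo, and the last one shows why every field must be HTML-escaped before it reaches the examiner's browser.

```python
import html
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Added example (not Andriller's decoder). Stock Android keeps SMS in
# /data/data/com.android.providers.telephony/databases/mmssms.db.
SMS_FOLDERS = {1: "Inbox", 2: "Sent", 3: "Draft", 4: "Outbox", 5: "Failed", 6: "Queued"}


def decode_sms(db_path):
    """Read the sms table from an evidence copy without ever writing to it."""
    # mode=ro refuses writes; immutable=1 also stops SQLite creating -journal/-wal
    # side files next to the evidence, which would change the directory's hashes.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT _id, address, date, type, body FROM sms ORDER BY date"
        ).fetchall()
    finally:
        con.close()
    return [
        {
            "id": _id,
            "address": address,
            "time_utc": datetime.fromtimestamp(date / 1000, tz=timezone.utc)
            .strftime("%Y-%m-%d %H:%M:%S"),
            "folder": SMS_FOLDERS.get(kind, f"type {kind}"),
            "body": body or "",
        }
        for _id, address, date, kind, body in rows
    ]


def render_html(records, title="SMS messages"):
    """Build the report. Every field is escaped: message bodies are text chosen by
    whoever sent them and must not become markup in the examiner's browser."""
    cols = ("id", "address", "time_utc", "folder", "body")
    head = "".join(f"<th>{html.escape(c)}</th>" for c in cols)
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(r[c]))}</td>" for c in cols) + "</tr>"
        for r in records
    )
    return (
        "<!DOCTYPE html><html><head><meta charset='utf-8'>"
        f"<title>{html.escape(title)}</title></head><body>"
        f"<h1>{html.escape(title)}</h1><table><tr>{head}</tr>{body}</table></body></html>"
    )


# Constructed sample rows, not data from a real handset.
SAMPLE_ROWS = [
    ("+441234567890", 1417089600000, 1, "Meet at 3?"),
    ("+441234567890", 1417089720000, 2, "Yes, see you there"),
    ("+449876543210", 1417100000000, 1, "<script>alert('report xss')</script>"),
]


def build_sample_db(path):
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
        "date INTEGER, type INTEGER, body TEXT)"
    )
    con.executemany("INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def demo():
    """Create the sample database in a scratch directory, decode it, render it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "mmssms.db")
        build_sample_db(db)
        records = decode_sms(db)
        report = render_html(records)
        side_files = [f for f in os.listdir(tmp) if f != "mmssms.db"]
    return records, report, side_files


if __name__ == "__main__":
    recs, page, extra = demo()
    print(len(recs), "messages decoded; extra files created:", extra)
    print(page)
```

Opening the copy with mode=ro and immutable=1 is the programmatic equivalent of the read-only acquisition the page promises: the decoder can be run against the db/ folder again later and the hashes recorded at download time will still match.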

Data Extraction from Androids

Connect the Android device with a USB cable, with USB Debugging enabled on the device, and make sure the device drivers are installed.

First, select the [Output] directory where you wish the extracted data to be saved. Second, click [Check] to see whether Andriller has detected the connected device. You may also tick the options to open the Report when the extraction completes, or to ignore root permissions (in which case extraction falls back to the Android Backup method on Android 4.x). To begin, hit the [Go!] button; Andriller will run, download the data, and decode it all in one pass.

Note 1: Android 4.2.2 and later requires you to authorise the PC by accepting its RSA key fingerprint on the device. Please do so, and tick the box to remember it for future sessions.

Note 2: Devices with the Superuser or SuperSU app require root access to be authorised from an unlocked screen. Please grant permission if prompted.

Data Parsing

Folder Structure
This will parse folder structures from Android filesystems and will produce Andriller-style reports. These could be filesystem exports from raw image files, 'adb pull /data' extractions, or the unpacked contents of '.tar' files.

Tarball Files
This will parse and decode nandroid backup files such as 'data.tar' (including concatenated files), and will produce Andriller-style reports. Nandroid tarball backups are usually produced by custom recoveries, such as ClockworkMod and TWRP.

Android Backup Files
This will parse and decode 'backup.ab' files, and will produce Andriller-style reports.
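The 'backup.ab' format that both the "Unpacking the Android backup files" feature and this parser deal with is simple: four text lines (magic, version, compressed flag, encryption) followed by a zlib-compressed tar archive. The following is an added example, not Andriller's unpacker; the backup it builds is constructed in memory from placeholder file contents, and password-encrypted (AES-256) backups are deliberately rejected rather than decrypted.

```python
import io
import tarfile
import zlib

# Added example (not Andriller's unpacker). An 'adb backup' file is four text lines
# followed by the payload:
#   ANDROID BACKUP\n   magic
#   <version>\n        1 on Android 4.x (later releases bumped it)
#   <compressed>\n     1 = payload is a zlib (Deflate) stream, 0 = raw tar
#   <encryption>\n     "none" or "AES-256" (password-derived key; not handled here)
# The payload is a tar archive whose entries look like apps/<package>/db/<file>.
MAGIC = b"ANDROID BACKUP"


def parse_header(data):
    """Split the blob into its header fields and the raw (still compressed) payload."""
    parts = data.split(b"\n", 4)
    if len(parts) != 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup file (missing ANDROID BACKUP magic)")
    fields = {
        "version": int(parts[1]),
        "compressed": parts[2] == b"1",
        "encryption": parts[3].decode("ascii", "replace"),
    }
    return fields, parts[4]


def unpack_ab(data):
    """Return (header fields, tar bytes) for an unencrypted backup."""
    fields, payload = parse_header(data)
    if fields["encryption"] != "none":
        raise NotImplementedError(
            f"backup is {fields['encryption']} encrypted; the user's backup password is needed"
        )
    tar_bytes = zlib.decompress(payload) if fields["compressed"] else payload
    return fields, tar_bytes


def extract_files(tar_bytes):
    """Map entry name -> content, read from memory. Pulling entries out this way
    instead of extractall() means a crafted name such as '../../x' can never
    escape the output directory."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf.getmembers():
            if member.isfile():
                out[member.name] = tf.extractfile(member).read()
    return out


# Constructed sample content; real entries would be whole SQLite databases.
SAMPLE_FILES = {
    "apps/com.android.providers.telephony/_manifest": b"com.android.providers.telephony\n",
    "apps/com.android.providers.telephony/db/mmssms.db": b"SQLite format 3\x00" + b"\x00" * 16,
    "apps/com.whatsapp/db/msgstore.db": b"SQLite format 3\x00" + b"\x01" * 16,
}


def build_sample_ab(version=1):
    """Pack SAMPLE_FILES the way adb backup would: tar, zlib, four-line header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, content in SAMPLE_FILES.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return MAGIC + b"\n" + f"{version}\n1\nnone\n".encode() + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    header, tar_data = unpack_ab(build_sample_ab())
    print(header)
    for name, content in extract_files(tar_data).items():
        print(f"{len(content):6d}  {name}")
```

Because the compressed flag and the encryption field are plain text, the header can be inspected before committing to a full unpack; an encrypted backup is the one case the backup method cannot help with unless the examiner knows the password the user set.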

Reporting

After the data extraction finishes, all data is saved in a folder under the output directory specified before extraction. The main index file of the extraction is REPORT.html. It contains a summary of the device examined and lists all data extracted; from there you can navigate to the other extracted data, such as SMS or Contacts. An Excel file, REPORT.xlsx, is produced at the same time and contains all the data in one file.

There will also be the following files and folders, which may be of interest:

db/ - folder where the downloaded databases are stored
__backup__/ - folder holding untouched copies of the databases, taken before decoding
db/md5sums.txt - file containing MD5 hashes of the databases after they were downloaded, but before their content was decoded
log-errors.txt - text file containing a log of any download or decoding failures or errors
backup.ab - if the backup method was used, the full backup file is also stored in the directory
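The md5sums.txt file is the integrity record for the db/ folder: hashes taken once the databases were downloaded and before any decoder opened them. The following is an added example of producing and later re-checking such a file; it is not Andriller's code, and it assumes the usual md5sum layout of "<hex digest>  <path relative to db/>" per line. The db/ folder it hashes is constructed in a scratch directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not Andriller's own code). Assumed layout of md5sums.txt:
# "<hex digest>  <path relative to db/>", one file per line (md5sum style).
SUMS_NAME = "md5sums.txt"


def md5_file(path, chunk=1 << 20):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_md5sums(db_dir):
    """Hash every downloaded file, before any decoder opens it."""
    db_dir = Path(db_dir)
    lines = [
        f"{md5_file(p)}  {p.relative_to(db_dir).as_posix()}"
        for p in sorted(db_dir.rglob("*"))
        if p.is_file() and p.name != SUMS_NAME
    ]
    (db_dir / SUMS_NAME).write_text("\n".join(lines) + "\n")
    return lines


def verify_md5sums(db_dir):
    """Re-hash and return [(name, expected, actual)] for anything changed or missing."""
    db_dir = Path(db_dir)
    problems = []
    for line in (db_dir / SUMS_NAME).read_text().splitlines():
        if not line.strip():
            continue
        expected, name = line.split("  ", 1)
        target = db_dir / name
        actual = md5_file(target) if target.is_file() else None   # None = file missing
        if actual != expected:
            problems.append((name, expected, actual))
    return problems


def demo():
    """Constructed db/ folder: hash it, verify it is clean, tamper, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "db"
        (db / "com.android.providers.telephony").mkdir(parents=True)
        (db / "com.android.providers.telephony" / "mmssms.db").write_bytes(
            b"SQLite format 3\x00" + b"\x00" * 32)
        (db / "contacts2.db").write_bytes(b"SQLite format 3\x00" + b"\x01" * 32)
        written = write_md5sums(db)
        clean = verify_md5sums(db)
        # A decoder that opened a database read-write would leave it changed:
        with open(db / "contacts2.db", "ab") as f:
            f.write(b"\x02")
        tampered = verify_md5sums(db)
    return written, clean, tampered


if __name__ == "__main__":
    written, clean, tampered = demo()
    print("\n".join(written))
    print("before tampering:", clean)
    print("after tampering:", tampered)
```

MD5 is adequate for spotting accidental modification of evidence copies, which is what this file is for; for a chain-of-custody record that has to withstand a deliberate substitution, note a SHA-256 of the same files alongside it.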
