Mobile Forensics: UFED vs Magnet ACQUIRE

Magnet Acquire (Magnet Forensics) is a free forensic tool that is becoming more and more popular. Among other devices, you can use it for forensic acquisition of Android smartphones and tablets. Since extracted data is stored in an archive of its own format, it is not always possible to analyze them with other mobile forensic tools. This article will show you how to analyze a logical image created with Acquire using UFED Physical Analyzer (Cellebrite).


How Magnet Acquire works.

When extracting data from an Android mobile device, Magnet Acquire performs the following steps:

1) Creates a backup of this device.

2) Installs an agent app on the device.

3) Uses this app to retrieve some types of data and copies files from the device’s SD card (if present).

4) Repacks all extracted data and files into one file.

Structure of an Acquire logical image.

Here is a screenshot of the folder containing an Acquire logical image.

Fig. 1. Samsung smartphone logical image created with Magnet Acquire


Where:

– ‘activity_log.txt’ contains the extraction log.

– ‘image_info.txt’ contains the summary report:

Imager Product: Magnet ACQUIRE

Imager Version: 2.0.1.5875


Examiner Name:

Evidence Number:

Description:


Relative Activity Log Path: activity_log.txt

Original Activity Log Path: C:\Users\JohnSmith\Desktop\Android Image – 2017-04-15 02-26-12\activity_log.txt

Activity Log MD5 Hash: 2ABDCFDD59D34E68D53B3A1D2B3B7E14


Output Directory: Android Image – 2017-04-15 02-26-12

Full Output Directory: C:\Users\JohnSmith\Desktop\Android Image – 2017-04-15 02-26-12


Total Segments: 1


Relative Segment 1 Path: amsung SAMSUNG-SM-G900A Quick Image.zip

Full Segment 1 Path: C:\Users\JohnSmith\Desktop\Android Image – 2017-04-15 02-26-12\samsung SAMSUNG-SM-G900A Quick Image.zip

Segment 1 MD5 Hash: E52F3AE87812206FC0352B4615B6DD28

Segment 1 SHA1 Hash: E3322B732413DD2E811418B3E0C76EF8AFE13355


Imaging Start UTC: 2017-04-15 07:26:24

Imaging Start UTC Ticks: 636278379842607163

Imaging End UTC: 2017-04-15 07:37:57

Imaging End UTC Ticks: 636278386777205242


Device Information

Manufacturer: amsung

Product Model: SAMSUNG-SM-G900A

Operating System Version: 6.0.1

Unique Identifier: 8dd665c8

Serial Number: 8dd665c8


Additional Device Information

Boot Serial Number: 8dd665c8

Bootloader: G900AUCS4DQC1

Build PDA: G900AUCS4DQC1

Build Date UTC: 1488437396

Hidden Build version: G900AUCS4DQC1

Build ID: MMB29M

SDK Version: 23

Chip Name: MSM8974PRO

GSM Version: 6.0_r8

Device Encryption: unencrypted

Product Board: MSM8974

Product Brand: amsung

CPU ABI: armeabi-v7a

CPU ABI 2: armeabi

Product Device: klteatt

Product Name: klteuc

First Boot: 1492207837383

Fig. 2. Summary report.

– ‘samsung SAMSUNG-SM-G900A Quick Image.zip’ is the Samsung smartphone logical image.
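The hash fields in the summary report are what an examiner checks before relying on the image. The script below is an added example, not part of Magnet ACQUIRE or of this article: it parses the ‘Key: Value’ lines of image_info.txt, recomputes the MD5 and SHA1 of every segment and the MD5 of activity_log.txt, and flags any mismatch. The sample output folder it builds is constructed here with hashes computed on the spot rather than taken from the report; because the report above lists the segment as ‘amsung …’ while its full path ends in ‘samsung …’, the check falls back to the file name from the ‘Full Segment’ path when the relative one is not found.

```python
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath


def parse_image_info(text: str) -> dict:
    """'Key: Value' lines of image_info.txt -> dict; section headings and empty fields are skipped."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep and v.strip()}


def file_digest(path: Path, algo: str) -> str:
    """Upper-case hex digest, the form ACQUIRE writes into the report."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def verify_image(image_dir: Path) -> dict:
    """Return {file name: True/False} for the activity log and every segment listed in the report."""
    info = parse_image_info((image_dir / "image_info.txt").read_text(encoding="utf-8"))
    log = image_dir / info["Relative Activity Log Path"]
    results = {log.name: file_digest(log, "md5") == info["Activity Log MD5 Hash"]}
    for n in range(1, int(info["Total Segments"]) + 1):
        seg = image_dir / info[f"Relative Segment {n} Path"]
        if not seg.exists():  # relative name may be clipped (‘amsung …’ above): use the Full path's name
            seg = image_dir / PureWindowsPath(info[f"Full Segment {n} Path"]).name
        results[seg.name] = (file_digest(seg, "md5") == info[f"Segment {n} MD5 Hash"]
                             and file_digest(seg, "sha1") == info[f"Segment {n} SHA1 Hash"])
    return results


def build_sample(tamper: bool = False) -> Path:
    """Construct a minimal ACQUIRE-style output folder; sample data, hashes computed here, not copied."""
    d = Path(tempfile.mkdtemp(prefix="acquire_"))
    seg = "samsung SAMSUNG-SM-G900A Quick Image.zip"
    (d / "activity_log.txt").write_bytes(b"constructed activity log\n")
    (d / seg).write_bytes(b"PK\x05\x06" + b"\x00" * 18)  # an empty zip container
    report = "\n".join([
        "Relative Activity Log Path: activity_log.txt",
        "Activity Log MD5 Hash: " + file_digest(d / "activity_log.txt", "md5"),
        "Total Segments: 1",
        "Relative Segment 1 Path: " + seg[1:],  # first letter dropped, as in the report above
        "Full Segment 1 Path: C:\\Users\\JohnSmith\\Desktop\\Android Image\\" + seg,
        "Segment 1 MD5 Hash: " + file_digest(d / seg, "md5"),
        "Segment 1 SHA1 Hash: " + file_digest(d / seg, "sha1"),
    ])
    (d / "image_info.txt").write_text(report, encoding="utf-8")
    if tamper:  # alter the log after its hash was recorded; verification must now flag it
        (d / "activity_log.txt").write_bytes(b"edited after imaging\n")
    return d
```

Run `verify_image(Path("Android Image - 2017-04-15 02-26-12"))` against a real output folder; any False entry means the file no longer matches what the imager recorded.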

The structure of ‘SAMSUNG-SM-G900A Quick Image.zip’ file.

‘samsung SAMSUNG-SM-G900A Quick Image.zip’ contains the following files and folders:

Fig. 3. ‘SAMSUNG-SM-G900A Quick Image.zip’ contents.

The ‘Agent Data’ folder contains the files ‘calendar.db’, ‘contacts2.db’, ‘contacts3.db’, ‘mmssms.db’ and ‘wifi.db’.

NOTE: For QUICK logical images of Android devices, Magnet ACQUIRE uses the ADB backup process to acquire application data from the device. It then uses the agent application to acquire selected application data (for example SMS/MMS, contacts and browser history) that may be available in addition to the ADB-recovered data, if that data was not found in the ADB backup. Because the Wi-Fi details recovered by the ACQUIRE agent are not stored in a database on the device, ‘wifi.db’ uses a schema created by the Magnet development team to hold the details obtained from the Android WifiManager.

The ‘sdcard’ folder contains the files copied from the SD card of the Android device.

The file ‘adb-data.tar’ contains the Android device backup.

Preparation for the analysis.

  1. Extract the file ‘adb-data.tar’.
  2. Transfer the databases from the ‘Agent Data’ directory to the appropriate app sub-directories:
  • Move the files ‘contacts2.db’ and ‘contacts3.db’ from ‘Agent Data’ to the created subfolder ‘com.android.providers.contacts’.
  • Move the file ‘mmssms.db’ into the created subfolder ‘com.android.providers.telephony/databases’.
  • Move the file ‘calendar.db’ into the created subfolder ‘com.android.providers.calendar/db’.
  • Move the file ‘wifi.db’ into the created subfolder ‘databases’.
  3. Place the ‘apps’ and ‘sdcard’ directories into the ‘Prepared Magnet Backup’ directory.
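The preparation steps above can be scripted. The code below is an added example, not the article's or Magnet's own: given an already unzipped quick image folder, it unpacks adb-data.tar into ‘Prepared Magnet Backup’, copies ‘sdcard’ next to the resulting ‘apps’ tree, and places each agent database into the subfolder the steps name. The ‘apps’ prefix for the app subfolders and the location of the ‘databases’ folder for ‘wifi.db’ are assumptions, and since the tar came off the device, members whose names would escape the output folder are dropped rather than extracted.

```python
import shutil
import tarfile
import tempfile
from pathlib import Path

# Target subfolder per agent database (article step 2). The ‘apps’ prefix (the tree adb-data.tar
# unpacks to, step 3) and the parent of ‘databases’ for wifi.db are assumptions, not stated in the text.
AGENT_DB_TARGETS = {
    "contacts2.db": "apps/com.android.providers.contacts",
    "contacts3.db": "apps/com.android.providers.contacts",
    "mmssms.db": "apps/com.android.providers.telephony/databases",
    "calendar.db": "apps/com.android.providers.calendar/db",
    "wifi.db": "databases",
}

def safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Extract only members that stay inside dest: the tar came off the device, so its names are untrusted."""
    dest = dest.resolve()
    for m in tar.getmembers():  # skip links and traversal names such as ../escape.txt
        if not (m.issym() or m.islnk()) and dest in (dest / m.name).resolve().parents:
            tar.extract(m, dest)

def prepare_backup(image_dir: Path, prepared: Path) -> dict:
    """Build the ‘Prepared Magnet Backup’ folder from an unzipped quick image; returns {db: target path}."""
    prepared.mkdir(parents=True, exist_ok=True)
    with tarfile.open(image_dir / "adb-data.tar") as tar:  # step 1: unpack the ADB backup
        safe_extract(tar, prepared)  # yields the ‘apps’ tree inside the prepared folder
    if (image_dir / "sdcard").is_dir():  # step 3: ‘sdcard’ sits next to ‘apps’
        shutil.copytree(image_dir / "sdcard", prepared / "sdcard")
    placed = {}
    for db, rel in AGENT_DB_TARGETS.items():  # step 2: agent databases into the app subfolders
        src = image_dir / "Agent Data" / db
        if src.is_file():
            (prepared / rel).mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, prepared / rel / db)
            placed[db] = f"{rel}/{db}"
    return placed

def demo() -> tuple:
    """Construct a tiny unzipped quick image (sample data in the Fig. 3 layout), prepare it, report."""
    out = Path(tempfile.mkdtemp(prefix="acquire_"))
    image = out / "samsung SAMSUNG-SM-G900A Quick Image"
    for rel in ["sdcard/DCIM/IMG_0001.jpg"] + [f"Agent Data/{db}" for db in AGENT_DB_TARGETS]:
        (image / rel).parent.mkdir(parents=True, exist_ok=True)
        (image / rel).write_bytes(b"SQLite format 3\x00" if rel.endswith(".db") else b"\xff\xd8")
    with tarfile.open(image / "adb-data.tar", "w") as tar:  # one real app file and one traversal attempt
        for name in ("apps/com.android.providers.telephony/databases/telephony.db", "../escape.txt"):
            tar.addfile(tarfile.TarInfo(name))  # zero-length members are enough for this check
    placed = prepare_backup(image, out / "Prepared Magnet Backup")
    return placed, (out / "Prepared Magnet Backup/sdcard/DCIM/IMG_0001.jpg").is_file(), (out / "escape.txt").exists()
```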

Preliminary analysis.

Start UFED Physical Analyzer.

On the toolbar, select ‘File’ – ‘Open (Advanced) …’.

In the ‘Open (Advanced)’ window, click the ‘Select Device’ button.

In the next window, select ‘Google’ and then the device ‘Google Android Filesystem (Generic)’.

Fig. 4. The ‘Open (Advanced)’ window.

Click the ‘Next’ button. Click the ‘Next’ button again. In the next window, click the ‘Folder’ button, specify the path to the folder ‘Prepared Magnet Backup’. Click the ‘Finish’ button. Processing will start.

Fig. 5. Results of the preliminary analysis.

Finally, you can see the results of the analysis in UFED Physical Analyzer. Click the ‘Databases’ category: it shows that ‘contacts3.db’, ‘calendar.db’ and ‘wifi.db’ have not been parsed.

Fig. 6. Databases analysis results.

You can use SQLite Wizard to analyze these files.

Creating database parsing queries.

We are going to use ‘wifi.db’ to show you how to parse unknown databases with SQLite Wizard. Similar steps are required to parse other databases.

In the ‘Databases’ category, select the ‘wifi.db’ file. Right-click it and select ‘Open in SQLite Wizard’.

In the ‘SQLite Wizard’ window, fill in two fields: ‘Application’ and ‘Name’. Tick the ‘Include deleted rows’ box: doing so may recover more evidence, but it can also increase the number of false positives. Click the ‘Next’ button.

Fig. 7. ‘SQLite wizard’ window.

In the next window, select ‘wifi_configurations’. In the ‘wifi_configurations’ tab that opens, tick the box in front of ‘*’. Click the ‘Next’ button.

Fig. 8. ‘SQLite Wizard’ window.

In the next window, select ‘Wireless Networks’.

Fig. 9. ‘SQLite Wizard’.

Drag field types to the corresponding columns.

In the next window, select ‘Wireless Networks’.

Fig. 10. ‘SQLite Wizard’.

Click the ‘Next’ button. Click the ‘Save’ button.

Repeat the steps for other databases if you want to.


Analysis of ‘wifi.db’, ‘contacts3.db’ and ‘calendar.db’ databases.

On the toolbar, choose ‘Tools’ – ‘SQLite wizard’ – ‘Open SQLite query manager’ (or press Ctrl + Q).

In the window that opens, hold down the ‘Ctrl’ key and select ‘wifi.db’, ‘contacts3.db’ and ‘calendar.db’. Click the ‘Run’ button.

Fig. 11. ‘Open SQLite query manager’.

As a result of the additional analysis:

– a new category ‘Calendar’ has appeared;

– the number of detected and recovered records in the ‘Contacts’ and ‘Wireless Networks’ categories has increased.

Fig. 12. Results of the analysis

Conclusion

As you can see, you can use not only IEF or AXIOM to process Magnet ACQUIRE Android logical images. In this article we have shown how to do it with UFED Physical Analyzer, including its brand-new module, SQLite Wizard.

Authors:

Igor Mikhaylov & Oleg Skulkin & Igor Shorokhov

1 Comment
  • 2017-05-13 at 2:51 PM

    Great write up @Igor_Mikhaylov
    We built ACQUIRE with the hopes that people would use it as an acquisition tool and analyze the data with whatever mobile forensics tools they have available (including AXIOM and IEF). We don’t do anything proprietary to our images to make it as easy as possible for users with multiple tools. The one difficulty you get with ACQUIRE images (which are just zip containers btw) comes when you try to integrate the additional agent data that doesn’t get included in a regular Android backup. AXIOM and IEF handle this just fine but some other tools might not recognize the database automatically without it being in the correct path or inside an image. We could just give you an Android backup but you would be missing the extra data that gets pulled from the agent.
    I’m actually writing up a few blogs right now on how to load various images from different tools as they’re all a little different and some are more challenging than others so I’ll definitely reference this write up.
    The key for examiners is to understand how these images are created and how to use them properly. As long as a tool vendor isn’t doing anything weird or proprietary, it should help strengthen their investigation and the tools they have at their disposal.
    Jamie McQuaid – Magnet Forensics
