Showing posts from March, 2021

Triaging modern Android devices (aka android_triage bash script)

When dealing with mobile devices, you need to follow a procedure that includes various stages from identification to reporting. One of the key-point in this process is the  acquisition , where we extract a copy of the data stored in the mobile device.  While evaluating your acquisition method, you should always consider the old but gold rule of the  order of volatility  ( RFC 3227  - " When collecting evidence you should proceed from the volatile to the less volatile "). Our general goal is to obtain a physical dump of the internal memory, from the very first to the very last bit. On most modern smartphone devices, where file-based encryption (FBE) is in use, a full file system is typically our "best evidence".  These extraction methods often rely on vulnerabilities and exploits (either at the hardware or the software level) developed to overcome device security. We use various tools and techniques and sometimes also a physical approach. In some cases, especially