Mobile Forensics: UFED vs Magnet ACQUIRE

Magnet Acquire (Magnet Forensics) is a free forensic tool that is becoming more and more popular. Among other devices, you can use it for forensic acquisition of Android smartphones and tablets. Since extracted data is stored in an archive of its own format, it is not always possible to analyze them with other mobile forensic tools. This article will show you how to analyze a logical image created with Acquire using UFED Physical Analyzer (Cellebrite).

 

How Magnet Acquire works.

When extracting data from an Android mobile device, Magnet Acquire performs the following steps:

1) Creates a backup of this device.

2) Installs an agent app on the device.

3) Uses this app to retrieve some types of data and copies files from the device’s SD card (if present).

4) Repacks all extracted data and files into one file.

Structure of an Acquire logical image.

Here is the image of the folder with an Acquire logical image.

Fig. 1. Samsung smartphone logical image created with Magnet Acquire

 

Where:

– ‘activity_log.txt’ contains extraction log.

– ‘image_info.txt’ contains summary report.

Imager Product: Magnet ACQUIRE Imager Version: 2.0.1.5875   Examiner Name: Evidence Number: Description:   Relative Activity Log Path: activity_log.txt Original Activity Log Path: C:\Users\JohnSmith\Desktop\Android Image – 2017-04-15 02-26-12\activity_log.txt Activity Log MD5 Hash: 2ABDCFDD59D34E68D53B3A1D2B3B7E14   Output Directory: Android Image – 2017-04-15 02-26-12 Full Output Directory: C:\Users\JohnSmith\Desktop\Android Image – 2017-04-15 02-26-12   Total Segments: 1   Relative Segment 1 Path: amsung SAMSUNG-SM-G900A Quick Image.zip Full Segment 1 Path: C:\Users\JohnSmith\Desktop\Android Image – 2017-04-15 02-26-12\samsung SAMSUNG-SM-G900A Quick Image.zip Segment 1 MD5 Hash: E52F3AE87812206FC0352B4615B6DD28 Segment 1 SHA1 Hash: E3322B732413DD2E811418B3E0C76EF8AFE13355   Imaging Start UTC: 2017-04-15 07:26:24 Imaging Start UTC Ticks: 636278379842607163 Imaging End UTC: 2017-04-15 07:37:57 Imaging End UTC Ticks: 636278386777205242   Device Information Manufacturer: amsung Product Model: SAMSUNG-SM-G900A Operating System Version: 6.0.1 Unique Identifier: 8dd665c8 Serial Number: 8dd665c8   Additional Device Information Boot Serial Number: 8dd665c8 Bootloader: G900AUCS4DQC1 Build PDA: G900AUCS4DQC1 Build Date UTC: 1488437396 Hidden Build version: G900AUCS4DQC1 Build ID: MMB29M SDK Version: 23 Chip Name: MSM8974PRO GSM Version: 6.0_r8 Device Encryption: unencrypted Product Board: MSM8974 Product Brand: amsung CPU ABI: armeabi-v7a CPU ABI 2: armeabi Product Device: klteatt Product Name: klteuc First Boot: 1492207837383

Fig. 2. Summary report.

File ‘samsung SAMSUNG-SM-G900A Quick Image.zip’ – Samsung smartphone logical image.

 

 

The structure of ‘SAMSUNG-SM-G900A Quick Image.zip’ file.

‘samsung SAMSUNG-SM-G900A Quick Image.zip’ contains the following files and folders:

Fig. 3. ‘SAMSUNG-SM-G900A Quick Image.zip’ contents.

‘Agent Data’ folder contains files: ‘calendar.db’, ‘contacts2.db’, ‘contacts3.db’, ‘mmssms.db’, ‘wifi.db’.

 

NOTE: For QUICK logical images of Android devices, Magnet ACQUIRE is designed to use the ADB process to acquire the application data from the device. It uses the agent application to acquire select application data that may be available to be obtained in addition to the ADB-recovered data (for example, SMS/MMS, Contacts, browser history etc) if it wasn’t found in the ADB backup. As the Wifi details recovered by the ACQUIRE agent are not stored in a database the Wifi.db is a schema created by Magnet development team to house the details which are obtained from the Android WifiManager.

 

 

‘sdcard’ folder contains files copied from the SD card of the Android device.

‘adb-data.tar’ contains the Android device backup.

Preparation for the analysis.

1. Unzip the file ‘adb-data.tar’.
2. Transfer databases from the ‘Agent Data’ directory to the appropriate sub-directories of apps:

• Move the files ‘contacts2.db’, ‘contacts3.db’ from ‘Agent Data’ to the created subfolder ‘com.android.providers.contacts’.
• Move the file ‘mmssms.db’ into the created subfolder ‘com.android.providers.telephony / databases’.
• Move the file ‘calendar.db’ into the created subfolder ‘com.android.providers.calendar / db’.
• Move the file ‘wifi.db’ into the created subfolder ‘databases’.

 

3. Place the ‘apps’ and ‘sdcard’ directories into the ‘Prepared Magnet Backup’ directory.

 

 

Preliminary analysis.

Start UFED Physical Analyzer.

On the toolbar, select ‘File’ – ‘Open (Advanced) …’.

In the ‘Open (Advanced)’ window, click the ‘Select Device’ button.

In the next window, select ‘Google’ and the device ‘Google Android Filesystem (Generic)’

Fig. 4. The ‘Open (Advanced)’ window.

Click the ‘Next’ button. Click the ‘Next’ button again. In the next window, click the ‘Folder’ button, specify the path to the folder ‘Prepared Magnet Backup’. Click the ‘Finish’ button. Processing will start.

Fig. 5. Results of the preliminary analysis.

Finally, you can see the results of the analysis in UFED Physical Analyzer. Click on the ‘Databases’ category. It shows that ‘contacts3.db’, ‘calendar.db’, ‘wifi.db’ have not been parsed.

Fig. 6.Databases analysis results.

You can use SQLite Wizard to analyze these files.

 

Databases parsing queries creation.

We are going to use ‘wifi.db’ to show you how to parse unknown databases with SQLite Wizard. Similar steps are required to parse other databases.

In the ‘Databases’ category, select the ‘wifi.db’ file. Right-click it and select ‘Open in SQLite Wizard’.

In the ‘SQLite Wizard’ window, fill in two fields: ‘Application’ and ‘Name’. Tick the ‘Include deleted rows’ box, doing it you may extract more evidence, but also it can result in increased number of false-positives. Click the ‘Next’ button.

Fig. 7. ‘SQLite wizard’ window.

In the next window, select ‘wifi_configurations’. In the opened tab ‘wifi_configurations’ put a tick in front of ‘*’. Click the ‘Next’ button.

Fig. 8. ‘SQLite Wizard’ window.

In the next window select ‘Wireless Networks’

Fig. 9. ‘SQLite Wizard’.

Drag field types to the corresponding columns.

In the next window, select ‘Wireless Networks’.

Fig. 10. ‘SQLite Wizard’.

Click the ‘Next’ button. Click the ‘Save’ button.

Repeat the steps for other databases if you want to.

 

Analysis of ‘wifi.db’, ‘contacts3.db’ and ‘calendar.db’ databases.

On the toolbar, choose ‘Tools’ – ‘SQLite wizard’ – ‘Open SQLite query manager’ (or press Ctrl + Q).

In the window that opens, hold down the ‘Ctrl’ key, select ‘wifi.db’, ‘contacts3.db’, ‘calendar.db’. Click the ‘Run’ button.

 

Fig. 11. ‘Open SQLite query manager’.

As a result of the additional analysis:

– a new category ‘Calendar’ has appeared;

– the number of detected and restored records in categories ‘Contacts’ and ‘Wireless Networks’ has  been increased.

Fig. 12. Results of the analysis

 

 

Conclusion

As you can see, you can use not only IEF or Axiom for processing Magnet Acquire Android logical images. In the article we have shown how to do it with UFED Physical Analyzer, including it’s brand new module – SQLite Wizard.

 

Authors:

Igor Mikhaylov & Oleg Skulkin  & Igor Shorokhov