androidqf (Android Quick Forensics) helps quickly gathering forensic evidence from Android devices, in order to identify potential traces of compromise.

Overview

androidqf

Go Report Card

androidqf (Android Quick Forensics) is a portable tool to simplify the acquisition of relevant forensic data from Android devices. It is the successor of Snoopdroid, re-written in Go and leveraging official adb binaries.

androidqf is intended to provide a simple and portable cross-platform utility to quickly acquire data from Android devices. It is similar in functionality to mvt-android. However, contrary to MVT, androidqf is designed to be easily run by non-tech savvy users as well.

Download androidqf

Build

Executable binaries for Linux, Windows and Mac should be available in the latest release. In case you have issues running the binary you might want to build it by yourself.

In order to build androidqf you will need Go 1.15+ installed. You will also need to install make. When ready you can clone the repository and run any of the following commands, for your platform of choice:

make linux
make darwin
make windows

These commands will generate binaries in a build/ folder.

How to use

Before launching androidqf you need to have the target Android device connected to your computer via USB, and you will need to have enabled USB debugging. Please refer to the official documentation on how to do this, but also be mindful that Android phones from different manufacturers might require different navigation steps than the defaults.

Once USB debugging is enabled, you can proceed launching androidqf. It will first attempt to connect to the device over the USB bridge, which should result in the Android phone to prompt you to manually authorize the host keys. Make sure to authorize them, ideally permanently so that the prompt wouldn't appear again.

Now androidqf should be executing and creating an acquisition folder at the same path you have placed your androidqf binary. At some point in the execution, androidqf will prompt you some choices: these prompts will pause the acquisition until you provide a selection, so pay attention.

The following data can be extracted:

  1. A list of all packages installed and related distribution files.
  2. (Optional) Copy of all installed APKs or of only those not marked as system apps.
  3. The output of the dumpsys shell command, providing diagnostic information about the device.
  4. The output of the getprop shell command, providing build information and configuration parameters.
  5. The output of the ps shell command, providing a list of all running processes.
  6. (Optional) A backup of SMS and MMS messages.

Encryption & Potential Threats

Carrying the androidqf acquisitions on an unencrypted drive might expose yourself, and even more so those you acquired data from, to significant risk. For example, you might be stopped at a problematic border and your androidqf drive could be seized. The raw data might not only expose the purpose of your trip, but it will also likely contain very sensitive data (for example list of applications installed, or even SMS messages).

Ideally you should have the drive fully encrypted, but that might not always be possible. You could also consider placing androidqf inside a VeraCrypt container and carry with it a copy of VeraCrypt to mount it. However, VeraCrypt containers are typically protected only by a password, which you might be forced to provide.

Alternatively, androidqf allows to encrypt each acquisition with a provided age public key. Preferably, this public key belongs to a keypair for which the end-user does not possess, or at least carry, the private key. In this way, the end-user would not be able to decrypt the acquired data even under duress.

If you place a file called key.txt in the same folder as the androidqf executable, androidqf will automatically attempt to compress and encrypt each acquisition and delete the original unencrypted copies.

Once you have retrieved an encrypted acquisition file, you can decrypt it with age like so:

$ age --decrypt -i ~/path/to/privatekey.txt -o .zip .zip.age

Bear in mind, it is always possible that at least some portion of the unencrypted data could be recovered through advanced forensics techniques - although we're working to mitigate that.

License

The purpose of androidqf is to facilitate the consensual forensic analysis of devices of those who might be targets of sophisticated mobile spyware attacks, especially members of civil society and marginalized communities. We do not want androidqf to enable privacy violations of non-consenting individuals. Therefore, the goal of this license is to prohibit the use of androidqf (and any other software licensed the same) for the purpose of adversarial forensics.

In order to achieve this androidqf is released under MVT License 1.1, an adaptation of Mozilla Public License v2.0. This modified license includes a new clause 3.0, "Consensual Use Restriction" which permits the use of the licensed software (and any "Larger Work" derived from it) exclusively with the explicit consent of the person/s whose data is being extracted and/or analysed ("Data Owner").

You might also like...
WhiteSource Log4j Detect is a free CLI tool that quickly scans your projects to find vulnerable Log4j versions

Log4jDetect WhiteSource Log4j Detect is a free CLI tool that quickly scans your projects to find vulnerable Log4j versions containing the following kn

Open source forensic software to analyze and present digital evidence.
Open source forensic software to analyze and present digital evidence.

Go Forensics Core Open source forensic software to analyze digital evidence to be presented in court. The core of Go Forensics PostgreSQL The core use

Tracee: Linux Runtime Security and Forensics using eBPF
Tracee: Linux Runtime Security and Forensics using eBPF

Tracee is a Runtime Security and forensics tool for Linux. It is using Linux eBPF technology to trace your system and applications at runtime, and analyze collected events to detect suspicious behavioral patterns.

Red team tool that emulates the SolarWinds CI compromise attack vector.
Red team tool that emulates the SolarWinds CI compromise attack vector.

SolarSploit Sample malicious program that emulates the SolarWinds attack vector. Listen for processes that use the go compiler Wait for a syscall to o

Project helps to identify the network, broadcast address and no of possible hosts

network_identifier Project helps to identify the network, broadcast address and no of possible hosts for Ipv4 address To use it directly as a go file

Metrics package helps to create ydb-go-sdk traces with monitoring internal state of driver

metrics metrics package helps to create ydb-go-sdk traces with monitoring internal state of driver Usage import ( "fmt" "sync/mutex" "time

scrapligo -- is a Go library focused on connecting to devices, specifically network devices (routers/switches/firewalls/etc.) via SSH and NETCONF.
scrapligo -- is a Go library focused on connecting to devices, specifically network devices (routers/switches/firewalls/etc.) via SSH and NETCONF.

scrapligo -- scrap(e c)li (but in go!) -- is a Go library focused on connecting to devices, specifically network devices (routers/switches/firewalls/etc.) via SSH and NETCONF.

Courier Order Provider is a service that receives signals from core server in order to emit this orders to courier groups.

Courier Order Provider Courier Order Provider is a service that receives signals(messages) from core server in order to emit this orders to courier gr

Andrews-monitor - A Go program to monitor when times were available to order for Brown's Andrews dining hall. Used during the portion of the pandemic when the dining hall was only available for online order.

Andrews Dining Hall Monitor A Go program to monitor when times were available to order for Brown's Andrews dining hall. Used during the portion of the

Limit-order-book - Limit order books keep records of orders for a given symbol to be traded

Limit Order Book Limit order books keep records of orders for a given symbol to

"I do" stops interactive command if there is any potential risky pattern

Description ido (I do) executes your shell command provided as its input, but it may wait for you to confirm when there is some potential risky patter

Scan systems and docker images for potential spring4shell vulnerabilities.
Scan systems and docker images for potential spring4shell vulnerabilities.

Scan systems and docker images for potential spring4shell vulnerabilities. Will detect in-depth (layered archives jar/zip/tar/war and scans for vulnerable Spring4shell versions. Binaries for Windows, Linux and OsX, but can be build on each platform supported by supported Golang.

Quick and simple Go application that fixes updates on non TPM, UEFI devices on the latest insider builds.
Quick and simple Go application that fixes updates on non TPM, UEFI devices on the latest insider builds.

W11-Updater Quick and simple Go application that fixes updates on non TPM, UEFI devices on the latest insider builds. Sick of this bullshit? Build Ins

The android-go project provides a platform for writing native Android apps in Go programming language.
The android-go project provides a platform for writing native Android apps in Go programming language.

android-go The android-go project aims to provide a platform (namely an SDK) for writing native Android apps in Go programming language. All things he

End-to-end encrypted file transfer for Android. An Android Magic Wormhole client.
End-to-end encrypted file transfer for Android. An Android Magic Wormhole client.

wormhole-william-mobile This is a Magic Wormhole client for Android. (Perhaps someday this will also support iOS). Some current limitations: Receiving

Wg-android - Android GUI for WireGuard

Android GUI for WireGuard Download from the Play Store This is an Android GUI fo

Open source Observability Platform. 👉 SigNoz helps developers find issues in their deployed applications & solve them quickly
Open source Observability Platform. 👉 SigNoz helps developers find issues in their deployed applications & solve them quickly

SigNoz SigNoz is an opensource observability platform. SigNoz uses distributed tracing to gain visibility into your systems and powers data using Kafk

x-crafter is used to quickly create templates from your prototype, also come with a builder to quickly regenerate your code

XCrafter 😄 x-crafter is used to quickly create templates from your prototype, also come with a builder to quickly regenerate your code. Install Using

Stargather is fast GitHub repository stargazers information gathering tool

Stargather is fast GitHub repository stargazers information gathering tool that can scrapes: Organization, Location, Email, Twitter, Follow

Comments
  • Notification Error

    Notification Error

    Hi After using the program(latest version) my phone notification keeps on showing USB connected and keeps trying to enable OTG even though nothing is plugged to it, restarted several times still the same issue.

    I use infinix note, android version 10, not rooted

    Kindly assist Screenshot_20220222-070113.png

    opened by MugenJosea 0
  • Instructions missing

    Instructions missing

    I am "semi-tech savvy" and I have been using mvt-android for some time now, which has helped me here. Still, I spent close to half hour troubleshooting the upgrades etc., so my tips:

    1. Instead of "here are the install" do tell the users what to do with them, as they are not that obvious - a one-liner or another script would help.
    2. As I thought it would be quicker to just clone and compile I went this route, but then I have run into small snags, so here are solutions the other potential users: A. Probably the quickest and most fool-proof way to upgrade one's Go is via
    git clone https://github.com/udhos/update-golang
    cd update-golang
    sudo ./update-golang.sh
    

    B. If you then have run into: bash: /usr/bin/go: No such file or directory then the most elegant hash -r may help.

    C. The obvious:

    go: updates to go.mod needed; to update it:
    	go mod tidy
    make: *** [Makefile:70: linux] Error 1
    
    

    -> go mod tidy , another line which may be good to also include in this script here.

    opened by Manamama 0
Owner
Nex
Head of Security Lab at Amnesty International. Creator of Cuckoo Sandbox, Viper Framework, Hardentools, PhishDetect, MVT and more.
Nex
"I do" stops interactive command if there is any potential risky pattern

Description ido (I do) executes your shell command provided as its input, but it may wait for you to confirm when there is some potential risky patter

Ky-Anh Huynh 3 Mar 30, 2022
Scan systems and docker images for potential spring4shell vulnerabilities.

Scan systems and docker images for potential spring4shell vulnerabilities. Will detect in-depth (layered archives jar/zip/tar/war and scans for vulnerable Spring4shell versions. Binaries for Windows, Linux and OsX, but can be build on each platform supported by supported Golang.

null 10 Nov 9, 2022
End-to-end encrypted file transfer for Android. An Android Magic Wormhole client.

wormhole-william-mobile This is a Magic Wormhole client for Android. (Perhaps someday this will also support iOS). Some current limitations: Receiving

Peter Sanford 88 Nov 9, 2022
Advanced information gathering & OSINT framework for phone numbers

PhoneInfoga is one of the most advanced tools to scan international phone numbers using only free resources. It allows you to first gather standard information such as country, area, carrier and line type on any international phone number.

Abhishek Singh Salaria 1 Oct 13, 2021
Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices

Vuls: VULnerability Scanner Vulnerability scanner for Linux/FreeBSD, agent-less, written in Go. We have a slack team. Join slack team Twitter: @vuls_e

Future Corp 9.6k Nov 18, 2022
A CLI tool that can be used to disrupt wireless connectivity in your area by jamming all the wireless devices connected to multiple access points.

sig-716i A CLI tool written in Go that can be used to disrupt wireless connectivity in the area accessible to your wireless interface. This tool scans

Narasimha Prasanna HN 73 Oct 14, 2022
Order TLS certificates using ACME TLS-ALPN-01

Order TLS certificates using ACME TLS-ALPN-01

Chris Webb 2 Feb 2, 2022
HTTP middleware for Go that facilitates some quick security wins.

Secure Secure is an HTTP middleware for Go that facilitates some quick security wins. It's a standard net/http Handler, and can be used with many fram

Cory Jacobsen 2k Nov 19, 2022
🗺 Allows quick generation of basic network plans based on nmap and scan6 output.

NPlan Transforms nmap XML into intermediate JSON and generates a basic network plan in the DrawIO XML format. Installation Just run go install github.

Richard Keil 4 Mar 10, 2022