Mobile phone forensics
June 28 2020 18:16:38
A cellphone is basically a Linux device that you're always carrying with you. Since I've got root access on mine - why not add a few tools that make my daily tasks easier? To this end I set out to modify my Android system image.
I'm somewhat regularly curious about the contents of an Android binary (APK file) and sometimes the code in JAR files. To this end I've included the tools "unapk" and "unjar" in my new system image. To use these I had to include a JDK - compiled for ARM64 of course. With the command "unjar" you can disassemble a binary directly from an APK on the system (found with "pm list packages -f") or from a file. Unjar/unapk will run on any computer however - and they're also attached to the bottom of this post for stand-alone usage. I've also added reverse engineering tools like strace and binwalk to make debugging and reverse engineering from my phone easier.
To make working with disk volumes possible I've added ntfs3g, libde (to mount encrypted LUKS systems), bdemount (to mount BitLocker volumes) and a lot of NTFS and FAT related tools. To build most of these tools I needed static libraries - which aren't shipped with most distros, so I quickly whipped up an arm64 chroot with QEMU on my main machine so I could cross-compile for my phone. One more reason to stick with Gentoo forever :)
For other binaries (like git) the easiest solution was to simply modify the termux packages. I've included the source code to a binary patcher file below which you can use to search a binary or script for termux-specific paths and change them to paths in /system. This allows you to quickly re-use binaries from termux on an android system root.
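The idea behind that patcher, as an added illustration and not the patch_bins.c attached to this post: scan a file for the Termux prefix and overwrite it with the /system path. The one detail that matters is length. Inside an ELF binary the strings sit at fixed offsets that the rest of the binary references, so the replacement has to be no longer than the original, the tail of the path has to slide up behind the new prefix, and the freed bytes are NUL-padded so the file size and every offset stay the same. A shell script has no such constraint and can simply shrink. The prefix "/data/data/com.termux/files/usr" and the file-type detection below are my assumptions; the real patcher's path list is not shown on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed Termux prefix and its /system replacement (not taken from the page). */
#define OLD_PREFIX "/data/data/com.termux/files/usr"
#define NEW_PREFIX "/system"

/* ELF files start with the magic bytes 0x7f 'E' 'L' 'F'. */
int is_elf(const unsigned char *buf, size_t len)
{
    return len >= 4 && memcmp(buf, "\x7f" "ELF", 4) == 0;
}

/* Replace every occurrence of `from` in buf[0..len) with `to` (`to` must not be longer).
 * keep_offsets=1 (binaries): the rest of the C string slides left and the freed bytes are
 *   NUL-padded, so the buffer length and all string offsets are preserved.
 * keep_offsets=0 (scripts): the whole remainder slides left and the buffer shrinks.
 * Returns the new length, or -1 if `to` would not fit. *count receives the replacement count. */
long patch_buffer(unsigned char *buf, size_t len, const char *from, const char *to,
                  int keep_offsets, long *count)
{
    size_t flen = strlen(from), tlen = strlen(to);
    *count = 0;
    if (flen == 0 || tlen > flen)
        return -1;

    size_t i = 0;
    while (i + flen <= len) {
        if (memcmp(buf + i, from, flen) != 0) { i++; continue; }
        memcpy(buf + i, to, tlen);
        if (keep_offsets) {
            size_t end = i + flen;                 /* find the NUL that ends this path */
            while (end < len && buf[end] != '\0') end++;
            size_t suffix = end - (i + flen);      /* e.g. "/bin/sh" after the prefix */
            memmove(buf + i + tlen, buf + i + flen, suffix);
            memset(buf + i + tlen + suffix, 0, flen - tlen);
            i = end;
        } else {
            memmove(buf + i + tlen, buf + i + flen, len - (i + flen));
            len -= flen - tlen;
            i += tlen;
        }
        (*count)++;
    }
    return (long)len;
}

/* Patch a file in place; binaries keep their size, scripts may shrink. Returns count or -1. */
long patch_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    rewind(f);
    unsigned char *buf = malloc((size_t)sz);
    if (!buf || fread(buf, 1, (size_t)sz, f) != (size_t)sz) { fclose(f); free(buf); return -1; }
    fclose(f);

    long count;
    long newlen = patch_buffer(buf, (size_t)sz, OLD_PREFIX, NEW_PREFIX,
                               is_elf(buf, (size_t)sz), &count);
    if (newlen >= 0) {
        f = fopen(path, "wb");
        if (!f) { free(buf); return -1; }
        fwrite(buf, 1, (size_t)newlen, f);
        fclose(f);
    }
    free(buf);
    return newlen < 0 ? -1 : count;
}

/* Constructed demo data: a fake ELF string table and a shebang script. Returns checks passed (4). */
int run_demo(void)
{
    int passed = 0;
    long count;

    static const char elf_like[] = OLD_PREFIX "/bin/sh\0" OLD_PREFIX "/lib\0" "unrelated\0";
    unsigned char buf[sizeof elf_like];
    memcpy(buf, elf_like, sizeof elf_like);
    long newlen = patch_buffer(buf, sizeof elf_like, OLD_PREFIX, NEW_PREFIX, 1, &count);
    if (newlen == (long)sizeof elf_like && count == 2) passed++;   /* size preserved */
    if (strcmp((char *)buf, NEW_PREFIX "/bin/sh") == 0) passed++;
    size_t second = strlen(OLD_PREFIX "/bin/sh") + 1;             /* original offset of string 2 */
    if (strcmp((char *)buf + second, NEW_PREFIX "/lib") == 0) passed++;

    static const char script[] = "#!" OLD_PREFIX "/bin/bash\necho hi\n";
    static const char want[] = "#!" NEW_PREFIX "/bin/bash\necho hi\n";
    unsigned char sbuf[sizeof script];
    memcpy(sbuf, script, sizeof script);
    newlen = patch_buffer(sbuf, strlen(script), OLD_PREFIX, NEW_PREFIX, 0, &count);
    if (count == 1 && newlen == (long)strlen(want) && memcmp(sbuf, want, (size_t)newlen) == 0) passed++;
    return passed;
}

int main(int argc, char **argv)
{
    if (argc < 2) { printf("demo checks passed: %d/4\n", run_demo()); return 0; }
    for (int a = 1; a < argc; a++)
        printf("%s: %ld replacements\n", argv[a], patch_file(argv[a]));
    return 0;
}
```

Run it with no arguments to exercise the in-memory demo, or pass file paths to patch them in place. The shorter /system prefix is what makes the in-place ELF rewrite safe; a longer replacement cannot be done this way and would need a proper relink.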
This is also how I've added Perl and irssi to this system - just steal and patch the termux binaries. All of this does come at a cost to security because these binaries are rarely updated, so do this at your own peril.
Just goes to show that a mobile phone nowadays is a fully capable computer - even good enough to do modern forensics on :)
Edit: I just checked the Kali Linux armhf firmware image - as far as command-line hacking tools go, this image has a lot more to offer than even Kali NetHunter :)
File:   system_new.7z
Size:   1.05GB
crc32:  1722423167
md5:    c5ccb70dd4116975724fd140b4b1108a
sha512: c9e9df76d634c0474e0c158d9116ad93ad4b0e63520b14a50c5783bd441e35c90cd8b7c7aef4654818adfc202b685f4ebe0d957cedf571eefff171a528994f7b

File:   unapk.7z
Size:   20.15MB
crc32:  1713248516
md5:    02215d8e9564b3b84c338bac299d592c
sha512: 289539fc143865cdf3813e25f880744f323118e20dce3b9b8016f71326b50201b0cd61e5fe2cf4f34442324cce0e4df2cdcfc219879d0d2b745a9b09194f3d08

File:   bins.7z
Size:   342.58MB
crc32:  612106563
md5:    3dbc6a916e3ddce743589223061b2540
sha512: 898fffbdcf5521de3b64155121e002af5a540bb3a5c2682ed882e7312c2ad76bf65ab1adcee0727e46343b2098dca8b7219fe9c6346860ecefbe68ab80ed6cc0

File:   patch_bins.c
Size:   3.12kB
crc32:  1497765241
md5:    2637f78dcbafa60767fd1d715905d2c0
sha512: 2da14cc088b5cc8564494a49070c8449902e3c91a94c37c659c3b439ef66297678850c5b496f46981a661eda7a985644da1ed0920684c42b5df40a66c2e06835