
Mobile phone forensics
June 28 2020 18:16:38

A cellphone is basically a Linux device that you're always carrying with you. Since I've got root access on mine, why not add a few tools that make my daily tasks easier? To this end I set out to modify my Android system image.
I'm somewhat regularly curious about the contents of an Android binary (APK file) and sometimes about the code in JAR files. To this end I've included the tools "unapk" and "unjar" in my new system image. To use these I had to include a JDK - compiled for ARM64, of course. With the command "unjar" you can disassemble a binary directly from an APK on the system (found with "pm list packages -f") or from a file. Unjar/unapk will run on any computer, however - they're also attached to the bottom of this post for stand-alone usage. I've also added reverse engineering tools like strace and binwalk to make debugging and reverse engineering from my phone easier.

To make working with disk volumes possible I've added ntfs-3g, libde (to mount encrypted LUKS systems), bdemount (to mount BitLocker volumes) and a lot of NTFS- and FAT-related tools. To build most of these tools I needed static libraries - which aren't shipped with most distros - so I quickly whipped up an arm64 chroot with QEMU on my main machine so I could cross-compile for my phone. One more reason to stick with Gentoo forever :)
For other binaries (like git) the easiest solution was to simply modify the Termux packages. I've included the source code to a binary patcher below which you can use to search a binary or script for Termux-specific paths and change them to paths under /system. This allows you to quickly re-use binaries from Termux on an Android system root.
This is also how I've added Perl and irssi to this system - just steal and patch the Termux binaries. All of this does come at a cost to security, because these binaries are rarely updated. So do this at your own peril.
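As an added illustration of the path-patching technique described above (example code written for this page, not the patch_bins.c attached below), here is the core of such a patcher in C. It assumes Termux's installation prefix /data/data/com.termux/files/usr and the /system target mentioned in the post; the sample buffer is constructed to look like a slice of an ELF .rodata section. The detail a practitioner has to get right is the length: a path inside a compiled binary sits at a fixed offset and anything after its NUL terminator belongs to something else, so the replacement prefix must be no longer than the original, the tail of the path is shifted left, and the freed bytes are NUL-padded instead of shifting the rest of the file.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Termux's installation prefix and the replacement used when a binary is
   moved into the Android system image.  Example assumption for this page;
   the patcher attached to the post has its own path list. */
#define OLD_PREFIX "/data/data/com.termux/files/usr"
#define NEW_PREFIX "/system"

/* Rewrite every NUL-terminated C string in buf[0..len) that begins with
   old_pfx so that it begins with new_pfx instead, in place.  new_pfx must not
   be longer than old_pfx: the string's offset and total footprint in the file
   are fixed, so the remainder of the path is moved left and the bytes freed at
   the end are filled with NUL.  Returns the number of strings rewritten, or -1
   if new_pfx is too long to fit. */
static long patch_prefix(unsigned char *buf, size_t len,
                         const char *old_pfx, const char *new_pfx)
{
    size_t olen = strlen(old_pfx), nlen = strlen(new_pfx);
    long hits = 0;
    if (nlen > olen) return -1;

    for (size_t i = 0; i + olen <= len; ) {
        if (memcmp(buf + i, old_pfx, olen) != 0) { i++; continue; }
        /* Locate the end of this C string (stay inside the buffer). */
        size_t end = i + olen;
        while (end < len && buf[end] != '\0') end++;
        size_t tail = end - (i + olen);            /* bytes after the prefix */
        memcpy(buf + i, new_pfx, nlen);            /* "/system"             */
        memmove(buf + i + nlen, buf + i + olen, tail);   /* "/bin/perl"    */
        memset(buf + i + nlen + tail, 0, olen - nlen);   /* NUL padding    */
        hits++;
        i = end;                                   /* skip past this string */
    }
    return hits;
}

/* Constructed sample: three C strings laid out the way a .rodata section
   would hold them.  Offsets: 0 and 41 are Termux paths, 77 is unrelated. */
static unsigned char sample[] =
    "/data/data/com.termux/files/usr/bin/perl\0"
    "/data/data/com.termux/files/usr/lib\0"
    "other\0";

/* Patch the sample in place; returns how many strings were rewritten (2). */
long demo_patch(void)
{
    return patch_prefix(sample, sizeof sample - 1, OLD_PREFIX, NEW_PREFIX);
}

/* Stand-alone use: patch a copy of a Termux binary in place. */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <binary>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "r+b");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    rewind(f);
    unsigned char *buf = sz > 0 ? malloc((size_t)sz) : NULL;
    if (!buf || fread(buf, 1, (size_t)sz, f) != (size_t)sz) {
        perror("read"); fclose(f); return 1;
    }
    long hits = patch_prefix(buf, (size_t)sz, OLD_PREFIX, NEW_PREFIX);
    rewind(f);
    if (hits > 0 && fwrite(buf, 1, (size_t)sz, f) != (size_t)sz) {
        perror("write"); fclose(f); return 1;
    }
    fclose(f);
    free(buf);
    printf("%ld string(s) patched in %s\n", hits, argv[1]);
    return 0;
}
```

Two limits worth knowing before pointing this at a real binary: it only finds NUL-terminated C strings, so paths stored with a separate length field are not rewritten, and it does nothing for strings where the prefix appears other than at the start. For shell or Perl scripts there is no fixed layout to preserve, so an ordinary textual substitution with sed is simpler than in-place padding.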

Just goes to show that a mobile phone nowadays is a fully capable computer - even good enough to do modern forensics on :)

Edit: I just checked the Kali Linux armhf firmware image - as far as command-line hacking tools go, this image has a lot more to offer than even Kali NetHunter :)

File:   system_new.7z
Size:   1.05GB
crc32:  1722423167
md5:    c5ccb70dd4116975724fd140b4b1108a
sha512: c9e9df76d634c0474e0c158d9116ad93ad4b0e63520b14a50c5783bd441e35c90cd8b7c7aef4654818adfc202b685f4ebe0d957cedf571eefff171a528994f7b

File:   unapk.7z
Size:   20.15MB
crc32:  1713248516
md5:    02215d8e9564b3b84c338bac299d592c
sha512: 289539fc143865cdf3813e25f880744f323118e20dce3b9b8016f71326b50201b0cd61e5fe2cf4f34442324cce0e4df2cdcfc219879d0d2b745a9b09194f3d08

File:   bins.7z
Size:   342.58MB
crc32:  612106563
md5:    3dbc6a916e3ddce743589223061b2540
sha512: 898fffbdcf5521de3b64155121e002af5a540bb3a5c2682ed882e7312c2ad76bf65ab1adcee0727e46343b2098dca8b7219fe9c6346860ecefbe68ab80ed6cc0

File:   patch_bins.c
Size:   3.12kB
crc32:  1497765241
md5:    2637f78dcbafa60767fd1d715905d2c0
sha512: 2da14cc088b5cc8564494a49070c8449902e3c91a94c37c659c3b439ef66297678850c5b496f46981a661eda7a985644da1ed0920684c42b5df40a66c2e06835