LabCIF – Forensic Analysis for Mobile Apps

by do son · October 24, 2020

LabCIF – Forensic Analysis for Mobile Apps

Android extraction and analysis framework with an integrated Autopsy Module. Dump easily user data from a device and generate powerful reports for Autopsy or external applications.

Functionalities

Extract user application data from an Android device with ADB (root and ADB required).
Dump user data from an android image or mounted path.
Easily build modules for a specific Android application.
Generate clean and readable JSON reports.
Complete integrated Autopsy compatibility (datasource processor module, ingest module, report module, geolocation, communication, and timeline support).
Export HTML report based on the current case.

Install

Prerequisites

Python (2.7+)
Autopsy (optional)

Download

git clone https://github.com/labcif/FAMA.git

Use

The script can be used directly in terminal or as an Autopsy module.

Running from Terminal

usage: start.py [-h] [-d DUMP [DUMP ...]] [-p PATH] [-o OUTPUT] [-a] app



Forensics Artefacts Analyzer



positional arguments:

  app                                            Application or package to be analyzed <tiktok> or <com.zhiliaoapp.musically>



optional arguments:

  -h, --help                                     show this help message and exit

  -d DUMP [DUMP ...], --dump DUMP [DUMP ...]     Analyze specific(s) dump(s) <20200307_215555 ...>

  -p PATH, --path PATH                           Dump app data in path (mount or folder structure)

  -o OUTPUT, --output OUTPUT                     Report output path folder

  -a, --adb                                      Dump app data directly from device with ADB

  -H, --html                                     Generate HTML report