Viewing extracted Android app data using an emulator

In the previous blog posts I used free and open source forensic tools to view the content and file structure of the Android Discord app. After some testing and validation the presentation of the contents that the tools provide is understandable but not really intuitive nor user friendly.

What if you wanted to view the app content as the Android device presented it to the user without manipulating the device where the data originally came from? By using an Android emulator we can view the contents using the app itself as our viewer. Free tools will be used for this analysis.

Test Device

• Samsung SM-G530T Galaxy Grand Prime
• OS 5.1.1
• Rooted

 Tools

• Android Discord App with test data
• Magnet Forensics Acquire 2.0.3.8168
• Nox Player 5.0.0.1 - Android Emulator
• ADB - Android Debugging Bridge
• FTK Imager 3.4.2.6

Extraction

Using Acquire a physical source image of the phone is created.

Magnet Acquire Acquisition

With FTK imager the following folders are exported from the source image:

• /app/com.discord-1
• /data/com.discord

The app data folder contains the Discord application itself. It is named "base.apk".

Discord APK - base.apk

 The data folder has all the content related to the app. Be aware that different apps will require different folders to be identified and exported. For example some apps use the SD card to store data needed for the app to work properly. Using a test device, identify all the folders needed by the app then export them from the source image.

Discord Data Folder

After exporting the folders start the Nox emulator. Depending on the app you are working with make sure to change the settings on the emulator. By default the emulator starts in tablet mode.

Tablet Mode

If the app being worked on is from a phone, change the mode and resolution accordingly.

Change Mode & Resolution

Since I am using a test phone, here is how the emulator looks after the change.



Leave your emulator running since we will connect to it using ADB.

ADB - Connecting and pushing extracted data to the emulator 

We will use ADB to connect to the emulator and push into it the data repositories we identified previously. Nox comes with ADB already available in the main installation folder. For a default installation the Nox ADB will be found at C:\Program Files(x86)\bin\adb.exe or adb_nox.exe.

Open a command prompt at the previous path and connect to the emulator using the following command:

• adb connect 127.0.0.1:62001

To test connectivity use the following command:

• adb devices

If successful you should see the following on your screen.

Connected to Emulator

In another command prompt open a shell to the emulator using ADB.

• adb shell

ADB Shell

The first command prompt will be used to push/upload the apk. The second command prompt will enable us to interact with the emulator's file system.

Use the following command, in the first command prompt, to push the apk into the emulator into the corresponding directory:

• adb push base.apk /data/app

APK to Emulator

The application will appear on the home screen of the emulator. Press on it to initialize it. By starting the apk, the folder structures needed by the app will be created in the emulator.

After seeing the initial screen, press the Recent Taks button in the emulator (the square above the >> on the lower right side of the screen) and swipe away the app. 

Before we push the app data to the emulator we need to delete the folders that were created by the app when we initialized it.

On the second command prompt, the one with the ADB shell, navigate to the following folder:

• /data/data/com.discord

There you will see all the folders that were created by initialization. Use the following command to delete them:

• rm -r *

Delete App Folders

Go back to the first command prompt and push the extracted data app to the folder we just emptied.

• adb push com.discord /data/data/com.discord

Extracted App Data pushed to Emulator

If the push was successful the following will be seen on the prompt:

Successful Push

On your ADB shell prompt you will now see that the folders extracted from the image are now located within the emulator.

Successful Push - Folder Structure

To summarize so far we have:

1. Made a physical source image from the target device.
2. Extracted the target app and app folders (Discord.)
3. Push the extracted app to the emulator and initialize it.
4. Close the app and delete the app created folders.
5. Push the extracted app folders and their content to the emulator.

Go to the home page on the emulator and press the Discord app. All the content of the app can now be viewed in the emulator.

Discord Direct Message

Considerations

This method of review is really useful for showing the extracted data to non technical people. It is a great visual aid to see the data as the original user would have seen it herself. 

When doing this type of analysis we need to always adhere to best practices. For this example my workstation and emulator were connected to the internet. Notice the green dot next to the username at the bottom of the following image.

Logged In

Make sure your workstation is not connected to the internet since some applications will reach out and log in to the servers that the app uses. This could cause an issue where the analyst might inadvertently conduct a search/download of data from the server without proper legal authorization. 

Be aware that emulator analysis like this one might not work with applications that are closely integrated with the operating system, e.g. Google apps.

In my testing I have found that by closing the app or shutting down the emulator, the pushed data is no longer accessible and the app returns an invalid install error message. Make sure to take screenshots or video capture the pertinent screens before you close the app or shutdown the emulator. To access the app and data after shutdown will require reinstalling Nox and redoing the whole procedure again.

Discord App - Missing values not missing

* Oct 17, 2018 - Update with further insight here. *

Last post I did a quick overview of the Discord app for Android. At the time I commented that "both the messages and the usernames are missing the last letter as represented by the tools." Upon further review I figured out that
the alphabetic value of the last hex number at the end of every sentence can be decoded starting at E1h and ending at FAh.

For example the first 5 alphabetic values would be:

E1h = a
E2h = b
E3h = c
E4h = d
E5h = e

One has to only continue to map letters to hex values sequentially until the whole alphabet is represented.

By looking at the hex at the end of the sentence and comparing it to the corresponding alphabetic value one can figure out what is that last letter the tools used did not show us.

Go figure.

Discord Android App Review - DFIR

What is Discord?

Discord is a communication platform for video gamers. It advertises minimal CPU usage, high voice quality and multiple social media features like friend lists. As part of their communication platform, Discord has corresponding iOS and Android apps.

As a gaming enthusiast myself (Broodwar & SC2 forever!) and DFIR practitioner, there was plenty of motivation to see how this app stores user generated data in Android.

Test Devices and User Generated Data

The following testing devices were used:

• Samsung GSM SM-G530T Galaxy Grand Prime 
• OS 5.1.1
• Privileged Access (root): Yes 
• Samsung SGH-I747 Samsung Galaxy S3
• OS 4.1.2
• Privileged access (root): Yes

Using the same wireless network connection, the Discord app was downloaded and installed on the test phones. Two Discord accounts were created, one for each phone.

To create data for the app to store, I sent the following messages and pictures from one phone to the other using Discord. I also made a short VOIP call in the same manner. Oh and emoticons, of course.

App Interactions

Acquisition Tools

For this analysis I wanted both free and paid for tools.  It goes without saying that paid for tools come with customer support and ease of use that might not be available on a free or open source tool. Still a lack of funding for tools shouldn't be an obstacle to engage in meaningful forensic case work. Ideally an examiner will leverage all the tools at her disposal to paint the most complete picture possible.

 The following software was used for forensic imaging:

• Cellebrite UFED4PC 
• Magnet Forensics Acquire 2.0.1

Magnet Acquire Acquisition

Processing Tools

In order to read the imaged file system/s and for the parsing of artifacts the following tools were used:

• Cellebrite Physical Analyzer (PA)
• Autopsy 4
• FTK Imager 3.4.2.2

Both PA and Autopsy present the file system and parsed artifacts on the left of the screen and the related data on the panes to the right.

Analysis

PA presents the parsed chat artifacts it knows how to handle automatically under the 'Analyzed Data'  section on the left pane of the PA screen. No chats were automatically parsed for Discord. 

With PA it is always good to check the Installed Apps section. One is able to tell which apps are parsed by Cellebrite and which ones are not. Notice that next to the Discord line, under the 'Decoded by' heading there is no entry. If it were parsed by PA it would say 'Cellebrite' and a corresponding entry would have been found under the Chats section. Conveniently the app description itself tells us it is a chat application. The entries in the Installed apps section are pulled by PA from the 'localappstate.db' and the 'AndroidManifest.xml' files as seen in the screenshot below.

Physical Analyzer - Installed Applications

By contrast Autopsy does not parse the installed applications in order to present it in a spreadsheet as PA does. A manual search of the file system is needed to identify apps and data stores of interest. In most cases Android apps' data stores can be found in the 'userdata(ExtX)/Root/data/' directory. That being said, Autopsy does parse text messages and many other Android artifacts. In this particular instance both PA and Autopsy do not parse Discord artifacts automatically. The lesson to be learned is the value of manually traversing the acquired file system to make sure nothing is being missed no matter what tool is being used.

Within the data stores a directory for Discord was found.

Physical Analyzer - Discord App File Structure

Within the 'userdata (ExtX)/Root/data/com.discord/files' directory multiple files with the 'PREF_K' prefix were located. For this analysis we will review the following:

PREF_K_STORE_MESSAGES_CACHE_V15
PREF_K_STORE_USERS_MAP_V7
PREF_K_STORE_USERS_ME_V7,


The PREF_K_STORE_MESSAGES_CACHE_V15 file contained the test messages that were sent.

Autopsy 4 - Indexed Text View

It seems the file, which has no extension, calls some java functions first then below it stores the messages. In my experience most chat apps keep their messages in sqlite databases. In this instance no sqlite databases were found within the Discord directory. It would seem to me that these java related files are the data stores for the app itself. This assumption does require further validation. Note that both the messages and the usernames are missing the last letter as presented by the tools. For example the username 'spotmusic' is presented  in the indexed text view as 'spotmusi' and the 'hello spot' message is presented as 'hello spo'.

For this test three pictures were sent. Two URL paths for every sent picture are contained within the message data store file. Here is an example.

Discord - Shared Media Paths

I was able to access the pictures by copy-pasting the URL on my computer browser. After 5 hours of the pictures being sent, the URL still works. In addition to the picture URLs, Discord keeps the send/received picture thumbnails in the
'userdata (ExtX)/Root/data/com.discord/cache/app_images_cache_small/v2.ols100.1folder.'
The images have an internal naming convention and end with the '.cnt' extension. Autopsy recognizes them under the 'Extension Mismatch Detected' section under 'Extracted Content'.

Autopsy 4 - Extension Mismatch Detected

Saved Discord received images go to the default downloads folder for the device. The file keeps the original file name.

By looking at the data store file, patterns seem to emerge. Further validation is still required.

For messages the following entries appear in the following order:

• Username missing the last letter.
• Message missing the last letter. 
• Time of message. 

For a VOIP call:

• Username missing the last letter.
• Call header
• Time
• Username missing last letter
• Time

FTK Imager - Call entry

For an attachment:

• Attachment header (for the first image)
• Attachment name missing last letter
• URL #1
• URL #2
• User
• Time value

FTK Imager - Attachments

For a pinned messages:

• Username missing last letter
• Unknown value, might denote pinned message
• Time value

FTK Imager - Pinned Message

It is of note that the emoji hex values can be identified in testing by sending the same emoji multiple times and looking for repeating patterns in the message portions of the file.

The PREF_K_STORE_USERS_MAP_V7 file denotes the individuals involved in the chat.

Autopsy 4 - Users Map

The PREF_K_STORE_USERS_ME_V7 stores the username of the logged in user.

Autopsy 4 - Users_ME

Conclusions

Truly no one tool can provide by itself a complete picture of what user activity transpired in a particular device of interest. Further testing and validation can reveal additional artifacts of interest regarding this particular app. There are estimates that indicate that Discord has approximately 25 million users.

By using paid for commercial tools as well as open source ones, the point is made that progress can be made regarding case work without the need of a bottomless budget. 

-Brigs
@AlexisBrignoni

"Hello World"

Hi and thanks for stumbling into my blog. Here I will focus on Information Security, Digital Forensics and Incident Response (DFIR) topics. Hopefully the upcoming content will be useful or at least amusing.

DFIR is a fast moving field and to be current you have to not only learn from others but also try and humbly give back. This is my first effort at doing so online. I hope to hear/share some ideas on:

1) Workflow management. Work smarter not harder. Are there any procedures that take too many steps that you wish took less?

I look to identify workflow issues like those and make them better. Same with with scale. Can a procedure be developed that applies to multiple pieces of evidence or artifacts? If so, lets hear it!

2) Presentation skills. I use Prezi to teach introductory networking and cyber topics. Will share some of those here. What does it take to be a good presenter on tech topics beyond the slides?

3) Programming. What are the most useful programming/scripting languages used for DFIR?

4) Learning. The best way of learning something is to explain it to someone else. Will try to do so here as well.

 -Brigs

SANS Orlando 2017 https://t.co/6X0tjWUigG

SANS Orlando 2017 http://pic.twitter.com/6X0tjWUigG

— Alexis Brignoni (@AlexisBrignoni) April 12, 2017

from Twitter https://twitter.com/AlexisBrignoni