How to Install Andriller on Linux

Admin
Posted: February 10, 2025

Andriller is a Python 3-based tool with a graphical user interface. Its community edition is available for free, and it runs on Ubuntu systems.

Andriller Installation Steps

First, you need to install the "adb" package, which Andriller uses to communicate with Android devices, and the "python3-tk" package, which is needed for Andriller's graphical interface:

sudo apt-get install android-tools-adb python3-tk

Then, download the Andriller repository from GitHub:

git clone https://github.com/den4uk/andriller.git

Next, navigate to the downloaded repository directory and use the “pip” command to install the required Python libraries:

cd andriller
pip3 install -r requirements.txt

After these steps, you can run the Andriller tool:

python3 -m andriller

If all goes well, you should see an interface like the one below:

Android Forensics with Andriller

The first thing you need to do is select the directory where Andriller will store the collected data. Click the 'Output' button in the 'Global Output Location' section and select a directory.

After connecting your device to the computer, click the 'Check' button in the 'Extraction (USB)' section. If Andriller successfully connects to the device, the serial number of the connected device will appear next to the button as "Serial ID", indicating that everything is proceeding correctly:

You can now start the data extraction process by clicking the 'Extract' button. Andriller will attempt to retrieve files using the 'Device Backup' method and will ask you to allow the device to perform a backup. At this stage, you will need to go to the device and authorize the backup there.

You will see output similar to the following in the information area of the screen when the copy process is complete:

When the process is complete, you will see a directory called "DEVICESERIAL_BACKUPDATE" under the initial "Output" directory we defined:

Within this directory, you will find an HTML summary of the operation in the file "REPORT.html", a list of exported files in the file "REPORT.xlsx" and the "data" directory containing information about the applications on the Android device.

In the next step, you can use the 'Parse (TAR)' and 'Parse (AB)' fields in Andriller to extract the 'DataStore.tar' and 'Backup.ab' files from the obtained image. The extracted folders will also be created in the 'Output' directory:

Under these directories, you can obtain important database files for Digital Forensics, such as:

In addition to these, you can also find relevant data in the folders of installed applications under the “/data” directory.
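
To show what the 'Parse (AB)' step works on, the sketch below (an added example, not Andriller's own code) reads the header of an unencrypted 'Backup.ab' file, records its SHA-256 for the case notes, and lists the files in the embedded tar archive. The sample backup, its version number and the app path are constructed for illustration.

```python
import hashlib
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab(blob: bytes) -> dict:
    """Parse an unencrypted Android backup (.ab) image held in memory."""
    # Header: four newline-terminated ASCII lines, then the payload.
    magic, version, compressed, encryption, payload = blob.split(b"\n", 4)
    if magic != MAGIC:
        raise ValueError("not an Android backup: bad magic")
    if encryption != b"none":
        # Encrypted backups carry extra key-derivation lines; not handled here.
        raise ValueError(f"encrypted backup ({encryption.decode()}), password needed")
    if compressed == b"1":
        payload = zlib.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(payload)) as tar:
        members = [m.name for m in tar.getmembers() if m.isfile()]
    return {
        "version": int(version),
        "compressed": compressed == b"1",
        "sha256": hashlib.sha256(blob).hexdigest(),  # hash of the file as acquired
        "files": members,
    }


def build_sample_ab() -> bytes:
    """Constructed sample: a tiny backup holding one fake app database."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"constructed sample, not real device data"
        info = tarfile.TarInfo("apps/com.example.app/db/sample.db")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return b"ANDROID BACKUP\n5\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    report = parse_ab(build_sample_ab())
    print(report["version"], report["compressed"], report["sha256"][:16])
    for name in report["files"]:
        print(name)
```

For a real acquisition, pass the bytes of the 'Backup.ab' file from the output directory to parse_ab() and compare the listed paths with what Andriller unpacked.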
