This Python script dumps all important SQLite Databases from a
connected Android smartphone to the local disk and analyzes these
files in a forensically accurate workflow. If no smartphone is
connected you can specify a local directory which contains the
databases you want to analyze. Afterwards this script creates a
clearly structured XML report. 

If you connect a smartphone you need a rooted and insecure kernel
or a custom recovery installed on the smartphone. 

Forensic principles: ADEL is intended to treat data in a
forensically correct way. This goal is reached by the fact that
activities are not conducted directly on the phone but on a copy of
the databases. This procedure assures that data does not become
changed, neither by the users of ADEL nor by an uncompromised
operating system. In order to proof the forensic correctness of ADEL,
hash values are calculated prior and after each analysis, to
guarantee that dumped data did not become changed during analysis. 

Extendibility: ADEL has been modularly built and contains
two separate modules: the analysis and the report module. Predefined
interfaces exist between these modules and both of them can be easily
amended by additional functions. The modular structure allows for
dumping and analyzing further databases of smartphones without great
effort and facilitates updates of the system in the future. 

Usability: The use of ADEL is intended to be as simple as
possible to allow its use by both qualified persons and non-experts.
At best, the analysis of the mobile phone is conducted in an
autonomous way so that the user does not receive any notice of
internal processes. Moreover, the report module creates a detailed
report in a readable form, including all of the decoded data. During
the execution, ADEL optionally writes an extensive log file where all
of the important steps that were executed are traced.

ADEL needs a predefined configuration for each device to work
proper. This configuration has to be added in the following file:

xml/phone_configs.xml 

As an example we added the configuration for the Samsung Galaxy S2
running Android 2.3.3, more phone configurations will follow.

Example for the use of ADEL with a connected smartphone:

adel.py -d device -l 4 

Example for the use of ADEL with database backups:

adel.py -d /home/user/backup -l 4 

P { margin-bottom: 0.08in; }

In the current development state, the following databases are
forensically treated and parsed:

• telephone and SIM-card information (e. g. IMSI and serial
  number)
  

• telephone book and call lists,
  

• calendar entries,
  

• SMS messages,
  

• GPS locations from different sources on the smartphone.
  

ADEL now makes use of a custom recovery image based on the
Clockworkmod-Recovery. Due to this change you do not need to modify
the kernel or the adb daemon anymore. Furthermore, on some newer
smartphones you can load the modified recovery to RAM via fastboot,
so you don’t need to do any persistent changes to the smartphone.


Download and more information


Image Credit