The Android Logs Events And Protobuf Parser (ALEAPP) is a fast triage tool for Android forensic processing. ALEAPP is relatively modular in design, and it is easy to add additional artifacts. We show how to plan out and add a basic artifact (module) to ALEAPP. This method is similar for iLEAPP, WLEAPP, and other *LEAPP projects.
Thank you to all of our Patrons for sponsoring DFIR Science.
Especially The Ranting Geek. Thank you so much!
To add a new artifact, you will need a basic understanding of Python. Next, you will need to identify the data you want to process, as well as its structure. In this example, we show how to process an XML file on an Android phone dump.
You will need the file name and location of the target data. You will then add your module information and the target data location to the file 'ilap_artifacts.py'. The ilap_artifacts file registered your artifact and controls target file search and routing.
Next you will add your artifact script to ALEAPP - scripts - artifacts - [artifact name].py
This is the script that will be called when ALEAPP finds a file that matches the query described in ilap_artifacts.py.
Your artifact has three main parts:
1. Imports and ALEAPP default functions
2. The target data parser
3. Reporting
Also, consider adding a header with information about the artifact's author and version number/date.
Imports and reporting can be copied from other artifacts or the template linked below. The parser, however, will be specific to your target data type.
00:00 Artifacts missing in ALEAPP
00:24 Start writing an ALEAPP module
00:41 ALEAPP structure overview
01:16 Identify your target data
02:34 Adding your module to ilap_artifacts.py
04:38 Writing your parser
05:35 ALEAPP and other libraries import
06:53 Main target data parsing function
07:39 Simple test before full module development
11:25 Writing the HTML and TSV reports
13:35 Code sections review
14:04 Testing the full module
15:18 Module review and final thoughts
bit.ly/2Ij9Ojc - 👍 Subscribe for weekly videos
❤️ Get early access and bonus content - / dfirscience
Links:
* github.com/abrignoni/ALEAPP
* github.com/DFIRScience/LEAPP_...
#DFIR #android #ALEAPP #forensics
010001000100011001010011011000110110100101100101011011100110001101100101
Help make DFIR tutorials
👍 Subscribe → bit.ly/2Ij9Ojc
🛒 Shop → swag.dfir.science
❤️ Patreon → / dfirscience
🕸️ Blog → DFIR.Science
🤖 Code → github.com/DFIRScience
🐦 Follow → / dfirscience
📰 DFIR Newsletter → bit.ly/DFIRNews
010100110111010101100010011100110110001101110010011010010110001001100101
Tools to help manage your KZread Channel: www.tubebuddy.com/DFIRScience
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing and will probably allow its use.