Artifacts missing? Write an ALEAPP module!

  • Published 9 Jun 2024
  • The Android Logs Events And Protobuf Parser (ALEAPP) is a fast triage tool for Android forensic processing. ALEAPP is relatively modular in design, and it is easy to add additional artifacts. We show how to plan out and add a basic artifact (module) to ALEAPP. This method is similar for iLEAPP, WLEAPP, and other *LEAPP projects.
    Thank you to all of our Patrons for sponsoring DFIR Science.
    Especially The Ranting Geek. Thank you so much!
    To add a new artifact, you will need a basic understanding of Python. Next, you will need to identify the data you want to process, as well as its structure. In this example, we show how to process an XML file from an Android phone dump.
    You will need the file name and location of the target data. You will then add your module information and the target data location to the file 'ilap_artifacts.py'. The ilap_artifacts file registers your artifact and controls target file search and routing.
    Next, you will add your artifact script to ALEAPP under scripts/artifacts/[artifact name].py.
    This is the script that will be called when ALEAPP finds a file that matches the search pattern described in ilap_artifacts.py.
    Your artifact has three main parts:
    1. Imports and ALEAPP default functions
    2. The target data parser
    3. Reporting
    Also, consider adding a header with information about the artifact's author and version number/date.
    Imports and reporting can be copied from other artifacts or the template linked below. The parser, however, will be specific to your target data type.
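    The three parts above (imports, the data-specific parser, reporting) as an added example that is not from the video or the ALEAPP project: it parses a constructed Android shared_prefs XML file into report rows. The get_*(files_found, report_folder, seeker, wrap_text) entry signature, the ilap_artifacts.py registration line in the comment and the name get_example_prefs are assumptions about ALEAPP's layout; ALEAPP's own HTML/TSV helpers are replaced here with a plain TSV writer so the block runs stand-alone.

```python
import csv
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# Constructed sample of an Android shared_prefs file; not taken from any real device dump.
SAMPLE_XML = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="account_name">user@example.invalid</string>
    <long name="last_sync" value="1700000000000" />
    <boolean name="sync_enabled" value="true" />
    <int name="launch_count" value="7" />
</map>
"""
MAX_XML_BYTES = 5 * 1024 * 1024  # a prefs file is tiny; refuse oversized input before parsing
def parse_shared_prefs(raw):
    """The data-specific parser: returns (headers, rows) for one shared_prefs XML blob."""
    if len(raw) > MAX_XML_BYTES:
        raise ValueError("XML larger than expected for a shared_prefs file")
    # Device data is untrusted: expat resolves no external entities, and the size cap bounds expansion bombs.
    root = ET.fromstring(raw)
    if root.tag != "map":
        raise ValueError("not a shared_prefs <map> document")
    rows = []
    for el in root:
        name = el.get("name", "")
        value = (el.text if el.tag == "string" else el.get("value")) or ""
        decoded = ""
        # Heuristic: a 13-digit <long> is usually a millisecond epoch on Android; verify per app.
        if el.tag == "long" and value.isdigit() and len(value) == 13:
            decoded = datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc).isoformat()
        rows.append((name, el.tag, value, decoded))
    return ["Key", "Type", "Value", "Decoded (UTC)"], rows
# Assumed ALEAPP entry signature: files_found are the paths that matched the pattern
# registered in ilap_artifacts.py, e.g. ('Example', ('*/shared_prefs/example_prefs.xml',)).
def get_example_prefs(files_found, report_folder, seeker, wrap_text):
    """Reporting stage, using a plain TSV writer as a stand-in for ALEAPP's report helpers."""
    written = []
    for file_found in files_found:
        with open(file_found, "rb") as fh:
            headers, rows = parse_shared_prefs(fh.read())
        if not rows:
            continue  # nothing to report for this file
        out = os.path.join(report_folder, "Example Prefs - " + os.path.basename(file_found) + ".tsv")
        with open(out, "w", newline="", encoding="utf-8") as fh:
            writer = csv.writer(fh, delimiter="\t")
            writer.writerow(headers)
            writer.writerows(rows)
        written.append(out)
    return written
```

    Test the parser on the sample bytes first, as the video suggests, before wiring the module into ilap_artifacts.py.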
    00:00 Artifacts missing in ALEAPP
    00:24 Start writing an ALEAPP module
    00:41 ALEAPP structure overview
    01:16 Identify your target data
    02:34 Adding your module to ilap_artifacts.py
    04:38 Writing your parser
    05:35 ALEAPP and other libraries import
    06:53 Main target data parsing function
    07:39 Simple test before full module development
    11:25 Writing the HTML and TSV reports
    13:35 Code sections review
    14:04 Testing the full module
    15:18 Module review and final thoughts
    Links:
    * github.com/abrignoni/ALEAPP
    * github.com/DFIRScience/LEAPP_...
    #DFIR #android #ALEAPP #forensics
    This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing and will probably allow its use.
  • Science & Technology

COMMENTS • 10

  • @AlexisBrignoni
    @AlexisBrignoni 2 years ago

    Really well done. Extremely well done. Thank you so much for this video.

    • @DFIRScience
      @DFIRScience  2 years ago

      Thank you so much! And thank you for making ALEAPP. It's so useful.

  • @chewingthefat3454
    @chewingthefat3454 2 years ago

    Great work.

  • @ronetteprinsloo5048
    @ronetteprinsloo5048 2 years ago

    I want to go through all of your vids eventually. Such great content! Let me know if you are ever looking to mentor someone cause I’d love to be your mentee tbh. Thanks for all the vids

    • @DFIRScience
      @DFIRScience  2 years ago +1

      Thanks a lot. I appreciate it. As for mentoring, just let me know if you have any questions or project ideas. I'll try to help!

  • @cedricvillani8502
    @cedricvillani8502 2 years ago

    What’s the point? With hardware solutions and software

    • @DFIRScience
      @DFIRScience  2 years ago +1

      I'm not sure I understand your question. If a new data structure is found, or something is just not supported yet, you can write your own parser. The procedure to get it to work in ALEAPP is not very clear, so this video should help anyone that wants to parse additional structures. Even if you are just a beginner at parsing data structures for investigations, it is possible to do.

    • @DFIRScience
      @DFIRScience  2 years ago

      Also, we are running an *LEAPP #DFIRDev development competition in November, and this might be helpful - dfir.science/2021/11/WIN-100USD-and-PRIZES-Nov-DFIR-Dev.html

  • @the_mariocrafter
    @the_mariocrafter 5 months ago

    Update the tutorial please