viaExtract is distributed as a virtual machine appliance. This allows us to set up the system with the anticipated software, drivers and configuration, and to support many host operating systems including Microsoft Windows, Apple OS X and Linux. We have tested both the VMware Player and VirtualBox virtual machine software.
To acquire viaExtract, you must first register on viaForensics’ website to gain access to the download site. To register, please visit https://viaforensics.com/register. At this point, you have two options. You can:
- Download the virtual machine appliance, which provides most of the components already installed and configured. To download the viaExtract appliance, visit https://viaforensics.com/products/viaextract/download. Once downloaded, you will need to extract the files from the package.
- Install viaExtract on a Linux workstation which satisfies the following requirements (XUbuntu 10.04 has been the primary test platform):
  - Python 2.7
  - Gnome and GTK
  - The following Ubuntu packages (or equivalent in your Linux distro of choice):
    - gcc python-setuptools python-dev wkhtmltopdf python-jinja2 python-pip
  - pycrypto and paramiko Python libraries (from source)
  - Java SDK
  - Android SDK (make sure you put adb in your path)
  - dc3dd
To install viaExtract, download the viaExtract.ins file from https://viaforensics.com/files/viaExtract/viaExtract.ins
You will need to change permissions on the file to ensure it is executable, and the workstation will need Internet connectivity. Run it using the following command:
sh viaExtract.ins
To run viaExtract, you must install virtual machine software. For this section, we will use VMware Player version 4.0.1, which is available free from VMware’s website, as well as VirtualBox version 4.1.1 (4.1.2 was available at the time, but had issues with Guest Additions). Make sure you download the appropriate file for your host operating system. The links to each of these downloads are as follows:
http://www.virtualbox.org/wiki/Downloads
http://downloads.vmware.com/d/info/desktop_end_user_computing/vmware_player/4.0
Download and install the virtual machine software on your forensic work station, then follow the next steps to start the viaExtract virtual machine (VM).
For VMware, you will want to take the following steps.
- Select the Open a Virtual Machine option.
- Navigate to the location where you extracted the viaExtract folder and select the viaExtract.vmx file.
- The VM should now appear in VMware Player. Simply select it and press Play virtual machine. You will be asked if you moved or copied the virtual machine; accept the default setting (I copied it).
- There is sometimes a notification to install VMware Tools. Postpone this step until after you log in to the VM. The password for the Forensic Analyst user is “forensics”. VMware Tools should have been downloaded as part of the VMware Player installation. Once logged in, you can initiate the process to install VMware Tools by going to Virtual Machine > Install VMware Tools. This is a one-time setup, and will allow for improved graphics performance, shared folders, and other features within the VM. To continue the VMware Tools install, select “Install” when you are prompted to connect the VMware Tools installer CD to the VM.
Now you should see the VMware Tools CD icon on the Desktop. Double click it to mount the CD.
Next, you will need to open a Terminal window located under Applications > Accessories > Terminal (we have also created a shortcut to the Terminal window on the top status bar of the VM). Once open, navigate to the VMware Tools CD mounted in the previous step, find the VMwareTools archive, copy it to another directory, and extract it by running the following commands. Do NOT type the “$”; it signifies the beginning of a command prompt. The archive has to be copied to another directory because the VMware Tools CD is mounted read-only. In this case the archive is VMwareTools-8.8.1-528969.tar.gz; the numbers following VMwareTools may vary. The Downloads directory is used here, but any directory with write and execute permissions will suffice.
$ cd /media/VMware\ Tools/
$ ls
$ cp VMwareTools-8.8.1-528969.tar.gz /home/analyst/Downloads/
$ cd /home/analyst/Downloads/
$ tar xvf VMwareTools-8.8.1-528969.tar.gz
After the extraction, navigate to the newly created directory and execute the install script, accepting all defaults, by running the following commands (if the defaults are to be modified, remove the --default flag from the install script command):
$ cd vmware-tools-distrib/
$ sudo ./vmware-install.pl --default
You may need to enter the analyst password, which is ‘forensics’ by default. Finally, the VM may need to be restarted for the changes to take effect.
For VirtualBox, follow these steps:
- Select “New” to create a new VM.
- Going through the wizard, create a name for your VM and select the Linux/Ubuntu Operating System and Version.
- Select an appropriate amount of memory for the VM. 512MB is standard; however, increasing the memory size will typically make your VM run faster (but your host machine run slower).
- At the “Virtual Hard Disk” screen, select “Use existing hard disk”, then select the folder icon on the right-hand side in order to select a file.
- Complete the process by clicking “Create”. You can then click “Start” on the main VirtualBox screen to load the VM, then log in using the Forensic Analyst user and the password “forensics”.
- Once logged in, you can initiate the process to install VirtualBox Guest Additions by going to Devices > Install Guest Additions. This is a one-time setup, and will allow for improved graphics performance, shared folders, and other features within the VM. You will see the Guest Additions icon appear on the Desktop. Right click it and select “Mount Volume”.
Next, you will need to open a Terminal window located under Applications > Accessories > Terminal (we have also created a shortcut to the Terminal window on the top status bar of the VM). Once open, navigate to the VBOXADDITIONS directory which was mounted in the previous step, and execute the install script by running the following commands. Do NOT type the “$”; it signifies the beginning of a command prompt. In this case the directory is VBOXADDITIONS_4.1.8_75467; the numbers following VBOXADDITIONS may vary.
$ cd /media/VBOXADDITIONS_4.1.8_75467/
$ sudo sh VBoxLinuxAdditions.run
You may need to enter the analyst password, which is ‘forensics’ by default. Finally, the VM may need to be restarted for the changes to take effect.
Upon starting the VM, you will need to log in to the Forensic Analyst account; the password is forensics. It is recommended that each user change this password to something unique. To do this, go to the top-left corner of the VM and select Applications > System > Users and Groups.
Select “Change” next to the password option:
Enter both the current password as well as the one you wish to change it to:
In order to properly connect your Android device to your workstation and use viaExtract, you need to make sure that USB debugging is enabled on the Android device. From the main menu on the device, go to Settings > Applications > Development. Make sure there is a check mark next to USB debugging.
Next, you must connect the Android device to your forensic workstation using a compatible USB cable. The host OS may automatically start to download the necessary drivers for the device. It is likely that you will get a message saying that the device failed to install which will not impact the forensic acquisition. While the host operating system may not have the full drivers installed, once the connection is passed through to the viaExtract virtual machine, the device can be successfully accessed.
Next, you need to pass the Android USB connection through to the viaExtract virtual machine. At the top of the VM, select Virtual Machine > Removable Devices > “Android Device” > Connect. In this case, the Android device was a Droid (Motorola A855); the entry will be different depending on the phone.
Upon selecting the device, check the menu again to make sure that it now says Disconnect next to the Android device. This means that the VM should be able to see the Android device.
When you start viaExtract for the very first time, you will be asked whether you wish to purchase the software, continue using the demo version, or activate the software using an existing license file or activation code.
To purchase viaExtract, select the “I want to purchase viaExtract” option in the Licensing Manager. This will provide the user with the opportunity to purchase viaExtract over the phone (312-268-0551) or via e-mail at sales@viaforensics.com.
viaExtract may also be purchased online at http://viaforensics.com/products/order/.
The user has the option to activate a license by entering their activation code (Internet required) or uploading a license file (no Internet connection necessary). If you do not wish to connect the VM to the Internet, you will need to follow the steps within this section, then continue on to the “Install license file” section.
Upon purchasing the software, the user will receive an e-mail containing the license activation code (if you do not receive this e-mail, please check your Spam folder or send an e-mail to support@viaforensics.com). The user should select the option that says “I have purchased viaExtract, and want to activate a license” which will display the following screen. Fill out each of the fields with the appropriate information, and select “Forward.”
The next screen should display a confirmation that the license installation completed successfully. At this time, the examiner should re-start viaExtract and it will then be ready for use.
If the VM is not connected to the Internet (or if some other error occurs), the license installation will not be successful. In this case, a license file (“license_request.json”) is created on the users desktop, and the user is instructed to e-mail this file to support@viaforensics.com.
In return, you will receive a license file which can be loaded into viaExtract (see next section).
At this point, the examiner should have received an e-mail containing both a “bundle.tar.gz” file and the following text:
Thanks again for purchasing viaExtract. The license file that corresponds to license activation code (XXXXXX) is attached to this email. Follow the instructions in viaExtract to install the file.
If you did not receive the e-mail, please be sure to check your Spam folder or contact support@viaforensics.com.
The bundle.tar.gz file must somehow be copied to the VM. One way would be to use a USB drive. Next, the examiner should start viaExtract and select the option that says “I have a license file that I would like to install.” At this time, browse to the bundle.tar.gz file that was just saved to the VM and click OK.
After selecting the file, the user should see a confirmation screen such as the following. At this time, the software will be ready for use upon restart.
When running viaExtract in demo mode, you will still be able to complete a logical acquisition of an Android device, however each data category is limited to ten records. For example, you will only see 10 text messages, call logs, contacts, etc. Also, access to utilities such as Gesture key decode and Image storage device is only provided to licensed users.
Select New to start a new case.
Step 1: Enter case details – Enter the various details pertaining to your particular case. If you have the output data folder from a previous case extraction using our free AFLogical tool or from a previous viaExtract acquisition, you can save it to the viaExtract VM file system and then load it from there (without the device present). Otherwise, make sure that Extract data from device is selected. You can also designate the location for the acquisition files to be saved to. The default location is /home/analyst/.viaextract/reports. After you have made your selection and chosen whether or not to save the preference, click Forward.
Step 2: Load data - Here is where you need to make sure you followed the previous setup steps. Make sure you have USB debugging enabled, the storage areas aren’t mounted, and the device shows up as connected to the VM. If everything is ready to go, you should see *USB device connection OK, *ADB communication OK, and *Android device (path, Not mounted – okay for logical). If there is an issue or failure, press the Back key and correct it. Once everything is as desired, select OK. When the bar is 100% complete, select Forward.
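As an added example (not part of viaExtract or this manual), the following preflight script mirrors the Step 2 checks by classifying the output of `adb devices` into the same kind of OK/failure messages before you click OK; the sample output and its serial number are constructed, and `--live` runs the check against a real adb.

```shell
#!/bin/sh
# Added example (not part of viaExtract): a preflight for Step 2 that
# classifies the output of `adb devices` the way the viaExtract status
# messages do, so a failed USB pass-through is caught before clicking OK.

# Print the adb state of the first listed device: device, unauthorized,
# offline, or "none" when no device line is present. $1 is the captured
# text of `adb devices`.
adb_device_state() {
    printf '%s\n' "$1" | awk '
        /^List of devices/ { next }   # header line
        /^\*/              { next }   # "* daemon not running ..." notices
        NF >= 2 { print $2; found = 1; exit }   # "<serial><TAB><state>"
        END { if (!found) print "none" }
    '
}

# Map an adb state to a Step 2 style message on stdout and an exit status
# (0 only when the device is usable for a logical acquisition).
report_state() {
    case "$1" in
        device)       echo "*USB device connection OK; *ADB communication OK"; return 0 ;;
        unauthorized) echo "Device visible but USB debugging not accepted on the handset"; return 2 ;;
        offline)      echo "Device listed but offline; reconnect the USB pass-through to the VM"; return 3 ;;
        none)         echo "*USB device connection FAILED: adb sees no device"; return 1 ;;
        *)            echo "Unexpected adb state: $1"; return 4 ;;
    esac
}

# Live check: adb must be on the PATH (the Android SDK requirement above).
preflight() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found in PATH"; return 1; }
    report_state "$(adb_device_state "$(adb devices)")"
}

# Constructed sample output (the serial is made up) for a device that is
# correctly passed through to the VM.
SAMPLE_OK='List of devices attached
040355161B017006	device
'

# Classify the constructed sample; pass --live to query the real adb instead.
if [ "${1:-}" = "--live" ]; then
    preflight
else
    report_state "$(adb_device_state "$SAMPLE_OK")"
fi
```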
Step 3: Select report sections – Here you will most likely select all the sections, but if you choose to, you can manually select which sections of the device you want to include in the report output. Also at this step, the Image storage device utility can be launched.
Step 4: Logs and debug info – Here you will have 4 options.
- The default option is to send sanitized data back to viaForensics. This means that all we get is essentially a blank spreadsheet with the column names generated by the report. We get no actual data from the device, only the way the data appears in the report. This allows us to improve the functionality of viaExtract by noting how certain devices arrange their own internal data. Basically, it helps us create a better product while still allowing for confidentiality.
- The next option is to send sanitized data with debug logs. In addition to what is sent with the sanitized data option, we are also sent debug info that allows us to check for any errors that may arise in the program itself. Again, no user data from the device is sent to viaForensics.
- The third option is to send complete data with debug logs. This sends us all data acquired during the acquisition as well as the debug info. We suggest that you only select this option if you are comfortable with sending us all the data. This option is primarily used to debug issues with an acquisition.
- The final option is to turn the logs off. This means that nothing is sent to viaForensics. It is entirely at the user’s discretion which option to select. We ask that you select either the first or second option, only because it helps us to create a better product.
When you have made your selection and chosen whether or not to save this preference for all future reports, select Apply. When the extraction is complete, select Close and view your full report.
Now you can browse through the extraction report and look for any data that pertains to your case.
The report along with acquired data is saved to the location selected in Step 1. Should you need to reference the report at a later date, simply start viaExtract, select Open, browse to the location of the report and data, and then select the case number you wish to view.
viaExtract has a utility for imaging a storage device such as a SD card or location such as an internal location that presents as a USB device. This utility can be launched at Step 3 during a logical acquisition or by going to Tools -> Image storage device. Once the utility has been launched a list of mounted devices is presented. All devices that are present will be presented including devices that may not be a part of the case such as an external USB drive. Select the device or location to image, enter the Case name and Evidence/Item ID (which may be pre-populated if the utility was launched during a logical acquisition), select the location to store the resulting image and related files, and then click Forward.
You may be prompted for the VM password, as the utility runs some tasks with super user privileges. When the bar is 100% complete, select Forward and you will be presented with the option to open the location containing the image file and a log folder containing logs of the imaging.
viaExtract has a utility for decoding a gesture key (or pattern lock) file. The file is usually located on a device at /data/system/ and must be obtained or accessible (it is manually readable if the device has been rooted). If the file has been extracted from the device, choose option 1, Select a gesture.key file. This will allow you to navigate to the location of the file and select it. If the file is not directly accessible but the contents are known, choose option 2, Enter a 20-byte sha1 hash, and input the contents of the file into the text box.
After clicking Forward, the results are displayed as a set of numbers representing the pattern.
viaExtract receives updates regularly. Updates can include minor bug fixes, extended data sources for extraction, and enhanced reporting capabilities. viaExtract will less regularly receive major version upgrades. All updates and upgrades as of version 1.1 are received through the “Update” icon within viaExtract. This button will be enabled when updates are available. If the VM is unable to be connected to the Internet, please contact support@viaforensics.com for update options.
Q. What is viaExtract?
A. viaExtract is a forensic application developed by viaForensics. Currently, it supports the logical acquisition from an Android device and includes additional utilities such as a gesture key decode utility and a utility to image storage devices such as SD cards. Over time, additional modules will be added which can be purchased and provide additional features such as support for Android Physical acquisitions. Additional functionality is planned and will be announced on viaForensics’ website.
Q. What can be obtained from a logical acquisition?
A. From the logical acquisition, viaExtract can obtain a number of items. These include browser bookmarks, browser searches, call logs, contact phone numbers, contacts, IM Accounts, IM Contacts, IM Messages, MMS Messages, SMS Messages as well as images and videos stored on the device.
Q. Why is there an option to send info back to viaForensics every time I run viaExtract?
A. This is because you are a nice person. viaExtract is an extremely powerful program, but it is also a new program, which means there are going to be bugs to fix. There are so many Android devices out on the market and each one has subtle differences to it. By sending us the sanitized data, you are sending us the information on how the device you are testing groups its own internal data. This is helpful to us because we can then update the program to properly display information for all devices.
Q. Why are there some blank fields in the case report?
A. This relates back to the previous question regarding sending info back to viaForensics. Because there are so many Android devices out on the market with their own subtle nuances, we programmed viaExtract with a very broad range of groups to obtain information from the device. This was done to cover our bases so that viaExtract will work early on with the majority of the Android devices. As we get more and more info and logs from users like you, we will update the software to display only the necessary groups for each particular device.