Skip to content

andrebalen/MobileForensics

BranchesTags
Β 
Β 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

90 Commits
README.md
README.md
Β 
Β 

Repository files navigation

logo avilla 800

Avilla Forensics 3.5 - (v1_0_0_264)

⭐️ Project description:

  • I have a passion for mobile digital forensics and the art of data extractions.
  • Free Mobile Forensics Tool that allows you to:
  • It is important that you take the training to ensure greater security and success in acquisitions without data loss (Brief training in the English language).
  • Γ‰ importante que vocΓͺ faΓ§a o treinamento para garantir maior seguranΓ§a e sucesso nas aquisiçáes sem perda de dados, veja no final da pΓ‘gina.
  1. Backup ADB.
  2. APK Downgrade in 15 Apps: WhatsApp (com.whatsapp), Telegram (org.telegram.messenger), Messenger (com.facebook.orca), ICQ (com.icq.mobile.client), Twitter (com.twitter.android), Instagram (com.instagram.android), Signal (org.thoughtcrime.securems), Linkdin (com.linkedin.android), Tiktok (com.zhiliaoapp.musically), Snapchat (com.snapchat.android), Tinder (com.tinder), Badoo (com.badoo.mobile), Mozilla Firefox (org.mozilla.firefox), Dropbox (com.drobox.android), Alibaba (com.alibaba.intl.android.apps.poseidon)).
  3. Parser Chats WhatsApp.
  4. (NEW) Whatsapp .opus audio transcription and transcription plot in CHATS HTML PARSER:
  5. Miscellaneous ADB collections: (System Properties (Full), Dumpsys (Full), Disktats (Disk Information), Android Geolocation Dump (Location Manager State), IMEI (01 ,02), S/N (Serial Number), Processes, TCP (Active Internet connections), Accounts (UserInfo), DUMP Wifi, DUMP Detailed Wifi, CPU Information, Memory Information, Display Information (WINDOW MANAGER DISPLAY CONTENTS), Resources, Resolution (Physical size), Screen Dump (.XML file), Dump Backup (Backup Manager is enabled), List Installed Third-Party Applications, List Native System Applications, Contacts, SMS, System Events, Active Users, Android Version, DB Info (Applications Database Info), On/Off History, LogCat, Space In Use Information, Carrier, Bluetooth (Bluetooth Status), Image File Location, Audio File Location, Video File Location, Face Recognition DUMP, Global Settings, Security Settings a, System Settings, Remove/Add PIN (Requires current PIN), DUMP ADB (ADB Connections), Reboot, Reboot Recovery Mode, Reboot Bootloader Mode, Reboot Fastboot Mode.
  6. Tracking, Downloading and Decryption of Whatsapp .ENC files.
  7. Contact List Search.
  8. Deleted WhatsApp Photos Avatars and Contacts.
  9. (NEW) Decrypting WhatsApp Databases Crypt 14/15
  10. Screenshots.
  11. Screen DUMP.
  12. Chat Capture.
  13. Automatic integration with IPED.
  14. (NEW) Access Through the Tool to IPED Tools.
  15. Automatic integration with AFLogical.
  16. Automatic integration with Alias Connector.
  17. Conversion from .AB to .TAR.
  18. Fast Scan and Real-time Transfer .
  19. Image Finder (Hash, Metadata, Geolocation, Plotting the location on Google Maps and Google Earch).
  20. Plotting (IN BATCHES) of the Geolocation of images on Google Earch (geo.kml) with patch and thumbnails of the images.
  21. Installing and Uninstalling APKs via ADB.
  22. HASH Calculator.
  23. Android Folder Browser (PULL and PUSH).
  24. Device Mirroring.
  25. Instagram Data Scraping.
  26. General single copy
  27. Automatic integration with MVT-1.5.3.
  28. Access Through the Tool to JADX.
  29. Access Through the Tool to WhatsApp Viewer.
  30. Access Through the Tool to the BCV.
  31. Access Through the Tool to SQLStudio.
  32. PRUNE GPS Tool Access.
  33. Access Through the Tool to jExiftool GUI.
  34. Conversion of .csv/.txt files with GEOLIZATION information provided by court decisions into .KML for police investigations.
  35. Merge WhatsApp DATABASES

4

πŸ•΅οΈ Functionalities:

πŸ€– Backup ADB:

  • Android default backup.

πŸ“± APK Downgrade in 15 Applications (Access to root files without the need for ROOT):

APKS

  • WhatsApp (com.whatsapp)

  • Telegram (org.telegram.messenger)

  • Messenger (com.facebook.orca)

  • ICQ (com.icq.mobile.client)

  • Twitter (com.twitter.android)

  • Instagram (com.instagram.android)

  • Signal (org.thoughtcrime.securems)

  • Linkdin (com.linkedin.android)

  • Tiktok (com.zhiliaoapp.musically)

  • Snapchat (com.snapchat.android)

  • Tinder (com.tinder)

  • Badoo (com.badoo.mobile)

  • Mozilla Firefox (org.mozilla.firefox)

  • Dropbox (com.drobox.android)

  • Alibaba (com.alibaba.intl.android.apps.poseidon)

  • Examples:

24

Screenshot_20210621-140950

whats

files-whats

πŸ›  DOWNGRADE APK Test:

  • The tool does a test in a generic application (com.aplicacaoteste.apk) before starting the DOWNGRADE process in the target APP.
  • Tips: XIAOMI phones may come with USB protections, remove these protections without taking the device out of airplane mode by following the steps below:

πŸ’¬ (NEW) Parser Chats WhatsApp from NEW Database SCHEME:

  1. Select the Chats destination folder (Copy the "Media" folder in this same location).
  2. Select the folder: \com.whatsapp\f\Avatars
  3. Select the .DB file: \com.whatsapp\db\msgstore.db

  • (NEW) In the "Generate Whatsapp Chats" modules it is possible to plot the transcripts in HTML.

  • (NEW) You can also transcribe the audios along with Whatsapp parser process.

  • New Schema (Table: message):

  • Fields:

  • _id, chat_row_id, from_me, key_id, sender_jid_row_id, status,broadcast, recipient_count, participant_hash, origination_flags, origin, timestamp received_timestamp, receipt_server_timestamp, message_type, text_data (Mensagens), starred, lookup_tables, message_add_on_flags, sort_id

2022-04-17 (5)

2022-04-17 (8)

chats

πŸ’¬ (NEW) Parser Chats WhatsApp from previous database schema:

  1. Select the Chats destination folder (Copy the "Media" folder in this same location).
  2. Select the folder: \com.whatsapp\f\Avatars
  3. Select the .DB file: \com.whatsapp\db\msgstore.db

  • (NEW) In the "Generate Whatsapp Chats" modules it is possible to plot the transcripts in HTML.

  • (NEW) You can also transcribe the audios along with Whatsapp parser process.

  • Old Schema (Table: messages)

  • Fields:

  • _id, key_remote_jid, key_from_me, key_id, status, needs_push, data (Mensagens), timestamp, media_url, media_mime_type, media_wa_type, media_size, media_name, media_caption, media_hash, media_durationorigin, latitude, longitude, thumb_image, remote_resource, received_timestamp, send_timestamp, receipt_server_timestamp, receipt_device_timestamp, read_device_timestamp, played_device_timestamp, raw_data, recipient_count, participant_hash, starred, quoted_row_id, mentioned_jids, multicast_id, edit_version, media_enc_hash, payment_transaction_id, forwarded, preview_type, send_count, lookup_tables, future_message_type, message_add_on_flags.

2022-04-17

2022-04-17 (4)

πŸ’¬ (NEW) Whatsapp .opus audio transcription and transcription plot in CHATS HTML PARSER:

  • In the "OPUS audio transcription" module you can transcribe one or thousands of audios at the same time.
  • In the "Generate Whatsapp Chats" modules it is possible to plot the transcripts in HTML.
  • You can also transcribe the audios along with Whatsapp parser process.
  • Generate HTML report with transcribed texts, hash, contact linked to audio and chat linked to audio.

Print-Opus

Print-Opus1

parser

Print_relatorio-audios

πŸ“± Miscellaneous ADB collections in .TXT format:

  • System Properties (Full).
  • Dumpsys (Complete).
  • Disktats (Disk information).
  • Android Geolocation Dump (Location Manager State).
  • IMEI (01 .02).
  • Y/N (Serial Number).
  • Law Suit.
  • TCP (Active Internet connections).
  • Accounts (UserInfo).
  • DUMP Wifi.
  • Detailed Wifi DUMP.
  • CPU information.
  • Memory Information.
  • Display Information (WINDOW MANAGER DISPLAY CONTENTS).
  • Resources.
  • Resolution (Physical size).
  • Screen Dump (.XML file).
  • Dump Backup (Backup Manager is enabled).
  • List Installed Third-Party Applications.
  • List Native System Applications.
  • Contacts.
  • SMS.
  • System Events.
  • Active Users.
  • Android version.
  • DB Info (Applications Database Info).
  • On/Off History.
  • LogCat.
  • Space in Use Information.
  • Operator.
  • Bluetooth (Bluetooth Status).
  • Location of Image Files.
  • Location of Audio Files.
  • Location of Video Files.
  • Face Recognition DUMP
  • Global Settings.
  • Security Settings.
  • System Settings.
  • Remove/Add PIN (Requires current PIN).
  • DUMP ADB (Connections ADB).
  • Reboot.
  • Reboot Recovery Mode.
  • Reboot Bootloader Mode.
  • Reboot Fastboot Mode.

2022-04-03 (4)

  • Examples:
  • Dump ADB: ADB.txt, in this example we can check the last computer connected via ADB with the device:

ADBc

  • Dumpsys: dumpsys.txt, in addition to bringing thousands of device information, in this example we can check the uninstall date of an application:

delete

  • Note: The information can be in Unix Timestamp time format, use the link below to convert:
  • 1649374898421 (Unix Timestamp) = Thu Apr 07 2022 23:41:38 GMT+0000 (GMT)
  • https://www.unixtimestamp.com/

⚑️ (NEW) Tracking, Downloading and Decrypting Whatsapp .ENC Files:

2022-04-10

  • Generate the Script and run the generated .bat file.

"C:\Forensics\bin\whatsapp-media-decrypt\decrypt.py"

⚑️ (NEW) Contact List Search, Avatar Photos and Deleted WhatsApp Contacts:

  1. Select the folder: \com.whatsapp\f\Avatars
  2. Select .DB file: \com.whatsapp\db\wa.db

contatos

(NEW) πŸ“ WhatsApp Database Decryption:

  • Crypt14.
  • Crypt15.

3

πŸ“Έ Screenshots, Screen DUMP and Chat Capture:

2022-04-03 (1)

2022-04-03 (2)

πŸš€ Automatic integration with IPED:

  • Indexing of folders, .zip, .tar, .dd, .ufdr.

2022-04-03 (3)

2022-04-03 (11)

πŸš€ (NEW) Access Through the Tool to IPED Tools.

  • "C:\Forensics\bin\IPEDTools\IPEDTools.exe"

2

πŸš€ Automatic integration with AFLogical OSE 1.5.2:

  • Performs the acquisition automatically without user intervention.
  • "C:\Forensics\bin\AFLogicalOSE152OSE.apk"

af

πŸš€ Automatic integration with Alias Connector:

  • Performs the acquisition automatically without user intervention.
  • "C:\Forensics\bin\com.alias.connector.apk"

alias

πŸ“ Conversion from .AB to .TAR:

  • Passworded ADB backups may take longer to convert.
  • Try not to put passwords in the backups requested in "ADB Backup" or "Downgrade", so you speed up the conversion process.
  • If this module doesn't work, try to add the "C:\Forensics" patch to the system variables

variaveis

β™» Fast Scan and Real-time Transfer:

  • Images: .jpg, .jpeg, .png, .psd, .nef, .tiff, .bmp, .tec, .tif, .webp
  • Videos: .aaf, .3gp, .asf, .avi, .m1v, .m2v, .m4v, .mp4, .mov, .mpeg, .mpg, .mpe, .mp4, .rm, .wmv, .mpv , .flv, .swf
  • Audios: .opus, .aiff, .aif, .flac, .wav, .m4a, .ape, .wma, .mp2, .mp1, .mp3, .aac, .mp4, .m4p, .m1a, .m2a , .m4r, .mpa, .m3u, .mid, .midi, .ogg
  • Archives: .zip, .rar, .7zip, .7z, .arj, .tar, .gzip, .bzip, .bzip2, .cab, .jar, .cpio, .ar, .gz, .tgz, .bz2
  • Databases: .db, .db3, .sqlite, .sqlite3, .backup (SIGNAL)
  • Documents: .htm, .html, .doc, .docx, .odt, .xls, .xlsx, .ppt, .pptx, .pdf, .txt, .rtf
  • Executables: .exe, .msi, .cmd, .com, .bat, .reg, .scr, .dll, .ini, .apk

2022-04-03 (5)

πŸ”  Image Finder (Hash, Metadata, Geolocation, Plot location on Google Maps and Google Earch):

  • Note: For this module DO NOT save your acquisitions on the Desktop, save for example in "C:\folder_name\collection_01" to run the image search.

2022-03-31 (2)

2022-03-31 (3)

Video_1648769895.00_00_00-00_01_39.00_00_00-00_01_35.00_00_07-.mp4

πŸ“œ (NEW) Plot (BATCH) of Geolocation of images on Google Earch (geo.kml) with patch and thumbnails of images:

  • Note: To plot the thumbnails along with the yellow points, download Google Earch Pro, if you plot on Google Earch Online, only the blue points will be plotted without the images.
  • Click on GENERATE KML to batch generate the geo.kml file

geo

2022-04-06

2022-04-10 (6)

2022-04-10 (8)

2022-04-10 (9)

πŸ›  Installing and Uninstalling APKs via ADB:

  • .APK files

⏳ HASH Calculator:

  • Note: For this module DO NOT save your acquisitions on the Desktop, save for example in "C:\folder_name\collection_02" to calculate the Hashs of the files.
  • Calculates the Hash of all files in an acquisition.
  • SHA-256.
  • SHA-1.
  • SHA-384.
  • SHA-512.
  • SHA-MD5.

2022-03-28 (9)

πŸ“± (NEW) Android Folder Browser (PULL and PUSH):

  • A Simple folder browser to PULL and PUSH files or folders.

2022-04-10 (1)

πŸŽ₯ Device Mirroring:

  • "C:\Forensics\bin\scrcpy"

espeçhamento

πŸš€ Instagram data scraping:

2022-04-03 (7)

πŸš€ General single copy:

  • If you have problems with "adb pull" or "adb backup", copy all files from the device in separate processes, copying one at a time.

1

πŸš€ Automatic integration with MVT-1.5.3:

  • "C:\Forensics\bin\mvt-1.5.3\mvt.bat"

mvt

πŸš€ Access Through the Tool to JADX (Dex to Java Decompiler):

  • "C:\Forensics\bin\jadx-1.2.0\jadx-gui-1.2.0-no-jre-win.exe"

πŸš€ Access Via Tool to WhatsApp Viewer:

  • "C:\Forensics\bin\WhatsAppViewer.exe"

πŸš€ Access Through the Tool to BCV (Byte Code Viewer):

  • "C:\Forensics\bin\bycodeviewer\GUI-ByteCode.bat"

πŸš€ Access Through the Tool to SQLStudio:

  • "C:\Forensics\bin\SQLiteStudio\SQLiteStudio.exe"

πŸš€ PRUNE GPS Tool Access:

  • "C:\Forensics\bin\gpsprune\GUI-GPSPrune.bat"

πŸš€ Access Through the Tool to jExiftool GUI:

  • "C:\Forensics\bin\exiftoolgui\jExifToolGUI.exe"

πŸ“± Conversion of .csv/.txt files with GEOLIZATION information provided by court decisions into .KML for police investigations.

  • Plotting thousands of points on the map in seconds
  • In this example below, more than 36 thousand points were plotted on the map
  • Example data from .csv file: 2022-04-15T02:59:45.368Z,2022-04-15T02:59:45.368, (Latitude/Column 2) -23.7416538, (Longitude/Column 3) -46.5744873,15,WIFI,1663554331,ANDROID

print-kml-1

plotagem2

plotagem3

(NEW) πŸ“± Merge WhatsApp DATABASES:

  • "C:\Forensics\bin\merge\merge_databases_exe\merge_databases.exe -lv"

merge

βš™οΈ Tool Prerequisites:

  • TECHNICAL knowledge of Forensics in Mobile Devices.
  • Minimal computer knowledge
  • Device with DEBUG mode activated.
  • Windows 10/11 with its proper updates.

βš™οΈ Prerequisites Third-Party Tools:

πŸ“‹ Trainings (Portuguese)

Banner sympla Extração Lógica Avançada com Avilla Forensics

πŸ“‹ Trainings (English)

  • In progress

πŸ’» Installation Avilla Forensics 3.5

  • Extract the tool from "C:\Forensics-3-5".
  • Do not put spaces in the tool folder name.

INSTALL

πŸ’» Installing Third-Party Tools

Requires JAVA (https://www.java.com/pt-BR/):

  • IPED-4.1.1: "C:\Forensics\IPED-4.0.6_and_plugins" (Just install JAVA).
  • IPED Tools: "C:\Forensics\bin\IPEDTools\IPEDTools.exe" Just install JAVA).
  • Bycode Viewer: "C:\Forensics\bin\bycodeviewer" (Just install JAVA).
  • Jadx-1.2.0: "C:\Forensics\bin\jadx-1.2.0" (Just install JAVA).
  • Backup Extractor: "C:\Forensics\backup_extractor" (Just install JAVA).
  • The Backup Extractor module (.AB to .TAR) may require you to add the "C:\Forensics" patch to the system variables.
  • GPS PRUNE: "C:\Forensics\bin\gpsprune" (Just install JAVA).
  • jExiftool GUI: "C:\Forensics\bin\exiftoolgui\jExifToolGUI.exe" (Just install JAVA).

Requires python (https://www.python.org/):

  • Instaloader: To install run the file "C:\Forensics\bin\instaloader-master\install_instaloader.bat" or:

pip install instaloader

  • MVT-1.5.3: To install run the file "C:\Forensics\bin\mvt-1.5.3\install_mvt.bat" or:

pip install mvt

  • Whacipher: To install run the file "C:\Forensics\bin\install_whacipher.bat" or:

pip install --upgrade -r requirements.txt

  • WhatsApp-Crypt14-Crypt15-Decrypt: To install run the file "C:\Forensics\bin\WhatsApp-Crypt14-Crypt15-Decrypter-main\install-Decrypter.bat" or:

pip install -r requirements.txt

🌐 Download

(NEW) Translated into english (v1_0_0_264) - (1.94 GB)

πŸš€ Donate:

py

βš™οΈ Technologies used

  • C#.
  • Python.
  • Java.

πŸš€ License

  • Free Software.

πŸ€– Contacts

πŸ“± Third-party tools included in the package

😎 Thanks

LogoGrandecopy

About

derivated from Avilla Forensics 3.0

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published