Andriller is a software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. It has other features, such as powerful lockscreen cracking for Pattern, PIN code or Password, and custom decoders for app data from Android (and some Apple iOS) databases, used to decode communications. Extraction and decoders produce reports in HTML and Excel (.xlsx) formats.


Basic Setup

Andriller comes as a lightweight Setup installer for Windows (XP, Vista, 7, 8). It only requires the Microsoft Visual C++ 2010 Redistributable Package (x86), USB drivers for your Android device, and a web browser for viewing the results. Simple.


Features

  • Automated data extraction and decoding
  • Data extraction from non-rooted devices via Android Backup (Android versions 4.x)
  • Data extraction with root permissions: root ADB daemon, CWM recovery mode, or SU binary (Superuser/SuperSU)
  • Selection of individual database decoders for Android and Apple
  • Decryption of encrypted WhatsApp archived databases (msgstore.db.crypt, msgstore.db.crypt5, msgstore.db.crypt7)
  • Lockscreen cracking for Pattern, PIN, Password
  • Unpacking the Android backup files

Database Decoders

This feature allows importing individual app database files for automated parsing of the data. There are decoders mainly for Android and some for Apple iOS apps. Once successfully decoded, the reports are shown in your web browser. Databases can be exported from mainstream forensic tools, such as XRY, Cellebrite UFED and Oxygen Forensic, and imported into Andriller for individual decoding; Andriller's decoded output is often cleaner than that of the originating tool.

  • Synchronised accounts
  • Phonebook contacts
  • Call logs register
  • Call logs (Samsung) register
  • SMS (Samsung) snippets
  • SMS messages
  • Wi-Fi passwords (WPA-PSK/WEP)
  • Android browser saved passwords
  • Android browser browsing history
  • Google Chrome saved passwords
  • Google Chrome browsing history
  • BBM BlackBerry Messenger (Android, Apple iOS) chat messages
  • Dolphin browser history
  • E-mails (default app)
  • Facebook chat/messenger messages
  • Facebook user notifications
  • Facebook user viewed photographs
  • Kik Messenger chat messages
  • WhatsApp contacts list
  • WhatsApp chat messages
  • Viber call logs
  • Viber chat messages
  • Tinder chat messages
  • MeowChat messages
  • Skype calls logs
  • Skype messages
  • Grindr (Apple iOS) messages/users

This list will be getting bigger in the future!


Data Extraction from Androids

Connect the Android device with a USB cable, with USB Debugging enabled on the device, and make sure its drivers are installed on the PC.

First, select the [Output] directory where the extracted data should be saved. Second, click [Check] to confirm that Andriller has detected the connected device. Optionally, tick the options to open the report when the extraction completes, or to ignore root permissions (Andriller then extracts by the Android Backup method, available on Android 4.x). To begin, hit the [Go!] button. Andriller runs the extraction, downloads the data and decodes it all in one pass.

Note 1: Android 4.2.2 and later requires the device to authorise the PC: accept the RSA key fingerprint prompt on the device, and tick the box to remember this PC for future connections. Bear in mind that accepting the prompt writes the PC's public key to the device, so record this step in your examination notes.

Note 2: Devices with the Superuser or SuperSU app require root access to be authorised from an unlocked screen. Please grant the permission when prompted.


Reporting

After the data extraction finishes, all data is saved in a folder inside the output directory specified before extraction. The main index file of the extraction is REPORT.html. It contains a summary of the examined device and lists all data extracted; from there you can navigate to the individual data sets, such as SMS or Contacts.

There will also be the following files and folders, which may be of interest:

db/ - folder where downloaded databases are stored
db/md5sums.txt - file containing MD5 hashes of the databases as downloaded, computed before any decoding took place;
log-errors.txt - text file containing a log of any downloading or decoding failures or errors;
backup.ab - if the backup method was used, the full backup file is also stored in the directory.
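The md5sums.txt manifest is only useful if someone re-checks it. The script below, added here as an example and not part of Andriller, recomputes the MD5 of every database listed in db/md5sums.txt and reports each file as OK, MISMATCH or MISSING. It assumes the manifest uses the usual md5sum layout ("<32 hex digits>  <filename>", paths relative to the db/ folder); that layout, the sample file names and the constructed extraction folder are assumptions for the demonstration, not taken from the page.

```python
"""Verify the db/md5sums.txt manifest an Andriller extraction leaves behind.

Added example, not part of Andriller. Assumes the manifest uses the common
md5sum layout: one "<32 hex digits>  <filename>" entry per line, with
filenames relative to the db/ folder (an assumption; check the real file).
"""
import hashlib
import os
import tempfile


def parse_manifest(text):
    """Return {filename: expected_md5} from md5sum-style manifest text.

    Tolerates the '*' binary-mode marker and blank lines; rejects lines that
    do not carry a 32-hex-digit digest.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        digest, _, name = line.partition(" ")
        name = name.strip()
        if name.startswith("*"):          # md5sum writes '*' before binary-mode names
            name = name[1:]
        if len(digest) != 32 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError("malformed manifest line: %r" % raw)
        entries[name] = digest.lower()
    return entries


def md5_of_file(path, chunk=1 << 16):
    """Stream the file through MD5 so large databases do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_extraction(extraction_dir):
    """Check every database listed in db/md5sums.txt.

    Returns {filename: "OK" | "MISMATCH" | "MISSING"}. A MISMATCH means the
    file (or the manifest) changed after acquisition; do not rely on anything
    decoded from it until that is explained.
    """
    db_dir = os.path.join(extraction_dir, "db")
    with open(os.path.join(db_dir, "md5sums.txt"), "r") as fh:
        expected = parse_manifest(fh.read())
    results = {}
    for name, digest in expected.items():
        path = os.path.join(db_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif md5_of_file(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def build_sample_extraction():
    """Create a constructed extraction folder (sample data, not from a real device)."""
    root = tempfile.mkdtemp(prefix="andriller_demo_")
    db_dir = os.path.join(root, "db")
    os.mkdir(db_dir)
    files = {"contacts2.db": b"SQLite format 3\x00sample-contacts",
             "mmssms.db": b"SQLite format 3\x00sample-sms",
             "gesture.key": b"\x00" * 20}
    lines = []
    for name, content in files.items():
        with open(os.path.join(db_dir, name), "wb") as fh:
            fh.write(content)
        lines.append("%s  %s" % (hashlib.md5(content).hexdigest(), name))
    # Simulate two problems: a database altered after hashing, and one that went missing.
    with open(os.path.join(db_dir, "mmssms.db"), "ab") as fh:
        fh.write(b"tampered")
    os.remove(os.path.join(db_dir, "gesture.key"))
    with open(os.path.join(db_dir, "md5sums.txt"), "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return root


if __name__ == "__main__":
    for name, status in sorted(verify_extraction(build_sample_extraction()).items()):
        print("%-9s %s" % (status, name))
```

MD5 is fine for detecting accidental corruption, which is what the manifest is for, but it is no longer collision resistant; if the hashes will be relied on as evidence, record SHA-256 values alongside them at acquisition time.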


Lockscreens Bypass

Andriller has the means of decoding pattern locks, and cracking PIN codes and Passwords.

Pattern, PIN and Password Cracking
These features need more processing power, so they are best run locally on your own machine. The methods are explained below.

Get Salt from...
The salt is an integer value required for cracking PINs and passwords; it can be positive or negative. It is obtained by parsing the settings.db or locksettings.db file (the lockscreen.password_salt entry); when fetched successfully, the salt value is printed in the main terminal window.


Gesture Pattern Decoding

To decode a Pattern lock, click [Browse] and select the gesture.key file, taken from /data/system/gesture.key on the Android device.

Alternatively, enter the gesture pattern hash (the contents of the gesture.key file as a hexadecimal string) and click [Decode].

When decoded, the pattern is shown as a sequence list. Once the Pattern field is filled, click [Draw] to display the pattern in visual form.

Right-click on the drawn pattern to save it as a PostScript file.

Tip: if you wish to draw a pattern but have no gesture hash or key file, double-click the disabled Pattern field to re-enable it for editing. Enter the pattern as a list and click [Draw]. The pattern will be drawn and can be saved as a file.
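Why a gesture.key can be "decoded" rather than cracked: the file holds the raw SHA-1 of the dot sequence with no salt, so the whole space of patterns can be searched in seconds. The script below is an added example, not Andriller's code; it reproduces the stock Android (up to 5.x) gesture.key format, filters out sequences a user could not physically draw, and renders the result as the sequence list and a 3x3 drawing like the [Draw] view. The L-shaped sample pattern is constructed for the demonstration, not taken from a real device.

```python
"""Decode an Android gesture.key (pattern lock as stored up to Android 5.x).

Added example, not Andriller's code. gesture.key stores the raw 20-byte
SHA-1 of the pattern, one byte per visited dot, dots numbered 0..8 from
top-left to bottom-right. There is no salt, so every pattern of 4 to 9
distinct dots can be searched exhaustively (under one million candidates).
"""
import hashlib
import itertools

GRID = 3                      # 3x3 dot matrix, dot index = row * 3 + column


def pattern_hash(dots):
    """SHA-1 over the dot indices, exactly as written to gesture.key."""
    return hashlib.sha1(bytes(dots)).digest()


def is_drawable(dots):
    """Android's rule: a stroke cannot jump over a dot that has not been visited yet.

    A skipped dot exists only when start and end share a row, a column or a
    full diagonal with one dot between them; the midpoint is then that dot.
    """
    visited = {dots[0]}
    for a, b in zip(dots, dots[1:]):
        ra, ca = divmod(a, GRID)
        rb, cb = divmod(b, GRID)
        if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
            mid = ((ra + rb) // 2) * GRID + (ca + cb) // 2
            if mid not in visited:
                return False
        visited.add(b)
    return True


def decode_gesture(key_hex, min_len=4, max_len=9, drawable_only=True):
    """Return the dot sequence hashing to key_hex, or None.

    Shortest patterns are tried first; drawable_only skips sequences a user
    could never have entered, which also trims the search.
    """
    target = bytes.fromhex(key_hex.strip())
    if len(target) != 20:
        raise ValueError("gesture.key must be 20 bytes (40 hex digits)")
    for length in range(min_len, max_len + 1):
        for dots in itertools.permutations(range(GRID * GRID), length):
            if drawable_only and not is_drawable(dots):
                continue
            if pattern_hash(dots) == target:
                return list(dots)
    return None


def draw(dots):
    """ASCII rendering: each dot shows its 1-based position within the stroke."""
    order = {dot: str(i + 1) for i, dot in enumerate(dots)}
    return "\n".join(" ".join(order.get(r * GRID + c, ".") for c in range(GRID))
                     for r in range(GRID))


if __name__ == "__main__":
    # Constructed sample: the L-shaped stroke 0 -> 3 -> 6 -> 7 -> 8 (not from a real device).
    sample_key = pattern_hash([0, 3, 6, 7, 8]).hex()
    found = decode_gesture(sample_key)
    print("gesture.key:", sample_key)
    print("pattern:", found)
    print(draw(found))
```

Because the hash is unsalted, a precomputed table of all drawable patterns (a rainbow table of under a million rows) gives the same answer as an instant lookup, which is what makes pattern locks the weakest of the three lockscreen types.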


Lockscreen PIN code cracking

  1. Select the start and maximum value of the PIN code. By default the maximum is 9999; increase it if required.
  2. Enter the contents of the password.key file.
  3. Enter the salt value as an integer.
  4. Press Start to begin cracking.

Once Start is clicked, the progress is displayed as a percentage.

You can pause and resume cracking at any time. The last PIN tried is shown so you can see how far the search has progressed.

Samsung cracking is also included, as Samsung uses a different type of password hashing from other Android vendors.


Lockscreen Password cracking

  1. Click Browse and select a word list file (recommended word list files are available for download).
  2. Enter the contents of the password.key file.
  3. Enter the salt value as an integer.
  4. Press Start to begin cracking.

Once Start is clicked, the password currently being tried is displayed.

You can pause and resume cracking at any time, just as with PIN cracking.

Samsung cracking is also included, as Samsung uses a different type of password hashing from other Android vendors.


Lockscreen Password brute force

  1. Select the maximum length of the password.
  2. Select the characters believed to have been used in the password: combinations of lower/upper case letters, digits, or custom characters.
  3. Enter the contents of the password.key file.
  4. Enter the salt value as an integer.
  5. Press Start to begin cracking.

Unlike the other methods, brute force cracking cannot be paused and resumed.
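The three password.key procedures above (PIN range, word list, brute force) and the salt lookup all rest on one scheme, shown here as an added example that is not Andriller's code. Stock Android (pre-Marshmallow) writes password.key as uppercase hex of SHA-1(password + salt) followed by MD5(password + salt), where the salt is the signed 64-bit lockscreen.password_salt value rendered as lowercase hex, which is why a negative salt still works. The in-memory locksettings.db, its salt value and the test passwords are constructed for the demonstration; the Samsung vendor scheme is different and is not implemented here.

```python
"""Recover a lockscreen PIN or password from Android's password.key.

Added example, not Andriller's code. Re-implements the stock AOSP
(pre-Marshmallow) scheme: password.key holds uppercase hex of
SHA-1(password + salt) followed by MD5(password + salt); the salt is the
signed 64-bit lockscreen.password_salt rendered as lowercase hex (two's
complement when negative). Samsung's vendor scheme is not covered.
"""
import hashlib
import itertools
import sqlite3
import string

def salt_to_hex(salt):
    """Java's Long.toHexString(): lowercase, unpadded, two's complement."""
    return format(salt & 0xFFFFFFFFFFFFFFFF, "x")

def android_hash(password, salt):
    """The 72-hex-digit string stored in /data/system/password.key."""
    data = (password + salt_to_hex(salt)).encode()
    return (hashlib.sha1(data).hexdigest() + hashlib.md5(data).hexdigest()).upper()

def parse_password_key(text):
    """Validate the file contents and split them into (sha1_hex, md5_hex)."""
    key = text.strip().upper()
    if len(key) != 72 or any(c not in "0123456789ABCDEF" for c in key):
        raise ValueError("password.key should hold 72 hex digits")
    return key[:40], key[40:]

def _matches(candidate, sha1_hex, salt):
    # The SHA-1 half alone identifies the password; the MD5 half is redundant.
    data = (candidate + salt_to_hex(salt)).encode()
    return hashlib.sha1(data).hexdigest().upper() == sha1_hex

def crack_pin(key_text, salt, start=0, max_value=9999):
    """Count from start to max_value; PINs keep leading zeros, so 42 is tried as '0042'."""
    sha1_hex, _ = parse_password_key(key_text)
    widths = range(4, len(str(max_value)) + 1)     # Android PINs are at least 4 digits
    for n in range(start, max_value + 1):
        for width in widths:
            candidate = str(n).zfill(width)
            if len(candidate) == width and _matches(candidate, sha1_hex, salt):
                return candidate
    return None

def crack_wordlist(key_text, salt, words):
    """Dictionary attack over any iterable of candidates, e.g. an open word list file."""
    sha1_hex, _ = parse_password_key(key_text)
    for word in words:
        word = word.rstrip("\r\n")
        if word and _matches(word, sha1_hex, salt):
            return word
    return None

def crack_bruteforce(key_text, salt, charset, max_len, min_len=1):
    """Exhaustive search over charset, shortest candidates first."""
    sha1_hex, _ = parse_password_key(key_text)
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if _matches(candidate, sha1_hex, salt):
                return candidate
    return None

def read_salt(conn):
    """lockscreen.password_salt from settings.db ('secure' table, Android < 4.4)
    or locksettings.db ('locksettings' table, Android 4.4+)."""
    for table in ("secure", "locksettings"):
        try:
            row = conn.execute("SELECT value FROM %s WHERE name = 'lockscreen.password_salt'"
                               % table).fetchone()
        except sqlite3.OperationalError:        # this table does not exist in the database
            continue
        if row is not None:
            return int(row[0])
    raise LookupError("lockscreen.password_salt not found")

def demo_salt_lookup():
    """Constructed in-memory locksettings.db (sample data, not from a real device)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE locksettings (_id INTEGER PRIMARY KEY, name TEXT, user INTEGER, value TEXT)")
    conn.execute("INSERT INTO locksettings (name, user, value) VALUES "
                 "('lockscreen.password_salt', 0, '-1234567890123456789')")
    return read_salt(conn)

if __name__ == "__main__":
    salt = demo_salt_lookup()
    print("salt %d -> hex %s" % (salt, salt_to_hex(salt)))
    pin_key = android_hash("2580", salt)          # constructed password.key contents
    print("PIN:", crack_pin(pin_key, salt))
    pw_key = android_hash("ab1", salt)
    print("brute force:", crack_bruteforce(pw_key, salt, string.ascii_lowercase + string.digits, 3))
```

One unsalted-by-design weakness is visible here: the salt is a single value stored next to the hash, and the hash is one round of SHA-1, so a 4-digit PIN falls in a few thousand hashes and the Configurations "update rate" setting, not the hash cost, dominates the runtime.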


Decrypt Encrypted Databases

Andriller supports decryption of encrypted WhatsApp databases:

msgstore.db.crypt
msgstore.db.crypt5
msgstore.db.crypt7

Plain Crypt (msgstore.db.crypt)

The encrypted database is decrypted into a plain SQLite3 database. Browse and select the encrypted file; Andriller writes the decrypted database to a new file in the same directory.

msgstore.db.crypt ==> msgstore.db

Crypt5 (msgstore.db.crypt5)

To decrypt this type of database, the e-mail address of the account synchronised with the Android device is required. Browse and select the encrypted file; you will be prompted to enter the e-mail address. Once successful, the database is decrypted to a new file in the same directory.

msgstore.db.crypt5 ==> msgstore.db

Crypt7 (msgstore.db.crypt7)

To decrypt this type of database, the encryption key file is required, found at one of the following locations:
'/data/data/com.whatsapp/files/key'  <-- absolute path on the device
'apps/com.whatsapp/f/key'  <-- inside an Android backup
This file is extracted automatically during a normal Andriller extraction (root and AB methods) and saved in the 'db' folder of the extraction.

Browse and select the encrypted file, you will be prompted to browse and select the key file next. Once successful, it will decode to a new file in the same directory.

msgstore.db.crypt7 ==> msgstore.db

 

Tools

Andriller has a feature to unpack Android backup files from Android versions 4.x and above. 

AB to TAR

Converts backup.ab file to Tarball.

backup.ab ==> backup.ab.tar

AB to folder

Converts and extracts backup.ab to a folder.

backup.ab ==> backup.ab_extracted/
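What the AB to TAR and AB to folder tools actually do can be seen from the container format itself. The script below is an added example, not Andriller's code: it reads the four-line header of an unencrypted backup.ab, inflates the zlib payload into the tar (AB to TAR), and extracts that tar into a folder while refusing path traversal (AB to folder). The sample backup, its file names and the 158-byte placeholder key file under apps/com.whatsapp/f/ are constructed for the demonstration; encrypted backups are detected and rejected rather than decrypted.

```python
"""Unpack an unencrypted Android backup (backup.ab) to a tar file and a folder.

Added example, not Andriller's code. An .ab file announces its own layout in
four newline-terminated header lines (the magic "ANDROID BACKUP", a format
version, "1" if the payload is zlib-compressed, and the encryption scheme);
for encryption "none" the payload is a zlib stream wrapping a plain tar
archive in which app data lives under apps/<package>/.
"""
import io
import os
import tarfile
import tempfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data):
    """Return (version, compressed, encryption, payload_offset)."""
    parts = data.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup file")
    version = int(parts[1])
    compressed = parts[2] == b"1"
    encryption = parts[3].decode("ascii")
    return version, compressed, encryption, len(data) - len(parts[4])


def ab_to_tar(data):
    """AB to TAR: backup.ab bytes -> tar bytes."""
    _, compressed, encryption, offset = parse_ab_header(data)
    if encryption != "none":
        # Encrypted backups carry salts, PBKDF2 rounds and a wrapped master key in
        # further header lines and need the user's backup password; not handled here.
        raise NotImplementedError("encrypted backup (%s): password required" % encryption)
    payload = data[offset:]
    return zlib.decompress(payload) if compressed else payload


def tar_names(data):
    """Member names of the tar inside a backup.ab, without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data)), mode="r:") as tar:
        return tar.getnames()


def ab_to_folder(data, dest):
    """AB to folder: extract the backup's files under dest, refusing path traversal."""
    root = os.path.realpath(dest)
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data)), mode="r:") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(root, member.name))
            if target != root and not target.startswith(root + os.sep):
                raise ValueError("unsafe path in backup: %s" % member.name)
            if member.isfile() or member.isdir():       # skip links and device nodes
                tar.extract(member, root)
                extracted.append(member.name)
    return extracted


def build_sample_ab():
    """Construct a small unencrypted backup.ab (sample data, not from a real device)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in (("apps/com.whatsapp/_manifest", b"com.whatsapp\n"),
                              ("apps/com.whatsapp/f/key", b"\x00" * 158)):  # placeholder key file
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(buf.getvalue())


def demo_extract():
    """Unpack the constructed sample into a fresh temporary folder."""
    dest = tempfile.mkdtemp(prefix="backup.ab_extracted_")
    return dest, ab_to_folder(build_sample_ab(), dest)


if __name__ == "__main__":
    ab = build_sample_ab()
    print("header:", parse_ab_header(ab)[:3])
    print("tar members:", tar_names(ab))
    dest, names = demo_extract()
    print("extracted %d entries to %s" % (len(names), dest))
```

The path check matters because a backup.ab is just a tar supplied by the device; a member named with ".." or an absolute path would otherwise be written outside the extraction folder, and a forensic workstation is exactly where that must not happen.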


Configurations (Preferences)

Configuration preferences are located at File > Configurations.

  • Default Output path - the location Andriller uses as its default OUTPUT location for extractions and database decoding.
  • Cracking update rate - for lockscreen cracking, the Andriller window refreshes the progress after this many passwords have been tried. The lower the number, the slower the cracking, since every refresh costs time. For Samsung type cracking the rate is divided by 1000, because of the more complex password encoding used.
  • Offline mode - every time Andriller starts it checks for the latest version. This check can be skipped by setting Andriller to offline mode, which may speed up the application's startup.
  • Window size - sets the Andriller log window to "Small" (12 lines) or "Regular" (20 lines). The smaller window fits better on netbooks and low-resolution monitors.
  • Auto save log - when an extraction completes, the items in the log are automatically saved in the output folder under the name "andriller.log".

Supported data extraction

The table below shows which types of data can be extracted and automatically decoded by each method. Treat it as a guideline, since vendors vary the operating system.

Extraction methods:
  [1] Android 2.x (unrooted)
  [2] Android 4-5.x (unrooted, via AB extraction)
  [3] Android 2-5.x (rooted, adbd or su)
  [4] Android 2-5.x (via CWM recovery)

Data type                                       [1]  [2]  [3]  [4]
Android device make and model                    +    +    +    ?
IMEI, build version, OS version                  +    +    +    ?
Wi-Fi MAC address                                +    +    +    -
Time and date check                              +    +    +    -
SIM card details (some Galaxy Sx devices only)   +    +    +    ?
Synchronised accounts                            +    +    +    -
Lockscreen gesture pattern decoding              -    -    +    +
Lockscreen PIN cracking up to 4 digits           -    -    +    +
Bluetooth MAC address and name                   -    -    +    +
Wi-Fi passwords (WPA-PSK/WEP)                    -    +    +    +
Phonebook contacts                               -    -    +    +
Call logs register                               -    -    +    +
SMS messages                                     -    -    +    +
Call logs (Samsung) register                     -    +    +    +
SMS (Samsung) snippets                           -    +    +    +
Android browser saved passwords                  -    ?    +    +
Android browser browsing history                 -    ?    +    +
Google Chrome saved passwords                    -    ?    +    +
Google Chrome browsing history                   -    ?    +    +
Dolphin web browsing history                     -    +    +    +
Skype calls                                      -    +    -    -
Skype messages                                   -    +    -    -
ChatOn messages                                  -    +    +    +
Facebook chat messages                           -    ?    +    +
Facebook user viewed photographs                 -    ?    +    +
Facebook user notifications                      -    ?    +    +
WhatsApp contacts list                           -    +    +    +
WhatsApp chat messages                           -    +    +    +
Kik Messenger chat messages                      -    +    +    +
BBM (BlackBerry Messenger) chat messages         -    -    +    +
Viber calls register                             -    +    +    +
Viber chat messages                              -    +    +    +
Tinder matches                                   -    +    +    +
Tinder chat messages                             -    +    +    +
MeowChat messages                                -    +    +    +

" + "  supported for the extraction method
" ? "  may be supported (Android version, app version or vendor dependent)
" - "  not supported for the extraction method

© 2014 Andriller. All rights reserved.
