Monday, October 13, 2014

Building and Using Mac-Robber on Android

My Android assessments often see users scattering files across the device. It can be tough to track all those files down, so I often resort to using mac-robber to track file system changes. What is mac-robber? It's a tool that walks the file system to determine timestamps (create and modify) for all files on your device. As such, you cannot run mac-robber unless you have a rooted device (it needs access to the full file system). See my other blog posts on rooting your Android device.

Compiling and Installing mac-robber on Android

You can learn more about mac-robber for Android and iOS here. Note that Sawyer's article includes the following compile instruction, which is incorrect:
  arm-linux-gnueabi-gcc -static -o -mac-robber mac-robber.c
The - before mac-robber is unnecessary. The correct command is:
  arm-linux-gnueabi-gcc -static -o mac-robber mac-robber.c
  1. First step is to download the source files from http://www.sleuthkit.org/mac-robber/download.php. 
  2. Next, add a repo so you can cross-compile mac-robber onto the Android platform:
    sudo add-apt-repository ppa:linaro-maintainers/toolchain
  3. Next, install the GNU compiler:
    sudo apt-get install gcc-arm-linux-gnueabi
  4. Finally, compile the source:
    arm-linux-gnueabi-gcc -static -o mac-robber mac-robber.c
Now that you have it compiled, you need to push the binary to your device over ADB. Run the following commands to create a mac-robber directory, set permissions on the directory, and push mac-robber to the device. The final command runs mac-robber with -V, which prints its version information and confirms that the binary runs on the device.

john@joe:~/macrobber$ adb shell
root@flo:/ # mkdir /data/mac-robber
root@flo:/ # chmod 755 /data/mac-robber
root@flo:/ # exit
john@joe:~/macrobber$ adb push mac-robber /data/mac-robber
3557 KB/s (603897 bytes in 0.165s)
john@joe:~/macrobber$ adb shell "/data/mac-robber/mac-robber -V"
mac-robber information:
   version: 1.02 
   author: Brian Carrier
   url: http://www.sleuthkit.org
john@joe:~/macrobber$ 

This is the end of the really difficult part of the process.

Running mac-robber

Next, do whatever you're going to do with your test (I generally boot and use my application for a bit, to exercise all of its functionality). This generates a good amount of data; the more functionality you use, the more accurate your results will be.

This command executes mac-robber and covers the entire device, redirecting the body-format output to a file on your workstation:

adb shell "/data/mac-robber/mac-robber /" >attachmentopen.body

This may be more data than you need, but I find it's good to be thorough, at least until you understand the device.

OK - now you have a huge file full of timestamps. How do you interpret it? Easy - use mac-robber's companion, mactime, to scan the file and generate a time-ordered file.

Interpreting the Results

Mac-robber outputs a long text file with the file change history. You'd think you could import that straight into mactime, but the mactime installed by default outputs a binary format, so you'll need the Sleuthkit's mactime perl script if you want to do anything useful with the output. To get that:
  1. Download the sleuthkit from http://www.sleuthkit.org/sleuthkit/download.php
  2. cd into the extracted sleuthkit directory
  3. Build the sleuthkit. Note: I skipped the last step (sudo install) simply because I didn't want to run the risk of clobbering my OS's mactime with the sleuthkit's version
  4. ./configure
  5. make
  6. Copy "mactime" into your mac-robber directory
Now that you have a mactime script, running it is pretty simple: just run this command:

mactime -b attachmentopen.body > android.timeline

If you want to constrain to a given start date, run this command:

mactime -b attachmentopen.body 2014-01-01 > android.txt

If you're looking for data about a particular app, you can use grep to filter the output file, like this:

grep -i 'facebook' android.txt > facebook.txt
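To make the body file and the mactime steps above less of a black box, here is an added example (my own code, not part of mac-robber or the Sleuthkit) that parses mac-robber's pipe-delimited body lines, skips the zero timestamps as mactime does, and builds the same kind of time-ordered MACB listing, with an optional start date and an app-name filter standing in for the mactime date argument and the grep step. It assumes the TSK 3.x body layout mac-robber 1.02 emits (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds) and uses constructed sample lines rather than output captured from a real device.

```python
#!/usr/bin/env python3
"""Minimal mactime-style timeline built from a mac-robber body file."""
from datetime import datetime, timezone

# Constructed sample body lines (not captured from a real device). crtime is 0
# because stat() on the device has no birth time, so it never becomes an event.
SAMPLE_BODY = """\
0|/data/data/com.example.app/files/cache.db|1234|-rw-rw----|10051|10051|4096|1412870400|1412870400|1412870400|0
0|/data/data/com.example.app/files/cache.db-journal|1235|-rw-rw----|10051|10051|512|1412870460|1412870470|1412870470|0
0|/sdcard/Download/export.csv|77|-rwxrwx---|1023|1023|2048|1409000000|1409000000|1409000000|0
"""

# Field index of each timestamp in the body line and its letter in the MACB column.
MACB_SLOTS = ((7, "a"), (8, "m"), (9, "c"), (10, "b"))


def parse_body(text):
    """Return {(epoch, path): {"macb": set, "size", "mode", "uid", "gid"}}.

    One file can produce several events when its m/a/c/b times differ, just as
    mactime prints a separate row per distinct timestamp.
    """
    events = {}
    for line in text.splitlines():
        f = line.split("|")
        if len(f) != 11:
            continue  # malformed or truncated line: skip rather than abort
        path = f[1]
        for idx, letter in MACB_SLOTS:
            t = int(f[idx])
            if t == 0:
                continue  # mactime ignores zero timestamps
            e = events.setdefault((t, path), {"macb": set(), "size": f[6],
                                              "mode": f[3], "uid": f[4], "gid": f[5]})
            e["macb"].add(letter)
    return events


def timeline(text, start=None, pattern=None):
    """Time-ordered rows; start is 'YYYY-MM-DD' (UTC), pattern a case-insensitive path substring."""
    start_epoch = None
    if start is not None:
        start_epoch = int(datetime.strptime(start, "%Y-%m-%d")
                          .replace(tzinfo=timezone.utc).timestamp())
    rows = []
    for (t, path), e in sorted(parse_body(text).items()):
        if start_epoch is not None and t < start_epoch:
            continue
        if pattern and pattern.lower() not in path.lower():
            continue
        macb = "".join(c if c in e["macb"] else "." for c in "macb")
        when = datetime.fromtimestamp(t, timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        rows.append(f"{when} {e['size']:>8} {macb} {e['mode']} {e['uid']} {e['gid']} {path}")
    return rows


if __name__ == "__main__":
    print("\n".join(timeline(SAMPLE_BODY, start="2014-10-01", pattern="example")))
```

Point it at a real attachmentopen.body by reading the file into `timeline()` instead of `SAMPLE_BODY`; the `.a..` row for the journal file shows why the per-timestamp split matters when you are reconstructing what an app touched.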

Happy sleuthing!