Compiling and Installing mac-robber on Android
You can learn more about mac-robber for Android and iOS here. Note that in Sawyer's article he includes the following instruction for compiling. This is incorrect:
arm-linux-gnueabi-gcc -static -o -mac-robber mac-robber.c
The - before mac-robber is unnecessary. The correct command is
arm-linux-gnueabi-gcc -static -o mac-robber mac-robber.c
- First step is to download the source files from http://www.sleuthkit.org/mac-robber/download.php.
- Next, add a repo so you can cross-compile mac-robber for the Android platform:
sudo add-apt-repository ppa:linaro-maintainers/toolchain
- Next, install the GNU compiler:
sudo apt-get install gcc-arm-linux-gnueabi
- Finally, compile the source:
arm-linux-gnueabi-gcc -static -o mac-robber mac-robber.c
Now that you have it compiled, you need to push the app to your device over ADB. Run the following commands to create a mac-robber app directory, change permissions on the directory, and push mac-robber to the device. The final step verifies to you the status of mac-robber.
john@joe:~/macrobber$ adb shell
root@flo:/ # mkdir /data/mac-robber
root@flo:/ # chmod 755 /data/mac-robber
root@flo:/ # exit
john@joe:~/macrobber$ adb push mac-robber /data/mac-robber
3557 KB/s (603897 bytes in 0.165s)
john@joe:~/macrobber$ adb shell "/data/mac-robber/mac-robber -V"
mac-robber information:
version: 1.02
author: Brian Carrier
url: http://www.sleuthkit.org
john@joe:~/macrobber$
This is the end of the really difficult part of the process.
Running mac-robber
Next, do whatever you're going to do with your test (I generally boot and use my application for a bit, to exercise all of its functionality). This generates a good amount of data - the more functionality you use, the more accurate your results will be.
This command executes mac-robber and covers the entire device:
adb shell "/data/mac-robber/mac-robber /" >attachmentopen.body
This may be more data than you need, but I find it's good to be thorough, at least until you understand the device.
OK - now you have a huge file full of timestamps. How do you interpret it? Easy - use mac-robber's companion, mactime, to scan the file and generate a time-ordered file.
Interpreting the Results
Mac-robber outputs a long text file of file timestamps (the body format). You'd think you could feed that straight into mactime, but the default mactime outputs binary format, so you'll need the Sleuth Kit's mactime Perl script if you want to do anything with the output. To use that:
- Download the sleuthkit from http://www.sleuthkit.org/sleuthkit/download.php
- cd into the extracted sleuthkit directory
- Build the sleuthkit. Note: I skipped the last step (sudo install) simply because I didn't want to run the risk of clobbering my OS's mactime with the sleuthkit's version
./configure
make
- Copy "mactime" into your mac-robber directory
Now that you have mactime, running it is pretty simple: just run this command:
mactime -b attachmentopen.body > android.timeline
If you want to constrain the timeline to a given start date, run this command:
mactime -b attachmentopen.body 2014-01-01 > android.txt
If you're looking for data about a particular app, you can use grep to search the output file, like this:
grep -i 'facebook' android.txt > facebook.txt
Happy sleuthing!