androidqf (Android Quick Forensics) is a portable tool designed to make acquiring relevant forensic data from Android devices easier. It is Snoopdroid's successor, rewritten in Go and using official ADB binaries.
The goal of androidqf is to provide a simple and portable cross-platform utility for quickly acquiring data from Android devices. It functions similarly to mvt-android. However, unlike MVT, androidqf is intended to be used by non-technical users as well.
Build
The most recent release should include executable binaries for Linux, Windows, and Mac. If you are having trouble running the binary, you may want to build it yourself.
To build androidqf, you must have Go 1.15+ installed. Make will also need to be installed. When you're ready, clone the repository and run any of the following commands for your preferred platform:
$ make linux
$ make darwin
$ make windows
These commands will generate binaries in a build/ folder.
How to use
Before running androidqf, make sure the target Android device is connected to your computer via USB and that USB debugging is enabled. Please consult the official documentation for instructions, but keep in mind that different Android phones from different manufacturers may require different navigation steps than the defaults.
Once USB debugging is enabled, you can launch androidqf. It will first try to connect to the device over the ADB bridge, which should trigger a prompt on the phone asking you to authorize the computer's host key. Make sure to authorize it, preferably permanently, so the prompt does not appear again.
androidqf should now be running and creating an acquisition folder in the same directory as the androidqf binary. At some points during execution, androidqf will prompt you to choose between options; these prompts pause the acquisition until you make a selection, so pay attention.
The following information can be extracted:
- A list of all installed packages and their related distribution files.
- (Optional) A copy of all installed APKs, or only those not marked as system apps.
- The output of the dumpsys shell command, which contains diagnostic information about the device.
- The output of the getprop shell command, which includes build information and configuration parameters.
- Every system setting.
- The output of the ps shell command, a list of all currently running processes.
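As an added example (not code from androidqf), the following Python script parses two of the artifacts listed above, the getprop output and the installed-package list, to pull out the build and security-patch information and to separate packages shipped on the system image from user-installed ones. The sample output lines are constructed, and the list of "system" path prefixes is an assumption rather than something the tool defines.

```python
import re
# Constructed sample of `adb shell getprop` output; each line is "[key]: [value]".
GETPROP_SAMPLE = """\
[ro.build.fingerprint]: [google/oriole/oriole:13/TQ3A.230805.001/10316531:user/release-keys]
[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2023-08-05]
[ro.debuggable]: [0]
"""
# Constructed sample of `adb shell pm list packages -f` output ("package:<apk path>=<name>").
PACKAGES_SAMPLE = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/product/app/Chrome/Chrome.apk=com.android.chrome
package:/data/app/~~Qx8rT==/com.example.app-1/base.apk=com.example.app
package:/data/app/~~Lm2pZ==/org.example.tool-2/base.apk=org.example.tool
"""
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")
# Assumption: an APK under one of these prefixes belongs to a system app.
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/", "/apex/", "/odm/", "/oem/")

def parse_getprop(text):
    # Turn getprop output into a dict, skipping lines that do not match the format.
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props

def build_summary(props):
    """Pick the build properties a triage usually starts with."""
    return {
        "fingerprint": props.get("ro.build.fingerprint", ""),
        "android_version": props.get("ro.build.version.release", ""),
        "security_patch": props.get("ro.build.version.security_patch", ""),
        "debuggable": props.get("ro.debuggable") == "1",
    }

def parse_packages(text):
    """Return (package name, apk path) pairs; split on the last '=' as paths may contain '='."""
    pkgs = []
    for line in text.splitlines():
        if line.startswith("package:"):
            path, _, name = line[len("package:"):].rpartition("=")
            pkgs.append((name, path))
    return pkgs

def split_system_packages(pkgs):
    # Separate packages by install location: system image vs. user-installed.
    system = [n for n, p in pkgs if p.startswith(SYSTEM_PREFIXES)]
    user = [n for n, p in pkgs if not p.startswith(SYSTEM_PREFIXES)]
    return system, user
```

The same functions can be pointed at the getprop and package files inside an acquisition folder; the user-installed list is the natural starting point when looking for unexpected apps.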
Encryption & Potential Threats
Carrying androidqf acquisitions on an unencrypted drive may expose you, and those from whom you obtained data, to significant risk. For example, you could be stopped at a dangerous border and your androidqf drive seized. The raw data may not only reveal the purpose of your trip, but may also contain highly sensitive information (for example, the list of installed applications, or even SMS messages).
Ideally, the drive should be fully encrypted, but this may not always be possible. You could also put androidqf inside a VeraCrypt container and bring a copy of VeraCrypt with you to mount it. VeraCrypt containers, on the other hand, are typically protected only by a password, which you may be required to provide.
Alternatively, androidqf allows you to encrypt each acquisition with a public key of your choosing. Preferably, this public key is part of a key pair for which the end-user does not have, or does not carry, the private key. In this manner, even under duress, the end-user would be unable to decrypt the acquired data.
If you put a file called key.txt in the same folder as the androidqf executable, androidqf will try to compress and encrypt each acquisition and delete the original unencrypted copies.
After retrieving an encrypted acquisition file, decrypt it with age as follows:
$ age --decrypt -i ~/path/to/privatekey.txt -o <UUID>.zip <UUID>.zip.age
Keep in mind that it is always possible that some of the unencrypted data could be recovered using advanced forensic techniques, though we are working to mitigate this risk.