Welcome to ADEL.
We developed a tool named ADEL which is meant as an abbreviation of “Android Data Extractor Lite”. ADEL was developed for versions 2.x of Android and is able to automatically dump selected SQLite database files from Android devices and extract the contents stored within the dumped files. Recently we have updated it to also work with Android 4.x and some more devices.
About
ADEL makes use of the Android Software Development Kit (Android SDK), in particular the adb daemon, to dump database files to the investigator's machine.
To extract the contents of a SQLite database file, ADEL parses its low-level data structures. After opening the database file in read-only mode, ADEL reads the database header (the first 100 bytes of the file) and extracts the value of each header field. Only some of these values are needed to parse the rest of the file; an important one is the page size, which is required to parse the b-tree structures page by page. After reading the header, ADEL parses the b-tree that holds the “sqlite_master” table, whose root page is always the first page of the database. For each table in the database, the SQL CREATE statement and the page number of the table's b-tree root page are extracted from it. The CREATE statement is then analyzed further to obtain the name and data type of each column of the table. Finally, the complete b-tree of each table is parsed, starting at the root page taken from “sqlite_master”: every leaf page is located by following the pointers of the interior pages, and the rows of the table are extracted from the cells of all leaf pages that belong to that table's b-tree.
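As an added illustration of the two steps just described (this is example code, not part of ADEL), the following Python reads the 100-byte header of a SQLite file and then follows the interior-page pointers of a table b-tree down to its leaf pages, counting the cells (rows) on each leaf. The database it parses is constructed with Python's sqlite3 module; the `sms` schema and its rows are made up for the demo.

```python
import sqlite3
import struct
import tempfile

HEADER_FMT = ">16sH6B12I20s2I"   # the 100-byte SQLite file header, all fields big-endian

def parse_header(db):
    """Extract the header fields a parser needs; a stored page size of 1 means 65536."""
    if db[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database file")
    f = struct.unpack_from(HEADER_FMT, db, 0)
    return {"page_size": 65536 if f[1] == 1 else f[1], "reserved_per_page": f[4],
            "page_count": f[9], "text_encoding": f[16], "sqlite_version": f[22]}

def table_leaf_pages(db, page_size, root):
    """Follow interior-page child pointers down a table b-tree; return (leaf page, cell count) pairs."""
    leaves, stack = [], [root]
    while stack:
        pgno = stack.pop()
        page = db[(pgno - 1) * page_size:pgno * page_size]
        hdr = 100 if pgno == 1 else 0          # on page 1 the b-tree header follows the file header
        ptype, ncells = page[hdr], struct.unpack_from(">H", page, hdr + 3)[0]
        if ptype == 0x0D:                       # leaf table page: the table's rows live in its cells
            leaves.append((pgno, ncells))
        elif ptype == 0x05:                     # interior table page: each cell starts with a 4-byte child pointer
            kids = [struct.unpack_from(">I", page, struct.unpack_from(">H", page, hdr + 12 + 2 * i)[0])[0]
                    for i in range(ncells)]
            kids.append(struct.unpack_from(">I", page, hdr + 8)[0])  # right-most child from the page header
            stack.extend(reversed(kids))        # visit children left to right
        else:
            raise ValueError(f"page {pgno}: unexpected b-tree page type {ptype:#x}")
    return leaves

def build_sample_db(rows=1500):   # constructed sample input: a hypothetical 'sms' table spanning many pages
    path = tempfile.mkdtemp() + "/sample.db"
    con = sqlite3.connect(path)
    con.execute("PRAGMA page_size = 512")        # small pages force a multi-level b-tree
    con.execute("CREATE TABLE sms (address TEXT, date INTEGER, body TEXT)")
    con.executemany("INSERT INTO sms VALUES (?, ?, ?)",
                    [("+000000%04d" % i, 1300000000 + i, "constructed message %d" % i) for i in range(rows)])
    con.commit()
    root = con.execute("SELECT rootpage FROM sqlite_master WHERE name = 'sms'").fetchone()[0]
    con.close()
    return path, root, rows

def demo():
    path, root, rows = build_sample_db()
    with open(path, "rb") as fh:                # read-only access to the dumped file, as ADEL does
        hdr = parse_header(db := fh.read())
    return hdr, table_leaf_pages(db, hdr["page_size"], root), rows
```

The cell counts summed over all leaf pages equal the number of rows inserted, which is the check a parser should make against the row count SQLite itself reports for a dumped database.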
In the current development state, the following databases are forensically treated and parsed:
- telephone and SIM-card information (e.g. IMSI and serial number),
- telephone book and call lists,
- calendar entries,
- SMS messages,
- GPS locations from different sources on the smartphone.
Data retrieved this way is written to an XML file by the report module, which eases further use and presentation of the data. Like the analysis module, the report module can easily be updated to follow changes in future Android versions or in the underlying database schemas: we defined tuples, e.g. [table, row, column], that describe the data exchanged between the two modules, so if a database schema changes only the tuples have to be adapted. The report module automatically creates an XML file for each of the data types listed above. In addition, a report is created that contains all data extracted from the analyzed databases; with the help of an XSL file this report is rendered in a readable layout. All files created by ADEL are stored in a subfolder of the current project.
How to use ADEL
To use ADEL with a connected smartphone, the phone needs a rooted and insecure kernel, or a custom recovery installed.
ADEL needs a predefined configuration for each device to work properly. This configuration has to be added to the following file: xml/phone_configs.xml
Example of using ADEL with a connected smartphone:
adel.py -d device -l 4
Example of using ADEL with database backups:
adel.py -d /home/user/backup -l 4