ALEAPP - The Ultimate Android Artifacts Parser

ALEAPP (Android Logs, Events, and Protobuf Parser) is an essential tool for extracting artifacts from Android forensic datasets. In this article we will go through the use cases of the ALEAPP tool.

Installation

ALEAPP runs on any system with Python 3.9+ installed and has both CLI and GUI versions. It can also be compiled into a standalone executable.

# Clone the repo and install dependencies

git clone https://github.com/abrignoni/ALEAPP
# On Windows, use pip instead of pip3
cd ALEAPP && pip3 install -r requirements.txt

# Linux specific dependency
sudo apt install -y python3-tk upx

Compile to executable

# Windows
# To create aleapp.exe, run
pyinstaller --onefile aleapp.spec
# To create aleappGUI.exe, run
pyinstaller --onefile --noconsole aleappGUI.spec

# Linux
pip3 install nuitka orderedset
sudo apt install -y ccache
# To create aleapp.bin, run
python3 -m nuitka --follow-imports --include-plugin-directory=scripts/ aleapp.py
# To create aleappGUI.bin, run
python3 -m nuitka --follow-imports --include-plugin-directory=scripts/ aleappGUI.py

# Finally compress the binary with upx
upx -9 aleapp && upx -9 aleappGUI

ALEAPP supports tar, zip and gz compressed Android filesystem extracts, as well as logical directories, for parsing artifacts.

# CLI usage
python aleapp.py --help
usage: aleapp [-h] [-t {fs,tar,zip,gz}] [-o OUTPUT_PATH] [-i INPUT_PATH] [-p] [-w]

ALEAPP: Android Logs, Events, and Protobuf Parser.

options:
  -h, --help            show this help message and exit
  -t {fs,tar,zip,gz}    Input type (fs = extracted to file system folder)
  -o OUTPUT_PATH, --output_path OUTPUT_PATH
                        Output folder path
  -i INPUT_PATH, --input_path INPUT_PATH
                        Path to input file/folder
  -p, --artifact_paths  Text file list of artifact paths
  -w, --wrap_text       do not wrap text for output of data files

# GUI usage
python aleappGUI.py
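The `-t` value should describe the container actually on disk, and extraction files are often renamed on their way to the analyst. The following is an added example, not part of ALEAPP or of the original article: it picks the `-t` value from the file's content instead of its extension, hashes the evidence file before parsing, and builds the CLI call shown above. The helper names `detect_input_type`, `sha256_of` and `build_command` are hypothetical.

```python
import hashlib
import os
import sys
import tarfile
import zipfile

GZIP_MAGIC = b"\x1f\x8b"


def detect_input_type(path):
    """Return a value for ALEAPP's -t option: fs, tar, zip or gz."""
    if os.path.isdir(path):
        return "fs"
    with open(path, "rb") as fh:
        magic = fh.read(2)
    # gzip first: tarfile.is_tarfile() also accepts compressed tars.
    if magic == GZIP_MAGIC:
        return "gz"
    # tar before zip: is_zipfile() searches the file tail for a zip end
    # record, which a tar holding APKs or other zips may contain.
    if tarfile.is_tarfile(path):
        return "tar"
    if zipfile.is_zipfile(path):
        return "zip"
    raise ValueError(f"{path}: not a folder, tar, zip or gz extraction")


def sha256_of(path, chunk=1 << 20):
    """Hash the evidence file in chunks so large extractions fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_command(input_path, output_path, aleapp="aleapp.py"):
    """Build the argument list for the CLI; pass it to subprocess.run()."""
    return [sys.executable, aleapp, "-t", detect_input_type(input_path),
            "-i", input_path, "-o", output_path]


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: a tiny tar.gz with a misleading extension.
        sample = os.path.join(tmp, "extraction.zip")
        with tarfile.open(sample, "w:gz") as tar:
            tar.add(tmp, arcname="data", recursive=False)
        print(sha256_of(sample), build_command(sample, "/tmp/"))
```

Record the hash in the case notes before running ALEAPP, so the parsed report can later be tied to the exact extraction file.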

Practical Scenario

I have extracted a couple of apps' data from my phone and stored it in the ~/Documents/data/ directory.

# Using the standalone executable
./aleapp -t fs -i ~/Documents/data/ -o /tmp/

Accessing index.html from the output folder gives a nice web interface with all extracted artifacts categorised.

The GUI version is very sleek and easy to use; upon process completion, it automatically opens the result in the default web browser.

In the end, I was able to contribute a little bit to this awesome project.

New #DFIR #ALEAPP artifact: ProtonVPN
👤 User account name
✉️ User account email
🌎 Last known country
🌐 Last known IP
🙇‍♂️ Thanks to Nashid P for the contribution
🔗 Get ALEAPP here:https://t.co/qVhp55hQuO pic.twitter.com/2TI4tHgBMQ

— Brigs 💬 (@AlexisBrignoni) September 5, 2022