Making good ol' Andriller operational
Konstantia Barmpatsalou
Blue Team Support Team Leader at Obrela Security Industries | Senior Detection Engineer | PhD | GCFA
Not so long ago in some Linux distros far far away...
Lately, you may have noticed that the availability of Community Edition forensic tools has significantly decreased. Recall ViaForensics' (currently NowSecure) CE. Even its limited capabilities were enough to give someone entering the world of forensic tools an adequate view of what these tools do. Currently, most limited editions of mobile forensic tools are only available after quote requests, and open source ones require an amount of effort and skill that might prevent entry-level folk from getting to know the universe.
Andriller used to be a proprietary Android (orly?) and iOS forensic tool, whose license could either be purchased or the tool tested for a few days. (You can read more about its specs here; even though I enjoy writing, the description is already there.) However, it recently became open source and can only be git-cloned for the time being. Despite claims of an existing pip automatic installation, the package is nowhere to be found. Since the updates are recent, this section will be modified if the package installation becomes available. Installing Andriller turned out to be an adventurous procedure with many obstacles, and this article is here to save you some time if you decide to play with Andriller.
Just a bit of debugging for starters
Let's quit the chit-chat and move straight to the technical stuff. At first, I downloaded the newest Ubuntu distro image (19.10 - Python 3.6.x-rc01) for VirtualBox, but, despite the requirements being met, there was an issue with the DISPLAY environment variable and xhost. Despite trying known solutions, such as logging in with ssh to create a new xauth entry, the problem persisted. Long story short, Bionic Beaver (18.04 - Python 3.6.9) was the next choice.
You might think that the adventure was over, but the good part is only starting now! As soon as I began downloading the first requirements, the beaver had a different opinion. This part is not relevant to Andriller itself, but it's good to have some insight in case it happens to you too. Just by typing apt-get install android-tools-adb, the following message popped up.
E: Could not get lock /var/lib/dpkg/lock-frontend - open (11: Resource temporarily unavailable)
E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?
One of the first solutions is to find out whether an apt process is running and kill the relevant process ID.
killall apt apt-get
However, this solution might not work either. The next thing on the list is to run the following commands and see whether any process is holding the locks.
- lsof /var/lib/dpkg/lock
- lsof /var/lib/apt/lists/lock
- lsof /var/cache/apt/archives/lock
If a process is associated with a lock, kill it (with fire), as in the example below.
root@tina-VirtualBox:/home/tina# lsof /var/lib/dpkg/lock
COMMAND   PID USER FD  TYPE DEVICE SIZE/OFF    NODE NAME
unattende 3160 root 6uW REG  8,1          0 1192449 /var/lib/dpkg/lock
root@tina-VirtualBox:/home/tina# kill -9 3160
Once this step is complete, you can safely proceed to deletion and restoration.
root@tina-VirtualBox:/home/tina# rm /var/lib/apt/lists/lock
root@tina-VirtualBox:/home/tina# rm /var/cache/apt/archives/lock
root@tina-VirtualBox:/home/tina# rm /var/lib/dpkg/lock
root@tina-VirtualBox:/home/tina# dpkg --configure -a
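Before reaching for kill -9 and deleting lock files, it helps to know exactly what holds them: in the lsof output above it is unattended-upgrades, and interrupting it mid-run is what leaves dpkg in the half-configured state that dpkg --configure -a then has to repair. The following is an added example, not part of the original article, that reads the same information lsof reports straight from /proc (it assumes Linux and root, since other users' fd tables are not readable); the fake /proc builder exists only so the function can be tried offline.

```python
import os
import tempfile

# The lock files apt/dpkg take; the article's lsof commands check three of them.
APT_LOCKS = ('/var/lib/dpkg/lock', '/var/lib/dpkg/lock-frontend',
             '/var/lib/apt/lists/lock', '/var/cache/apt/archives/lock')

def _comm(proc_root, pid):
    """Short command name of a process, as the kernel reports it in /proc/<pid>/comm."""
    try:
        with open(os.path.join(proc_root, pid, 'comm')) as f:
            return f.read().strip()
    except OSError:
        return '?'

def lock_holders(locks=APT_LOCKS, proc_root='/proc'):
    """Map each lock path to the [(pid, comm), ...] that hold it open.
    Needs root on a real system: other users' /proc/<pid>/fd is not readable."""
    holders = {path: [] for path in locks}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, 'fd')
        try:
            fds = os.listdir(fd_dir)
        except OSError:          # process exited, or fd table not readable
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in holders:
                holders[target].append((int(pid), _comm(proc_root, pid)))
    return holders

def build_fake_proc(entries):
    """Constructed stand-in for /proc so the function can be exercised offline.
    entries = [(pid, comm, fd, target)], e.g. the unattended-upgrades case above."""
    root = tempfile.mkdtemp()
    for pid, comm, fd, target in entries:
        fd_dir = os.path.join(root, str(pid), 'fd')
        os.makedirs(fd_dir, exist_ok=True)
        with open(os.path.join(root, str(pid), 'comm'), 'w') as f:
            f.write(comm + '\n')
        os.symlink(target, os.path.join(fd_dir, str(fd)))
    return root

if __name__ == '__main__':
    for path, procs in lock_holders().items():
        print(path, procs or 'free')
```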
Now that you have finally been able to type python3 -m andriller, you will notice that not all the needed packages are installed. You can proceed without issues to the pip installations (pip3 install <package_name>) of appdirs, timeout_decorator, jinja2, xlsxwriter and dataclasses.
The ugly stuff...
Once you finish the rather successful installation of the javaobj package and try to rerun Andriller, you will receive this big, fat, ugly message:
Traceback (most recent call last):
  File "/usr/lib/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/home/tina/andriller/andriller/__main__.py", line 4, in <module>
    run()
  File "/home/tina/andriller/andriller/__init__.py", line 34, in run
    from . import windows
  File "/home/tina/andriller/andriller/windows.py", line 22, in <module>
    from . import driller
  File "/home/tina/andriller/andriller/driller.py", line 16, in <module>
    from . import decoders
  File "/home/tina/andriller/andriller/decoders.py", line 3, in <module>
    import javaobj
  File "/usr/local/lib/python3.6/dist-packages/javaobj.py", line 171
    except Exception, e:
                    ^
SyntaxError: invalid syntax
What else could you wish for than a syntax error in a software package? As the sheer wisdom of Stack Overflow implies, the Python 2 comma form of except (and raise) clauses is no longer accepted in Python 3. Worry not, though! All you have to do is find the guilty file (nano -c /usr/local/lib/python3.6/dist-packages/javaobj.py shows line numbers for navigation) and replace the except Exception, e: line with
except Exception as e:
So you think that your problems are solved? Tough luck.
root@tina-VirtualBox:/home/tina/andriller# python3 -m andriller
Traceback (most recent call last):
  File "/usr/lib/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/home/tina/andriller/andriller/__main__.py", line 4, in <module>
    run()
  File "/home/tina/andriller/andriller/__init__.py", line 34, in run
    from . import windows
  File "/home/tina/andriller/andriller/windows.py", line 22, in <module>
    from . import driller
  File "/home/tina/andriller/andriller/driller.py", line 16, in <module>
    from . import decoders
  File "/home/tina/andriller/andriller/decoders.py", line 3, in <module>
    import javaobj
  File "/usr/local/lib/python3.6/dist-packages/javaobj.py", line 10, in <module>
    import StringIO
ModuleNotFoundError: No module named 'StringIO'
All happy, you will try to install StringIO, or stringio, maybe STRINGIO (*heavy breathing*) the good old way. But the repo will have a different opinion, which ends in this message.
requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://pypi.org/simple/stringio/
Some googling and a few curses later, I found out that StringIO is part of our beloved io library. All you have to do is navigate to the /usr/local/lib/python3.6/dist-packages/javaobj.py file and change the import StringIO line to:
from io import StringIO
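Both javaobj edits so far (the except clause and the StringIO import) are mechanical Python 2 to 3 fixes. The following is an added example, not from the article or from javaobj itself, that applies them to a constructed snippet and confirms the result parses under Python 3; it also rewrites StringIO.StringIO(...) call sites, which the plain import change leaves behind and which would only fail later, when the decoder is actually used. (A Python 3 port of the library is published on PyPI as javaobj-py3, which sidesteps the hand-patching altogether.)

```python
import ast
import re

# Constructed sample mirroring the two Python 2 lines the tracebacks point at
# (javaobj.py line 10 and line 171); this is not the real javaobj source.
SAMPLE_JAVAOBJ = '''\
import StringIO

def read_obj(data):
    buf = StringIO.StringIO(data)
    try:
        return buf.read()
    except Exception, e:
        raise RuntimeError("bad stream: %s" % e)
'''

# Python 2 "except SomeError, e:" -> Python 3 "except SomeError as e:"
EXCEPT_RE = re.compile(r'^([ \t]*except[ \t]+[^,\n:]+?)[ \t]*,[ \t]*(\w+)[ \t]*:', re.MULTILINE)

def port_to_py3(src):
    """Apply the article's two javaobj fixes, plus the call-site rename they imply."""
    src = EXCEPT_RE.sub(r'\1 as \2:', src)
    # Whole-line match, so the replacement does not touch other import lines
    src = re.sub(r'^import StringIO[ \t]*$', 'from io import StringIO', src, flags=re.MULTILINE)
    # Importing the class directly means StringIO.StringIO(...) no longer resolves
    src = src.replace('StringIO.StringIO(', 'StringIO(')
    return src

def compiles(src):
    """True when the source parses as Python 3; the Python 2 sample does not."""
    try:
        ast.parse(src)
        return True
    except SyntaxError:
        return False

if __name__ == '__main__':
    print(compiles(SAMPLE_JAVAOBJ))          # False
    patched = port_to_py3(SAMPLE_JAVAOBJ)
    print(compiles(patched))                 # True
    print(patched)
```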
Problem solved. Or so you think... The big surprise is kept for the end. At this point you will wonder if there is an end after all, but keep reading for the time being.
Oops, it did it again!
root@tina-VirtualBox:/home/tina/andriller# python3 -m andriller
Traceback (most recent call last):
  File "/usr/lib/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/home/tina/andriller/andriller/__main__.py", line 4, in <module>
    run()
  File "/home/tina/andriller/andriller/__init__.py", line 34, in run
    from . import windows
  File "/home/tina/andriller/andriller/windows.py", line 25, in <module>
    from . import decrypts
  File "/home/tina/andriller/andriller/decrypts.py", line 13, in <module>
    @dataclass
  File "/home/tina/andriller/andriller/decrypts.py", line 68, in WhatsAppCrypt
    def aes_9(self, mode=AES.MODE_GCM, iv_from_file=True):
AttributeError: module 'Crypto.Cipher.AES' has no attribute 'MODE_GCM'
What else can we wish for? Solving import or syntax problems is one thing; messing with libraries' functions is another. Long story short, Galois/Counter Mode (GCM) is removed from the newest version of pycrypto, because potatoes. However, you have a selection of modes to choose from: MODE_CBC, MODE_CFB, MODE_CTR, MODE_ECB, MODE_OFB, MODE_OPENPGP, MODE_PGP. It will not ensure that WhatsApp decryption works flawlessly, but it does ensure that Andriller finally runs. All you have to do is open <download/installation_path>/andriller/andriller/decrypts.py and replace the occurrences of mode=AES.MODE_GCM with mode=AES.MODE_CBC or any other mode you want. Just make sure that you replace every single instance of it in the file!
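Swapping GCM for CBC is a workaround, not a fix: the decrypt routine expects GCM (it is the default for aes_9), so a file encrypted that way will not decrypt under CBC, and the integrity check that GCM's authentication tag provides is lost. Before editing, it is worth listing every AES.MODE_* reference in decrypts.py and confirming that the installed Crypto backend really lacks the mode (pycryptodome ships MODE_GCM under the same Crypto.Cipher.AES name). The following is an added example, not part of the article or of Andriller, run on a constructed excerpt; the fake_backend helper stands in for a pycrypto build without GCM.

```python
import re
from types import SimpleNamespace

# Constructed excerpt standing in for andriller/decrypts.py (not the project's file);
# it carries the kind of call sites the article tells you to hunt for.
SAMPLE_DECRYPTS = '''\
class WhatsAppCrypt:
    def aes_9(self, mode=AES.MODE_GCM, iv_from_file=True):
        ...
    def aes_12(self, mode=AES.MODE_GCM):
        ...
    def legacy(self, mode=AES.MODE_ECB):
        ...
'''

MODE_RE = re.compile(r'\bAES\.MODE_([A-Z0-9]+)\b')

def modes_used(src):
    """Count every AES.MODE_* reference, so no instance is missed when editing."""
    counts = {}
    for m in MODE_RE.finditer(src):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def unsupported_modes(src, aes_module):
    """Modes the source uses that the given Crypto.Cipher.AES-like module lacks."""
    return sorted(m for m in modes_used(src) if not hasattr(aes_module, 'MODE_' + m))

def fake_backend(*modes):
    """Constructed stand-in for an AES module exposing only the named modes."""
    return SimpleNamespace(**{'MODE_' + m: i for i, m in enumerate(modes, 1)})

def check_installed(src):
    """Same check against whichever Crypto.Cipher.AES is importable; None if none is."""
    try:
        from Crypto.Cipher import AES
    except ImportError:
        return None
    return unsupported_modes(src, AES)

if __name__ == '__main__':
    print(modes_used(SAMPLE_DECRYPTS))                                     # {'GCM': 2, 'ECB': 1}
    print(unsupported_modes(SAMPLE_DECRYPTS, fake_backend('CBC', 'ECB')))  # ['GCM']
    print(check_installed(SAMPLE_DECRYPTS))
```

If check_installed reports nothing missing, the installed backend already has GCM and decrypts.py can stay as written.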
It's alive!
I haven't tried to run forensic operations with the tool yet. If it runs smoothly, I will update this article. If not, I will write another one. Feel free to share your experiences if you tried!