How to Install and Use Andriller for Android Forensics

Andriller Community Edition (CE) is an open-source, multi-platform software utility tailored for mobile forensics. It allows digital investigators to perform read-only, forensically sound, and non-destructive data acquisition from Android devices. By leveraging Python and Android Debug Bridge (ADB), Andriller extracts system files, decodes application databases, cracks lockscreens, and outputs intuitive HTML reports.

Prerequisites and Requirements
Before installing Andriller, verify that your analysis workstation and the target Android device meet the necessary technical requirements.

Target Android Device Setup
Developer Options: Enable Developer Options by tapping Build Number 7 times under the device settings.
USB Debugging: Toggle USB Debugging to “On” to allow the workstation to send commands via ADB.
Root Permissions (Optional): While Andriller works on non-rooted devices using the standard ADB backup protocol, rooted devices allow maximum data extraction, including restricted /data app directories.

Workstation Dependencies
Ensure your Linux (e.g., Kali Linux) or Windows environment has the following dependencies:
Python 3: Verify installation using python3 --version.
ADB Tools: Install the Android SDK Platform-Tools package.

Step 1: How to Install Andriller
Andriller is primarily distributed via the Python Package Index (PyPI) and its official Andriller GitHub Repository. Follow these steps to install it on a Linux-based forensics workstation like Kali Linux:

Method A: Quick Installation via PyPI
Open your terminal and execute the following command to download and install Andriller directly:
pip3 install andriller

Method B: Manual Git Clone
Clone the Repository:
git clone https://github.com
cd andriller
Install Requirements:
pip3 install -r requirements.txt
Launch the GUI:
python3 -m andriller

Step 2: Extracting Data Using Andriller
Once installed, Andriller presents a clean graphical user interface (GUI) designed to guide investigators through the acquisition pipeline.

1. Establish the Global Output Location
Launch the Andriller GUI. Locate the Global Output Location field.
Click Output or Browse to choose a secure, dedicated directory on your forensic workstation where all extracted evidence will be archived.

2. Connect the Device
Securely connect the target Android device to the workstation using a high-quality data cable. Click the Check option inside Andriller.
If USB debugging is properly configured, Andriller will register the connection and display the device’s unique Serial ID.

3. Configure and Initiate Extraction
Select Extraction Method: Tick the checkbox labeled Use AB method (Android Backup method).
Shared Storage Toggle: Decide whether to select Shared Storage. Ticking this backs up the full user media directory (photos, downloads), which is time-consuming. Leaving it unchecked targets system files and application databases first.
Click GO or Extract.

4. Authorize on the Target Device
Monitor the target Android phone’s screen. A prompt will request permission for a Full Backup.
Tap Back up my data at the bottom right of the phone screen to validate the authorization. Andriller will immediately begin pulling the data stream.

Step 3: Analyzing Core Features and Decoders
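Before handing the archive to Andriller's decoders, it is worth confirming what the AB method in Step 2 actually produced. The following is an added example, not Andriller's own code: it parses the four-line Android backup (.ab) header, refuses encrypted archives instead of guessing a password, and inflates an unencrypted one to list the tar entries; the sample archive is constructed inline and the package name com.example.app is a placeholder.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"

def parse_ab_header(data: bytes) -> dict:
    """Parse the 4-line header of an 'adb backup' (.ab) file:
    magic, format version, compressed flag (1/0), encryption ('none' or
    'AES-256'); everything after the fourth newline is the payload."""
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup file (bad magic)")
    parts = data.split(b"\n", 4)  # maxsplit keeps the binary payload intact
    if len(parts) < 5:
        raise ValueError("truncated .ab header")
    return {"version": int(parts[1]), "compressed": parts[2] == b"1",
            "encryption": parts[3].decode("ascii"), "payload": parts[4]}

def ab_to_tar_bytes(data: bytes) -> bytes:
    """Return the tar stream carried inside an unencrypted .ab file."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        # AES-256 backups need the password set on the device; stop rather than guess.
        raise ValueError("encrypted backup (%s): password required" % hdr["encryption"])
    return zlib.decompress(hdr["payload"]) if hdr["compressed"] else hdr["payload"]

def list_backup_entries(data: bytes) -> list:
    """List member paths of the tar inside an .ab file (apps/<package>/... layout)."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar_bytes(data)), mode="r:") as tar:
        return [m.name for m in tar.getmembers()]

def make_sample_ab(encryption: str = "none") -> bytes:
    """Constructed sample .ab (not from a real device) so the code runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in [("apps/com.example.app/_manifest", b"manifest"),
                           ("apps/com.example.app/db/messages.db", b"SQLite format 3\x00")]:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    header = MAGIC + b"5\n1\n" + encryption.encode("ascii") + b"\n"
    return header + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    sample = make_sample_ab()
    print(parse_ab_header(sample)["version"], list_backup_entries(sample))
```

Hash the .ab file before and after this check so the evidence log shows the archive was only read, never modified.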
Andriller is more than an extraction utility; it includes advanced analysis tools that parse data into actionable intelligence.

SQLite Decoder
Most communications and logs on Android are saved as SQLite databases. Andriller features custom built-in decoders that automatically read, parse, and structure these databases into readable formats. This lets investigators extract: