Andriller CE (Community Edition) – A Comprehensive Guide To Mobile Forensics

Andriller – is software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices.

It has features, such as powerful Lockscreen cracking for Pattern, PIN code, or Password; custom decoders for Apps data from Android (some Apple iOS & Windows) databases for decoding communications.

Extraction and decoders produce reports in HTML and Excel formats.

Features

• Automated data extraction and decoding
• Data extraction of non-rooted without devices by Android Backup (Android versions 4.x, varied/limited support)
• Data extraction with root permissions: root ADB daemon, CWM recovery mode, or SU binary (Superuser/SuperSU)
• Data parsing and decoding for Folder structure, Tarball files (from nanddroid backups), and Android Backup (backup.ab files)
• Selection of individual database decoders for Android apps
• Decryption of encrypted WhatsApp archived databases (.crypt to .crypt12, must have the right key file)
• Lockscreen cracking for Pattern, PIN, Password (not gatekeeper)
• Unpacking the Android backup files
• Screen capture of a device’s display screen

Python Requirements

• 3.6-3.10 (64-bit version recommended)

System Dependencies

• adb
• python3-tk

[Ubuntu/Debian] Install from Terminal:

sudo apt-get install android-tools-adb python3-tk

[Mac] Install from Homebrew:

brew install android-platform-tools

[Windows] : Included.

Installation (Recommended Way)

Create a virtual environment using Python 3:

python3 -m venv env

Activate the virtual environment (Linux/Mac):

source env/bin/activate

Activate the virtual environment (Windows):

.\env\Scripts\activate

Install Andriller with its Python dependencies (same command to upgrade it):

pip install andriller -U

Quick Start (Run GUI)

python -m andriller