Fama is a tool for android extraction and analysis framework with an integrated Autopsy Module. Dump easily user data from a device and generate powerful reports for Autopsy or external applications.
Functionalities
- Extract user application data from an Android device with ADB (root and ADB required).
- Dump user data from an android image or mounted path.
- Easily build modules for a specific Android application.
- Generate clean and readable JSON reports.
- Complete integrated Autopsy compatibility (datasource processor module, ingest module, report module, geolocation, communication and timeline support).
- Export HTML report based on the current case.
Report Screenshots
Prerequisites
How to use?
The script can be used directly in terminal or as Autopsy module.
Running From Terminal
usage: start.py [-h] [-d DUMP [DUMP ...]] [-p PATH] [-o OUTPUT] [-a] app Forensics Artefacts Analyzer positional arguments: app Application or package to be analyzed <tiktok> or <com.zhiliaoapp.musically> optional arguments: -h, --help show this help message and exit -d DUMP [DUMP ...], --dump DUMP [DUMP ...] Analyze specific(s) dump(s) <20200307_215555 ...> -p PATH, --path PATH Dump app data in path (mount or folder structure) -o OUTPUT, --output OUTPUT Report output path folder -a, --adb Dump app data directly from device with ADB -H, --html Generate HTML report
Running From Autopsy
- Download repository contents (zip).
- Open Autopsy -> Tools -> Python Plugins
- Unzip previously downloaded zip in
python_modulesfolder. - Restart Autopsy, create a case and select the module.
- Select your module options in the Ingest Module window selector.
- Click “Generate Report” to generate an HTML report of the case.
Build An Application Module
Do you need a forensics module for a specific Android application? Follow the instructions here and build a module by yourself.
