ForensicEye is a tool for non-root forensic data acquisition on Android devices. Unlike traditional approaches that rely on ADB or root access, ForensicEye operates directly on the device, enabling data extraction by non-expert users without the need for additional hardware.
- Non-root Data Acquisition: Retrieve data without the need for root access or ADB.
- User-Friendly: Designed for non-expert users to easily extract data.
- Comprehensive Data Retrieval: Access nearly all data available through system APIs, including:
  - Device information
  - Contacts
  - SMS
  - Calls
  - Calendars
  - Health data
  - Usage Statistics
  - Many more...
- Modular Architecture: Supports extensibility and maintainability.
- Auto-Run from PC: Ability to be launched automatically using a script for streamlined data collection.
- Restricted Access: Limited access to system-only APIs and third-party app data due to Android’s permission and sandboxing model.
- Fragmented Environment: Challenges posed by Android’s fragmented and evolving environment, including undocumented features and unstable APIs.
- Manual Validation: The need for manual validation due to the evolving nature of Android APIs.
- Usage Statistics Source: The usage statistics data source relies on GPLv3 code from UsageDirect and is available in a GPLv3-licensed branch.
- Download and install the latest APK from the releases page or use the auto_run.sh script.
- Open the app and grant the necessary permissions, either by clicking "Grant all permissions" or by clicking the individual data source buttons, which are labelled with the data source names. If Shizuku is installed and running, all permissions can be granted at once.
- The icon indicator next to the data source button can have the following states:
  - Unsupported: The data source is not supported on the current device or Android version.
  - Permissions: The data source requires additional permissions.
  - Can Start: The data source is ready to be started. To start it, press the button with the data source name.
  - Success/Failure: The data source has finished successfully or with an error.
- Click on Copy to export the data to the device's storage.
- Access the exported data in the selected folder on your device.
ForensicEye can be started automatically from a connected PC using the auto_run.sh script. This
script downloads and installs the APK, launches the app and runs a specific view to start data
collection. After data collection is complete the script pulls the exported data to the PC.
- Make sure you have adb installed and your device connected with USB debugging enabled.
- Download the auto_run.sh script and run it in a terminal.
- The script will handle the rest. The extracted data is in a directory named ForensicEyeData in the current working directory.
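
The following is an added example, not part of ForensicEye or its auto_run.sh. It checks the adb precondition from the steps above (a device listed as "unauthorized" has USB debugging on but the PC's key not yet accepted) and, after the run, records SHA-256 hashes of everything in ForensicEyeData so later changes to the pulled data can be detected. The function names and the ForensicEyeData.sha256 manifest name are assumptions, as is the availability of GNU sha256sum on the PC.

```shell
#!/bin/sh
# Added example: checks around an auto_run.sh acquisition (not ForensicEye code).

# Constructed `adb devices` output; the serials are made up.
sample_adb_devices() {
    printf 'List of devices attached\n'
    printf 'CONSTRUCTED0001\tunauthorized\n'
    printf 'CONSTRUCTED0002\tdevice\n'
}

# Read `adb devices` output on stdin and print the serial of the single device
# in state "device". Returns 1 if none is ready, 2 if several are.
ready_device() {
    awk -F '\t' 'NF == 2 {
            if ($2 == "device") { n++; serial = $1 }
            else printf "skipping %s: state %s\n", $1, $2 > "/dev/stderr"
        }
        END { if (n == 1) print serial; exit (n == 1 ? 0 : (n > 1 ? 2 : 1)) }'
}

# Hash every file under DIR into a manifest kept outside DIR, sorted by path.
# An empty acquisition counts as a failure.
write_manifest() {
    dir=$1; manifest=${2:-$1.sha256}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    (cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$manifest"
    [ -s "$manifest" ]
}

# Fail if any file changed or went missing, or if files were added later
# (sha256sum -c alone does not notice additions).
verify_manifest() {
    dir=$1; manifest=${2:-$1.sha256}
    (cd "$dir" && sha256sum -c - >/dev/null 2>&1) < "$manifest" || return 1
    [ "$(find "$dir" -type f | wc -l)" -eq "$(wc -l < "$manifest")" ]
}

# Assumption: auto_run.sh is executable and sits in the current directory.
if [ "${1:-}" = "--run" ]; then
    serial=$(adb devices | ready_device) || {
        echo "need exactly one device in state 'device'" >&2; exit 1; }
    echo "acquiring from $serial"
    ./auto_run.sh && write_manifest ForensicEyeData
fi
```

Keep the manifest with the case notes rather than next to the data, and re-run verify_manifest before each analysis session.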
- Set as default SMS or phone app to access BlockedNumbers
- Shizuku integration to access system only APIs
- Implement device owner to bypass restrictions
- Add more data sources (e.g., third-party apps) via Accessibility Services
- Encrypt the extracted data before storing them in the app internal directory
- Compatibility of the data format with other tools, like AndroidQF
- Multi user and work profile support
- Introduction screen on first app launch
- Automatic upload to VirusTotal or check against known IoCs
Felix Hollederer - @flxholle - flxholle@posteo.com
Project Link: https://github.com/flxholle/ForensicEye
- Rubik Glitch Font under the SIL Open Font License
- Aldrich Font under the SIL Open Font License
- Shizuku under the Apache License 2.0
- ACRA under the Apache License 2.0
- AndroidX
- Kotlin
- Gradle
Distributed under the Apache License 2.0. See LICENSE.txt for more information.








