LabCIF – Forensic Analysis For Mobile Apps

LabCIF Android Forensics

LabCIF – Forensic Analysis for Mobile Apps (FAMA)

Getting Started

Android extraction and analysis framework with an integrated Autopsy Module. Dump easily user data from a device and generate powerful reports for Autopsy or external applications.


  • Extract user application data from an Android device with ADB (root and ADB required).
  • Dump user data from an android image or mounted path.
  • Easily build modules for a specific Android application.
  • Generate clean and readable JSON reports.
  • Complete integrated Autopsy compatibility (datasource processor module, ingest module, report module, geolocation,
  • communication and timeline support).
  • Export HTML report based on the current case.
Lab CIF Android Forensics
Lab CIF Android Forensics
Lab FAMA Timeline
Lab FAMA Timeline


  • Python (2.7+)
  • Autopsy (optional)

How to use

The script can be used directly in terminal or as Autopsy module.

Running from Terminal

usage: [-h] [-d DUMP [DUMP ...]] [-p PATH] [-o OUTPUT] [-a] app

Forensics Artefacts Analyzer

positional arguments:
app Application or package to be analyzed <tiktok> or <com.zhiliaoapp.musically>

optional arguments:
-h, --help show this help message and exit
-d DUMP [DUMP ...], --dump DUMP [DUMP ...] Analyze specific(s) dump(s) <20200307_215555 ...>
-p PATH, --path PATH Dump app data in path (mount or folder structure)
-o OUTPUT, --output OUTPUT Report output path folder
-a, --adb Dump app data directly from device with ADB
-H, --html Generate HTML report

Running from Autopsy

  1. Download repository contents (zip).
  2. Open Autopsy -> Tools -> Python Plugins
  3. Unzip previously downloaded zip in python_modules folder.
  4. Restart Autopsy, create a case and select the module.
  5. Select your module options in the Ingest Module window selector.
  6. Click “Generate Report” to generate an HTML report of the case.

Build an application module

Do you need a forensics module for a specific Android application?

Follow the instructions here and build a module by yourself.

Environments Tested

  • Windows (primary)
  • Linux
  • Mac OS


This project is licensed under the terms of the GNU GPL v3 License.

  • ADB – Android Software Development Kit License Agreement
  • Base64 – GNU GPL v2 License
  • Bootstrap – MIT License
  • feather – MIT License
  • Freepic Icons
  • jQuery – MIT License
  • jQuery.lazy – MIT License
  • leaflet – BSD 2-Clause “Simplified” License
  • pdfmake – MIT License
  • SQLite-Deleted-Records-Parser – GNU GPL v3 License
  • Undark – BSD License 2.0

Download FAMA

Also See- Sherloq- Forensic Image Analysis Suite

For the latest update about Cyber and Infosec World, follow us on Twitter, Facebook, Telegram , Instagram and subscribe to our YouTube Channel.

Related Posts