Call me Ash Ketchum: Open Source Forensics with Pokemon Go
Like it or not, Pokemon Go has managed to captivate a large audience in a short period of time. Lately I have seen a few excellent posts (linked at the end of this post) which dive into obtaining forensic artefacts from Pokemon Go. I noticed that all of these posts use third-party tools to obtain those artefacts.
Since I don't play games that often, I decided to contribute to the Pokemon Go craze in my own special way: performing some forensic analysis of Pokemon Go on the cheap with open source tools.
This post contains findings from my journey to become a Pokemon Go Forensics Master.
Acquisition
I found the acquisition the most fun part of this tutorial. I haven't really worked on Android forensics in depth, so all of this was new to me. It's important to note that all of the steps that follow require you to use a rooted Android phone; there are ways to acquire Android data from non-rooted devices with other tools, but that's not covered in this post.
To get started I launched adb:
$ adb devices
Once this runs and lists your device, adb is officially running. Now we need to make an image of the Android filesystem. To do this we run the following command to create an adb backup image (it's important to note that you will have to accept the full device backup on your Android screen to kick it off):
$ adb backup -apk -shared -all -f /media/DRIVE/PokemonGoForensics/backup.ab
After the backup is complete it will save the image as a file with the .ab extension. We won't be able to easily browse the .ab file, so to take a look at the contents we will need to unpack it. To do that we will need to open up some of the permissions on the .ab file and then unpack it with the following command (it strips the 24-byte plain-text header from the .ab file and prepends a gzip header so that tar can read the compressed tar stream that follows):
$ ( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 backup.ab ) | tar xfvz -
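The gzip-header trick above works, but it tells you nothing about the backup before it starts extracting. The following Python script is an added example (not part of the original post or of any tool it mentions): it parses the .ab header fields (magic, version, compression flag, encryption algorithm), refuses password-protected backups instead of feeding ciphertext to tar, decompresses the zlib payload directly, and lists or reads files without writing anything to disk. The sample backup it builds is constructed in memory, and the package path inside it is a placeholder rather than the real app's path.

```python
import io
import tarfile
import zlib

# Magic line that opens every adb backup (.ab) file.
AB_MAGIC = b"ANDROID BACKUP\n"


def parse_ab_header(data: bytes):
    """Parse the plain-text header of an adb backup file.

    The header is four newline-terminated lines: the magic string, the
    format version, a compression flag ("1" = zlib-compressed tar) and the
    encryption algorithm ("none", or "AES-256" for password-protected
    backups, which carry extra key-derivation lines after this one).
    Returns (version, compressed, encryption, payload_offset).
    """
    if not data.startswith(AB_MAGIC):
        raise ValueError("not an Android backup file (bad magic)")
    offset = len(AB_MAGIC)
    fields = []
    for _ in range(3):
        end = data.index(b"\n", offset)
        fields.append(data[offset:end].decode("ascii"))
        offset = end + 1
    return int(fields[0]), fields[1] == "1", fields[2], offset


def ab_to_tar_bytes(data: bytes) -> bytes:
    """Return the raw tar archive carried by an unencrypted .ab file."""
    _version, compressed, encryption, offset = parse_ab_header(data)
    if encryption != "none":
        # Password-based decryption is deliberately out of scope here.
        raise ValueError(f"backup is encrypted with {encryption}; cannot unpack")
    payload = data[offset:]
    # This is what the gzip-header trick does implicitly: the payload is a
    # zlib stream, so zlib.decompress() yields the tar archive directly.
    return zlib.decompress(payload) if compressed else payload


def list_ab_entries(data: bytes):
    """Names of all files inside the backup, read in memory."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar_bytes(data)), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]


def read_ab_file(data: bytes, name: str) -> bytes:
    """Contents of one file from the backup, read in memory."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar_bytes(data)), mode="r:") as tf:
        return tf.extractfile(name).read()


def build_sample_ab() -> bytes:
    """Constructed sample .ab (not a real device backup): one log file under
    a placeholder package path, wrapped in a version-1, zlib-compressed,
    unencrypted backup header."""
    body = b'["session_start","2016-07-30T06:51:23.728+0000"]\n'
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        info = tarfile.TarInfo("apps/EXAMPLE.PACKAGE/f/session.log")
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    return b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    sample = build_sample_ab()
    print(parse_ab_header(sample))
    for entry in list_ab_entries(sample):
        print(entry)
```

To run it against a real image, replace build_sample_ab() with open("backup.ab", "rb").read(). Reading members in memory sidesteps tar path-traversal issues; if you do extract to disk, use tarfile's filter="data" argument (Python 3.12 and later) rather than a bare extractall().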
That is the end of the acquisition phase; let's move on to the analysis of Pokemon Go.
Analysis
For the bulk of my analysis I used Santoku Linux. Santoku is a live forensic distribution tailored to security, development and forensics work with smartphones (Android and iOS). It's been in my toolkit for quite a few years, but I haven't really had much of a chance to play with it till now.
First let's list out the rough structure of the app:
The key points to know about the filesystem and files are:
The root directory contains the following files and folders:
The "a" folder contains the .apk file, which is called "base.apk".
The "db" folder contains a simple DB and DB-related metadata:
The "ef" folder has a few configuration / progress files. Here's a look at one of them; at best guess it stores your game progress:
The "f" folder and its subdirectories store some of the juiciest details: useful diagnostic and tracking information, including records of app crashes and, most importantly, the time the app was launched. Here's a sample from the file on my phone:
["session_start","2016-07-30T06:51:23.728+0000"]
There's a significant amount of additional detail in these directories; if you are performing an investigation related to Pokemon Go, I highly suggest looking through the "f" directory first.
The "sp" folder contains a number of settings and config .xml files. Here's a brief overview of some of the interesting finds:
There is a file ending in ".usermetadata.xml" which holds the user's login ID in plaintext (this can be either a Pokemon Go login or an email address).
The file ending in ".v2.playerprefs.xml" contains some basic user preferences such as screen resolution:
The file ending in ".usersettings.xml" also contains the device IDs of your Pokemon Go devices:
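Launch records like the one quoted above are only useful once they are on a timeline, so here is an added Python example (mine, not code from the post or the app) that turns a file of those '["event","timestamp"]' lines into a sorted, UTC-normalised list of app launches and a per-day launch count. It skips corrupted lines rather than aborting, which matters on a file recovered from a crashed app. The sample lines are constructed: only the first one is the record from the post, and the others are made up to show sorting and offset handling.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Timestamp layout used by the log lines, e.g. 2016-07-30T06:51:23.728+0000.
# strptime's %z accepts the "+0000" form on every Python 3 release.
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_event_line(line: str):
    """Parse one '["event_name","timestamp"]' line.

    Returns (event_name, aware datetime), or None for blank, non-JSON or
    unexpectedly shaped lines so that a corrupted file does not abort the run.
    """
    line = line.strip()
    if not line:
        return None
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not (isinstance(record, list) and len(record) == 2
            and all(isinstance(x, str) for x in record)):
        return None
    name, stamp = record
    try:
        when = datetime.strptime(stamp, TIMESTAMP_FORMAT)
    except ValueError:
        return None
    return name, when


def build_timeline(lines):
    """All parseable events, oldest first, with timestamps normalised to UTC."""
    events = [e for e in map(parse_event_line, lines) if e is not None]
    events = [(name, when.astimezone(timezone.utc)) for name, when in events]
    events.sort(key=lambda event: event[1])
    return events


def launch_times(lines):
    """UTC launch times as 'YYYY-MM-DD HH:MM:SS' strings, oldest first."""
    return [when.strftime("%Y-%m-%d %H:%M:%S")
            for name, when in build_timeline(lines) if name == "session_start"]


def launches_per_day(lines):
    """How many times the app was started on each UTC date."""
    counts = Counter(when.strftime("%Y-%m-%d")
                     for name, when in build_timeline(lines) if name == "session_start")
    return dict(sorted(counts.items()))


# Constructed sample: the line quoted in the post plus two made-up launches
# (one with a non-UTC offset) and one corrupted line, in non-chronological order.
SAMPLE_LINES = [
    '["session_start","2016-07-30T06:51:23.728+0000"]',
    '["session_start","2016-07-29T23:10:05.001+0200"]',
    'this line is not valid JSON',
    '["session_start","2016-07-30T08:00:00.000+0000"]',
]

if __name__ == "__main__":
    for name, when in build_timeline(SAMPLE_LINES):
        print(when.isoformat(), name)
    print(launches_per_day(SAMPLE_LINES))
```

For a real file, pass open(path).readlines() in place of SAMPLE_LINES. Normalising every timestamp to UTC before sorting is the important step: the offsets in these files follow whatever the device's clock and zone were at the time, and a mixed-zone list sorted as strings will put events in the wrong order.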
If you want to learn more about Santoku Linux you can do so here.
Decompiling the .apk
After receiving a number of errors with the Java decompiler on Santoku, I used http://www.javadecompilers.com/apk to decompile the base.apk file. This generates the full app's Java code and class files for your perusal. I'm only going to gloss over this section, but if you want to see it covered in more depth please comment on this post or reach out to me on Twitter.
The online Java decompiler I used is below:
Quick Overview of the File Structure:
The Android Manifest File:
You can see that it requests the following permissions:
<uses-permission android:name="com.android.vending.BILLING" />
<uses-permission android:name="android.permission.VIBRATE" />
<uses-permission android:name="android.permission.BLUETOOTH" />
<uses-permission android:name="android.permission.BLUETOOTH_ADMIN" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
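When reviewing a decompiled manifest, the first question is which of the requested permissions matter. This added Python example (mine, not from the post or the decompiler) pulls every uses-permission entry out of the decoded text manifest and sorts them into Android's runtime-prompted "dangerous" permissions, other platform permissions, and vendor-namespaced ones such as the billing permission. It assumes the plain-text AndroidManifest.xml that the decompiler produces; the binary manifest inside the raw .apk would need decoding first. The manifest fragment embedded below is constructed from the five permissions listed above, with a placeholder package name, and the dangerous-permission set is a small triage list rather than the platform's full table.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Subset of permissions Android classifies at the "dangerous" protection
# level (granted at runtime with a user prompt). Maintained here as a triage
# list for the example, not an exhaustive copy of the platform's table.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def declared_permissions(manifest_xml: str):
    """All <uses-permission android:name=...> values, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def triage_permissions(manifest_xml: str):
    """Bucket declared permissions for a quick review:
    dangerous / other platform permissions / vendor (non-android.permission) ones."""
    buckets = {"dangerous": [], "platform": [], "vendor": []}
    for perm in declared_permissions(manifest_xml):
        if perm in DANGEROUS:
            buckets["dangerous"].append(perm)
        elif perm.startswith("android.permission."):
            buckets["platform"].append(perm)
        else:
            buckets["vendor"].append(perm)
    return buckets


# Constructed manifest fragment carrying the five permissions listed in the
# post; the package name is a placeholder, not the real app's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="EXAMPLE.PACKAGE">
    <uses-permission android:name="com.android.vending.BILLING" />
    <uses-permission android:name="android.permission.VIBRATE" />
    <uses-permission android:name="android.permission.BLUETOOTH" />
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <application android:label="example" />
</manifest>
"""

if __name__ == "__main__":
    for bucket, perms in triage_permissions(SAMPLE_MANIFEST).items():
        print(bucket, perms)
```

On the five permissions from the post, only ACCESS_FINE_LOCATION lands in the dangerous bucket, which is exactly the one an investigator cares about: it is what makes the location-bearing artefacts in the data directory possible.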
Some of the libraries the game uses:
Lots of resources!
As I said above, please reach out if you want another post investigating the code.
Links to other Pokemon Masters
Works of other great Pokemon masters can be found below:
https://www.gillware.com/forensics/blog/mobile-forensics/oh-no-pokemon-go-forensic-artifacts
https://digital-forensics.sans.org/blog/2016/08/09/a-sneak-peek-at-pokemon-go-application-forensics
https://www.gillware.com/forensics/blog/forensics/pokemon-go-tracking-forensic-artifacts
http://www.intaforensics.com/blog/2016/08/pokemon-go-introductory-forensic-study1/
Conclusion
I hope you found this post interesting. All of the tools and techniques in this post can be reused to analyse any Android .apk, so hopefully the tools and steps shown here make forensics a little easier on a budget.
Until Next Time!
The Security Sleuth