Android Worn

Project to find all possible forensic traces left on an Android Wear device.

Run 'forensic_capture.sh' to perform the following forensic capture steps:

Verify ADB connection to the Android Wear device
Reboot the device into the bootloader
Fastboot into TWRP OS (NOTE: the LG G Watch (dory) image is default, for other devices download the image at: https://twrp.me/Devices/)
Perform a DD of the entire flash storage
List all partitions as reported by ADB and as found in the image
Calculate hashes of the entire flash.img as well as the most important partitions
Mount the userdata, cache, and system partitions
Generate forensic timelines for the userdata, cache, and system partitions
Run Photorec (deleted) file recovery on the userdata partition
Calculate hashes of all the recovered files

Name		Name	Last commit message	Last commit date
Latest commit History 9 Commits
README.md		README.md
capture_screenshot.sh		capture_screenshot.sh
extract_wear.py		extract_wear.py
forensic_analysis.sh		forensic_analysis.sh
forensic_capture.sh		forensic_capture.sh
install.sh		install.sh
mount_flash.sh		mount_flash.sh
run.sh		run.sh
twrp-2.8.6.0-dory.img		twrp-2.8.6.0-dory.img

Provide feedback