Capstone Project: Kindle Fire Forensics
Champlain College 2012 Senior Capstone Project:
Kindle Fire Forensics
By Megan Percy
This project aims to forensically acquire an Amazon Kindle Fire. There is nothing indicating that this has been done before, so of course there is no documented procedure for doing it. This blog post will cover the steps for rooting a Kindle Fire and will be followed shortly for steps to acquire it.
The first step in this project was to try acquiring the Fire using methods typical to the field. The Fire was imaged using FTK Imager and was viewed in EnCase Forensic and did not show any data from the device. The first image is the initial image before registration, the second is the image after registration.
Rooting an Amazon Kindle Fire:
To root a Fire, Android SDK and BurritoRoot must be downloaded to the computer. Links to these downloads can be found in the References section, or the files necessary can be found in the Kindle Fire Root Kit. Image 3 shows the contents of the KFRK.
Next, run the executable installer_r16-windows.exe from the KFRK to install the Android SDK. Click next to install.
Install both packages in the Tools category and the Google USB Driver package in the Extras category.
In Windows Explorer, go to \%USERNAME\.android\ and edit the adb_usb.ini file. On a new line, add: 0X1949
Now navigate to C:\Program Files (x86)\Android\android-sdk\extras\google\usb_driver and edit the android_winusb.inf file.
The lines that need to be added are:
%SingleAdbInterface% = USB_Install, USB\VID_1949&PID_0006
%CompositeAdbInterface% = USB_Install, USB\VID_1949&PID_0006&MI_01
They can also be copied from the kindleFileEdits.txt file in the KFRK.
These lines need to be put under the [Google.NTx86] and [Google.NTamd64] sections of the android_winusb.inf file.
It will likely have to be saved to the desktop and then copied into the folder to replace the original. NOTE: The Save as type option must be switched to All Files (*.*) to maintain the correct file type.
To make accessing the Fire once it is rooted easier, add the paths to the SDK folders to the path. This can be done by going to Control Panel > System and Security > System and clicking on Advanced System Settings.
Under the Advanced tab, click on Environment Variables. Under System Variables scroll to Path and click Edit. The following line needs to be added to the path.
;C:\Program Files (x86)\Android\android-sdk\platform-tools;C:\Program Files (x86)\Android\android-sdk\tools
This can also be copied from the kindlePathAdditions.txt file in the KFRK.
On the Kindle Fire, install ES File Explorer from the Amazon Appstore.
Enable installation of applications from other sources on the Kindle by going to Settings > More > Device and turn on “Allow Installation of Applications”. Click OK when the device warns you about allowing installations from unknown sources.
Plug the Fire into the computer and copy the file kindleroot_rootzwiki.apk from the KFRK to the root of the Fire.
Eject the Fire. From the Fire, open EF File Explorer and click on the kindleroot_rootzwiki.apk file. Click install, then click Done.
Plug the Fire in to the computer and open a command prompt window. Type adb kill-server and press enter. Type adb devices and press enter. If the list is empty, refer to appendix A then try again.
On the Fire, launch BurritoRoot and click Agree, tell them they rock, and choose Root.
From the command line, enter the commands adb kill-server, then adb root, then adb shell.
Congratulations, you have root access to the Kindle Fire!
The next steps for this project are to use this shell access to perform an acquisition of the Fire and analyze the acquired images from a forensic perspective.
If the Fire is not showing up on the adb devices list it is probably a driver issue. You can change the driver using the following steps.
Open device manager and locate the Kindle Fire.
Right-click and select Update Driver Software. Choose to browse your computer for driver software.
Navigate to the folder containing the Google USB Driver. In most cases it will be C:\Program Files (x86)\Android\android-sdk\extras\google\usb_driver.
You should get a confirmation window if the driver updated successfully.
Confirm that it worked in command line by entering adb kill-server and adb devices. You should get a similar result to the one below.
The Windows screenshots were taking with the Snipping Tool preloaded on Windows 7. The method explained in the last link of the references (CNET) was used to take the Kindle Fire screenshots.
Downloads (direct links):
Kindle Fire Root Kit: http://db.tt/3Z6Cy7Gj
Note: BurritoRoot and the SDK Installer are both included in the KFRK.
Android SDK Installer: