Getting started with ALEAPP

In previous blogs, we’ve discussed iLEAPP and some of its wonderful capabilities and how to use it. In this blog, we’ll focus on ALEAPP. And as you might have guessed, ALEAPP is what iLEAPP was, but with a focus on Android. The Android Logs Events And Protobuf Parser is an excellent open-source tool to validate findings and even get support for unsupported apps. One of the strengths of this tool is the community collaboration that goes into updating and maintaining the different apps.

Getting Started

In order to get started with running this on your Windows box, we’ll go to the main GitHub repo and look for the “Releases”.

image 1-Oct-07-2022-07-27-24-90-PM

Once there, you’ll see a zip “” file. This particular version has been compiled to be executable on Windows. Something you should note that Alexis has stated is this version is likely a couple of months behind the main repo since it’s not compiled after every iteration of the update.

image 2-1

Once downloaded, you’ll see two different versions. A command line version and a GUI version. We’ll open the GUI version with a simple double-click.

image 3-2

Running ALEAPP

Once that’s been opened, you’ll be shown the main GUI. It’s nice that it’s not overly complex and is easy to navigate. From here, you can choose to import your backup as a single file or a directory.

image 4-1

For our purposes, we’ll use a zip file backup. You’ll also have to specify an output folder. We saved ours to the desktop.

The left-hand side of the tool also has the different modules listed. You can select or deselect whichever ones you may be interested in. In our example, we’ll leave them all selected.

image 5-1

Once configured, we simply have to hit “Process” in the bottom left. We’ll then see the different modules start processing and we can see the different applications that may have been on the device. They’ll start running down the right side of the GUI.

image 6-1

Once completed, ALEAPP will give us a “Processing completed”.

image 7-1

Once we hit “OK” on the Processing Completed dialogue box, we’re presented with the Summary Report. All the applications and data categories it parsed out will be on the left-hand side.

image 8-1

This is an example of Chromium Browser Search Terms. You can see the artifact category highlighted in blue and the data in the middle of the screen.

image 9-1

Again, for this screenshot, you see the MMS messages category highlighted in blue and the parsed-out data in the middle of the screen.

image 10-1

Upcoming ATRIO Support

ALEAPP is an awesome open-source tool and it has garnered a lot of praise and support within the DFIR community and the project and authors have been up for numerous DFIR awards. In fact, we love it so much that ArcPoint is looking to incorporate mobile support in ATRIO’s workflow and part of that work includes incorporating ALEAPP. If an examiner has numerous mobile extractions on their source drive, ATRIO will be able to iterate through all those images and automatically process them using ALEAPP. This will allow the forensic workflow to be condensed and automatically provide ALEAPP reports.


Whether you’re using ALEAPP as a one-off or within ATRIO, you can follow Alexis on Twitter and you’ll see the numerous updates that he and the community are posting. It’s great to see everyone come together to continually push this free, open-source tool for maximum support of mobile applications.



Related posts

Search Forensic Media Exploitation Training
ArcPoint Forensics and Hexordia LLC Join Forces Search