Improves documentation

docs/android/backup.md

@@ -0,0 +1,38 @@
+# Checking SMSs from Android backup
+
+Some attacks against Android phones are done by sending malicious links by SMS. The Android backup feature does not allow to gather much information that can be interesting for a forensic analysis, but it can be used to extract SMSs and check them with MVT.
+
+To do so, you need to connect your Android device to your computer. You will then need to [enable USB debugging](https://developer.android.com/studio/debug/dev-options#enable>) on the Android device.
+
+If this is the first time you connect to this device, you will need to approve the authentication keys through a prompt that will appear on your Android device.
+
+Then you can use adb to extract the backup for SMS only with the following command:
+
+```bash
+adb backup com.android.providers.telephony
+```
+
+You will need to approve the backup on the phone and potentially enter a password to encrypt the backup. The backup will then be stored in a file named `backup.ab`.
+
+You will need to use [Android Backup Extractor](https://github.com/nelenkov/android-backup-extractor) to convert it to a readable file format. Make sure that java is installed on your system and use the following command:
+```bash
+java -jar ~/Download/abe.jar unpack backup.ab backup.tar
+tar xvf backup.tar
+```
+
+(If the backup is encrypted, the password will be asked by Android Backup Extractor).
+
+You can then extract SMSs containing links with MVT:
+
+```bash
+$ mvt-android check-backup --output sms .
+16:18:38 INFO     [mvt.android.cli] Checking ADB backup located at: .
+         INFO     [mvt.android.modules.backup.sms] Running module SMS...
+         INFO     [mvt.android.modules.backup.sms] Processing SMS backup
+                  file at ./apps/com.android.providers.telephony/d_f/000
+                  000_sms_backup
+16:18:39 INFO     [mvt.android.modules.backup.sms] Extracted a total of
+                  64 SMS messages containing links
+```
+
+Through the `--iocs` argument you can specify a [STIX2](https://oasis-open.github.io/cti-documentation/stix/intro) file defining a list of malicious indicators to check against the records extracted from the backup by mvt. Any matches will be highlighted in the terminal output.

docs/android/download_apks.md

@@ -0,0 +1,24 @@
+# Downloading APKs from an Android phone
+
+In order to use `mvt-android` you need to connect your Android device to your computer. You will then need to [enable USB debugging](https://developer.android.com/studio/debug/dev-options#enable>) on the Android device.
+
+If this is the first time you connect to this device, you will need to approve the authentication keys through a prompt that will appear on your Android device.
+
+Now you can launch `mvt-android` and specify the `download-apks` command and the path to the folder where you want to store the extracted data:
+
+```bash
+mvt-android download-apks --output /path/to/folder
+```
+
+Optionally, you can decide to enable lookups of the SHA256 hash of all the extracted APKs on [VirusTotal](https://www.virustotal.com) and/or [Koodous](https://www.koodous.com). While these lookups do not provide any conclusive assessment on all of the extracted APKs, they might highlight any known malicious ones:
+
+```bash
+mvt-android download-apks --output /path/to/folder --virustotal
+mvt-android download-apks --output /path/to/folder --koodous
+```
+
+Or, to launch all available lookups::
+
+```bash
+mvt-android download-apks --output /path/to/folder --all-checks
+```

docs/android/methodology.md

@@ -0,0 +1,8 @@
+# Methodology for Android forensic
+
+For different technical reasons, it is more complex to do a forensic analysis of an Android phone.
+
+Currently MVT allows to perform two different checks on an Android phone:
+
+* Download APKs installed in order to analyze them
+* Extract Android backup in order to look for suspicious SMS