Written by: on Mon Jan 15

WARD

Self-service forensics

WARD is a modular, open-source, decentralized tool for behavioral mobile forensics and artifact acquisition built on Android data reachable over ADB (so the device needs USB debugging enabled and the acquisition host authorized). It is developed by BARGHEST, a non-profit supporting the democratization of threat intelligence in the majority world. Heavily inspired by the legendary work that is AndroidQF, we wanted to take it further by extending coverage to forensic logs and building a heuristic behavioral-pattern engine on top of the acquired data, so that self-service forensic analysis comes with a programmatic triage mechanism. WARD collects and analyzes a wide range of live-state system artifacts, including crash logs, process and thread listings, diagnostic outputs, Wi-Fi manager logs and installed apps, to preserve forensic evidence and surface patterns that might indicate spyware or other unwanted activity.

This enables civil society, journalists, and investigators to run self-service device triage, making spyware identification more accessible to many.

Rather than relying on vendor telemetry, malware signatures, or preloaded IOCs, WARD uses behavior-based heuristics to spot patterns of malicious activity. Our current heuristics cover:

  • Memory analysis: Flags suspicious in-memory DEX loading, secondary DEX files loaded from external storage, and shell-initiated code compilation that may indicate fileless malware or dynamic code injection.
  • System security: Flags persistence mechanisms, suspicious app behaviors, unusual service patterns, and malware-like activity across system logs.
  • Permission analysis: Identifies dangerous permission abuse, privilege escalation attempts, and apps requesting excessive or suspicious permission combinations.
  • Crash analysis: Detects crash patterns that may indicate exploitation attempts, buffer or heap overflows, or targeted attacks against system components.
  • Memory exploitation: Identifies memory exploitation attempts characteristic of zero-click and one-click activity using episode-based temporal analysis. It monitors native crashes (SIGSEGV, SIGABRT, SIGBUS), heap exploitation (overflows, use-after-free, double-free), kernel driver abuse (Binder, GPU, futex, perf events), and high-value zero-click targets such as media parsers, WebView, and system services. Related events are grouped within 15-second windows; an episode's score is boosted for background zero-click exploitation and dampened for user-triggered one-click crashes, and the engine also flags repeated exploitation attempts and post-exploitation artifacts such as HPROF dumps, OOM states, and log tampering.
  • User analysis: Detects anomalous user interaction patterns and suspicious user behavior that may indicate compromise.
  • System anomalies (disabled by default): Catches general system irregularities and anomalous behaviors that do not fit the other categories.
  • Process anomalies (disabled by default): Monitors process creation patterns, suspicious process behaviors, and process-level indicators of compromise.
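To make the episode-based memory-exploitation heuristic concrete, here is a small Python illustration. It is an added example, not WARD's own engine: it parses constructed logcat threadtime lines, groups libc fatal-signal events that fall within 15 seconds of each other into episodes, boosts episodes that hit background zero-click surfaces, dampens crashes the user saw (an ActivityManager "Force finishing activity" line), and adds weight for repeated attempts and post-exploitation markers. The target-process list, the weights, the regexes and the sample log lines are all assumptions made for this example.

```python
"""Episode-based crash triage over Android logcat (threadtime format).

Illustrative code for the approach described above; not WARD's engine.
Log lines, target list, patterns and weights are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

WINDOW_SECONDS = 15  # related events are grouped into one episode

# Processes treated as background zero-click attack surfaces (assumed list).
ZERO_CLICK_TARGETS = {"media.codec", "media.extractor", "system_server",
                      "com.android.phone", "surfaceflinger"}

TS = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})")
# libc's fatal-signal line that precedes a native tombstone.
FATAL = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) .*?Fatal signal (?P<signum>\d+) "
    r"\((?P<signame>SIG\w+)\).*?pid (?P<pid>\d+) \((?P<proc>[^)]+)\)")
# Secondary lines that change how an episode is interpreted (assumed markers).
USER_VISIBLE = re.compile(r"Force finishing activity")        # crash the user saw
POST_EXPLOIT = re.compile(r"hprof: heap dump|Low on memory|logcat -c", re.I)


def parse_ts(s):
    """logcat omits the year; any fixed year keeps deltas correct within a capture."""
    return datetime.strptime("2000-" + s, "%Y-%m-%d %H:%M:%S.%f")


@dataclass
class Episode:
    start: datetime
    end: datetime
    crashes: list = field(default_factory=list)   # (ts, signame, proc)
    user_visible: bool = False
    post_exploit: list = field(default_factory=list)

    def score(self):
        """Heuristic severity 0..100; weights are illustrative, not WARD's."""
        s = 0
        for _, signame, proc in self.crashes:
            s += {"SIGSEGV": 15, "SIGBUS": 15, "SIGABRT": 10}.get(signame, 5)
            if proc in ZERO_CLICK_TARGETS:
                s += 20          # boost: background target, no user action needed
        if len(self.crashes) > 1:
            s += 15              # repeated attempts inside one window
        s += 10 * len(self.post_exploit)
        if self.user_visible:
            s = int(s * 0.5)     # dampen: user-triggered, one-click style crash
        return min(s, 100)


def build_episodes(lines, window=WINDOW_SECONDS):
    """Group fatal signals into episodes; attach context lines within the window."""
    episodes = []
    for line in lines:
        m = TS.match(line)
        if not m:
            continue
        ts = parse_ts(m.group(1))
        prev = episodes[-1] if episodes else None
        cur = prev if prev and (ts - prev.end).total_seconds() <= window else None
        f = FATAL.match(line)
        if f:
            if cur is None:
                cur = Episode(start=ts, end=ts)
                episodes.append(cur)
            cur.end = ts
            cur.crashes.append((ts, f.group("signame"), f.group("proc")))
        elif cur is not None:
            if USER_VISIBLE.search(line):
                cur.user_visible = True
            elif POST_EXPLOIT.search(line):
                cur.post_exploit.append(line.split(": ", 1)[-1])
    return episodes


# Constructed logcat excerpt: two media.codec faults plus a heap dump (one
# episode), then an ordinary game crash the user saw (a second episode).
SAMPLE_LOGCAT = [
    "01-15 10:02:13.412  1234  1234 F libc    : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0 in tid 1234 (media.codec), pid 1234 (media.codec)",
    "01-15 10:02:19.008  1301  1301 F libc    : Fatal signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x7a1c0000 in tid 1301 (media.codec), pid 1301 (media.codec)",
    "01-15 10:02:25.550   899   899 I art     : hprof: heap dump \"/data/local/tmp/heap.hprof\" starting",
    "01-15 13:40:01.100  5120  5120 F libc    : Fatal signal 6 (SIGABRT), code -6 (SI_TKILL) in tid 5120 (com.example.game), pid 5120 (com.example.game)",
    "01-15 13:40:01.300   899  1040 I ActivityManager: Force finishing activity com.example.game/.MainActivity",
]


def triage(lines=SAMPLE_LOGCAT):
    """Return (start, score, crash count, user_visible) per episode, worst first."""
    eps = build_episodes(lines)
    rows = [(e.start.strftime("%m-%d %H:%M:%S"), e.score(), len(e.crashes), e.user_visible)
            for e in eps]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for row in triage():
        print(row)
```

The point of the structure is that a single SIGSEGV in a foreground app scores low, while two faults in a media parser followed by a heap dump, with no user-visible activity crash, score high enough to be worth pulling the tombstones for manual review.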