Android Debug Bridge

In Android forensics, Android Debug Bridge (ADB) plays a very crucial role. It is present at <sdk_path>/platform-tools. In order to work with ADB, the USB debugging option needs to be enabled. On a Samsung phone, you can access this by going to Settings | Developer options, as shown in the following screenshot:

[Screenshot] The USB debugging option in Android

However, this may not be the case with all the devices, as different devices have different environments and configuration features. Sometimes, the examiner might have to use certain techniques to access the developer options on a few devices. These techniques are device specific and need to be researched and determined by the forensic analyst, based on the device type and model.

Note

On some devices, the Developer options menu is hidden and can be turned on by tapping on the Build Number field (navigate to Settings | About Device) seven times.

Once the USB debugging option is selected, the device will run the adb daemon (adbd) in the background and will continuously look for a USB connection. The daemon usually runs under a non-privileged shell user account and thus does not provide access to internal application data. However, on rooted phones, adbd will run under the root account and thus provide access to all of the data. On the workstation (where the Android SDK is installed), adbd will run as a background process. Also, on the same workstation, a client program will run that can be invoked from a shell by issuing the adb command. We are going to see this in the following sections. When the adb client is started, it first checks whether adbd is already running. If it isn't, it initiates a new process to start adbd. The daemons communicate over their local host on ports 5555 through 5585. The even port communicates with the device's console, while the odd port is for adb connections. The adb client program communicates with the local adbd over port 5037.

Using adb to access the device

As stated earlier, adb is a powerful tool that allows you to communicate with the Android device. We will now look at how to use adb and access certain parts of the device that cannot be accessed normally. It is important to note that the collection of data through adb may or may not be accepted as evidence in court. This will depend on the laws of respective countries. The following sections list some of the commonly used adb commands, their meanings, and usage in a logical sequence.

Detecting a connected device

After connecting the device to the workstation and before issuing other adb commands, it is helpful to know whether the Android device is properly connected to the adb server. This can be done using the adb.exe devices command, which lists out all the devices that are connected to the computer, as shown in the following command. This would also list the emulator if it is running at the time of issuing the command:

C:\Program Files (x86)\Android\android-sdk\platform-tools>adb.exe devices
List of devices attached
4df16ac5115e4e04        device

Note

Remember that if the necessary drivers are not installed, then the preceding command would show a blank message. If you encounter this situation, download the necessary drivers from the manufacturer and install them.

As seen in the preceding output, each line contains the serial number of the device, followed by the connection state. The serial number is a unique string used by ADB to identify each Android device. The possible values of the connection state and their meanings are explained in the following lines:

  • offline: The instance is not connected to adb or is not responding.
  • device: The instance is connected to the adb server.
  • no device: There is no device connected.

Directing commands to a specific device

If more than one device is connected to the system, you must specify the target device while issuing the commands. For example, consider the following case:

C:\Program Files (x86)\Android\android-sdk\platform-tools>adb.exe devices
List of devices attached
4df16ac5115e4e04        device
7f1c864544456o6e        device

As shown in the preceding command-line output, there are two devices attached to the workstation. In this case, adb needs to be used along with the -s option, which takes the serial number and must come before the subcommand, to issue commands to the device of your choice:

adb -s 4df16ac5115e4e04 shell

Similarly, the -d option can be used to direct an adb command to the only attached USB device, and the -e option can be used to direct an adb command to the only running emulator instance.
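As an added example (not from the book), the following Python helper automates the two steps just described: it parses the output of adb devices, refuses to proceed when the list is empty or the choice is ambiguous, and builds the -s form of the command so that every later call is pinned to one serial. The listing in the __main__ block is constructed from the two-device output shown above; run_adb assumes adb is on the PATH.

```python
import subprocess
from typing import Dict, List, Optional

def parse_adb_devices(output: str) -> Dict[str, str]:
    """Map each serial printed by `adb devices` to its connection state.

    Everything before the "List of devices attached" banner (the prompt echo,
    a daemon start-up message) and blank lines are ignored.
    """
    devices: Dict[str, str] = {}
    in_list = False
    for line in output.splitlines():
        line = line.strip()
        if not in_list:
            in_list = line.startswith("List of devices attached")
            continue
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices

def choose_target(devices: Dict[str, str], serial: Optional[str] = None) -> str:
    """Decide which serial later commands are directed to with -s.

    Raises ValueError in the situations the text warns about: an empty list
    (drivers or USB debugging missing), an offline device, or several usable
    devices with no serial chosen.
    """
    usable = [s for s, state in devices.items() if state == "device"]
    if serial is not None:
        if devices.get(serial) != "device":
            raise ValueError(f"{serial}: not attached, or state is {devices.get(serial)!r}")
        return serial
    if not usable:
        raise ValueError("no device in state 'device'; check drivers and USB debugging")
    if len(usable) > 1:
        raise ValueError("more than one device attached; choose one with -s: " + ", ".join(usable))
    return usable[0]

def adb_argv(serial: str, *args: str) -> List[str]:
    """argv for an adb call pinned to one device, e.g. adb -s <serial> shell."""
    return ["adb", "-s", serial, *args]

def run_adb(serial: str, *args: str) -> str:
    """Run the pinned command on the workstation and return its stdout."""
    return subprocess.run(adb_argv(serial, *args), capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    # Constructed sample matching the two-device listing shown above.
    listing = "List of devices attached\n4df16ac5115e4e04\tdevice\n7f1c864544456o6e\tdevice\n"
    print(adb_argv(choose_target(parse_adb_devices(listing), "4df16ac5115e4e04"), "shell"))
```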

Issuing shell commands

As mentioned in Chapter 1, Introducing Android Forensics, Android runs on a Linux kernel and provides a way to access the shell. Using ADB, you can access a shell to run several commands on an Android device. For those who are not familiar with the Linux environment, the Linux shell refers to a special program that allows you to interact with it by entering certain commands from the keyboard. The shell will execute the commands and display their output.

More details about how things work on the Linux environment have been provided under the Rooting Android device section in this chapter. The adb shell command can be used to enter into a remote shell, as shown in the following command-line output. Once you enter the shell, you can execute most of the Linux commands:

C:\Program Files (x86)\Android\android-sdk\platform-tools>adb.exe shell
shell@android:/ $

After executing the command, observe that the shell prompt is displayed to the user. In this shell prompt, commands can be executed on the device. For instance, as shown in the following command line, the ls command can be used to view all the files within a directory:

C:\Program Files (x86)\Android\android-sdk\platform-tools>adb.exe shell
shell@android:/ $ ls
ls
acct
cache
config
d
data
default.prop
dev
efs
etc
factory
fstab.smdk4x12

The following section explains some of the widely used Linux commands that are very helpful while interacting with an Android device.

Basic Linux commands

We will now take a look at some of the Linux commands and their usage with respect to an Android device:

  • ls: The ls command (with no option) lists files and directories present in the current directory. With the -l option, it also shows their size, modified date and time, owner of the file and its permissions, and so on, as shown in the following command-line output:
    shell@android:/ $ ls -l
    ls -l
    drwxr-xr-x root     root              2015-01-17 10:13 acct
    drwxrwx--- system   cache             2014-05-31 14:55 cache
    dr-x------ root     root              2015-01-17 10:13 config
    lrwxrwxrwx root     root              2015-01-17 10:13 d -> /sys/kernel/debug
    drwxrwx--x system   system            2015-01-17 10:13 data
    -rw-r--r-- root     root          116 1970-01-01 05:30 default.prop
    drwxr-xr-x root     root              2015-01-17 10:13 dev
    drwxrwx--x radio    system            2013-08-13 09:34 efs
    lrwxrwxrwx root     root              2015-01-17 10:13 etc -> /system/etc
    

    Similarly, here are a few options that can be used along with the ls command. Depending on the requirement, one or more of these options can be used by the investigator to view the details:

    Option   Description
    -a       Lists hidden files
    -c       Displays files by timestamp
    -d       Displays only directories
    -n       Displays the long format listing, with GID and UID numbers
    -R       Displays subdirectories as well
    -t       Displays files based on timestamp
    -u       Displays the file access time

  • cat: The cat command reads one or more files and prints them to standard output, as shown in the following command lines:
    shell@android:/ $ cat default.prop
    cat default.prop
    #
    # ADDITIONAL_DEFAULT_PROPERTIES
    #
    ro.secure=1
    ro.allow.mock.location=0
    ro.debuggable=0
    persist.sys.usb.config=mtp
    

    The > operator can be used to combine multiple files into one. The >> operator can be used to append to an existing file.

  • cd: The cd command is used to change from one directory to another. This is used while navigating from one folder to another. The following example shows commands used to change to the system folder:
    shell@android:/ $ cd /system
    cd /system
    shell@android:/system $
    
  • cp: The cp command can be used to copy a file from one location to another. The syntax for this command is as follows:
    $ cp [options] <source> <destination>
    
  • chmod: The chmod command is used to change the access permissions to filesystem objects (files and directories). It may also alter special mode flags. The syntax for this command is as follows:
    $ chmod [option] mode files
    

    For example, chmod 777 on a file gives permission to everyone to read, write, and execute it.

  • dd: The dd command is used to copy a file, converting and formatting according to the operands. With Android, the dd command can be used to create a bit-by-bit image of the Android device. More details about the imaging are covered in Chapter 5, Extracting Data Physically from Android Devices. Here is the syntax that needs to be used with this command:
    dd if=/test/file of=/sdcard/sample.image
    
  • rm: The rm command can be used to delete files or directories. Here is the syntax for this command:
    rm file_name
    
  • grep: The grep command is used to search files or output for a particular pattern. The following example shows searching a default.prop file for the word secure:
    shell@android:/ # cat default.prop | grep secure
    ro.secure=1
    
  • pwd: The pwd command displays the current working directory. For example, the following command-line output shows that the current working directory is /system:
    shell@android:/system $ pwd
    pwd
    /system
    
  • mkdir: The mkdir command is used to create a new directory. The syntax for this command is as follows:
    mkdir [options] directories
    
  • exit: The exit command can be used to exit the shell you are in. Just type exit in the shell to exit from it.

Installing an application

During forensic analysis, there might be cases where you need to install a few applications on the device in order to extract some data. To do so, you can use the adb.exe install command. Along with this command, as shown in the following command-line output, you need to specify the path to the .apk file that you want to install:

C:\Program Files (x86)\Android\android-sdk\platform-tools>adb.exe install C:\rohit\test.apk
4311 KB/s (13855934 bytes in 3.138s)
    pkg: /data/local/tmp/test.apk
Success

However, it is important to note that installing third-party apps may not be accepted in a court of law. Hence, a forensic investigator needs to be cautious before installing any third-party app on the device.

Pulling data from the device

You can use the adb pull command to pull the files present on the Android device to the local workstation. Here is the syntax to use this command:

adb pull <remote> <local>

Here, <remote> refers to the path of the file on the Android device, and <local> refers to the location on the local workstation where the file needs to be stored. For instance, the following command-line output shows a Sample.png file being pulled from the Android device to a temp folder on the computer:

C:\Program Files (x86)\Android\android-sdk\platform-tools>adb.exe pull /sdcard/Pictures/MyFolder/Sample.png C:\temp
1475 KB/s (145039 bytes in 0.096s)

However, on a normal Android phone, you will not be able to download all the files using the adb pull command, because of the inherent security features enforced by the operating system. For example, files present under the /data/data folder cannot be accessed in this manner on an Android device that is not rooted. More details about this topic have been covered in Chapter 4, Extracting Data Logically from Android Devices.

Pushing data to the device

You can use the adb push command to copy files from the local workstation to the Android device. Here is the syntax to use this command:

adb push <local> <remote>

Here, <local> refers to the location of the file on the local workstation, and <remote> refers to the path on the Android device where the file needs to be stored. For instance, the following command-line output shows a test.png file copied from the computer to the Pictures folder of an Android device:

C:\Program Files (x86)\Android\android-sdk\platform-tools>adb.exe push C:\temp\test.png /sdcard/Pictures
2950 KB/s (145039 bytes in 0.048s)

You can only push the files to the folders for which the user account has privileges.

Restarting the adb server

In some cases, for example when adb does not respond to a command, you might need to terminate the adb server process and then restart it. This may resolve the problem.

To stop the adb server, use the kill-server command. You can then restart the server by issuing any other adb command.

Viewing log data

In Android, the logcat command provides a way to view the system debug output. Logs from various applications and portions of the system are collected in a series of circular buffers, which can then be viewed and filtered by this command:

C:\Program Files (x86)\Android\android-sdk\platform-tools>adb.exe logcat
--------- beginning of /dev/log/main
I/InputReader( 2841): Touch event's action is 0x0 (deviceType=0) [pCnt=1, s=0.40234 ]
I/InputDispatcher( 2841): Delivering touch to current input target: action: 0x0
I/InputDispatcher( 2841): Delivering touch to current input target: action: 0x0
I/InputDispatcher( 2841): Delivering touch to current input target: action: 0x0
...
I/SecCamera-JNI-Java( 2841): stopPreview
V/SecCamera-JNI-Cpp( 2841): release camera
V/SecCamera-JNI-Cpp( 2841): release
...
D/STATUSBAR-BatteryController( 3162): onReceive() - ACTION_BATTERY_CHANGED
D/STATUSBAR-BatteryController( 3162): onReceive() - level:48
D/STATUSBAR-BatteryController( 3162): onReceive() - plugged:2
D/STATUSBAR-BatteryController( 3162): onReceive() - BATTERY_STATUS_CHARGING:

The log messages shown here are just a sample. During an investigation, logs need to be carefully analyzed to gather information on location details, date/time information, application details, and so on. Each log line begins with a message type indicator, as described in the following table:

Message type   Description
V              Verbose
D              Debug
I              Information
W              Warning
E              Error
F              Fatal
S              Silent

The logcat command can also be used to view full cellular radio debugging, as shown in the following command-line output:

C:\Program Files (x86)\Android\android-sdk\platform-tools>adb.exe shell logcat -b radio -v time

03-22 17:06:22.155 E/RIL     (12513): RX: 01
03-22 17:06:22.155 D/RILJ    ( 2815): [UNSL]< UNSOL_RESPONSE_VOICE_NETWORK_STATE_CHANGED
03-22 17:06:22.155 D/RILJ    ( 2815): [7100]> OPERATOR
03-22 17:06:22.155 D/RILJ    ( 2815): [7101]> DATA_REGISTRATION_STATE
03-22 17:06:22.155 E/RIL     (12513): TX: Time: 1095039892 / 164875824
03-22 17:06:22.155 E/RIL     (12513): TX: M:IPC_NET_CMD S:IPC_NET_SERVING_NETWORK T:IPC_CMD_GET l:7 m:5e a:0
03-22 17:06:22.160 D/RILJ    ( 2815): [7102]> VOICE_REGISTRATION_STATE
03-22 17:06:22.160 D/RILJ    ( 2815): [7103]> QUERY_NETWORK_SELECTION_MODE
03-22 17:06:22.160 E/RIL     (12513): RX: Time: 1095039894 / 164875826
03-22 17:06:22.160 E/RIL     (12513): RX: M:IPC_NET_CMD S:IPC_NET_SERVING_NETWORK T:IPC_CMD_RESP l:12 m:ff a:5e
03-22 17:06:22.160 E/RIL     (12513): RX: 02 02 04 34 30 34 34 39 23 19 79
03-22 17:06:22.160 D/RILJ    ( 2815): [7100]< OPERATOR {Airtel, Airtel, 40449}
03-22 17:06:22.170 E/RIL     (12513): TX: Time: 1095039906 / 164875839
03-22 17:06:22.170 E/RIL     (12513): TX: M:IPC_NET_CMD S:IPC_NET_REGIST T:IPC_CMD_GET l:9 m:5f a:0
03-22 17:06:22.170 E/RIL     (12513): TX: FF 03
03-22 17:06:22.175 E/RIL     (12513): RX: Time: 1095039909 / 164875841
03-22 17:06:22.175 E/RIL     (12513): RX: M:IPC_NET_CMD S:IPC_NET_REGIST T:IPC_CMD_RESP l:12 m:ff a:5f
03-22 17:06:22.175 E/RIL     (12513): RX: 04 03 02 0B 19 79 E1 4A 2E 01 00
03-22 17:06:22.175 E/RIL     (12513): TX: Time: 1095039909 / 164875841
03-22 17:06:22.175 E/RIL     (12513): TX: M:IPC_NET_CMD S:IPC_NET_REGIST T:IPC_CMD_GET l:9 m:60...