Chapter 4. Extracting Data Logically from Android Devices

This chapter covers logical data extraction, using free and open source tools wherever possible. Most of the material in this chapter uses the ADB methods previously discussed in Chapter 2, Setting Up an Android Forensic Environment.

By the end of this chapter, the reader should be familiar with the following:

  • What logical extraction means
  • What data to expect from logical extractions
  • What data is available with and without root
  • Manual ADB data extractions
  • ADB Backup extractions
  • ADB dumpsys information
  • How to bypass Android lock screens
  • SIM card extractions

Logical extraction overview

In digital forensics, the term logical extraction is typically used to refer to extractions that do not recover deleted data, or that do not include a full bit-by-bit copy of the evidence. A more precise definition, also given in Chapter 1, Introducing Android Forensics, is any method that requires communication with the device's operating system. Because of this interaction, a forensic examiner cannot be sure that they have recovered all of the recoverable data; the operating system decides which data the examiner is allowed to access.

In traditional computer forensics, logical extraction is analogous to copying and pasting a folder in order to extract data from a system; this process will only copy files that the user can access and see. If any hidden or deleted files are present in the folder being copied, they will not be in the pasted version of the folder.

As you will see, however, the line between logical and physical extractions in mobile forensics is blurrier than in traditional computer forensics. For example, deleted data can routinely be recovered from logical extractions on mobile devices, because so much of the data is stored in SQLite databases. Furthermore, almost every mobile extraction will require some form of interaction with the Android operating system; there is no simple equivalent to pulling a hard drive and imaging it without booting the system. For our purposes, we will define a logical extraction as a process that obtains the data visible to the user, and which may also include data that has been marked for deletion but not yet overwritten.

What data can be recovered logically?

For the most part, all user data may be recovered logically:

  • Contacts
  • Call logs
  • SMS/MMS
  • Application data
  • System logs and information

The bulk of this data is stored in SQLite databases. Because SQLite does not overwrite deleted records by default (they remain in the unused space of the database file until that space is reused), it is even possible to recover large amounts of deleted data through a logical extraction.
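To make this concrete, the following Python script is an added example written for this edition; it is not code from the original chapter or from any Android component. It builds a small, constructed messages table, deletes one row, and then contrasts what a SQL query returns (the engine's view, which is all a logical extraction normally sees) with what a raw scan of the same file's bytes finds. It also demonstrates the caveat: when PRAGMA secure_delete is turned on, SQLite zeroes the freed cell and the record really is gone. The table name, column names and message contents are invented for the example.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample rows in the shape of a messaging table; invented for this
# example, not taken from any real device.
SAMPLE_ROWS = [
    (1, "+15550001111", "Meeting moved to 3pm, same room"),
    (2, "+15550002222", "Wire the deposit to the usual account tonight"),
    (3, "+15550003333", "Happy birthday, see you Saturday"),
]
DELETED_ID = 2
DELETED_BODY = SAMPLE_ROWS[1][2]

# Runs of at least 12 printable ASCII bytes, the same heuristic `strings` uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{12,}")


def build_database(path, secure_delete=False):
    """Create an 'sms' table, commit three rows, then delete one row and commit.

    secure_delete maps to SQLite's PRAGMA secure_delete: OFF (the common
    default) leaves the freed cell's bytes in place inside the page; ON
    overwrites them with zeros when the cell is freed.
    """
    conn = sqlite3.connect(path)
    try:
        conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        conn.execute(
            "CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT)"
        )
        conn.executemany("INSERT INTO sms VALUES (?, ?, ?)", SAMPLE_ROWS)
        conn.commit()
        conn.execute("DELETE FROM sms WHERE _id = ?", (DELETED_ID,))
        conn.commit()
    finally:
        conn.close()


def live_bodies(path):
    """The engine-mediated view: only rows SQLite still considers live."""
    conn = sqlite3.connect(path)
    try:
        return [row[0] for row in conn.execute("SELECT body FROM sms ORDER BY _id")]
    finally:
        conn.close()


def carve_strings(path):
    """Ignore SQLite entirely and pull printable runs straight out of the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def compare(secure_delete=False):
    """Build a database, then contrast the SQL view with a raw carve of the file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mmssms.db")
        build_database(path, secure_delete)
        bodies = live_bodies(path)
        carved = carve_strings(path)
        return {
            "live_bodies": bodies,
            "deleted_body_in_sql_view": DELETED_BODY in bodies,
            "deleted_body_in_raw_bytes": any(DELETED_BODY in s for s in carved),
        }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"secure_delete={'ON' if flag else 'OFF'}: {compare(secure_delete=flag)}")
```

Two practical notes follow from this. First, a freed record survives only until SQLite reuses that space, so a database that keeps being written to will gradually overwrite its own deleted history. Second, Android applications frequently keep their databases in WAL mode, so the -wal and -journal sidecar files next to a database must be collected along with it; unflushed or superseded pages in those files are another place where deleted records linger.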

Root access

When forensically analyzing an Android device, the limiting factor is often not the type of data being sought, but whether the examiner has the ability to access it. Root access has been covered extensively in Chapter 2, Setting Up an Android Forensic Environment, but it is important enough to warrant repetition. All of the data listed above, when stored on the internal flash memory, lives on the data partition under file permissions that the unprivileged ADB shell user cannot read; root access is required. The exception is application data stored on the SD card, which will be discussed later in this book.

Without root access, a forensic examiner cannot simply copy information from the data partition. The examiner will have to find some method of escalating their privileges in order to gain access to the contacts, call logs, SMS/MMS, and application data. These methods often carry significant risk, such as the potential to destroy or "brick" the device (leaving it unable to boot), and may alter data on the device in order to gain persistence. The methods vary from device to device, and there is no universal, one-click method to gain root access on every device. Commercial mobile forensic tools such as MicroSystemation XRY and Cellebrite UFED have built-in capabilities to temporarily and safely root many devices, but do not cover every Android device.

Throughout this chapter, we will make note of situations where root is required for each technique demonstrated.
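Before attempting any of the techniques that follow, it is worth establishing which situation you are in. The script below is an added example written for this edition (not part of the original chapter, and not a feature of ADB itself): it asks the device shell who it is, tries the su binary that most rooting methods install, and then attempts to list /data/data, retrying through su if the plain listing is denied. The use of `adb shell`, the `su -c <command>` convention and the sample device output embedded for offline use are assumptions, labelled as such in the code.

```python
import subprocess

# Assumption for the live path: `adb` is on PATH and exactly one device is attached.
ADB = "adb"


def adb_shell(command):
    """Run one command in the device shell via ADB and return its combined output."""
    proc = subprocess.run(
        [ADB, "shell", command], capture_output=True, text=True, timeout=30
    )
    return (proc.stdout + proc.stderr).strip()


def classify_identity(id_output):
    """Interpret the output of `id` on the device.

    uid 0 is root. uid 2000 is AID_SHELL, the unprivileged account that adbd
    runs as on production builds. Anything else (including an error message
    from a missing su binary) is reported as unknown.
    """
    if id_output.startswith("uid=0("):
        return "root"
    if id_output.startswith("uid=2000("):
        return "shell"
    return "unknown"


def probe_access(run=adb_shell):
    """Report what the examiner can actually reach.

    `run` takes a shell command string and returns its output; it defaults to
    the real device but is injectable so the logic can be exercised offline.
    """
    adb_identity = classify_identity(run("id"))
    # Most rooting methods install a `su` binary; `su -c <cmd>` is the usual
    # way to run one command as root (assumption: SuperSU/Magisk-style su).
    su_identity = classify_identity(run("su -c id"))

    listing = run("ls /data/data")
    denied = "Permission denied" in listing
    if denied and su_identity == "root":
        listing = run("su -c 'ls /data/data'")
        denied = "Permission denied" in listing

    return {
        "adb_identity": adb_identity,
        "su_identity": su_identity,
        "root_available": "root" in (adb_identity, su_identity),
        "data_readable": bool(listing) and not denied,
    }


def make_runner(samples):
    """Build a fake `run` that answers from a dict of constructed device output."""
    return lambda command: samples.get(command, "")


# Constructed device output for offline use, modelled on what `id`, `su -c id`
# and `ls /data/data` print; not captured from a real handset.
UNROOTED_DEVICE = {
    "id": "uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log) context=u:r:shell:s0",
    "su -c id": "/system/bin/sh: su: inaccessible or not found",
    "ls /data/data": "ls: /data/data: Permission denied",
}
ROOTED_DEVICE = {
    "id": "uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log) context=u:r:shell:s0",
    "su -c id": "uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0",
    "ls /data/data": "ls: /data/data: Permission denied",
    "su -c 'ls /data/data'": "com.android.providers.contacts\ncom.android.providers.telephony\ncom.example.app",
}


if __name__ == "__main__":
    print("constructed unrooted device:", probe_access(make_runner(UNROOTED_DEVICE)))
    print("constructed rooted device:  ", probe_access(make_runner(ROOTED_DEVICE)))
    try:
        print("attached device:            ", probe_access())
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        print("no attached device probed:", exc)
```

A result of `root_available: False` means every extraction in this chapter that reads from the data partition is off the table until privileges are escalated; `root_available: True` with `data_readable: False` usually points at a su binary that prompts for approval on the device screen, which must be granted before pulling data.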

Note

The decision to root a device should be made in accordance with your local operating procedures and court opinions in your jurisdiction. The legal acceptance of evidence obtained by rooting varies by jurisdiction.
