Summary

This chapter has covered many topics related to logical extractions of Android devices. As a recap, the various methods and their requirements are as follows:

| Method | Requirements |
| --- | --- |
| ADB pull | USB debugging enabled; Secure USB debugging bypassed on 4.2.2+; root access to obtain user data |
| ADB pull from Recovery Mode | Must be a custom recovery to enable ADB access; root access to obtain user data |
| Fastboot to boot from custom recovery image | Unlocked bootloader; boot image for device |
| ADB backup | USB debugging enabled; Secure USB debugging bypassed on 4.2.2+; must be done from a running device (not Recovery Mode) |
| ADB dumpsys | USB debugging enabled; Secure USB debugging bypassed on 4.2.2+; must be done from a running device (not Recovery Mode) |
| SIM card extraction | None; should be done independently of the device |

Additionally, valuable user data can be recovered from the SD card, which will be covered in Chapter 5, Extracting Data Physically from Android Devices.

If the screen is locked, an examiner can pull the key files using the methods listed above and crack them in order to bypass the lock.

There is a lot of data in this chapter. To help simplify it somewhat, a suggested best practices flow chart is shown as follows:


Figure: Android Forensics Flow Chart
