adb pull

As discussed in Chapter 2, Setting Up the Android Forensic Environment, adb pull is used to transfer files from the device to the local workstation. The following shows the format of the adb pull command:

adb pull [-p] [-a] <remote> [<local>]

The optional -p flag shows the transfer's progress, while the optional -a flag will copy the file's timestamp and mode. The <remote> parameter is the exact path to the file on the device. The optional <local> parameter is the path where the file will be written on the examiner's workstation. If no local path is specified, the file will be written to the current working directory. An example adb pull command may look like the following:

adb pull -p /sdcard/Pictures/1.png D:Test

Let's look at the following screenshot:

This command would pull an image file from the device and write it to a directory of our choice. Again, note that the device must be rooted if you want to pull, for example, the mmssms.db database (which contains sent and received SMS and MMS); otherwise, the output would simply show that 0 files were pulled.

The output shows that the file is 599401 bytes in size. As a result of our command, 1.png now resides in the Test folder.

Similarly, if an investigator wishes to pull the files for an entire application, that can be done with adb pull also:

This time, the adb pull command fetched every file in the Pictures directory. As you can see in the preceding screenshot, three files were pulled. The total size of the transfer is shown as 1310468 bytes.

It's even possible to do the following:

adb pull -p /data/data/ D:Test

This would pull every logical file available from the /data/data directory and put them in the examiner's Test folder. This is not equivalent to a physical image, as certain files are skipped and deleted files will not be copied, but it is a simple method for pulling the vast majority of a user's application data.

Another advantage of the adb pull command is that it is highly useful for scripting purposes. A knowledgeable examiner can maintain a list of paths for common files of interest, and write a script that automatically pulls these files from a device, or even have the script automatically pull the entire /data/data directory. The following is a simple example of Python code that will perform this function:

from subprocess import Popen
from os import getcwd
from os.path import join

# Build the command as an argument list so it runs without a shell on any platform;
# join() supplies the path separator that plain string concatenation would omit.
command = ["adb", "pull", "/data/data", join(getcwd(), "data_from_device")]
p = Popen(command)
p.communicate()  # wait for adb to finish before the script exits

Note that the code is not very refined; its only purpose is to illustrate the ease with which adb commands can be scripted. At the very least, a proper implementation should include the option to specify an output directory and handle any errors. However, the six lines shown previously would be sufficient to pull the entire /data/data directory logically, assuming USB Debugging is enabled and the device is rooted.
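The following is an added example, not code from the book, showing what a slightly more refined version of that script looks like: it keeps a list of paths of interest, accepts an output directory on the command line, mirrors the device layout under it, and flags any path for which adb reported nothing pulled (the symptom described above for an unrooted device). The list of paths is constructed for illustration, the regex for adb's summary line is an assumption to be checked against the adb version in use, and the runner and mkdir hooks exist only so the logic can be exercised without a device attached.

```python
"""Added example (not code from the book): a small logical-acquisition script
built on adb pull. The PATHS_OF_INTEREST list is constructed for illustration;
the PULLED_RE pattern for adb's summary line is an assumption; the 'runner' and
'mkdir' hooks are assumptions that let the logic run without a device."""
import os
import re
import subprocess
import sys

# Constructed list of paths commonly requested in a logical acquisition.
PATHS_OF_INTEREST = [
    "/data/data/com.android.providers.telephony/databases/mmssms.db",
    "/sdcard/Pictures",
]

# adb prints a summary such as "3 files pulled, 0 skipped." (assumed format;
# verify it against the adb version in use).
PULLED_RE = re.compile(r"(\d+) files? pulled")


def build_pull_command(remote, out_dir):
    """Argv for one adb pull; -a keeps timestamps and mode, and the remote
    layout is mirrored under out_dir so files from different apps do not collide."""
    local = os.path.join(out_dir, *remote.strip("/").split("/"))
    return ["adb", "pull", "-a", remote, local]


def files_pulled(adb_output):
    """Number of files adb reports pulled, or None if no summary line is present."""
    match = PULLED_RE.search(adb_output)
    return int(match.group(1)) if match else None


def pull_paths(paths, out_dir, runner=subprocess.run, mkdir=os.makedirs):
    """Pull every path; return {remote: files pulled}, with None for a failed command."""
    results = {}
    for remote in paths:
        cmd = build_pull_command(remote, out_dir)
        # adb will not create missing parent directories for a single file
        mkdir(os.path.dirname(cmd[-1]), exist_ok=True)
        try:
            proc = runner(cmd, capture_output=True, text=True)
        except FileNotFoundError:  # adb is not on PATH
            results[remote] = None
            continue
        count = files_pulled(proc.stdout + proc.stderr)
        results[remote] = count if proc.returncode == 0 else None
    return results


def failed_paths(results):
    """Remote paths that yielded nothing (failed command or '0 files pulled')."""
    return [remote for remote, count in results.items() if not count]


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else os.path.join(os.getcwd(), "data_from_device")
    res = pull_paths(PATHS_OF_INTEREST, out)
    for remote, count in res.items():
        print(f"{remote}: {'FAILED' if count is None else count} files")
    if failed_paths(res):
        print("Some paths yielded nothing; check that USB Debugging is on and the device is rooted.")
```

Run it as `python pull_script.py D:\Test` (or with no argument to use a data_from_device folder under the current directory). Because 0 files pulled from a protected path is exactly what an unrooted device produces, the script treats a zero count the same as a failed command rather than silently reporting success.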
