Summary

This chapter has covered many topics related to logical extractions of Android devices. As a recap, the various methods and their requirements are as follows:

Method | Requirements

ADB pull

  • USB Debugging enabled
  • Secure USB Debugging bypassed on 4.2.2+
  • Root access to obtain user data

ADB pull from Recovery Mode

  • Must be a custom recovery to enable ADB access
  • Root access to obtain user data

Fastboot to boot from custom recovery image

  • Unlocked bootloader
  • Boot image for device

ADB backup

  • USB Debugging enabled
  • Secure USB Debugging bypassed on 4.2.2+
  • Must be done from a running device (not Recovery Mode)

ADB Dumpsys

  • USB Debugging enabled
  • Secure USB Debugging bypassed on 4.2.2+
  • Must be done from a running device (not Recovery Mode)

SIM card extraction

  • None, should be done independent of device

Additionally, valuable user data can be recovered from the SD card, which will be covered in Chapter 5, Extracting Data Physically from Android Devices.

If a screen is locked, an examiner can remove the key files or remove some records from the locksettings.db database using the methods listed previously.

There is a lot of data in this chapter; to help simplify it somewhat, a suggested best-practices flowchart is shown as follows:

Android Forensics flowchart