Using netcat

We will need two Terminal windows open, with the ADB shell open in one of them. The other will be used to listen to the data being sent from the device.

Now, we need to enable port forwarding over ADB from the examiner's computer:

adb forward tcp:9999 tcp:9999

9999 is the port we chose to use for netcat; it can be any arbitrary port number between 1023 and 65535 on a Linux or macOS system (1023 and below are reserved for system processes, and require root permission to use). Windows will allow any port to be assigned.

In the Terminal window with ADB shell, run the following:

dd if=/dev/block/mmcblk0p24 bs=1024 | toybox nc -l -p 9999

mmcblk0p24 is the userdata partition on this device; however, the entire flash memory or any other partition could also be imaged with this method. In most cases, it is best practice to image the entirety of the flash memory in order to acquire all possible data from the device. Some commercial forensic tools may also require the entire memory image, and may not properly handle an image of a single partition.

In the other Terminal window, run the following:

nc 127.0.0.1 9999 > userdata.dd

The userdata.dd file should now have been created in the current directory of the examiner's computer. When the data has finished transferring, netcat in both Terminals will terminate and return to the Command Prompt. This process can take a significant amount of time, depending on the size of the image.
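The following is an added example, not code from the original text: a Python stand-in for the examiner-side `nc 127.0.0.1 9999 > userdata.dd` step that hashes the image while it is being written and reports a transfer that ended short. The function names, the choice of SHA-256, and the expected_size argument (the partition size in bytes, obtained separately from the device) are assumptions of this example.

```python
"""Examiner-side receiver for an image streamed over an ADB-forwarded port."""
import hashlib
import socket
import sys

CHUNK = 1024 * 1024  # read size on the examiner's side; independent of dd's bs


def receive_image(stream, out_path, expected_size=None):
    """Copy stream to out_path, hashing the bytes as they arrive.

    Returns (bytes_written, sha256_hex). Raises ValueError when expected_size
    is given and the byte count differs (for example, a dropped connection).
    The partial file is left on disk so the failure can be documented.
    """
    digest = hashlib.sha256()
    written = 0
    with open(out_path, "wb") as out:
        while True:
            chunk = stream.read(CHUNK)
            if not chunk:  # sender closed the connection
                break
            out.write(chunk)
            digest.update(chunk)
            written += len(chunk)
    if expected_size is not None and written != expected_size:
        raise ValueError(
            f"size mismatch: received {written} bytes, expected {expected_size}")
    return written, digest.hexdigest()


def acquire(port, out_path, expected_size=None, host="127.0.0.1"):
    """Connect to the forwarded port (9999 in the text) and receive the image."""
    with socket.create_connection((host, port)) as sock:
        with sock.makefile("rb") as stream:
            return receive_image(stream, out_path, expected_size)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: receive_image.py PORT OUTFILE [EXPECTED_BYTES]")
    expected = int(sys.argv[3]) if len(sys.argv) > 3 else None
    size, sha256 = acquire(int(sys.argv[1]), sys.argv[2], expected)
    print(f"{sys.argv[2]}: {size} bytes, sha256 {sha256}")
```

Recording the byte count and hash at acquisition time gives a reference value against which later copies of userdata.dd can be checked.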
