Extracting data physically with Magnet ACQUIRE

ACQUIRE is a free tool by Magnet Forensics that can be used to acquire a wide range of potential digital evidence sources, from hard drives and smartphones to cloud data. Of course, it supports both logical and physical acquisition of Android devices, up to the latest ones running Android Pie. The tool can be downloaded after registration here: https://www.magnetforensics.com/magnet-acquire/.

In this example, we are going to image a rooted smartphone running Android Oreo:

  1. Start by choosing the appropriate device from the list:

As you can see, our device has privileged access, which means that it's rooted. We also immediately get some metadata, such as the OS version, device serial number, and so on. If the device you are going to image isn't listed for some reason, you can use the "The device I'm looking for isn't showing up" option, which contains step-by-step guides on how to make the tool detect it.

  2. Once you have chosen the right device, you can select the image type:

  3. There are two options: Full and Quick. The first is a physical acquisition and is not always available, while the second is logical and is available for any Android device. As our device is rooted, we can choose the Full option.
  4. Finally, choose the folder and image names, destination, and fill in the other fields if necessary:

  5. Clicking the ACQUIRE button will start the acquisition process. In our example, the imaging of 16 GB of storage only took 10 minutes. If you look in the log file (activity_log.txt), you will notice that the same tools are actually used, namely dd and toybox:

As you can see, imaging an Android device with Magnet ACQUIRE is much easier than with dd and netcat, but under the hood, the process is the same. Sometimes, the tool may even help you to perform physical acquisition of non-rooted devices, as it contains a number of exploits that are capable of getting temporary privileged access, as well as TWRP custom recoveries that can be used to obtain the full images of unencrypted devices.
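
The manual dd and netcat process that the text compares against can be sketched as follows. This is an added example, not Magnet ACQUIRE's own code or log output; it assumes adb and nc on the workstation, su and toybox on the rooted device, and hypothetical defaults for the block device path and TCP port.

```shell
#!/bin/sh
# Added example, not Magnet ACQUIRE's code: manual dd + netcat imaging.
# Assumptions: adb and nc on the workstation, su and toybox on the device,
# and hypothetical defaults for the block device and port.

# SHA-256 of a file or block device, read through dd as the imaging step does.
stream_hash() {
    dd if="$1" bs=4096 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Succeeds only when IMAGE is bit-identical to SOURCE (for example, a
# working copy checked against the master image). Returns 2 if unreadable.
verify_image() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    [ "$(stream_hash "$1")" = "$(stream_hash "$2")" ]
}

# Stream a block device from a rooted phone into DEST and print its hash.
acquire_over_adb() {
    dest=$1
    blk=${2:-/dev/block/mmcblk0}   # assumed path; confirm on the device
    port=${3:-8888}                # assumed free TCP port
    adb forward "tcp:$port" "tcp:$port" || return 1
    # Device side: dd reads the storage, toybox netcat serves it once.
    adb shell "su -c 'dd if=$blk | toybox nc -l -p $port'" &
    sleep 2                        # give the listener time to start
    nc 127.0.0.1 "$port" > "$dest"
    wait
    adb forward --remove "tcp:$port"
    stream_hash "$dest"            # record this value in the case notes
}

# Usage: acquire_over_adb image.dd
#        verify_image image.dd working_copy.dd
```

Hashing the image as soon as it lands on the workstation gives a reference value for every later working copy; a second read of a powered-on device will usually not match, because its storage keeps changing.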
