We will now take a quick look at some commonly used Linux commands and their usage with respect to an Android device:
- ls: The ls command (with no option) lists the files and directories present in the current directory. With the -l option, it also shows each entry's size, modification date and time, owner, and permissions, as shown in the following command-line output:
    shell@android:/ $ ls -l
    drwxr-xr-x root     root              2015-01-17 10:13 acct
    drwxrwx--- system   cache             2014-05-31 14:55 cache
    dr-x------ root     root              2015-01-17 10:13 config
    lrwxrwxrwx root     root              2015-01-17 10:13 d -> /sys/kernel/debug
    drwxrwx--x system   system            2015-01-17 10:13 data
    -rw-r--r-- root     root          116 1970-01-01 05:30 default.prop
    drwxr-xr-x root     root              2015-01-17 10:13 dev
    drwxrwx--x radio    system            2013-08-13 09:34 efs
    lrwxrwxrwx root     root              2015-01-17 10:13 etc -> /system/etc
    ...
Similarly, the following are a few options that can be used along with the ls command:
| Option | Description |
| --- | --- |
| -a | Lists hidden files |
| -c | Displays files by timestamp |
| -d | Displays only directories |
| -n | Displays the long-format listing, with GID and UID numbers |
| -R | Displays subdirectories as well |
| -t | Displays files based on timestamp |
| -u | Displays the file access time |
Depending on the requirements, the investigator can combine one or more of these options to view the details needed.
- cat: The cat command reads one or more files and prints them to standard output, as shown in the following command lines:
    shell@android:/ $ cat default.prop
    #
    # ADDITIONAL_DEFAULT_PROPERTIES
    #
    ro.secure=1
    ro.allow.mock.location=0
    ro.debuggable=0
    persist.sys.usb.config=mtp
To combine multiple files into one, we can use the > operator. To append to an existing file, we can use the >> operator.
- cd: The cd command is used to change from one directory to another, and is used constantly while navigating between folders. The following example shows the command used to change to the system folder:
    shell@android:/ $ cd /system
    shell@android:/system $
- cp: The cp command can be used to copy a file from one location to another. The syntax for this command is as follows:
    $ cp [options] <source> <destination>
- chmod: The chmod command is used to change the access permissions to filesystem objects (files and directories). It may also alter special mode flags. The syntax for this command is as follows:
    $ chmod [option] mode files
For example, chmod 777 on a file gives read, write, and execute permissions to everyone.
- dd: The dd command is used to copy a file, converting and formatting it according to the operands. With Android, the dd command can be used to create a bit-by-bit image of the Android device. More details of imaging are covered in Chapter 4, Data Acquisition from iOS Backups. The following is the syntax that needs to be used with this command:
    dd if=/test/file of=/sdcard/sample.image
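An acquisition is only useful if the image can be shown to match its source. The following shell script is an added example, not code from the book: it wraps the dd if=/of= syntax above in a function that checks the copy's size and content, appends a checksum to a log with the >> operator, and makes the image read-only. The temp-dir paths and the sample file are constructed here so it runs on any POSIX host; on a device the source would be a block device and the destination a file on /sdcard.

```shell
#!/bin/sh
# Added example (not from the book): acquire a file with dd and verify
# the resulting image before relying on it.

acquire_and_verify() {
    src="$1"; dst="$2"; log="$3"
    # dd copies the source bit for bit; bs only affects throughput.
    dd if="$src" of="$dst" bs=4k 2>/dev/null || return 1
    # A short read would leave a truncated image: sizes must match exactly.
    [ "$(wc -c < "$src")" -eq "$(wc -c < "$dst")" ] || return 1
    # Byte-for-byte comparison; cmp exits non-zero on the first difference.
    cmp -s "$src" "$dst" || return 1
    # Append (>>) the checksum and size to the acquisition log, then make the
    # image read-only so later steps cannot alter the evidence by accident.
    cksum "$dst" >> "$log"
    chmod 444 "$dst"
}

# Constructed sample input: 5000 numbered lines stand in for device data.
WORK=$(mktemp -d)
seq 1 5000 > "$WORK/test_file"
if acquire_and_verify "$WORK/test_file" "$WORK/sample.image" "$WORK/acquisition.log"; then
    echo "image verified; log entry:"
    cat "$WORK/acquisition.log"
else
    echo "acquisition failed" >&2
fi
```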
- rm: The rm command can be used to delete files or directories. The following is the syntax for this command:
    rm file_name
- grep: The grep command is used to search files or output for a particular pattern. The syntax for this command is as follows:
    grep [options] pattern [files]
- pwd: The pwd command displays the current working directory. For example, the following command-line output shows that the current working directory is /system:
    shell@android:/system $ pwd
    /system
- mkdir: The mkdir command is used to create a new directory. The following is the syntax for this command:
    mkdir [options] directories
- exit: The exit command can be used to exit the shell you are in. Just type exit in the shell to exit from it.
Next, we will see how to handle an Android device efficiently before the investigation.