Android Physical Extraction - FAQ
Nadav Horesh
June, 2012
Table of Contents
Introduction .......... 3
Android Debugging Bridge (ADB) .......... 4
  Q: What does ADB stand for and how does it work? .......... 4
  Q: So can ADB be used to extract any Android device? What’s the catch? .......... 4
  Q: How do I turn on USB debugging? .......... 4
  Q: Does this method bypass the unlock password or pattern? Will I be able to reveal it? .......... 4
  Q: How do I get Administrator (root) permissions on the device? .......... 4
  Q: I turned on USB debugging. What extraction types can I perform? .......... 4
  Q: Does this extraction method change any of the data on the device? .......... 5
  Q: Can you summarize this entire ADB topic in one sentence? .......... 5
Boot Loader Extraction .......... 5
  Q: What is Boot loader extraction? .......... 5
  Q: Does this method bypass the unlock password or pattern? Will I be able to reveal it? .......... 5
  Q: Does this extraction method change any of the data on the device? .......... 5
  Q: Which devices are supported by this method? .......... 5
Technical Terms .......... 5
Introduction
There are many different devices running the Android OS: phones, MP3 players, tablets, eBook readers and
more. There are two main approaches when it comes to extracting Android devices:
- ADB (USB Debugging) method, which utilizes a built-in protocol within the operating system
- Several other methods in which the extraction takes place before the operating system has started running
This document will cover the pros and cons of each method and will try to answer frequently asked questions.
Android Debugging Bridge (ADB)
Q: What does ADB stand for and how does it work?
A: ADB, or Android Debugging Bridge, is a built-in protocol within the Android operating system. This means
that basically every Android-based device should have this protocol. This protocol enables developers to
connect to an Android-based device and perform low-level commands used for development. We utilize this
protocol to perform an extraction of Android Devices.
Q: So can ADB be used to extract any Android device? What’s the catch?
A: Yes and no. In theory, every Android device can be extracted using ADB. However, there are some
limitations: The USB debugging option must be enabled on the device and we need to get administrator (root)
permissions on it.
Q: How do I turn on USB debugging?
A: On most Android devices, do the following: go to “Menu” -> “Settings” -> “Applications” -> “Development”
and then click “USB debugging” to enable ADB.
Q: Does this method bypass the unlock password or pattern? Will I be able to reveal it?
A: As explained above, USB debugging must be turned on before it’s possible to attempt an extraction, and
this cannot be done when the device is locked. However, in some cases the user could have turned on USB
debugging before locking the device. In this case you will be able to “bypass” the screen lock. If you
successfully perform an extraction you will be able to see the numeric password or pattern lock protecting
the device in the Physical Analyzer.
Q: How do I get Administrator (root) permissions on the device?
A: After ADB is turned on, the UFED will automatically detect the Android OS version running on the
connected device and whether it is rooted or not. If the device is not rooted, the UFED will gain root
permissions automatically. This is currently supported for all available Android OS versions (1.5-4.0.x). It is
possible to manually root the device using 3rd party tools, but this is not recommended as it may harm the
integrity of the data on the device, potentially even “bricking” it.
Q: I turned on USB debugging. What extraction types can I perform?
A: You can currently perform either a Physical Extraction, which will extract all the data on the device, or a File
System Extraction, which will extract only relevant files. The advantage of a Physical Extraction is that it
retrieves more data from the device, making it possible to recover deleted files such as photos that were
saved on the device. The downside is that it takes more time, and that File System reconstruction is not
supported for all devices. If you choose to do a File System Extraction you will save time and will still be able
to view all vital information including deleted records (but excluding deleted files) even if File System
reconstruction is not supported.
Q: Does this extraction method change any of the data on the device?
A: A few clients are copied to the device into the “/data/local/tmp” folder. Besides that, nothing is changed.
Q: Can you summarize this entire ADB topic in one sentence?
A: Sure. It is possible to perform a physical or file system extraction on almost any Android device, provided
that it’s not locked (or USB debugging was previously enabled). All currently available Android OS versions are
supported (1.5-4.0.x).
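The three ADB preconditions and side effects described in this section (USB debugging must be on so adb can see the device, the shell must be root, and the only write to the device is the clients placed in “/data/local/tmp”) can be checked and documented from the examiner's workstation. The following Python script is an added example for this FAQ; it is not Cellebrite or UFED code. It assumes the ordinary text formats of `adb devices` (a header line, then one `serial<TAB>state` line per device) and of `adb shell id` (`uid=N(name) ...`); the sample outputs embedded below are constructed, not captured from a real device, and the hypothetical `record_pushed_client` helper only builds a note for the examiner's log, it does not itself talk to the device.

```python
import hashlib
import re

# Constructed sample output of `adb devices` (not captured from a real device).
SAMPLE_ADB_DEVICES = (
    "List of devices attached\n"
    "0123456789ABCDEF\tdevice\n"
    "FEDCBA9876543210\toffline\n"
)

# Constructed sample outputs of `adb shell id` for a rooted and a non-rooted device.
SAMPLE_ID_ROOT = "uid=0(root) gid=0(root)\n"
SAMPLE_ID_SHELL = "uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input)\n"

# The folder the FAQ names as the only location the ADB extraction writes to.
CLIENT_DIR = "/data/local/tmp"


def parse_adb_devices(output):
    """Map each serial in `adb devices` output to its state ('device', 'offline', ...).

    The first line is the 'List of devices attached' header; lines beginning with
    '*' are adb daemon start-up messages and carry no device information.
    """
    devices = {}
    for line in output.splitlines()[1:]:
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices


def usb_debugging_ready(output):
    """Serials in state 'device': USB debugging is on and adb can talk to them."""
    return sorted(s for s, state in parse_adb_devices(output).items() if state == "device")


def shell_is_root(id_output):
    """True when `adb shell id` reports uid 0, the root permission the FAQ says is required."""
    m = re.match(r"uid=(\d+)", id_output.strip())
    return m is not None and int(m.group(1)) == 0


def record_pushed_client(client_bytes, remote_name):
    """Build a log entry for one client copied to /data/local/tmp (hypothetical helper).

    Because the FAQ states this folder is the only thing the ADB method changes, the
    examiner's notes should list every file placed there with its size and hash so the
    change to the evidence is fully documented.
    """
    if "/" in remote_name or remote_name in ("", ".", ".."):
        raise ValueError("remote_name must be a plain file name")
    return {
        "remote_path": f"{CLIENT_DIR}/{remote_name}",
        "size": len(client_bytes),
        "sha256": hashlib.sha256(client_bytes).hexdigest(),
    }


if __name__ == "__main__":
    print("USB debugging ready:", usb_debugging_ready(SAMPLE_ADB_DEVICES))
    print("root shell:", shell_is_root(SAMPLE_ID_ROOT), shell_is_root(SAMPLE_ID_SHELL))
    print(record_pushed_client(b"abc", "client.bin"))
```

On a real case the two sample strings would be replaced by the captured output of `adb devices` and `adb shell id`; a device listed as `offline` (or absent) cannot be extracted by this method, and a non-zero uid means the root step the FAQ describes has not yet succeeded.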
Boot Loader Extraction
Q: What is Boot loader extraction?
A: This method performs a physical extraction of the device when it's in Boot Loader mode. Many Android
devices can be turned on in special modes, used for debugging or for firmware upgrade. In this extraction
method the Android OS is not running, so the device can’t connect to the mobile network.
Q: Does this method bypass the unlock password or pattern? Will I be able to reveal it?
A: Yes, you will be able to bypass any type of lock, and will be able to reveal a numeric PIN lock or unlock
pattern.
Q: Does this extraction method change any of the data on the device?
A: No, this method is completely forensically sound.
Q: Which devices are supported by this method?
A: Currently supported devices are most Motorola Android devices, selected Samsung Android devices,
selected Qualcomm devices and selected LG GSM and CDMA devices.
Technical Terms
Android - Google’s mobile OS. You can find a list of Android devices here:
http://en.wikipedia.org/wiki/List_of_Android_devices. Another very helpful resource is http://pdadb.net
Brick - A device that cannot function in any capacity (such as a device with damaged firmware).
(http://en.wikipedia.org/wiki/Brick_%28electronics%29)
Client - A program written by Cellebrite that runs on the Android OS itself.
Root/rooting - A process that allows users of cell phones and other devices running the Android operating system to
attain privileged control (known as "root access") within Android's Linux subsystem, similar to jailbreaking on Apple
devices running the iOS operating system, overcoming limitations that the carriers and manufacturers put on such
phones. (http://en.wikipedia.org/wiki/Rooting_%28Android_OS%29)