Utilizing Android Debug Bridge (ADB) for Android Data Acquisition


In the DFIR process, data acquisition is the most important step before moving on to the next one. Differences between media make acquisition more challenging, so here I will explain how to acquire data from an Android device using ADB, along with the prerequisites.

Zuhri

Introduction #

Data acquisition is part of the DFIR process, and it is the most important step before performing analysis. Differences between media (devices) make acquisition harder; Android devices are one example. Android device storage is different from HDDs, USB drives, and so on.

Android uses eMMC as storage because eMMC is smaller than other media and offers good, reliable speed as a storage medium. USB storage and HDDs are general-purpose mass storage, so we do not need to find an adapter or converter for them. Converters for eMMC may exist, but I do not have one.

Methodology #

The prerequisite of this methodology is that the Android device must have root access! I will not explain how to obtain it, because the procedure differs from device to device; find the approach that works best in your case.

Gaining root shell #

First, we will try to obtain a root shell (superuser) using adb.

[ root@server: ~ ]
└# adb devices
* daemon not running; starting now at tcp:5037
* daemon started successfully
List of devices attached
401fc67d	unauthorized
[ root@server: ~ ]
└# adb devices -l
List of devices attached
401fc67d               device usb:1-1 product:qassa_whyred model:Redmi_Note_5 device:whyred transport_id:3
[ root@server: ~ ]
└# adb shell

whyred:/ $ whoami
shell

whyred:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0

whyred:/ $ su
/system/bin/sh: su: inaccessible or not found

So we fail to get it. What I am going to do now is boot this device into recovery mode.

NOTE: this device has been modified before, and because it is a Xiaomi device, the bootloader has been unlocked.

After that, go back to the previous shell (the Linux machine) and type adb reboot recovery to boot into recovery mode.

[ root@server: ~ ]
└# adb devices
List of devices attached
401fc67d	device

[ root@server: ~ ]
└# adb reboot recovery

After that is done, I will install root access (Magisk); I will not cover that process here.

[ root@server: ~ ]
└# adb devices
List of devices attached
401fc67d	device

[ root@server: ~ ]
└# adb shell

whyred:/ $ su

whyred:/ # whoami
root

whyred:/ # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:magisk:s0

So we have root access now. Next we are going to analyse this device's partitions.

Analysing partitions #

Root access has been obtained, so now we need to analyse the storage.

127|whyred:/ # lsblk
/system/bin/sh: lsblk: inaccessible or not found

127|whyred:/ # fdisk -l
/system/bin/sh: fdisk: inaccessible or not found

This device does not have the fdisk or lsblk commands, so we need to find another way to get more information.

127|whyred:/ # blkid
/dev/block/zram0: UUID="efaa708a-9212-400a-b62b-74e3c766e597" TYPE="swap"
/dev/block/mmcblk0p38: SEC_TYPE="msdos" UUID="00BC-614E" TYPE="vfat"
/dev/block/mmcblk0p48: LABEL="dsp" UUID="af32c008-2a39-7e5b-a5dc-201456d93103" TYPE="ext4"
/dev/block/mmcblk0p53: UUID="78ad1555-aaa2-4ea8-922d-889c864277cf" TYPE="ext4"
/dev/block/mmcblk0p54: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk0p56: SEC_TYPE="msdos" UUID="00BC-614E" TYPE="vfat"
/dev/block/mmcblk0p60: UUID="dac5081a-6128-406c-940c-40f08e34095b" TYPE="ext4"
/dev/block/mmcblk0p61: LABEL="/" UUID="f8ddb990-fb3d-5ab5-aafa-b1b930c54b9d" TYPE="ext4"
/dev/block/mmcblk0p62: LABEL="vendor" UUID="ba61e90c-1a34-5c40-8bba-e791557a102f" TYPE="ext4"
/dev/block/mmcblk0p63: UUID="6d558241-f883-4d90-94c8-27896867b5a2" TYPE="ext4"
/dev/block/mmcblk0p64: UUID="119742b9-6e7d-46f5-9bb0-008d99b815f8" TYPE="f2fs"

From this blkid output we can see that this device uses eMMC (mmcblk0p*) as storage, but that is still not enough. We need to find more!

whyred:/ # cat /proc/partitions | grep mmcblk0 | head -n 10 ; cat /proc/partitions | wc -l
 179        0   30535680 mmcblk0
 179        1          8 mmcblk0p1
 179        2          8 mmcblk0p2
 179        3          8 mmcblk0p3
 179        4         32 mmcblk0p4
 179        5         32 mmcblk0p5
 179        6         20 mmcblk0p6
 179        7         64 mmcblk0p7
 179        8         64 mmcblk0p8
 179        9        128 mmcblk0p9
65
whyred:/ # df -h
Filesystem            Size  Used Avail Use% Mounted on
tmpfs                 1.3G  1.0M  1.3G   1% /dev
tmpfs                 1.3G     0  1.3G   0% /mnt
tmpfs                 1.3G     0  1.3G   0% /apex
/dev/block/mmcblk0p61 2.9G  1.4G  1.5G  48% /
/dev/block/mmcblk0p62 787M  427M  360M  55% /vendor
magisk                1.3G  4.1M  1.3G   1% /sbin
/dev/block/mmcblk0p64  22G   18G  4.3G  81% /data
/dev/block/mmcblk0p56 192M  106M   86M  56% /vendor/firmware_mnt
/dev/block/mmcblk0p38  64M  512K   63M   1% /vendor/bt_firmware
/dev/block/mmcblk0p48  12M  7.3M  4.4M  63% /vendor/dsp
/dev/block/mmcblk0p60 232M  200K  232M   1% /cache
/dev/block/mmcblk0p53  27M  404K   27M   2% /mnt/vendor/persist
worker                1.3G     0  1.3G   0% /sbin/.magisk/worker
/data/media            22G   18G  4.3G  81% /mnt/runtime/default/emulated

Here we find useful information about this device: the filesystems, their sizes, and where they are mounted.

Our purpose is to find the correct partition, the one that will be used for analysis in the next step of the digital forensics process. In the Linux filesystem hierarchy, connected devices usually appear under /dev, and the df command shows which storage has been mounted. My rule of thumb is that the biggest one is the primary storage, so we stick with /dev/block/mmcblk0p64. But why don't we use /data/media? It has the same size! The reason is that /data/media is part of /data, /data is mounted on /dev/block/mmcblk0p64, and /dev/block/mmcblk0p64 is part of /dev/block/mmcblk0 (the whole storage).

Ideally we should stick with /dev/block/mmcblk0, but my machine does not have enough storage to save it (this is important). So we stick with /dev/block/mmcblk0p64. Using /dev/block/mmcblk0 would clone the whole storage, which is what we should do, but we are limited right now, sorry.
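The selection rule above (take the biggest mount that is backed by a real block device, and ignore bind mounts and pseudo-filesystems such as /data/media, tmpfs and magisk) can be scripted so it is applied the same way on every device. The following is an added example, not part of the original post; the df text inside it is a constructed copy of the output shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's rule of thumb
# to `df -h` output and pick the largest mount backed by a /dev/block device.
# SAMPLE_DF is a constructed copy of the df -h output shown in the post;
# on a live device replace it with: SAMPLE_DF=$(adb shell df -h)
SAMPLE_DF='Filesystem            Size  Used Avail Use% Mounted on
tmpfs                 1.3G  1.0M  1.3G   1% /dev
/dev/block/mmcblk0p61 2.9G  1.4G  1.5G  48% /
/dev/block/mmcblk0p62 787M  427M  360M  55% /vendor
magisk                1.3G  4.1M  1.3G   1% /sbin
/dev/block/mmcblk0p64  22G   18G  4.3G  81% /data
/dev/block/mmcblk0p60 232M  200K  232M   1% /cache
/dev/block/mmcblk0p53  27M  404K   27M   2% /mnt/vendor/persist
/data/media            22G   18G  4.3G  81% /mnt/runtime/default/emulated'

# to_bytes SIZE: convert a df -h size (22G, 787M, 512K, 0) into bytes.
# df -h uses powers of 1024, so G = 1024^3 and so on.
to_bytes() {
    printf '%s\n' "$1" | awk '{
        n = $1; unit = substr(n, length(n), 1); v = n; mult = 1;
        if (unit ~ /[KMGT]/) v = substr(n, 1, length(n) - 1);
        if (unit == "K") mult = 1024;
        if (unit == "M") mult = 1024 * 1024;
        if (unit == "G") mult = 1024 * 1024 * 1024;
        if (unit == "T") mult = 1024 * 1024 * 1024 * 1024;
        printf "%.0f\n", v * mult;
    }'
}

# block_mounts DF_TEXT: print "device size_bytes mountpoint" for every line
# whose filesystem is a block device under /dev/block. The header, tmpfs,
# the magisk pseudo-filesystem and the /data/media bind mount all fall out
# of the case pattern, which is exactly the filtering the post does by eye.
block_mounts() {
    printf '%s\n' "$1" | while read -r fs size _used _avail _usep mnt; do
        case "$fs" in
            /dev/block/*) printf '%s %s %s\n' "$fs" "$(to_bytes "$size")" "$mnt" ;;
        esac
    done
}

# largest_block_mount DF_TEXT: the device node backing the biggest
# block-backed mount, i.e. the acquisition target under the post's rule.
largest_block_mount() {
    block_mounts "$1" | sort -k2,2nr | head -n 1 | cut -d' ' -f1
}

# Show the candidates largest first, then the chosen partition.
block_mounts "$SAMPLE_DF" | sort -k2,2nr
largest_block_mount "$SAMPLE_DF"
```

Running it on the sample prints the block-backed mounts in descending size order and then /dev/block/mmcblk0p64 as the target. On a real device the whole-disk node /dev/block/mmcblk0 never appears in df because it is not mounted, which is why the post has to justify that choice separately.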

Data Acquisition (Cloning) #

Once we know which partition is correct, we need to clone it; the cloned result will be used for analysis. To clone the partition we need to create a connection between my device and my Linux machine. I will open a new shell on my machine (terminal) and type this command.

[ root@server: ~ ]
└# adb forward tcp:9999 tcp:9999
9999

[ root@server: ~ ]
└# ss -antpl
State           Recv-Q          Send-Q                     Local Address:Port                     Peer Address:Port          Process
LISTEN          0               4096                           127.0.0.1:5037                          0.0.0.0:*              users:(("adb",pid=16410,fd=7))
LISTEN          0               128                              0.0.0.0:22                            0.0.0.0:*              users:(("sshd",pid=15208,fd=3))
LISTEN          0               4096                           127.0.0.1:9999                          0.0.0.0:*              users:(("adb",pid=16410,fd=11))
LISTEN          0               128                                 [::]:22                               [::]:*              users:(("sshd",pid=15208,fd=4))

This command forwards port 9999 on the Linux machine to port 9999 on the device. Once the connection is created, we need the device to send the partition to my Linux machine.

NOTE: below is my Android device terminal!

127|whyred:/ # dd if=/dev/block/mmcblk0p64 | nc -l -p 9999

This command streams the disk partition into the TCP connection we just created; when we enter it, the device will start listening. After that I will create a receiver on my Linux machine.

NOTE: this is my Linux machine terminal

[ root@server: ~ ]
└# nc 127.0.0.1 9999 > android.dd

This nc (netcat) command creates the receiver on port 9999 and pipes the output into the android.dd file. Then wait and do not interrupt it; it takes a while.

NOTE: this is another terminal on my Linux machine

[ root@server: ~ ]
└# ls
android.dd

[ root@server: ~ ]
└# ls -lah android.dd
-rw-r--r-- 1 root root 390M May 14 09:35 android.dd

[ root@server: ~ ]
└# ls -lah android.dd
-rw-r--r-- 1 root root 618M May 14 09:35 android.dd

See, the size keeps getting bigger. To monitor it you can use the watch command like this.

[ root@server: ~ ]
└# watch -n 1 ls -la android.dd

or you can use watch with the du command

[ root@server: ~ ]
└# watch -n 1 du -s android.dd

Once the cloning process has finished, here is the output.

[ root@server: ~ ]
└# ls
android.dd

[ root@server: ~ ]
└# file android.dd
android.dd: F2FS filesystem, UUID=119742b9-6e7d-46f5-9bb0-008d99b815f8, volume name ""

[ root@server: ~ ]
└# ls -lh android.dd
-rw-r--r-- 1 root root 23G May 14 09:53 android.dd

Then the most important thing is to verify the file hash. This will take a while because the file is big.

[ root@server: ~ ]
└# md5sum android.dd

Here is the output.

[ root@server: ~ ]
└# md5sum android.dd
2bf51f6d83080c44ff635a95b05a141c2  android.dd

Now you have it. Make sure this hash stays the same; the next step is to make a copy of this partition image and work (analyse) on the copy.
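The steps above (adb forward, dd piped into nc on the device, nc receiving on the host, then hashing the image) can be run from one script on the Linux machine. The script below is an added example and not the post's own tooling; it also adds the check a practitioner wants that the post only implies: hashing the source partition on the device itself and comparing it with the hash of the received image, so a truncated or corrupted transfer is caught before analysis starts. It assumes a rooted device reachable through adb, with su, dd, nc and md5sum available in the device shell (toybox provides them on modern Android), and the function names and the 2-second start-up delay are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): automate the post's
# dd | nc acquisition from the Linux host and verify the image against a
# hash computed on the device. Assumes: rooted device on adb, `su`, `dd`,
# `nc` and `md5sum` present in the device shell (toybox).
set -u

PORT=9999

# digest_of_line LINE: extract the hex digest from "digest  filename"
# output, the format printed by md5sum/sha256sum on both toybox and GNU.
digest_of_line() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# looks_like_digest ALGO DIGEST: sanity-check digest length and charset
# (md5 = 32 hex chars, sha256 = 64). A digest of the wrong length has been
# truncated or mis-copied and must not be used for verification.
looks_like_digest() {
    algo=$1; d=$2
    case "$algo" in
        md5)    want=32 ;;
        sha256) want=64 ;;
        *)      return 1 ;;
    esac
    [ "${#d}" -eq "$want" ] && printf '%s' "$d" | grep -Eq '^[0-9a-f]+$'
}

# digests_match A B: true only when both are non-empty and identical, so a
# failed remote command (empty output) never passes as a match.
digests_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# acquire_partition DEVICE_PATH OUTPUT_FILE: the post's procedure plus a
# source-vs-image hash comparison.
acquire_partition() {
    src=$1; out=$2
    adb forward "tcp:$PORT" "tcp:$PORT"
    # Device side first so it is listening before the host connects.
    adb shell "su -c 'dd if=$src | nc -l -p $PORT'" &
    sleep 2
    nc 127.0.0.1 "$PORT" > "$out"
    wait
    adb forward --remove "tcp:$PORT"

    # Hash the source partition on the device and the image on the host.
    remote=$(digest_of_line "$(adb shell "su -c 'md5sum $src'")")
    image=$(digest_of_line "$(md5sum "$out")")
    looks_like_digest md5 "$remote" || { echo "bad device digest: $remote" >&2; return 1; }
    if digests_match "$remote" "$image"; then
        echo "verified: $image  $out"
    else
        echo "MISMATCH: device=$remote image=$image" >&2
        return 1
    fi
}

# Usage: sh acquire.sh /dev/block/mmcblk0p64 android.dd
if [ "$#" -eq 2 ]; then
    acquire_partition "$1" "$2"
fi
```

The hash on the device side reads the same block device dd just streamed, so the two digests agree only if every byte arrived; record both values with the image. Swapping md5sum for sha256sum on both sides (and passing sha256 to looks_like_digest) works unchanged, since toybox and coreutils print the same "digest  filename" shape.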

The end #

Thanks for being here.