hacktricks/android-forensics.md
2022-05-01 16:17:23 +00:00

3.4 KiB

Android Forensics

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.

Locked Device

To start extracting data from an Android device it has to be unlocked. If it's locked you can:

Data Adquisition

Create an android backup using adb and extract it using Android Backup Extractor: java -jar abe.jar unpack file.backup file.tar

If root access or physical connection to JTAG interface

  • cat /proc/partitions (search the path to the flash memory, generally the first entry is mmcblk0 and corresponds to the whole flash memory).
  • df /data (Discover the block size of the system).
  • dd if=/dev/block/mmcblk0 of=/sdcard/blk0.img bs=4096 (execute it with the information gathered from the block size).

Memory

Use Linux Memory Extractor (LiME) to extract the RAM information. It's a kernel extension that should be loaded via adb.

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.