hacktricks/android-forensics.md
carlospolop f0e09e3f54 social
2023-03-06 00:16:20 +01:00

4.1 KiB

Android Forensics

HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥

Locked Device

To start extracting data from an Android device it has to be unlocked. If it's locked you can:

Data Acquisition

Create an Android backup using adb and extract it using Android Backup Extractor: java -jar abe.jar unpack file.backup file.tar
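What the unpack step does for an unencrypted backup, shown as an added Python example (not code from HackTricks or from Android Backup Extractor): the file starts with four text header lines (magic, version, compression flag, encryption), followed by a zlib stream that wraps a tar archive. The function names and the sample backup are constructed for illustration, and encrypted backups are rejected rather than decrypted.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"

def parse_ab_header(stream):
    """Read the four newline-terminated header lines of an adb backup."""
    lines = [stream.readline().rstrip(b"\n") for _ in range(4)]
    magic, version, compressed, encryption = lines
    if magic != MAGIC:
        raise ValueError("not an Android backup file")
    return {
        "version": int(version),
        "compressed": compressed == b"1",
        "encryption": encryption.decode("ascii"),
    }

def unpack_ab(stream, out, chunk=64 * 1024):
    """Stream the tar payload of an unencrypted backup into `out`."""
    header = parse_ab_header(stream)
    if header["encryption"] != "none":
        raise NotImplementedError("encrypted backup: the password is required")
    inflater = zlib.decompressobj() if header["compressed"] else None
    while True:
        block = stream.read(chunk)
        if not block:
            break
        out.write(inflater.decompress(block) if inflater else block)
    if inflater:
        out.write(inflater.flush())
    return header

def build_sample_backup():
    """Constructed sample: a one-file tar wrapped as a version 5 backup."""
    tar_bytes = io.BytesIO()
    with tarfile.open(fileobj=tar_bytes, mode="w") as tar:
        data = b"<map></map>"
        info = tarfile.TarInfo("apps/com.example.app/sp/prefs.xml")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return MAGIC + b"\n5\n1\nnone\n" + zlib.compress(tar_bytes.getvalue())

def list_backup_members(ab_bytes):
    """Unpack in memory and return (header, member names) for triage."""
    out = io.BytesIO()
    header = unpack_ab(io.BytesIO(ab_bytes), out)
    out.seek(0)
    with tarfile.open(fileobj=out, mode="r") as tar:
        return header, tar.getnames()
```

Checking the header before unpacking shows immediately whether the backup was taken with a password, in which case the payload is not a plain zlib stream.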

If you have root access or a physical connection to the JTAG interface:

  • cat /proc/partitions (search the path to the flash memory, generally the first entry is mmcblk0 and corresponds to the whole flash memory).
  • df /data (Discover the block size of the system).
  • dd if=/dev/block/mmcblk0 of=/sdcard/blk0.img bs=4096 (run it with the block size found in the previous step).

Memory

Use Linux Memory Extractor (LiME) to extract the RAM information. It's a kernel extension that should be loaded via adb.
