Android Physical Extraction - FAQ

Nadav Horesh June, 2012

Table of Contents

Introduction ...... 3 Android Debugging Bridge (ADB) ...... 4 Q: What does ADB stand for and how does it work? .. ………………………………………………………………………….4 Q: So can ADB be used to extract any Android device? What’s the catch? ……………………………………………4 Q: How do I turn on USB debugging? ...... …………………………………………………………………………………………4 Q: Does this method bypass the unlock password or pattern? Will I be able to reveal it? ...... 4 Q: How do I get Administrator (root) permissions on the device? ...... 4 Q: I turned on USB debugging. What extraction types can I perform? ...... 4 Q: Does this extraction method change any of the data on the device? ...... 5 Q: Can you summarize this entire ADB topic in one sentence? ...... 5 Boot Loader Extraction ...... 5 Q: What is Boot loader extraction? ...... 5 Q: Does this method bypass the unlock password or pattern? Will I be able to reveal it? ...... 5 Q: Does this extraction method change any of the data on the device? ...... 5 Q: Which devices are supported by this method? ...... 5 Technical Terms ...... 5

Introduction

There are many different devices running the Android OS: Phones, MP3 Players, Tablets, eBook Readers and more. There are two main approaches when it comes to extracting Android devices:  ADB (USB Debugging) method which utilizes a built-in protocol within the operating system  Several other methods in which the extraction takes place before the operating system has started running This document will cover the pros and cons of each method and will try to answer frequently asked questions.

Android Debugging Bridge (ADB)

Q: What does ADB stand for and how does it work? A: ADB, or Android Debugging Bridge, is a built-in protocol within the Android operating system. This means that basically every Android-based device should have this protocol. This protocol enables developers to connect to an Android-based device and perform low-level commands used for development. We utilize this protocol to perform an extraction of Android Devices.

Q: So can ADB be used to extract any Android device? What’s the catch? A: Yes and no. In theory, every Android device can be extracted using ADB. However, there are some limitations: The USB debugging option must be enabled on the device and we need to get administrator (root) permissions on it.

Q: How do I turn on USB debugging? A: On most Android devices, do the following: go to “Menu” -> “Settings” -> “Applications” -> “Development” and then click “USB debugging” to enable ADB.

Q: Does this method bypass the unlock password or pattern? Will I be able to reveal it? A: As explained above, USB debugging must be turned on before it’s possible to attempt an extraction, and this cannot be done when the device is locked. However, in some cases the user could have turned on USB debugging before locking the device. In this case you will be able to “bypass” the screen lock. If you successfully perform an extraction you will be able to see the Numeric password or pattern lock protecting the device in the Physical Analyzer.

Q: How do I get Administrator (root) permissions on the device? A: After ADB is turned on, the UFED will automatically detect the Android OS version running on the connected device and whether it is rooted or not. if the device is not rooted the UFED will gain root permissions automatically. . This is currently supported for all available Android OS versions (1.5-4.0.x). It is possible to manually root the device using 3rd party tools, but this is not recommended as it may harm the integrity of the data on the device, potentially even “bricking” it.

Q: I turned on USB debugging. What extraction types can I perform? A: You can currently perform either a Physical Extraction which will extract all the data on the device, or File System Extraction which will extract only relevant files. The advantage of a Physical Extraction is that it retrieves more data from the device, making it possible to recover deleted files such as photos that were saved on the device. The down side is that it takes more time, and that File System reconstruction is not supported for all devices. If you choose to do a File System Extraction you will save time and will still be able to view all vital information including deleted records (but excluding deleted files) even if File System reconstruction is not supported.

Q: Does this extraction method change any of the data on the device? A: Few clients are copied to the device into the “/data/local/tmp” folder. Besides that, nothing is changed. Q: Can you summarize this entire ADB topic in one sentence? A: Sure. It is possible to perform a physical or file system extraction on almost any Android device, provided that it’s not locked (or USB debugging was previously enabled). All currently available Android OS versions are supported (1.5-4.0.x).

Boot Loader Extraction

Q: What is Boot loader extraction? A: This method performs a physical extraction of the device when it's in Boot Loader mode. Many Android devices can be turned on in special modes, used for debugging or for firmware upgrade. In this extraction method the Android OS is not running, so the device can’t connect to the mobile network.

Q: Does this method bypass the unlock password or pattern? Will I be able to reveal it? A: Yes, you will be able to bypass any type of lock, and will be able to reveal a numeric PIN lock or unlock pattern.

Q: Does this extraction method change any of the data on the device? A: No, this method is completely forensically sound.

Q: Which devices are supported by this method? A: Currently supported devices are Most Motorola Android devices, Selected Samsung Android devices, selected Qualcomm devices and selected LG GSM and CDMA.

Technical Terms

Android- Google’s mobile OS. You can find a list of Android devices here: http://en.wikipedia.org/wiki/List_of_Android_devices. Another very helpful resource is http://pdadb.net

Brick- A device that cannot function in any capacity (such as a device with damaged firmware). (http://en.wikipedia.org/wiki/Brick_%28electronics%29)

Client - A program written by Cellebrite that runs on the Android OS itself.

Root/rooting- A process that allows users of cell phones and other devices running the Android operating system to attain privileged control (known as "root access") within Android's Linux subsystem, similar to jailbreaking on Apple devices running the iOS operating system, overcoming limitations that the carriers and manufacturers put on such phones. (http://en.wikipedia.org/wiki/Rooting_%28Android_OS%29)