Android Forensics

Android's comparatively open platform offers several acquisition routes, from a logical ADB backup (no root needed, but only what apps allow) to a full physical image of the flash device (requires root):

Android Acquisition Methods:

# ADB backup (logical acquisition; apps that set allowBackup=false are skipped,
# and recent Android versions have deprecated this mechanism)
adb backup -apk -shared -all -system -f backup.ab

# Physical acquisition with dd (requires root on the device)
adb shell
su
dd if=/dev/block/mmcblk0 of=/sdcard/device_image.img
exit
exit
# Pull the image off the device and record its hash for chain of custody
adb pull /sdcard/device_image.img .
sha256sum device_image.img

# Extract APKs and app data (requires root for /data/data)
adb pull /data/app/ ./apps/
adb pull /data/data/ ./appdata/

Android Data Extraction:

import io
import tarfile
import zlib

def extract_android_backup(backup_file, out_dir='extracted_backup/'):
    """Unpack an unencrypted 'adb backup' (.ab) file into out_dir.

    The .ab header is four newline-terminated text lines: the magic
    "ANDROID BACKUP", the format version, a compression flag (1/0) and the
    encryption algorithm ("none" or "AES-256"). The payload that follows is
    a tar archive, zlib-compressed when the flag is 1.
    """
    with open(backup_file, 'rb') as f:
        # Parse the header line by line instead of skipping a fixed 24 bytes
        magic = f.readline()
        if magic != b'ANDROID BACKUP\n':
            raise ValueError('not an Android backup file')
        version = int(f.readline().strip())
        compressed = f.readline().strip() == b'1'
        encryption = f.readline().strip()
        if encryption != b'none':
            raise ValueError('encrypted backup (%s): decrypt with the user '
                             'password before extracting' % encryption.decode())
        payload = f.read()

    # Android uses java.util.zip.Deflater, i.e. zlib framing (not gzip),
    # so plain zlib.decompress() is the right call
    if compressed:
        payload = zlib.decompress(payload)

    # Unpack the tar archive straight from memory; the 'data' filter (where
    # the Python version has it) refuses absolute paths and '..' traversal
    with tarfile.open(fileobj=io.BytesIO(payload), mode='r:') as tar:
        if hasattr(tarfile, 'data_filter'):
            tar.extractall(out_dir, filter='data')
        else:
            tar.extractall(out_dir)
    return version

Key Android Artifacts:

  • SMS/MMS: /data/data/com.android.providers.telephony/databases/
  • Call Logs: /data/data/com.android.providers.contacts/databases/
  • Contacts: contacts2.db (in the contacts provider databases directory above)
  • Browser History: /data/data/com.android.chrome/
  • Wi-Fi Passwords: /data/misc/wifi/
  • Application Data: /data/data/[package_name]/
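As an added example (not part of the original page), the following script parses the SMS table of the telephony provider database listed above. The real file is mmssms.db; here a constructed stand-in with the same column names is built inline so the script runs offline, and the sms table layout and type codes are assumed from the Android Telephony provider. The evidence database is opened read-only and the millisecond epoch timestamps are rendered as UTC.

```python
import os
import sqlite3
from datetime import datetime, timezone

# 'type' column values of the telephony provider's sms table (assumed
# from Telephony.TextBasedSmsColumns); 1 = inbox and 2 = sent are the
# ones seen most often in casework.
SMS_TYPES = {1: 'inbox', 2: 'sent', 3: 'draft', 4: 'outbox',
             5: 'failed', 6: 'queued'}

def build_sample_mmssms_db(path):
    """Constructed stand-in for mmssms.db with only the columns we query."""
    if os.path.exists(path):
        os.remove(path)
    con = sqlite3.connect(path)
    con.execute('CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, '
                'address TEXT, date INTEGER, type INTEGER, body TEXT)')
    con.executemany('INSERT INTO sms VALUES (?,?,?,?,?,?)', [
        (1, 1, '+15555550100', 1700000000000, 1, 'Your code is 482913'),
        (2, 1, '+15555550100', 1700000060000, 2, 'thanks'),
        (3, 2, '+15555550199', 1700003600000, 1, 'Meeting moved to 3pm'),
    ])
    con.commit()
    con.close()

def read_sms(db_path):
    """Return messages as dicts, oldest first, with the 'date' column
    (milliseconds since the Unix epoch) converted to ISO-8601 UTC."""
    # Read-only URI so the evidence file is never modified by the parser
    con = sqlite3.connect('file:%s?mode=ro' % db_path, uri=True)
    rows = con.execute('SELECT _id, thread_id, address, date, type, body '
                       'FROM sms ORDER BY date').fetchall()
    con.close()
    out = []
    for _id, thread_id, address, date_ms, mtype, body in rows:
        ts = datetime.fromtimestamp(date_ms / 1000, tz=timezone.utc)
        out.append({'id': _id, 'thread': thread_id, 'address': address,
                    'time_utc': ts.isoformat(),
                    'direction': SMS_TYPES.get(mtype, 'unknown(%s)' % mtype),
                    'body': body})
    return out

if __name__ == '__main__':
    build_sample_mmssms_db('sample_mmssms.db')
    for m in read_sms('sample_mmssms.db'):
        print(m['time_utc'], m['direction'], m['address'], m['body'])
```

Point read_sms() at a pulled mmssms.db to get the same output for real evidence; the direction and UTC conversion are the two details most often mishandled when timelining SMS data.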