Android Forensics
Android's comparatively open platform (adb access, rootable devices, well-documented SQLite stores) offers several acquisition routes; which ones are available depends on the device's OS version, root state and lock state:
Android Acquisition Methods:
# ADB backup (logical acquisition). Needs USB debugging enabled, an unlocked device and the
# user confirming the backup prompt on screen. Apps that set allowBackup="false" are skipped,
# and for apps targeting Android 12 or later app data is excluded by default.
adb backup -apk -shared -all -system -f backup.ab
# Physical acquisition with dd (requires root). mmcblk0 is the eMMC device; UFS devices
# expose the flash as /dev/block/sda instead, so check /dev/block/bootdevice/by-name/ or
# /dev/block/by-name/ first.
adb shell
su
dd if=/dev/block/mmcblk0 of=/sdcard/device_image.img
# Writing the image to /sdcard alters the userdata partition you are imaging and often
# does not fit; streaming dd's output off the device with adb exec-out avoids both.
# Extract APKs and data (both paths are root-only; pull the SQLite -wal/-journal sidecar
# files together with the databases, or the most recent writes are missing)
adb pull /data/app/ ./apps/
adb pull /data/data/ ./appdata/
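A full-disk dd image is only useful once you know where the partitions sit in it, and you want hashes of the image and of each carved partition for the case record. The following example is added here and is not part of the original notes or any Android tool: it builds a small constructed GPT image (protective MBR, primary header, two entries; the backup GPT at the end of the disk is omitted), parses and CRC-checks the table, carves a partition by offset and hashes it. The 512-byte sector size and the generic Linux filesystem type GUID are assumptions for the sample; a real device image carries dozens of partitions with vendor-specific type GUIDs, but the parsing is the same.

```python
import hashlib
import struct
import uuid
import zlib

SECTOR = 512                         # logical block size assumed for the sample image
GPT_HEADER = '<8sIIIIQQQQ16sQIII'   # UEFI GPT header, 92 bytes
GPT_ENTRY = '<16s16sQQQ72s'         # one partition entry, 128 bytes
# Generic Linux filesystem type GUID, used only for the constructed sample
LINUX_FS = uuid.UUID('0fc63daf-8483-4772-8e79-3d69d8477de4')


def build_sample_image(partitions, total_sectors=128):
    """Constructed dd-style image (not from a real device): protective MBR at LBA 0,
    GPT header at LBA 1, entries at LBA 2.  partitions = [(name, first_lba, last_lba)]."""
    img = bytearray(total_sectors * SECTOR)
    # protective MBR: one 0xEE entry covering the disk, then the 0x55AA boot signature
    img[446:462] = struct.pack('<BBBBBBBBII', 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF, 1, total_sectors - 1)
    img[510:512] = b'\x55\xAA'
    entries = b''.join(
        struct.pack(GPT_ENTRY, LINUX_FS.bytes_le, uuid.UUID(int=i + 1).bytes_le,
                    first, last, 0, name.encode('utf-16-le'))
        for i, (name, first, last) in enumerate(partitions))
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    header = struct.pack(GPT_HEADER, b'EFI PART', 0x00010000, 92, 0, 0,
                         1, total_sectors - 1, 34, total_sectors - 1,
                         uuid.UUID(int=0xA5).bytes_le, 2, len(partitions), 128,
                         zlib.crc32(entries) & 0xFFFFFFFF)
    # the header CRC32 is computed with its own CRC field zeroed
    header = header[:16] + struct.pack('<I', zlib.crc32(header) & 0xFFFFFFFF) + header[20:]
    img[SECTOR:SECTOR + 92] = header
    return bytes(img)


def parse_gpt(img):
    """List the partitions described by the primary GPT of a raw full-disk image.
    Both CRCs are verified so a truncated or partly overwritten table raises instead
    of yielding plausible-looking but wrong offsets."""
    raw = img[SECTOR:SECTOR + 92]
    if len(raw) < 92:
        raise ValueError('image too short to hold a GPT header')
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _bak, _first_usable, _last_usable,
     _disk_guid, entries_lba, n_entries, entry_size, entries_crc) = struct.unpack(GPT_HEADER, raw)
    if sig != b'EFI PART':
        raise ValueError('no GPT signature at LBA 1: not a full-disk image, or not GPT')
    hdr = img[SECTOR:SECTOR + hdr_size]
    if zlib.crc32(hdr[:16] + b'\0\0\0\0' + hdr[20:]) & 0xFFFFFFFF != hdr_crc:
        raise ValueError('GPT header CRC mismatch')
    start = entries_lba * SECTOR
    table = img[start:start + n_entries * entry_size]
    if zlib.crc32(table) & 0xFFFFFFFF != entries_crc:
        raise ValueError('partition entry array CRC mismatch (truncated or modified image?)')
    parts = []
    for i in range(n_entries):
        entry = table[i * entry_size:i * entry_size + 128]
        type_guid, _uniq, first, last, _attrs, name = struct.unpack(GPT_ENTRY, entry)
        if type_guid == b'\0' * 16:
            continue                      # unused slot
        parts.append({'index': i,
                      'name': name.decode('utf-16-le').rstrip('\0'),
                      'type': str(uuid.UUID(bytes_le=type_guid)),
                      'offset': first * SECTOR,
                      'size': (last - first + 1) * SECTOR})
    return parts


def carve(img, part):
    """Return the bytes of one partition; on a real image write this to a file and hash it."""
    return img[part['offset']:part['offset'] + part['size']]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == '__main__':
    image = build_sample_image([('boot', 34, 49), ('userdata', 50, 127)])
    print('image sha256', sha256_hex(image))
    for p in parse_gpt(image):
        print('%-10s offset=%d size=%d sha256=%s'
              % (p['name'], p['offset'], p['size'], sha256_hex(carve(image, p))))
```

On a real image, replace build_sample_image with reading the dd output from disk (memory-mapping it rather than loading multi-gigabyte files), and record the image hash before any parsing so that later carving can be shown not to have altered the source.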
Android Data Extraction:
An adb backup file starts with four newline-terminated header lines ("ANDROID BACKUP", format version, compressed flag, encryption algorithm) followed by a tar stream that is zlib-deflated when the flag is 1 (Java's Deflater writes a zlib stream, not gzip). Encrypted backups (header line "AES-256") need the user's password and are not handled here.
import io
import tarfile
import zlib

def extract_android_backup(backup_file, out_dir='extracted_backup/'):
    with open(backup_file, 'rb') as f:
        # Parse the header line by line instead of skipping a fixed 24 bytes
        if f.readline() != b'ANDROID BACKUP\n':
            raise ValueError('not an Android backup file')
        version = int(f.readline().strip())
        compressed = f.readline().strip() == b'1'
        encryption = f.readline().strip()
        if encryption != b'none':
            raise ValueError('encrypted backup (%s): decrypt it first' % encryption.decode())
        payload = f.read()
    # wbits | 32 auto-detects a zlib or gzip header
    data = zlib.decompress(payload, zlib.MAX_WBITS | 32) if compressed else payload
    # Open the tar from memory. The 'data' filter (Python 3.12+) rejects absolute paths
    # and ../ members, so a crafted backup cannot write outside out_dir ("tar slip").
    with tarfile.open(fileobj=io.BytesIO(data), mode='r:') as tar:
        if hasattr(tarfile, 'data_filter'):
            tar.extractall(out_dir, filter='data')
        else:
            tar.extractall(out_dir)
    return version
Key Android Artifacts (most are SQLite databases; pull the -wal and -journal sidecar files with them or recent writes are missed):
- SMS/MMS: /data/data/com.android.providers.telephony/databases/mmssms.db (sms and pdu tables; 'date' columns are milliseconds since the Unix epoch; MMS attachments under app_parts/ in the same package directory)
- Call Logs: /data/data/com.android.providers.contacts/databases/calllog.db (calls table; older releases keep it inside contacts2.db)
- Contacts: /data/data/com.android.providers.contacts/databases/contacts2.db
- Browser History: /data/data/com.android.chrome/app_chrome/Default/History (urls and visits tables; timestamps are microseconds since 1601-01-01 UTC)
- Wi-Fi Passwords: /data/misc/wifi/wpa_supplicant.conf on older releases, WifiConfigStore.xml from Android 8 (under /data/misc/apexdata/com.android.wifi/ from Android 11); PSKs are stored in cleartext
- Application Data: /data/data/[package_name]/ (databases/, shared_prefs/, files/)
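The three database artifacts above use two different timestamp encodings, and getting them wrong silently shifts a timeline by decades. The following example is added here (it is not part of the original notes): it converts both encodings, opens pulled databases read-only, and merges messages, calls and browser visits into one UTC-ordered timeline. The sample databases are constructed in memory with only the column subsets the queries use; the real mmssms.db, calllog.db and History files have many more columns, but the ones named here exist with these meanings.

```python
import datetime
import sqlite3

UNIX_EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
WEBKIT_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)

# Telephony.TextBasedSmsColumns.MESSAGE_TYPE_* and CallLog.Calls.*_TYPE constants
SMS_TYPE = {1: 'inbox', 2: 'sent', 3: 'draft', 4: 'outbox', 5: 'failed', 6: 'queued'}
CALL_TYPE = {1: 'incoming', 2: 'outgoing', 3: 'missed', 4: 'voicemail', 5: 'rejected', 6: 'blocked'}


def android_ms_to_utc(ms):
    """Telephony and call-log 'date' columns: milliseconds since the Unix epoch."""
    return UNIX_EPOCH + datetime.timedelta(milliseconds=ms)


def webkit_to_utc(us):
    """Chrome History timestamps: microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + datetime.timedelta(microseconds=us)


def open_readonly(path):
    """Open a pulled database without touching it; its -wal/-journal files must sit beside it."""
    return sqlite3.connect('file:%s?mode=ro' % path, uri=True)


def build_sample_databases():
    """Constructed sample data (not from a real device) with the columns the queries use."""
    sms = sqlite3.connect(':memory:')
    sms.executescript("""
        CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT,
                          date INTEGER, date_sent INTEGER, read INTEGER, type INTEGER, body TEXT);
        INSERT INTO sms VALUES (1, 1, '+15551230001', 1700000000000, 1699999995000, 1, 1, 'Your code is 482913');
        INSERT INTO sms VALUES (2, 1, '+15551230001', 1700000060000, 0, 1, 2, 'thanks');
    """)
    calls = sqlite3.connect(':memory:')
    calls.executescript("""
        CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, date INTEGER,
                            duration INTEGER, type INTEGER, name TEXT);
        INSERT INTO calls VALUES (1, '+15551230002', 1700000300000, 95, 2, NULL);
        INSERT INTO calls VALUES (2, '+15551230003', 1700000900000, 0, 3, 'Bob');
    """)
    history = sqlite3.connect(':memory:')
    history.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.com/login', 'Login', 3, 13343200000000000);
    """)
    return sms, calls, history


def timeline(sms_db, calls_db, history_db):
    """Merge the three sources into (utc_time, source, kind, party, detail) tuples, oldest first."""
    events = []
    for address, date, typ, body in sms_db.execute('SELECT address, date, type, body FROM sms'):
        events.append((android_ms_to_utc(date), 'sms', SMS_TYPE.get(typ, str(typ)), address, body))
    for number, date, duration, typ in calls_db.execute('SELECT number, date, duration, type FROM calls'):
        events.append((android_ms_to_utc(date), 'call', CALL_TYPE.get(typ, str(typ)), number, '%ds' % duration))
    for url, title, last_visit in history_db.execute('SELECT url, title, last_visit_time FROM urls'):
        events.append((webkit_to_utc(last_visit), 'web', 'visit', url, title))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == '__main__':
    for when, source, kind, party, detail in timeline(*build_sample_databases()):
        print(when.isoformat(), source, kind, party, detail)
```

For pulled files, replace build_sample_databases with open_readonly('appdata/com.android.providers.telephony/databases/mmssms.db') and so on; a read-only open of a WAL-mode database still needs the -wal file next to it to show the latest rows, which is why the sidecars must be pulled with the database.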