
Not having the money to spend on the sophisticated tools that are available, I search for open-source tools to create my Autopsy-usable forensic image.

I have not had (very) great success yet, but I have not reached the end of the line either. :-)

Hence everything here is still "work in progress".

Imaging using "adb backup"

ADB Cheat Sheet
https://www.automatetheplanet.com/adb-cheat-sheet/

C:\Users\Marcus\AppData\Local\Android\Sdk\platform-tools>adb backup -all -apk -shared -f N:\PIR\Tools\Jella.ab

WARNING: adb backup is deprecated and may be removed in a future release
Now unlock your device and confirm the backup operation…

Using this on a non-rooted device gives an .ab file that needs to be converted to .tar and unpacked; it can then be imported as "Logical Files" in Autopsy.
Downside: This does not create a complete image, because there is no right to access /data.

Using this on a rooted device gives an .ab file that needs to be converted to .tar and unpacked; it can then be imported as "Logical Files" in Autopsy.
Downside: You need to root the Android device first, which changes the evidence.

Convert to .tar

Install JDK 7
https://www.oracle.com/java/technologies/javase/javase7-archive-downloads.html#license-lightbox
set JAVA_HOME=C:\Program Files\Java\jdk1.7.0_80

Install ABE
https://github.com/icepaule/android-backup-extractor
C:\Users\Marcus\AppData\Local\Android\Sdk\platform-tools\android-backup-extractor-master>gradlew.bat

Convert to .tar
C:\Users\xxx\AppData\Local\Android\Sdk\platform-tools\android-backup-extractor-master>"C:\Program Files\Java\jdk1.7.0_80\bin\java" -jar build/libs/abe-all.jar unpack ..\backup.ab ..\backup.tar
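
Added example (not part of the original notes and not abe's own code): an unencrypted .ab file is four text header lines (magic, version, compression flag, encryption) followed by a zlib-deflated tar stream, so the conversion can also be done in Python while recording a SHA-256 of the .ab for the case notes. The function names and the sample backup are made up for this illustration.

```python
import hashlib
import io
import sys
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"

def read_header(fh):
    """Read the four text lines that precede the payload of an .ab file."""
    magic, version, compressed, encryption = (fh.readline().strip() for _ in range(4))
    if magic != MAGIC:
        raise ValueError("not an Android backup file")
    return {"version": int(version), "compressed": compressed == b"1",
            "encryption": encryption.decode()}

def ab_to_tar(ab_path, tar_path, chunk=1 << 20):
    """Convert an unencrypted .ab to .tar; return (header, SHA-256 of the .ab)."""
    digest = hashlib.sha256()
    with open(ab_path, "rb") as src:
        header = read_header(src)
        if header["encryption"] != "none":
            raise ValueError("encrypted backup: " + header["encryption"])
        payload_start = src.tell()
        src.seek(0)
        digest.update(src.read(payload_start))  # the hash covers the header too
        inflate = zlib.decompressobj() if header["compressed"] else None
        with open(tar_path, "wb") as dst:
            for block in iter(lambda: src.read(chunk), b""):  # stream large backups
                digest.update(block)
                dst.write(inflate.decompress(block) if inflate else block)
            if inflate:
                dst.write(inflate.flush())
    return header, digest.hexdigest()

def make_sample_ab(path):
    """Constructed sample: a one-file tar, deflated, behind a version 5 header."""
    raw = io.BytesIO()
    data = b"constructed sample\n"
    info = tarfile.TarInfo("apps/com.example.app/_manifest")
    info.size = len(data)
    with tarfile.open(fileobj=raw, mode="w") as tar:
        tar.addfile(info, io.BytesIO(data))
    with open(path, "wb") as fh:
        fh.write(MAGIC + b"\n5\n1\nnone\n" + zlib.compress(raw.getvalue()))

if __name__ == "__main__":
    header, sha256 = ab_to_tar(sys.argv[1], sys.argv[2])
    print(header, sha256)
```

A backup made with a password has an encryption line other than "none"; the script refuses it, and abe with the password is still needed for that case.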

Imaging using "andriller"

Extract from a rooted device:

Convert into a tar-file:

Extract the tar file (with 7zip)

Now import as "logical file" into Autopsy:

Imaging a rooted Android using busybox

On the target machine (having [target-IP]):

nc -l [target-IP] -p 5555 > android_data.dd

On the source Android device (use "adb -d shell" and then "su -" to connect):

dd if=/dev/block/bootdevice/by-name/userdata bs=1024k | busybox nc [target-IP] 5555