[Windows] Android Acquisition using ADB, root, ncat and DD

  • Published on 21 Apr 2017
  • In this video we acquire an Android smartphone (Samsung Note II) with Android Debug Bridge (ADB), ncat and dd from a Windows forensic workstation. The system I am using is Windows 10. On the "forensic workstation" you will need ADB and netcat (ncat) installed.
    ncat: nmap.org/ncat/
    Android Developer: developer.android.com/studio/...
    KingoRoot: root-apk.kingoapp.com/
    BusyBox: www.appsapk.com/busybox-app/
    FreeAndroidForensics: freeandroidforensics.blogspot...
    Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing.
  • Science & Technology
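The host side of the acquisition the description outlines, as an added example that is not the video's own commands: instead of `ncat 127.0.0.1 8888 > android.dd` through an `adb forward`-ed port, a small Python client pulls the dd stream, hashes it as it is written, and reports whether the byte count matches the block device size the phone reported, so a transfer that stopped partway is caught at once. The phone-side sender and the image bytes are constructed stand-ins; the port and file name are assumptions.

```python
import hashlib
import os
import socket
import tempfile
import threading

# Constructed stand-in for the dd stream of /dev/block/mmcblk0 (not a real image).
SAMPLE_IMAGE = bytes(range(256)) * 512  # 131072 bytes


def pull_image(host, port, out_path, expected_size=None, chunk=1 << 16):
    """Connect to the adb-forwarded port (what `ncat host port > file` does), write
    the stream to out_path and hash it on the fly. Returns (bytes, sha256, complete)."""
    h = hashlib.sha256()
    total = 0
    with socket.create_connection((host, port)) as conn, open(out_path, "wb") as out:
        while True:
            data = conn.recv(chunk)
            if not data:  # EOF: the phone-side dd | nc finished, or died partway
                break
            out.write(data)
            h.update(data)
            total += len(data)
    return total, h.hexdigest(), expected_size is None or total == expected_size


def serve_constructed_image(data, stop_after=None):
    """Stand-in for the phone side (`dd if=... | nc -l -p PORT`): send data on a
    localhost port and close; stop_after mimics a transfer that dies partway."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(data if stop_after is None else data[:stop_after])
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def demo(truncate=False):
    """Pull the constructed image into a temp file and check size and hash."""
    port = serve_constructed_image(SAMPLE_IMAGE, 4096 if truncate else None)
    with tempfile.TemporaryDirectory() as tmp:
        received, digest, complete = pull_image(
            "127.0.0.1", port, os.path.join(tmp, "android.dd"), len(SAMPLE_IMAGE))
    return {"received": received, "complete": complete,
            "hash_matches": digest == hashlib.sha256(SAMPLE_IMAGE).hexdigest()}
```

On a real run the expected size is what the phone reports for the block device (for example from `blockdev --getsize64` via BusyBox), and the hash is recorded alongside the image file.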

Comments • 47

  • @TriMarko
    @TriMarko 5 years ago +3

    This and your Linux tutorial are genuinely the two easiest tutorials I've ever watched to follow and understand. You are a godsend thank you

  • @TheFallenRolis
    @TheFallenRolis 6 years ago +3

    Excellent video, you would not believe how long I was struggling to get this working before. xD

  • @31KeKs
    @31KeKs 6 years ago +1

    Great video, keep it up! :)

  • @miguelalfaro1196
    @miguelalfaro1196 7 years ago

    Excellent video, thank you very much

  • @abelmarte554
    @abelmarte554 9 months ago

    Excellent video, it helped me a lot! Just one question, with what programs do I analyze that file?

  • @AntiChrist29
    @AntiChrist29 1 year ago

    Awesome thx for that.

  • @ahmadjamalmughal47
    @ahmadjamalmughal47 4 years ago +1

    Thank you so much, you have a beautiful way of explaining. I am trying to recover lost data from my Android internal storage. I'm using the photorec computer application for it. But it can't detect my phone's drive, so I needed the disk image of the Android phone to recover from it. One question though, does mmcblk0 contain everything, including the sdcard? 🤔

  • @jeremya5
    @jeremya5 6 years ago

    Hi, I'm running Android in a VM. Previous testing has worked, however now when I try (with both my 7.1 and 6.0 VMs) I get the same output each time in size, but it's never the full amount.
    I don't get an error on either the host or the VM; both commands look like they are still running.
    Have you ever seen this?
    I have updated both VM and host to the latest version of ncat and busybox, also termux. Please let me know, thanks J

  • @dannymchenry996
    @dannymchenry996 4 years ago

    Hey, I've tried this experiment with an Android J5 2016, OS 6.0. I can't seem to root the phone with KingoRoot; does this experiment only work with Android phones up to a particular OS version?

  • @leonardomartinvasquezmarti7577
    @leonardomartinvasquezmarti7577 3 years ago +1

    HELP!!! I'm stuck at the end with "Access denied". How do I solve this?

  • @25shubh
    @25shubh 3 years ago +1

    Can we carry out this process without having to root the phone? Can we carry out this process on a OnePlus phone?

  • @IBITZEE
    @IBITZEE 6 years ago

    Excellent video... thx...
    Did you ever use other rooting strategies for Android devices (aware of Android versions)...
    If you know or use others, please make a video about it...
    Also, I'm interested in the success percentage you have with kingroot...
    In my experience it fails quite often on certain phone models of Huawei, Archos, Doogee, GoClever, etc...

    • @DFIRScience
      @DFIRScience 6 years ago +1

      Hello. I usually use Cellebrite and Hancom GMD's products. They work well, but are pretty expensive. I will upload a video about commercial tools, and also another free way.

    • @IBITZEE
      @IBITZEE 6 years ago

      I'm interested in free/OS tools that have no or minimal impact... the goal would be just to add the su*thing to the system... the ideal strategy (in my humble opinion) would be to ADB/download the contents of the phone (as you showed)... add the binaries for the su*thing (attending to the processor type and architecture)... and ADB/upload those binaries (eventually only the changed partition)...
      I find the info+tools of this guy an excellent resource:
      "github.com/phhusson"
      Please comment... waiting for your videos with anxiety :-) ) ) ...

  • @zauq5010
    @zauq5010 6 years ago

    Nice tutorial!! We can back up boot, system, userdata etc. as well, but can we dd the same to the phone from the PC??

    • @DFIRScience
      @DFIRScience 6 years ago

      If you are not using a write blocker you can copy data from the PC to the phone. I would probably try to set up netcat with dd and send the data over a network. You probably will not be able to change files that are in use, meaning you probably won't be able to dd a full system backup.

  • @tiadabatas3816
    @tiadabatas3816 4 years ago +1

    Bro... how can I install Magisk root via ADB??

  • @anjalimesh
    @anjalimesh 1 year ago

    Complete video course?

  • @xbxlxexhx
    @xbxlxexhx 5 years ago +2

    Wait, did we have to install _Nmap_ on the Windows machine prior to extracting _Ncat_ into the platform-tools folder (the 'ncat.exe -h' worked)?
    Also 'adb.exe -h' returned "adb: usage: unknown command -h", but 'adb.exe' returned the help menu ('adb.exe help' without the dash also worked). Could be a version or OS difference, I guess.
    Got stuck at "busybox not found" after the 10:30 mark (Wait, do I need to go on the phone itself, unlock the screen lock, open busybox and then push the install button? But what if the screen is not working any more, and the phone isn't USB-mouse compatible, can I enter the screen unlock PIN somehow?).
    Thank you for the videos and links!

    • @TriMarko
      @TriMarko 5 years ago

      Little late, but I can answer those for you.
      No, Nmap did not need to be installed. If you download the zip file he points to you get ncat.exe and a readme; they have made it so that ncat can be used as a standalone command/tool as opposed to downloading the whole Nmap package.
      It appears the commands have been updated since the video was made; slightly different but not a big deal. You can use adb and ncat instead of adding the .exe file extension to use the commands, as long as you are in that folder in your command prompt. And yes, the adb flag seems to have changed from -h to just h or help.
      It might be saying "busybox not found" if you did not do the bit at 5:27 properly. When you install the rooting app you then need to go to your device and open it to execute the root exploit to gain root access. Then you send over busybox and open the app on your phone; there will be a button in the busybox app to install it, which allows you to use the commands.
      "But what if the screen is not working any more, and the phone isn't USB-mouse compatible, can I enter the screen unlock pin somehow?" - You're going to have some issues there, I'm afraid. If the screen is broken, how do you know if USB debugging is turned on in the developer menu? Your best bet in this case is to download some 'totally legal and not torrented' forensic software that can image the phone from download mode.

    • @xbxlxexhx
      @xbxlxexhx 5 years ago

      @@TriMarko
      The screen didn't respond to touch, but the picture was OK. As to how I knew about the settings - I set them myself before I bricked it with a bogus picture restoration software.
      Eventually I did manage to gain access via some Chrome browser app (it allowed me to use the phone via a PC). It was easier from then on.

  • @rashidsattar1758
    @rashidsattar1758 3 years ago

    Sir, how is a physical image made without rooting the phone?

  • @zekediligence
    @zekediligence 1 year ago

    Thanks for this excellent informative video👍👍
    I'm unable to read/mount the .dd file and see the following error: 'Can not open file test\android_sdc.dd' Also tried as .iso but no joy. Have you encountered this before?
    Have you ever acquired data from a device that has been formatted multiple times?

    • @DFIRScience
      @DFIRScience 1 year ago

      A dd copy of a disk (SDC) is a physical hard drive. It's not formatted like an ISO. You cannot "open" it. Instead you can mount it as a virtual hard disk in your system, or use a tool like FTK Imager to get access to the files inside the image.

  • @diretorio
    @diretorio 3 years ago

    How do you make a forensic image of Android these days?

  • @trushabhavsar6054
    @trushabhavsar6054 2 years ago

    My phone is rooted, still I am not able to get root access by doing this 'su' command. Can anyone help?

  • @pradeeproshan3827
    @pradeeproshan3827 6 years ago

    Thanks.... Is gaining root access to the phone forensically accepted??

    • @davidm1635
      @davidm1635 4 years ago

      As a sr. digital forensic examiner, using these two specific tools I would say *no*, but the commercial tools are doing similar; they are 'recognized' since they built their root kit, vs whomever you just gave your data to by installing KingoRoot. Removing it after the fact is too late if you care about what is on the phone and what the accounts (em, etc.) are used for.

  • @mrpumba2147
    @mrpumba2147 6 years ago

    I am trying to connect to a Galaxy Note5 running Android 7. I tried two different computers and neither computer recognizes the phone. The program is running correctly, as I did some of the tests you did. I am in developer mode with USB debugging set and on Stay awake. Any ideas?

    • @DFIRScience
      @DFIRScience 6 years ago +1

      I have had problems with cables before, where a cable would work for one phone but not another. Try one or two other cables. Are both of the computers Windows?

    • @mrpumba2147
      @mrpumba2147 6 years ago

      I did. I'm going to try it today at work with one of our forensic computers to see if I get a different response. I used two phones, the one above and a Samsung S7, and neither would work. Same settings on both phones. I'll post a reply with the results.

  • @felipenetto3328
    @felipenetto3328 2 years ago

    Interesting, but nowadays to root a phone it's necessary to wipe it. So the acquisition becomes useless. Am I right?

    • @DFIRScience
      @DFIRScience 2 years ago

      If you have to wipe the phone, it is going to be very hard to get any interesting data. Modern acquisition tools use (expensive) vulnerabilities to get root access to make their acquisitions. That's one reason commercial mobile acquisition tools are so expensive.

  • @jared6511
    @jared6511 6 years ago

    Trying to run ncat I get: libnsock select_loop(): nsock_loop error 10038: An operation was attempted on something that is not a socket.

    • @DFIRScience
      @DFIRScience 6 years ago

      Jared Kotoff, was that on the phone or the computer? Can you give the whole command?

    • @jared6511
      @jared6511 6 years ago +1

      That was on the computer (Windows 10) with the latest binary of ncat.exe:
      ncat 127.0.0.1 8888 > android.dd
      But I'm on a Mac and it seems to be working again.

  • @ingridkombe2735
    @ingridkombe2735 2 years ago

    Sorry, but where would I get samples of extracted Android images?

    • @DFIRScience
      @DFIRScience 2 years ago

      You can find a lot of data sets here: cfreds.nist.gov/

  • @FarzanKhawaja
    @FarzanKhawaja 2 years ago

    I can't get adb to run on my PC. I am doing adb.exe -h but it doesn't recognize the command?? Help

    • @DFIRScience
      @DFIRScience 2 years ago

      Did you download Android Studio from here: developer.android.com/studio
      If you are using Windows, then you should have adb.exe after installing Studio. If you are using macOS or Linux it will just be "adb".

  • @maba-
    @maba- 6 years ago

    Hi! I'm stuck at "busybox not found".

    • @DFIRScience
      @DFIRScience 6 years ago

      Most likely the phone was not rooted properly, so busybox could not be installed or does not have permission to run tools on the phone. Check for rooting.

  • @ravan01d
    @ravan01d 3 years ago

    This is not possible with a phone with a broken display and no debugging turned on, which is more of a real-world scenario.

  • @sk_thoughts973
    @sk_thoughts973 2 years ago

    I'm unable to connect devices. How do I connect, can you say?

    • @DFIRScience
      @DFIRScience 2 years ago

      You will need to enable Android Debugging Mode on the phone first, then connect the phone to the computer. When you connect the phone to the computer and start running ADB you will have to allow connections on the phone (a message will pop up on the phone). To enable ADB check out this page: www.aiseesoft.com/tutorial/enable-usb-debugging-for-android.html

  • @sangjo20
    @sangjo20 7 years ago

    Aha. This is how we can get a disk image of Android devices.

    • @DFIRScience
      @DFIRScience 7 years ago +1

      Just one way. Remember this is where the phone is "live" and it will modify some data.