Listen to this Post

Introduction:
Mobile devices have become the central repository of modern digital life—containing communications, location history, application usage, and sensitive personal data. For cybersecurity analysts, law enforcement investigators, and incident responders, the ability to systematically extract and analyze Android device artifacts is a critical skill in the digital forensics arsenal. The Android Debug Bridge (ADB) provides a powerful, built-in interface for acquiring this data without requiring root access, making it an accessible and repeatable methodology for security audits and investigations.
Learning Objectives:
- Master the setup and configuration of ADB for forensic data acquisition from Android devices
- Execute systematic extraction of system information, installed applications, logs, and communication data
- Understand the legal, ethical, and technical limitations of ADB-based forensics on non-rooted devices
- Apply OSINT principles to correlate extracted mobile data with broader threat intelligence frameworks
You Should Know:
1. Understanding ADB Forensics: Core Concepts and Prerequisites
The Android Debug Bridge (ADB) is a versatile command-line tool that enables communication between a computer and an Android device. In a forensic context, ADB allows investigators to pull system-level data, application information, and user-generated content in a structured, repeatable manner. Before initiating any forensic acquisition, three critical prerequisites must be satisfied:
First, ADB must be installed on the examination workstation. On Linux systems, this can be accomplished with sudo apt install adb -y. Windows users can download the Platform Tools from Google’s developer site and add the directory to their system PATH. Second, USB debugging must be enabled on the target device—this is found in Developer Options within the Android settings menu. Third, and most importantly, proper legal authorization must be obtained before accessing any device; unauthorized forensic analysis constitutes a violation of privacy laws and computer fraud statutes.
Step‑by‑step guide:
Linux ADB Installation:
sudo apt update sudo apt install adb -y adb --version
Windows ADB Setup:
1. Download `platform-tools.zip` from the Android Developer website
2. Extract to `C:\adb`
- Add `C:\adb` to System Environment Variables under Path
- Open Command Prompt and verify with `adb version`
Enabling USB Debugging on Android:
1. Navigate to Settings > About Phone
- Tap Build Number seven times to unlock Developer Options
- Return to Settings > System > Developer Options
4. Toggle USB Debugging to ON
- Confirm the authorization prompt when connecting to the workstation
2. Establishing Connection and Gathering System Intelligence
Once ADB is installed and USB debugging is enabled, the first step is verifying the connection. The `adb devices` command lists all connected devices and their states—a response showing “device” indicates successful authorization. With the connection confirmed, the forensic workflow begins with extracting comprehensive system information that forms the foundation of any investigation report.
The `getprop` command exposes the device’s entire property map, including hardware specifications, firmware versions, and build fingerprints. For focused intelligence gathering, specific properties such as ro.product.model, ro.build.version.release, and `ro.serialno` provide the device identity, Android version, and unique hardware serial number respectively. This metadata is essential for documenting the chain of custody and establishing the device’s configuration at the time of acquisition.
Step‑by‑step guide:
Verify ADB Connection:
adb devices Expected output: List of devices attached RZ8N1234XYZ device
Extract Comprehensive System Properties:
adb shell getprop > device_properties.txt
Extract Specific Forensic Identifiers:
adb shell getprop ro.product.model >> device_identity.txt adb shell getprop ro.build.version.release >> device_identity.txt adb shell getprop ro.serialno >> device_identity.txt adb shell getprop ro.build.fingerprint >> device_identity.txt
3. Application Inventory and Package Analysis
Understanding what applications are installed on a device provides crucial context for threat hunting and incident response. Malicious applications, unauthorized monitoring tools, or vulnerable software versions can all be identified through systematic package enumeration. The package manager interface within ADB (pm) allows investigators to list all installed packages with their installation paths.
The command `adb shell pm list packages -f` outputs every application package with its associated APK file path. Redirecting this output to a text file creates a permanent record for offline analysis. For deeper inspection, specific package information can be extracted using adb shell dumpsys package <package_name>, which reveals permissions, version codes, signatures, and installation timestamps—valuable for identifying sideloaded or suspicious applications.
Step‑by‑step guide:
Export Complete Application List:
adb shell pm list packages -f > installed_apps.txt
Extract Detailed Package Information for Analysis:
adb shell dumpsys package > all_package_details.txt
Search for Specific Package Indicators:
adb shell pm list packages | grep -i "malware|spy|tracker" adb shell dumpsys package com.suspicious.app > suspicious_app_analysis.txt
4. System Logs and Runtime Artifact Collection
System logs captured via `logcat` provide a real-time record of system events, application crashes, network activity, and user interactions. The `-d` flag dumps the entire log buffer to stdout without blocking, making it suitable for forensic acquisition without interfering with ongoing device operations. These logs are invaluable for timeline reconstruction, identifying anomalous behavior, and correlating events with other extracted artifacts.
The `dumpsys` command offers granular access to individual system services. Battery statistics reveal charging patterns and power consumption anomalies. Network configuration data exposes connected interfaces, routing tables, and active connections. Usage statistics and settings histories reconstruct user behavior patterns over time. Each of these data sources contributes to a comprehensive forensic picture of device activity.
Step‑by‑step guide:
Capture System Logs:
adb logcat -d > system_logs.txt adb logcat -d -v time > system_logs_timeline.txt With timestamps
Extract Battery and Power Metrics:
adb shell dumpsys battery > battery_stats.txt adb shell dumpsys batterystats > battery_history.txt
Collect Network Configuration:
adb shell dumpsys connectivity > network_config.txt adb shell ifconfig > network_interfaces.txt adb shell netstat > network_connections.txt
Gather Usage and Activity Data:
adb shell dumpsys usagestats > usage_timeline.txt adb shell settings list system > system_settings.txt
5. Data Acquisition: Contacts, Call Logs, and Messages
Android’s content provider framework exposes communication data through system services, enabling extraction of contacts, call history, and SMS messages via ADB. On Android 10 and earlier, these commands typically succeed without root access. However, beginning with Android 11, Google implemented stricter permissions that may restrict access to these content providers without additional authorization or root privileges.
When accessible, the `content query` command provides structured output of the underlying databases. Contacts are stored with names, phone numbers, email addresses, and organizational details. Call logs capture timestamps, durations, and caller/recipient identifiers. SMS messages contain sender/receiver information, timestamps, and message bodies. This data is often the most probative in investigations involving communication patterns, harassment cases, or missing persons.
Step‑by‑step guide:
Extract Contacts:
adb shell content query --uri content://contacts/phones/ > contacts.txt adb shell content query --uri content://contacts/data/emails > contact_emails.txt
Extract Call Logs:
adb shell content query --uri content://call_log/calls > call_logs.txt
Extract SMS Messages:
adb shell content query --uri content://sms/ > sms_messages.txt adb shell content query --uri content://sms/sent > sms_sent.txt adb shell content query --uri content://sms/inbox > sms_inbox.txt
Note: On Android 11+, these commands may return permission errors. Alternative acquisition methods include forensic imaging tools or leveraging the device’s backup functionality.
6. File System Acquisition and Directory Extraction
Physical file extraction complements logical data collection by capturing user-generated content stored in accessible directories. The `adb pull` command transfers files and directories from the device to the local workstation. Common targets include the DCIM folder containing camera photos and videos, the Downloads directory for user-initiated file transfers, and the Pictures folder for additional media content.
Access to `/data` directories typically requires root privileges or a forensic boot image. However, the `/sdcard` partition (often symlinked to /storage/emulated/0/) is generally readable without root and contains the bulk of user-generated content. For comprehensive acquisition, investigators should also consider pulling browser histories, application-specific directories, and any external storage cards present.
Step‑by‑step guide:
Extract User-Generated Media:
adb pull /sdcard/DCIM ./forensics_images adb pull /sdcard/Pictures ./forensics_pictures adb pull /sdcard/Download ./forensics_downloads adb pull /sdcard/Movies ./forensics_movies adb pull /sdcard/Music ./forensics_music
Extract Application-Specific Data (Non-Root):
adb pull /sdcard/Android/data ./app_data
Extract System Package List:
adb pull /data/system/packages.list ./packages_list May require root
7. Leveraging OSINT Rack for Complementary Intelligence
The OSINT Rack platform aggregates hundreds of curated intelligence tools that complement mobile forensic findings. When an investigation identifies email addresses, usernames, or phone numbers from an Android device, these can be cross-referenced against OSINT tools to correlate identities, discover associated accounts, and identify breach exposures.
Tools such as BehindTheEmail correlate email addresses with public profiles, employment history, and breach records. IGDetective enables social media intelligence on Instagram accounts without leaving a footprint. Revealer provides comprehensive breach monitoring and infostealer log lookup. For timeline reconstruction, Jimpl extracts and removes EXIF metadata from photographs. These tools transform isolated mobile artifacts into actionable intelligence across the broader digital ecosystem.
Step‑by‑step guide for OSINT Correlation:
- Extract email addresses from contacts and account settings:
adb shell content query --uri content://contacts/data/emails > emails.txt
-
Extract phone numbers from call logs and contacts:
adb shell content query --uri content://contacts/phones > phones.txt
3. Cross-reference extracted identifiers against OSINT platforms:
- BehindTheEmail: https://behindtheemail.com/
- Revealer: https://revealer.us/
- IntelBase: https://intelbase.is/
4. Monitor for breach exposure:
- HaveIBeenRansom: https://haveibeenransom.com/
- Breach House: https://breach.house/
What Undercode Say:
-
Key Takeaway 1: ADB-based forensics provides a remarkably capable, zero-cost acquisition methodology that works on locked and non-rooted Android devices, democratizing access to mobile evidence for security practitioners at all levels.
-
Key Takeaway 2: The forensic value lies not in any single command but in the systematic aggregation of disparate data sources—system properties, application manifests, runtime logs, communication histories, and file artifacts—to construct comprehensive timelines and behavioral profiles.
Analysis: The AndroidForensics toolkit represents a paradigm shift in mobile investigative capability. Traditional commercial forensic solutions cost thousands of dollars and require specialized training; this ADB-based approach delivers comparable logical acquisition capabilities at zero cost. For security teams conducting insider threat investigations, incident responders triaging compromised devices, or law enforcement conducting preliminary examinations, this methodology provides immediate, actionable intelligence without vendor lock-in.
However, practitioners must remain cognizant of the inherent limitations. Android’s evolving permission model increasingly restricts access to sensitive content providers, with Android 11 and above presenting significant barriers to contact, call log, and SMS extraction without root. Additionally, ADB acquisition is inherently volatile—the act of connecting and issuing commands modifies system state, potentially altering evidence. Chain of custody documentation and forensic soundness principles must be rigorously maintained.
The integration with OSINT frameworks amplifies the investigative impact exponentially. A device-extracted email address becomes a pivot point for uncovering associated accounts, breach histories, and social media footprints across dozens of platforms. This convergence of mobile forensics and open-source intelligence creates a force multiplier for investigators, enabling them to move from isolated device artifacts to comprehensive threat actor or victim profiles.
Prediction:
- +1 The continued evolution of ADB-based forensic toolkits will accelerate democratization of mobile investigation capabilities, enabling smaller security teams and independent researchers to conduct sophisticated analyses previously reserved for well-funded agencies.
- +1 Integration between mobile forensic extraction and automated OSINT correlation platforms will become standard practice, with tools emerging that automatically pivot extracted identifiers against breach databases and social media intelligence services.
- -1 Android’s increasing security hardening—particularly around content provider permissions and scoped storage—will progressively erode the effectiveness of non-root ADB forensics, forcing investigators toward more invasive acquisition methods or commercial solutions.
- -1 The legal landscape surrounding mobile forensic acquisition remains fragmented and ambiguous, with evolving privacy regulations potentially criminalizing certain extraction techniques even when conducted with device owner consent.
- +1 The open-source nature of the AndroidForensics repository and similar projects will foster community-driven innovation, with new extraction techniques and artifact interpretations continuously emerging to address evolving Android versions.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Mariosantella Forensic – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


