Using root access to acquire an Android device
Android, by default, does not provide access to the internal directories and system-related
files. This restricted access is to ensure the security of the device. For instance, the
/data/data folder is not accessible on a non-rooted device. This folder is of special
interest to us because it stores most of the user-created data, and many applications write
valuable data into it. Hence, to obtain an image of the device, we need to root the
Android device. Rooting a device gives us superuser privileges and access to all the
data. As stressed throughout, all the steps taken should be forensically sound and should
not make changes to the device whenever possible. Rooting an Android device will make
changes to it and should be tested on any device that the examiner has not previously
investigated. Rooting is common for Android devices, but getting root access could alter
the device in a manner that renders the data changed or, worse yet, wiped. Some Android
devices, such as the Nexus 4 and 5, may force the data partition to be wiped prior to
allowing root access. This negates the need to root the device in order to gain access
because all the user data is lost during the process. Just remember that while rooting
provides access to more data when successfully done, it can also wipe the data or
destroy the phone. Hence, you must ensure you have consent or legal rights to manipulate
the Android device prior to proceeding with the root. As rooting techniques have been
discussed in Chapter 8, Android Forensic Setup and Pre Data Extraction Techniques, we will
proceed with the example assuming that the device is rooted. The following is a
step-by-step process to obtain a forensic image of a rooted Android device.
Install the Android Terminal Emulator application. The Android Terminal Emulator
application helps you to access the Linux command shell. Android Terminal Emulator can be
downloaded from https://github.com/jackpal/Android-Terminal-Emulator/wiki. Once
installed, you can run most of the Linux commands on the device. It is recommended to
install it through adb instead of connecting to the Internet to install it from the Google
Play store. The following screenshot shows the installation of the Android Terminal
Emulator application on a Mac running v10.9.2:
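The adb installation recommended above, as an added example that is not from the book: it hashes the locally stored APK, installs it on one named device, and appends a record of the install to a case log so the change made to the device is documented. The device serial, APK path, log path and function names are assumptions.

```shell
#!/bin/sh
# Added example. Serial, APK path, case log and function names are hypothetical.

# SHA-256 of a file; uses sha256sum (Linux) or shasum (macOS), whichever exists.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# One tab-separated record: UTC time, device serial, APK name, APK hash, result.
# $1 = device serial, $2 = APK path, $3 = result (ok or failed)
log_entry() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$(basename "$2")" \
        "$(file_sha256 "$2")" "$3"
}

# Install the APK over USB with adb and record the outcome in the case log.
# $1 = device serial, $2 = APK path, $3 = case log
sideload_apk() {
    [ -r "$2" ] || { echo "APK not readable: $2" >&2; return 2; }
    # Continue only if adb lists this exact serial in the "device" state,
    # so the install cannot land on another attached handset.
    adb devices | awk -v s="$1" '$1 == s && $2 == "device" {ok=1} END {exit !ok}' \
        || { echo "device $1 not attached or not authorized" >&2; return 3; }
    if adb -s "$1" install "$2"; then result=ok; else result=failed; fi
    log_entry "$1" "$2" "$result" >> "$3"
    [ "$result" = ok ]
}

# Usage (constructed values):
#   sideload_apk SERIAL123 ./Term.apk ./case-0001/device-changes.log
```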
Once Android Terminal Emulator is installed, the partitions can be acquired from the
Android device using the following steps: