Logical data extraction
Logical data extraction techniques extract the data present on the device by accessing the
file system. These techniques are significant because they provide valuable data, work on
most devices, and are easy to use. Once again, the concept of rooting comes into the picture
when extracting the data. Logical techniques do not actually require root access for data
extraction. However, having root access on a device allows you to access all the files
present on it. This means that some data can be extracted from a non-rooted device,
while root access opens up the device and provides access to every file on it.
Hence, root access greatly influences the amount and kind
of data that can be extracted through logical techniques. Logical extraction can be
performed on a device in two ways:
• Using adb pull commands
• Using content providers
The following sections explain each of these options and how the data can be extracted.
Using the adb pull command
As seen earlier, adb is a command-line tool that helps you communicate with the device to
retrieve information. Using adb, you can extract data from all the files on the device or only
the relevant files in which you are interested. To access an Android device through adb, the
USB debugging option must be enabled. If the device is locked and USB debugging
is not enabled, try to bypass the screen lock using the techniques mentioned in
Chapter 8, Android Forensic Setup and Pre Data Extraction Techniques.
As a forensic examiner, it's important to know how the data is stored on the Android device
and to understand where important and sensitive information is stored so that the data can
be extracted accordingly. Application data often contains a wealth of user data that may be
relevant to the investigation. All files pertaining to applications of interest should be
examined for relevance, as will be explained in Chapter 10, Android Data Recovery
Techniques. The application data can be stored in one of the following locations:
• Shared preferences: Data is stored in key-value pairs in a lightweight XML
format. Shared preference files are stored in the shared_prefs folder of the
application's /data directory.
• Internal storage: Data stored here is private and is present in the device's internal
memory. Files saved to the internal storage are private and cannot be accessed by
other applications.
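Once a shared preferences file has been pulled from the device, its key-value pairs can be listed with a short parser. The following is an added example, not code from the book; the sample file is constructed, and the element names (string, boolean, int, long, float, set) are an assumption based on the layout Android normally writes for these files.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a shared preferences file (not taken from a real device).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="account_email">examiner@example.com</string>
    <boolean name="remember_me" value="true" />
    <int name="login_count" value="17" />
    <long name="last_sync_ms" value="1700000000000" />
    <float name="font_scale" value="1.15" />
    <set name="recent_contacts">
        <string>alice</string>
        <string>bob</string>
    </set>
</map>
"""

def parse_shared_prefs(xml_text):
    """Return {key: (type, value)} for every entry in a shared preferences file."""
    # Evidence files are untrusted input: refuse DTDs so entity tricks are never parsed.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not expected in a shared preferences file")
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "map":
        raise ValueError("root element is not <map>")
    prefs = {}
    for el in root:
        name = el.get("name")
        if el.tag == "string":
            value = el.text or ""
        elif el.tag == "boolean":
            value = el.get("value") == "true"
        elif el.tag in ("int", "long"):
            value = int(el.get("value"))
        elif el.tag == "float":
            value = float(el.get("value"))
        elif el.tag == "set":
            value = sorted(child.text or "" for child in el)
        else:
            value = ET.tostring(el, encoding="unicode")  # keep unknown entries verbatim
        prefs[name] = (el.tag, value)
    return prefs

if __name__ == "__main__":
    for key, (kind, value) in parse_shared_prefs(SAMPLE_PREFS).items():
        print(f"{key:18} {kind:8} {value!r}")
```

Run the parser on a working copy of the extracted file rather than on the original evidence.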