Information Technology Reference
In-Depth Information
The/data directory extracted to a forensic workstation
On a non-rooted device, a pull command on the
/data
directory does not extract the files
as shown in the following output, since the shell user does not have permission to access
those files:
C:\android-sdk-windows\platform-tools>adb.exe pull /data
C:\temp
pull: building file list...
0 files pulled. 0 files skipped.
The data copied from a rooted phone through the preceding process maintains the direct-
ory structure, thus allowing an investigator to browse through the necessary files to gain
access to the information. By analyzing the data of the respective applications, a forensic
expert can gather critical information that can influence the outcome of the investigation.
Note that examining the folders natively on your forensic workstation will alter the dates
