How to Obtain Data from Android Device
Starting with OSForensics V6.1, OSForensics includes support for creating a logical device image and the extraction of text messages, call logs and contact details from an Android device.
Creating a logical Android image allows the investigator to copy files/directories from an Android device to a destination folder or logical image file (.vhd), preserving as much file system metadata (e.g. dates/times, attributes) as possible. This is useful for cases where obtaining a complete drive image of the evidence device is not possible (e.g. the device is not rooted). Note that while the directory structure, file contents, and some metadata are preserved, some data is lost in the operation, such as slack space, fragmentation, unallocated space and deleted files. Files are obtained using the adb.exe 'pull' command with the '-a' option, which tries to preserve file timestamps and mode.
Additional artifacts can be retrieved using the Extract Data with OSFExtract App option. This will install the OSFExtract app onto the Android device and allow the retrieval of Messages (SMS, MMS), Contacts and Call Log from the device that may not be retrievable using the Logical Copy method.
On your Android Device
Before you begin, make sure your Android device is placed in Debug Mode and connected to your computer via USB. OSForensics uses the Android Debug Bridge (adb) application provided by Google to interface with the Android device.
On Android 4.1 and lower, the Developer options screen is available by default in the Settings menu; on Android 4.2 and higher it is hidden and must be enabled first. On the Android device: open the Settings app (on Android 8.0 or higher, select System), then near the bottom open the About phone option. Tap Build number 7 times; the Developer Options menu should now be available in Settings. Enable USB debugging within Developer Options.
On your Computer
The example below shows the use of the Create Logical Android Image module in OSForensics.
From the Android Device dropdown list, select your device. Enable Extract Data with OSFExtract App, which will use the companion OSFExtract App to retrieve additional data during the imaging process, and enable Logical Copy with Adb Pull to copy files/directories from the Android device to a destination folder using the adb.exe pull command. Specify a destination target location to save the files that will be obtained from the device. Copy to Folder will place the files in a local directory on the system. Create Logical Image will place the files within a Virtual Hard Drive (.vhd). Even with the Logical Image option, some files may be temporarily copied to a local temp directory before appearing in the VHD.
Enable (or disable) Post Imaging Options as desired. Then click the Start button to begin.
OSFExtract Android App Process
With Extract Data with OSFExtract App selected, OSForensics will install and launch the OSFExtract app on your device.
If this is the first time the app is installed, when the app is started on the device, you will need to grant the requested permissions to allow the app to transfer the data. The following permissions must be allowed for OSFExtract to access data on the device:
Tap the Transfer button within the app to begin the supplemental data transfer to OSForensics. Transfer time will depend on the number of text messages, contacts and call log entries on the device. The current progress is shown within the app and is also reflected by the item count fields in OSForensics. After the process is completed, if Logical Copy with Adb Pull is enabled, it will proceed with the logical copy. If it is not selected, skip the next section.
Creating Logical Device Image
With Logical Copy with Adb Pull selected, OSForensics will now begin to transfer accessible files from the device using Android Debug Bridge. Note: A logical image is different from a physical image. A physical image is a bit-for-bit copy, whereas, due to the permissions and access restrictions implemented in Android, an Android logical copy will only contain those files/folders that are not protected by the Android OS.
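The two adb-based steps described above (checking that the device is authorized for USB debugging, then copying accessible directories with `adb pull -a`) as a small POSIX shell helper. This is an added example, not OSForensics code; it assumes adb is on PATH on a Linux/macOS examiner workstation, and the `/sdcard/...` source paths and `acquire` argument are illustrative choices. It also adds a SHA-256 manifest of the pulled files, which the page does not describe, so the logical copy can be verified later.

```shell
#!/bin/sh
# Logical Android acquisition helper (added example; assumes adb on PATH).
set -u

# Print serials from `adb devices` output whose state is "device".
# "unauthorized" means the USB debugging prompt was not accepted on the
# phone; "offline" means adb cannot talk to it yet. Both are excluded.
adb_ready_serials() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 && $2 == "device" { print $1 }'
}

# Pull each source directory with `adb pull -a` (keeps mtime and mode).
# On a non-rooted device, protected paths fail with permission denied;
# that is expected for a logical copy, so it is logged rather than fatal.
logical_pull() {
    serial="$1"; dest="$2"; shift 2
    mkdir -p "$dest"
    for src in "$@"; do
        if adb -s "$serial" pull -a "$src" "$dest/" >>"$dest/pull.log" 2>&1; then
            echo "pulled  $src" >>"$dest/pull.log"
        else
            echo "skipped $src (permission denied or missing)" >>"$dest/pull.log"
        fi
    done
}

# Hash every acquired file into manifest.sha256; prints the file count.
write_manifest() {
    ( cd "$1" && find . -type f ! -name manifest.sha256 -print0 | sort -z \
        | xargs -0 sha256sum ) > "$1/manifest.sha256"
    wc -l < "$1/manifest.sha256" | tr -d ' '
}

# Re-check the copy against the manifest; non-zero exit on any mismatch.
verify_manifest() {
    ( cd "$1" && sha256sum --status -c manifest.sha256 )
}

main() {
    dest="${1:-./android_logical}"
    ready=$(adb_ready_serials "$(adb devices)")
    if [ "$(printf '%s\n' "$ready" | grep -c .)" -ne 1 ]; then
        echo "need exactly one authorized device (check the USB debugging prompt)" >&2
        return 1
    fi
    logical_pull "$ready" "$dest" /sdcard/DCIM /sdcard/Download /sdcard/Pictures
    echo "hashed $(write_manifest "$dest") files into $dest/manifest.sha256"
}
# Acquisition only runs when invoked as: sh acquire.sh acquire [destdir]
if [ "${1:-}" = acquire ]; then shift; main "$@"; fi
```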
Post Imaging Options
If Attach Log to Case was selected, OSForensics will prompt for additional information and then allow you to add the log (same as the one displayed in the imaging screen) to the case.
If Add Image as Device to Case was selected, OSForensics will bring up the Add Device dialog prompt with certain fields pre-populated. You can change the Display Name from the default if desired. Once the image is added to the case, it will be selectable as a device in other modules in OSForensics.
If Add to Scan List in Android Artifacts Module was selected, OSForensics will add the directory or newly added device to the scan list in Android Artifacts module and switch over to that module for the investigator to continue their investigation.
Android Artifacts Module
The device or directory is automatically added to the case if the Add to Scan List in Android Artifacts Module option was selected while imaging. If not, you can choose the device from the dropdown or browse to the location on the local computer. Choose Scan to tell OSForensics to start looking for artifacts. Not all Artifact Types listed will be available; this depends greatly on what was acquired during imaging. From best to worst in terms of returning artifacts, the device types are: Physical Image, Logical Image from a rooted device, Logical Image (non-rooted).
With the device image acquired, other OSForensics modules that may be useful in locating evidence are the File Name Search module for finding pictures and videos and the Create/Search Index module to create a searchable index of the file contents on the device.