How to Perform Physical Acquisition in Android Forensics?

Things you need to understand first:

  • Logical Storage:

We first need to grasp the idea of a logical disk. In a nutshell, a logical disk, often also called a virtual disk, is a unit of storage capacity that can draw on the storage of several physical disk drives.

Under this concept the user is presented with one contiguous storage area. It is not physical storage, because it does not rely on a single disk and claim that disk’s capacity as its own; it can store files across multiple physical units. Most modern operating systems offer logical volume management.

  • System partition & Data partition:

The system partition is where the system root resides; in other words, it contains the operating system folder. For instance, on Linux platforms the root directory (/) mounts all operating system files.

The data partition is the disk partition that contains all of the data stored by the user on the hard disk. It has nothing to do with the operating system, since it relates entirely to the user.

There is another partition called the boot partition. It holds the bootloader, which is what makes the operating system capable of booting. For instance, the /boot/ directory mounts the boot files (such as the kernel, initrd, and the GRand Unified Bootloader (GRUB)).

  • Data Acquisition Methods:

Data acquisition is an important topic in mobile forensics. Why does it matter? A logical image is needed for investigating a system, and the process of extracting that data is what we call data acquisition. There are three main categories of data acquisition, which we analyze in detail.

  1. Manual Acquisition:
    • The investigation relies on the mobile device’s user interface.
    • The examiner captures images of each screen while browsing the device. Although no tools are needed for this process, manual acquisition has a great pitfall. In addition to being time-consuming, not all of the data can be viewed by the user, and therefore not all of the data can be recovered by this method.
  2. Physical Acquisition:
    • A bit-by-bit copy of the whole file system is created.
    • This is very similar to the physical acquisition process in standard digital forensics.
    • Data residing on the device, unallocated space, and even deleted data are all copied by this demanding method.
  3. Logical Acquisition:
    • This process depends on the equipment manufacturer’s application programming interface.
    • The phone’s contents are synchronized with a personal computer through that original interface.
    • Plenty of free software tools are available for this method.
    • Neither deleted data nor unallocated space is recovered by this method, which extracts only the data accessible to the users of the device.

How to image Android File System using dd?

In fact, there are plenty of free and commercial tools available for taking an image of a specific partition. However, all of these tools require root access, whether on a real device or on the emulator. Even commercial tools root the device temporarily before acquiring a physical dump of a partition.

One such tool is “dd”, which can be used to take an image on a rooted device.

  1. Root the device, whether it is a real connected device or the emulator.
  2. Note that the “dd” tool is located in “/system/bin” by default on an Android system.
  3. Use the “mount” command, which lists the locations of the partitions on the device, to find the location of the desired partition.

  4. Analyzing the results we got in the last image, it is apparent that the system partition has the following entry:


  5. The data partition, on the other hand, has the following entry:


  6. The SD card partition has the following entry:


  7. Imaging any of the aforementioned partitions follows the same steps and methodology. However, the data partition is our concern in this article.
  8. The data partition can be extracted with the following command, which relies on the “dd” tool:

dd if=/dev/block/mtdblock1 of=/mnt/sdcard/output.img

  9. Let us look at what this command means. “if” is the input file, and “of” is the output file. The image is written to the SD card, and its name is “output.img”.
  10. The block size can be customized through the “bs” option of the “dd” tool.
  11. Pulling the file afterward is straightforward with “adb pull”. The following command pulls the image file out to our workstation:

adb pull /mnt/sdcard/output.img

Take care with the command in the very last line, because a new SD card destination has to be specified; otherwise, the image file will be overwritten on the same SD card partition of the device.

  12. The image should now exist on the local machine for investigation. The only pitfall of this method is that an SD card is required; without one, we could not have proceeded.
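
The steps above can be tied together as follows. This is an added example, not code from the original post: it parses `mount` output to find the block device behind a mount point, then prints the “dd” and “adb pull” commands, refusing an image path that sits on the partition being imaged. The function names, the sample `mount` lines and the `bs=4096` value are assumptions made for illustration, and `adb shell` is assumed to already run as root.

```shell
#!/bin/sh
# Constructed sample of `mount` output (illustrative, not taken from the page).
SAMPLE_MOUNTS='rootfs / rootfs ro 0 0
/dev/block/mtdblock0 /system yaffs2 ro 0 0
/dev/block/mtdblock1 /data yaffs2 rw,nosuid,nodev 0 0
/dev/block/vold/179:0 on /mnt/sdcard type vfat (rw,nosuid,nodev)'

# Print the block device backing mount point $1; mount output is read on stdin.
# Accepts "dev mountpoint fstype opts" and "dev on mountpoint type fstype (opts)".
# Fails for mount points not backed by /dev/block/* (rootfs, tmpfs, unknown).
block_device_for() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp { dev = $1 }
        $2 == mp               { dev = $1 }
        END { if (index(dev, "/dev/block/") != 1) exit 1; print dev }'
}

# Print the dd and adb pull commands for imaging mount point $1 into file $2,
# using the mount output in $3. Refuses an image path on the partition being
# imaged: writing there would modify the source while it is being read.
acquisition_plan() {
    case "$2" in
        "$1"/*) echo "image path is on the source partition" >&2; return 2 ;;
    esac
    dev=$(printf '%s\n' "$3" | block_device_for "$1") || return 1
    printf 'adb shell dd if=%s of=%s bs=4096\n' "$dev" "$2"
    printf 'adb pull %s\n' "$2"
}

# Hypothetical usage: plan the data-partition acquisition described above.
acquisition_plan /data /mnt/sdcard/output.img "$SAMPLE_MOUNTS"
```

On a live device, feed the function the real listing with `adb shell mount` in place of the constructed sample.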


This post was written by hsamanoudy