There is a lot of trust put into your digital forensic tools when it comes to processing data. Many times, the “magic” of the tool remains somewhat unknown to the end-user. Each company claims to have a special means to capture the data that is seen in the acquisition. However, what is unsaid by tool manufacturers is that often the same foundational methods are used by all tools.
The perfect example is with iOS devices. All the manufacturers, when working with iOS, have limited options when communicating and capturing data from the device. It is why you will see consistent image data from one tool to another. The true “magic” with iOS comes in the tool’s ability to parse and understand the data that is captured. This is true with all types of images done by smartphone forensic tools and the ability to effectively parse should be a significant buying point when selecting a tool.
Another example of consistency seen with smartphone forensic tools comes with Android ADB. Android ADB, or Android Debug Bridge, is a command-line tool that allows communication with an Android device. It is included in the Android SDK Platform-tools and can be downloaded separately from the Android developer website. All Android OS devices, regardless of manufacturer, include the ADB service on the device. Therefore, for smartphone forensic tools this is a consistent path used to produce a forensic image of the device.
So, what does ADB do for your forensic tools?
- Get a wide range of device info and properties, i.e., serial number, model, etc.
- Force the device into recovery, fastboot, or bootloader modes.
- Explore available file system artifacts.
- Gather specific data.
- Make a device backup, which is generally used in logical data extraction.
- Create device screenshots or recordings.
- Obtain device logcat.
The value of the ADB process is obvious with the access that it allows being able to capture valuable Android data. However, the capture is only the first step in the process. Many ADB tools impose some restrictions that make the investigation process inconvenient, for example:
- ADB requires specific knowledge of the command-line tool and its commands.
- A created device backup is stored in the .ab format, which requires additional utilities to unpack the content.
- Representation of the device file system artifacts lacks details in the ADB console.
- There is no guarantee that data transferred from a device won’t be modified.
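Two of the restrictions above, the .ab container that needs extra tooling and the lack of any transfer guarantee, are concrete enough to show in code. The following is an added example written for this article, not Paraben's or the E3 Forensic Platform's code. It assumes the documented layout of an unencrypted ADB backup (a four-line text header of magic, version, compression flag and encryption algorithm, followed by an optionally zlib-deflated tar payload), unpacks that payload, and compares a SHA-256 taken before transfer with one taken after so a changed byte is detected rather than assumed away. The sample backup it works on is constructed in memory, not taken from a real device.

```python
"""
Unpack an Android ADB backup (.ab) into its tar payload and verify integrity.

Assumed .ab layout (unencrypted backups only):
  line 1: "ANDROID BACKUP"
  line 2: format version (e.g. "5")
  line 3: "1" if the payload is zlib-compressed, "0" if not
  line 4: encryption algorithm, "none" or "AES-256"
  then the payload: a tar archive, deflated with zlib when line 3 is "1".
"""
import hashlib
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data: bytes) -> dict:
    """Split the text header from the payload and return the header fields."""
    lines = data.split(b"\n", 4)  # maxsplit=4 keeps newlines inside the payload intact
    if len(lines) < 5 or lines[0] != MAGIC:
        raise ValueError("not an Android backup: bad magic")
    return {
        "version": int(lines[1]),
        "compressed": lines[2] == b"1",
        "encryption": lines[3].decode("ascii"),
        "payload": lines[4],
    }


def ab_to_tar(data: bytes) -> bytes:
    """Return the raw tar bytes embedded in an unencrypted .ab file."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        # An encrypted backup needs the user's password to derive the key; out of scope here.
        raise ValueError("encrypted backup (%s) not handled" % hdr["encryption"])
    payload = hdr["payload"]
    return zlib.decompress(payload) if hdr["compressed"] else payload


def list_backup_members(data: bytes) -> list:
    """List the member paths inside the backup's tar payload."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data)), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def transfer_is_intact(device_side_hash: str, received: bytes) -> bool:
    """Compare a hash computed on the device side before transfer with the hash of
    what arrived over ADB; any mismatch means the bytes were altered in transit."""
    return device_side_hash.lower() == sha256_hex(received)


def build_sample_backup(compressed: bool = True) -> bytes:
    """Construct a small, unencrypted .ab file in memory (sample data, not a real device backup)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, body in [
            ("apps/com.example.app/_manifest", b"com.example.app\n1\n"),
            ("apps/com.example.app/db/notes.db", b"SQLite format 3\x00constructed"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    tar_bytes = buf.getvalue()
    payload = zlib.compress(tar_bytes) if compressed else tar_bytes
    header = b"ANDROID BACKUP\n5\n%s\nnone\n" % (b"1" if compressed else b"0")
    return header + payload


if __name__ == "__main__":
    ab = build_sample_backup()
    print("members:", list_backup_members(ab))
    print("sha256:", sha256_hex(ab))
    print("intact:", transfer_is_intact(sha256_hex(ab), ab))
```

In practice the device-side hash would come from hashing the file on the handset before it is pulled, and the local hash from the bytes that landed on the examiner's workstation; the function only does the comparison, so the acquisition notes should record both values and the time each was taken.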
This is where you should be asking your tool manufacturers how they are using ADB and managing some of the above-mentioned issues that can exist.
With the Paraben E3 Forensic Platform, the ADB communication is used to open the communication path to the Android device. Then the E3 Forensic Platform uses this path to allow for a unique root privilege ADB communication to capture the data. Once the capture is complete the unique ADB command is removed from the device and it is returned to its original state. This type of method allows for a more forensically sound transfer of data from the device with a higher level of access to the device data.
Other tools capture the raw ADB file, and their tool is used as a parsing engine to recover the data from the image. When looking at the ADB process in most tools there are two core areas that should be questioned and evaluated. First, how are they using ADB to avoid some of the issues mentioned above, and second, how good is their parsing of the raw ADB captured data? With many of the smartphone forensic tools using the same methodology, it quickly becomes clear that the quality of data parsing is a significant factor when evaluating different tools and making a purchasing decision.
To learn more about the general evolution of Android.