What is Android ADB with smartphone forensics?

Written by Amber Schroader

October 5, 2021

There is a lot of trust put into your digital forensic tools when it comes to processing data. Many times, the “magic” of the tool remains someone unknown to the end-user. Each company claims to have a special means to capture the data that is seen in the acquisition. However, what is unsaid by tool manufacturers is that often the same foundational methods are used with all tools.

The perfect example is with iOS devices. All the manufacturers, when working with iOS, have limited options when communicating and capturing data from the device. It is why you will see consistent image data from one tool to another. The true “magic” with iOS comes in the tool’s ability to parse and understand the data that is captured. This is true with all types of images done by smartphone forensic tools and the ability to effectively parse should be a significant buying point when selecting a tool.

Another example of consistency seen with smartphone forensic tools comes with Android ADB.  Android ADB, or Android Debug Bridge, is a command-line tool that allows communication with an Android device. It is included in the Android SDK Platform-tools and can be downloaded separately from the Android developer website. All Android OS devices despite the manufacturer have the ADB service in the device. Therefore, for smartphone forensic tools this is a consistent path used to process a forensic image of the device.

So, what does ADB do for your forensic tools?

  • Get a wide range of device info and properties, i.e., serial number, model, etc.
  • Force the device into recovery, fastboot, or bootloader mods.
  • Explore available file system artifacts.
  • Gather specific data.
  • Make device backup that is generally used in logical data extraction.
  • Create device screenshots or recordings.
  • Obtain device logcat.

The value of the ADB process is obvious with the access that it allows being able to capture valuable Android data. However, the capture is only the first step in the process. Many ADB tools impose some restrictions that make the investigation process inconvenient, for example:

  • ADB requires specific knowledge of the command-line tool and its commands.
  • A created device backup is stored in the ab format that requires additional utilities to unpack the content.
  • Representation of the device file system artifacts lacks details in the ADB console.
  • There is no guarantee that data transferred from a device won’t be modified.

This is where you should be asking your tool manufacturers how they are using ADB and managing some of the above-mentioned issues that can exist.

With the Paraben E3 Forensic Platform, the ADB communication is used to open the communication path to the Android device. Then the E3 Forensic Platform uses this path to allow for a unique root privilege ADB communication to capture the data. Once the capture is complete the unique ADB command is removed from the device and it is returned to its original state. This type of method allows for a more forensically sound transfer of data from the device with a higher level of access to the device data.

Other tools capture the raw ADB file, and their tool is used as a parsing engine to recover the data from the image. When looking at the ADB process in most tools there are two core areas that should be questioned and evaluated.  First, how are they using ADB to avoid some of the issues that are mentioned above, and second how is their parsing of the raw ADB captured data?  With many of the smartphone forensic tools using the same methodology it quickly becomes clear that the value of quality data parsing becomes a significant factor when evaluating different tools and making a purchasing decision.

To learn more about the general evolution of Android.


smartphone forensic training
smartphone forensic training

Forensic-Impact Articles

Investigating and Capturing Google Data

Investigating and Capturing Google Data

There are so few people on the planet now that don’t have something to do with Google. With parents selecting Gmail accounts for their kids prior to being born to the proliferation of Google in the classroom the searching giant is everywhere. With this level of...

Forensically Imaging Bitlocker

Forensically Imaging Bitlocker

Guest Blogger, Michael Zinn with Micro Systems Management BitLocker is Microsoft’s Full Volume Encryption (FVE) feature in Windows. BitLocker can be used to encrypt operating system volumes, non-Operating System fixed drive volumes, and removable drive volumes.[1]...

The Role of Psychology in Digital Forensics

The Role of Psychology in Digital Forensics

 Written by Riley Anne JohnsAs more people depend on technology for both personal and professional endeavors, digital forensics has never been more important. Digital forensics is a branch of forensic science specifically focused on cybercrime, using computer evidence...