Your VM is equipped to allow you to conduct Android extractions using ADB. Here, we are using ADB to pull a backup from the attached device. There are several ways to use ADB to extract a backup file. We are going to start as simple as possible.

1. Type CMD in the Windows Search bar to obtain a Command Prompt

2. Connect your device and ensure you select “allow access” on the phone, or ADB cannot communicate with it

3. To ensure your device is recognized, type adb devices [1]

4. If you see “device” you are good to go. If you see “unrecognized,” you didn’t “allow access” on the device

5. Type adb backup -all -shared -system -keyvalue -apk -f backup.ab

6. Your backup.ab will be created and saved to the directory you are running from, unless you specify another location

The command can be broken down as follows [2]:

    adb backup = the command
    -all = back up all installed applications *(1) (2)
    -shared = back up shared storage / SD card
    -system = back up system apps as part of -all
    -apk = back up the .apk files themselves
    -keyvalue = include apps that perform key/value backups *(3)


*(1): Of course, only apps whose "android:allowBackup" attribute in AndroidManifest.xml is set to "true" are included, which is why we use the APK downgrade process.

*(2): On Android 12, new restrictions were added to the ADB backup command. [3]

*(3): Two good references for the "keyvalue" option:

https://www.swiftforensics.com/2019/10/adb-keyvalue-backups-and-data-format.html
https://www.swiftforensics.com/2019/10/part-2-adb-keyvalue-backups-call-logs.html
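The six steps and the flag breakdown above map directly onto a small wrapper script. The following is an added example, not course material or part of the ADB tool itself: it parses `adb devices` output to confirm the phone reports the "device" state before anything else runs, builds the backup command from the same flags the course uses (adding `-s <serial>` only when more than one handset is attached), and only then invokes adb. The serial numbers in the sample output are constructed; note that real adb prints the state "unauthorized" for a phone where the "allow access" prompt was not accepted.

```python
import subprocess

# Constructed sample of what `adb devices` prints with two phones attached:
# one authorized, one where the USB-debugging prompt was not accepted.
SAMPLE_DEVICES_OUTPUT = (
    "List of devices attached\n"
    "R58M12ABCDE\tdevice\n"
    "0123456789ABCDEF\tunauthorized\n"
    "\n"
)


def parse_adb_devices(output: str) -> dict:
    """Turn `adb devices` output into a {serial: state} mapping.

    A usable phone reports "device"; a phone that has not yet accepted the
    debugging prompt reports "unauthorized" and cannot be backed up.
    """
    states = {}
    for line in output.splitlines():
        line = line.strip()
        # Skip the banner, blank lines and daemon start-up chatter ("* daemon ...").
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        fields = line.split()
        if len(fields) >= 2:
            states[fields[0]] = fields[1]
    return states


def ready_serials(states: dict) -> list:
    """Serials of devices that are in the 'device' state and ready for backup."""
    return [serial for serial, state in states.items() if state == "device"]


def build_backup_command(out_file: str = "backup.ab", serial: str = None, *,
                         all_apps: bool = True, shared: bool = True,
                         system: bool = True, keyvalue: bool = True,
                         apk: bool = True) -> list:
    """Assemble the adb backup command line used in the course as an argv list."""
    cmd = ["adb"]
    if serial:
        cmd += ["-s", serial]  # target one phone when several are attached
    cmd.append("backup")
    flags = [("-all", all_apps), ("-shared", shared), ("-system", system),
             ("-keyvalue", keyvalue), ("-apk", apk)]
    cmd += [flag for flag, enabled in flags if enabled]
    cmd += ["-f", out_file]  # output path; defaults to the current directory
    return cmd


def run_backup(out_file: str = "backup.ab") -> int:
    """Check device state, then run the backup. Returns the process exit code."""
    listing = subprocess.run(["adb", "devices"], capture_output=True,
                             text=True, check=True).stdout
    states = parse_adb_devices(listing)
    ready = ready_serials(states)
    if not ready:
        print("No device in 'device' state. Seen:", states or "nothing attached")
        print("Accept the 'allow access' prompt on the phone and retry.")
        return 1
    serial = ready[0] if len(states) > 1 else None
    cmd = build_backup_command(out_file, serial)
    print("Running:", " ".join(cmd))
    print("Now confirm 'Back Up My Data' on the phone screen.")
    return subprocess.run(cmd).returncode


if __name__ == "__main__":
    raise SystemExit(run_backup())
```

Run it from the directory where you want backup.ab to land; the confirmation still has to be tapped on the handset, exactly as in step 5.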

Play around with ADB on a test device. It’s powerful and can accomplish a lot for you. We will cover some of the capabilities in Section 2, but it’s a good idea to test it yourself.

References:

[1] Heather Mahalik, Rohit Tamma, and Satish Bommisetty, Practical Mobile Forensics, Second Edition (Birmingham, UK: Packt, 2016).

[2] https://for585.com/cmdadb (adb backup commands explained)

[3] https://for585.com/behavior (Android 12 behavior changes)

In the screenshot in the middle, we have an Android that has full disk encryption enabled. Because of this, the option to “Back Up My Data” is grayed out until a password is entered. REMEMBER the password you use if you are faced with this dilemma. After the backup is complete and you attempt to load the image into a forensic tool, it will either fail or prompt you for the password. When a tool fails, it is because it cannot handle parsing an encrypted file. Make sure you know what your tools are doing!
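Whether a backup.ab will load or fail in a tool can be settled before the tool is opened, because an adb backup starts with a four-line plain-text header: the magic string, the format version, a compression flag and the encryption mode ("none" or "AES-256"). The following is an added example, not course material or a forensic tool's own code: it reads that header, refuses to go further on an encrypted file so the analyst knows a password is needed, and for an unencrypted file unpacks the zlib-compressed tar and lists its entries. The sample backups are constructed in the script (the "AES-256" sample only mimics the header, its payload is not actually encrypted); the app name and file paths inside them are made up.

```python
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"


def inspect_ab_header(data: bytes) -> dict:
    """Parse the text header at the start of an adb backup (.ab) file.

    Four newline-terminated lines: magic, format version, compression flag
    ("1" = zlib-compressed tar) and encryption ("none" or "AES-256").
    Encrypted files carry the key-derivation parameters (salts, PBKDF2 round
    count, IV, wrapped master key) in the lines that follow; this function
    only reports that a password will be required.
    """
    stream = io.BytesIO(data)
    if stream.readline().rstrip(b"\n") != AB_MAGIC:
        raise ValueError("not an Android backup file: bad magic")
    version = int(stream.readline().strip())
    compressed = stream.readline().strip() == b"1"
    encryption = stream.readline().strip().decode("ascii")
    return {
        "version": version,
        "compressed": compressed,
        "encryption": encryption,
        "encrypted": encryption != "none",
        "payload_offset": stream.tell(),  # where the (compressed) tar begins
    }


def ab_to_tar(data: bytes) -> bytes:
    """Return the tar archive inside an unencrypted .ab file."""
    info = inspect_ab_header(data)
    if info["encrypted"]:
        raise ValueError(f"backup is {info['encryption']} encrypted; "
                         "the backup password is needed before it can be parsed")
    payload = data[info["payload_offset"]:]
    return zlib.decompress(payload) if info["compressed"] else payload


def list_backup_files(data: bytes) -> list:
    """Names of the entries in an unencrypted backup, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data)), mode="r:") as tar:
        return tar.getnames()


def make_sample_ab(encryption: str = "none") -> bytes:
    """Constructed sample .ab with a two-entry tar, for demonstration only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, body in [("apps/com.example.app/_manifest", b"1\ncom.example.app\n"),
                           ("shared/0/Download/note.txt", b"hello\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    header = b"ANDROID BACKUP\n5\n1\n" + encryption.encode("ascii") + b"\n"
    return header + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    for sample in (make_sample_ab(), make_sample_ab("AES-256")):
        info = inspect_ab_header(sample)
        print("version", info["version"], "compressed", info["compressed"],
              "encryption", info["encryption"])
        if info["encrypted"]:
            print("  password required before any tool can parse this file")
        else:
            print("  entries:", list_backup_files(sample))
```

Run the same `inspect_ab_header` over the first few hundred bytes of a real backup.ab before loading it into a parser: if the fourth line reads AES-256, a tool that "just fails" is failing on the encryption, not on the data, and the password you set on the phone is what it needs.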

Additionally, this slide shows the interaction required between an Android device and the forensic tool. Make sure you pay attention, so you don’t miss the option to back up the data and have to keep starting from the beginning. It can be a frustrating situation when this occurs.