The Android Debug Bridge (ADB) can be used to communicate with the device. ADB requires that USB Debugging be enabled to pull data from the device. For rooted devices, the /Data Partition can be pulled through ADB.¹ Commercial tools even rely on ADB when their traditional acquisition methods fail. For example, Cellebrite UFED Touch and UFED4PC have two options to acquire the devices physically; one is ADB Pull.²  ADB can be installed on your forensic workstation for free. We have already set everything up in VM so that you can run ADB commands from any location within your course SIFT workstation. Don’t forget that these options exist the next time your tools cannot acquire an Android. We will discuss more ADB options for accessing data from Androids later in this section.

In order to pull the /USERDATA partition or /data/data, you’ll need to have root access to the device. This will make more sense as you dive into the file systems if the concept isn’t something you are familiar with.

References:

[1] Mahalik, Tamma, and Bommisetty, Practical Mobile Forensics, Second Edition (Birmingham, UK: Packt, 2016).

[2] Tamma and Tindall, Learning Android Forensics (Birmingham, UK: Packt, 2015).