Users root their Android devices to gain full read/write access to the smartphone. Rooting the device allows the user to have superuser access, which means they have all rights to the smartphone [1]. It is rare to find a device already rooted in the wild today. If you are lucky enough to have a rooted Android device as part of your investigation, you should consider yourself extremely fortunate. You are going to be able to acquire that device with ease! You could pull the entire USERDATA partition for free via ADB.
If you aren’t sure whether the device is rooted, a forensic examination should provide you with clues. Applications are available for verifying rooted Android devices; however, this is not a forensically sound method. This method would require you to install an app on the user’s device, thus changing the USERDATA partition. Examples of these apps include Root Checker or Root Checker Basic [2]. The best way to determine root access to the Android is to perform forensic analysis on the device. This is covered in the analytical section. Root access can also be determined using ADB Shell to examine the Android.
To use ADB Shell, open a shell from the command line and check whether the prompt shows the root symbol (#). If it doesn't, run the "su" command and check the prompt again, as explained in the following steps.
Using an ADB Shell, examine the following:
1. Does the prompt show $? This means you are not a root user.
2. Type “su” or “sudo” into the prompt – what happens?
3. Does the prompt show #? This means you have root!
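The same check can be scripted so the result is recorded as text rather than read off the prompt. This is an added example, not part of the original material: the function names `classify_root` and `check_device` are hypothetical, and it assumes `adb` is on the examiner's PATH and that the device's `su`, if present, reads commands from standard input.

```shell
#!/bin/sh
# Added example: script the "$ vs #" prompt check by comparing the UID
# reported by `id` before and after `su`. A '#' prompt corresponds to uid=0.

# classify_root ID_OUTPUT SU_OUTPUT
#   ID_OUTPUT: output of `id` in the initial ADB shell
#   SU_OUTPUT: output of `id` run through `su` (empty or an error if su fails)
classify_root() {
    shell_id=$1
    su_id=$2
    case $shell_id in
        "uid=0("*) echo "root-shell"; return 0 ;;   # shell already shows '#'
    esac
    case $su_id in
        "uid=0("*) echo "root-via-su"; return 0 ;;  # '$' first, '#' after su
    esac
    # '$' prompt and su missing, denied, or not elevating
    echo "no-root-observed"
}

# check_device SERIAL
#   Runs the two probes against one attached device and prints a
#   tab-separated line suitable for pasting into examination notes.
check_device() {
    serial=$1
    # tr strips the carriage returns some adb versions append to each line.
    shell_id=$(adb -s "$serial" shell id 2>/dev/null | tr -d '\r')
    # Invoking su can raise a grant prompt on the handset and may be logged
    # by a root manager, so note the time this was run.
    su_id=$(adb -s "$serial" shell 'echo id | su' 2>/dev/null | tr -d '\r')
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$serial" \
        "$(classify_root "$shell_id" "$su_id")"
}

# Only touch a device when a serial number is passed on the command line.
if [ "$#" -ge 1 ]; then
    check_device "$1"
fi
```

A result of `no-root-observed` only means this probe did not obtain UID 0; the forensic analysis of the device remains the authoritative answer.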
References:
[1] https://for585.com/rooted (How to tell if your phone is rooted)
[2] https://for585.com/rootcheck (Play Store Root Checker)