The first step in connecting to an Android device is to validate the connection by running adb devices, which lists every device the adb server has detected along with the current state of each. The states you will normally see are:

  •  offline: adb has the device in its list, but the device is not connected to the adb server or is not responding.

  •  device: The device is connected to the adb server. Note that this state does not mean the Android system has fully booted, only that adb can talk to the adbd daemon on the handset.

  •  no device: No device is connected.

  •  unauthorized: USB debugging is enabled, but the handset has not yet accepted the workstation's RSA key. The "Allow USB debugging?" prompt must be accepted on the device's screen before any adb shell command will work.

dumpsys is a fantastic option when using ADB to obtain a glimpse of the state of every system service running on the Android device. Running adb shell dumpsys with no arguments dumps the state of all services at once (a very large amount of output that should be redirected to a file), while adb shell dumpsys <service> dumps a single service such as package, activity, or batterystats. Conducting a dumpsys extraction provides us with the opportunity to collect information about the apps and services that exist and are running on the device. A good place to start is to obtain a list of all services present, using adb shell dumpsys -l or adb shell service list, so we get a better understanding of what we may want to extract with dumpsys.1

Examiners can interact with a device directly when the forensic tools simply cannot provide the access required. This is also a quick way to triage a device. We recommend using ADB to interact with the Android device only if you are experienced, or as a last-ditch resort after your other acquisition methods have been exhausted: every shell command you run touches the device and can alter its state. Practice makes you stronger, so get a test device and give it a shot!

Here, we are running adb.exe shell pm list packages to view a list of the applications present on the Android device. Notice that both system and third-party applications are listed; pm list packages -s restricts the output to system packages, pm list packages -3 to third-party packages, and the -f flag adds the path of each package's APK, which is useful when you want to pull a specific app for analysis. This is being run right from my command line, as the ADB tools have been installed.

Reference:

[1] Mahalik, Tamma, and Bommisetty, Practical Mobile Forensics, Second Edition (Birmingham, UK: Packt, 2016).

Here, I ran adb devices to ensure my device was connected and seen by my workstation. Next, I ran adb.exe shell service list, and the output was provided. We can see that 193 services are running on this Android device. Once we know which services are running, we can elect to extract items of interest for further investigation. This process can be quite addicting, as the excavating never seems to end.
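The sequence described above (check the device state, then enumerate services and packages) can be scripted so that the state check gates everything else. The following POSIX shell script is an added example written for this page and is not part of the book's material. The sample adb devices, service list and pm list packages outputs embedded in it are constructed to match the formats those commands produce, not captured from a real handset, so the parsing functions can be exercised offline; the file names it writes (service_list_<serial>.txt and so on) are the script's own choice.

```shell
#!/bin/sh
# Added example: gate ADB triage on the device state reported by `adb devices`,
# then collect `service list`, `pm list packages -f` and a full `dumpsys`.

# Constructed sample outputs (not from a real device) in the real commands' formats.
SAMPLE_DEVICES='List of devices attached
ZX1G22ABCD	unauthorized
emulator-5554	device
'
SAMPLE_SERVICES='Found 3 services:
0	phone: [com.android.internal.telephony.ITelephony]
1	package: [android.content.pm.IPackageManager]
2	activity: [android.app.IActivityManager]
'
SAMPLE_PACKAGES='package:com.android.settings
package:com.example.thirdparty
package:/system/priv-app/Settings/Settings.apk=com.android.settings
'

# Print the adb state of serial $1 from `adb devices` output on stdin; "absent" if not listed.
device_state() {
  awk -v s="$1" 'NR > 1 && $1 == s { print $2; found = 1 }
                 END { if (!found) print "absent" }'
}

# Return 0 only when the device is in the "device" state; otherwise explain what to fix.
ready_for_triage() {
  st=$(device_state "$1")
  case "$st" in
    device)       return 0 ;;
    unauthorized) echo "$1: accept the USB debugging (RSA key) prompt on the handset, then retry" >&2 ;;
    offline)      echo "$1: adb lists the device but it is not responding; replug or run adb kill-server" >&2 ;;
    absent)       echo "$1: not listed; check cable, drivers and that USB debugging is enabled" >&2 ;;
    *)            echo "$1: unexpected state '$st'" >&2 ;;
  esac
  return 1
}

# `service list` prints "Found N services:" then one "index<TAB>name: [interface]" line each.
service_names() { awk 'NR > 1 && NF >= 2 { sub(/:$/, "", $2); print $2 }'; }
service_count() { awk 'NR > 1 && NF >= 2 { n++ } END { print n + 0 }'; }

# `pm list packages` prints "package:<name>"; with -f it prints "package:<apk path>=<name>".
# Splitting on ':' and '=' makes the package name the last field in both forms.
package_names() { awk -F'[:=]' 'NF > 1 { print $NF }'; }

# Live triage of serial $1: only runs once the state check passes. `tr -d '\r'`
# strips the CRLF line endings older Windows adb builds emit on shell output.
triage_live() {
  adb devices | ready_for_triage "$1" || return 1
  adb -s "$1" shell service list        | tr -d '\r' > "service_list_$1.txt"
  adb -s "$1" shell pm list packages -f | tr -d '\r' > "packages_$1.txt"
  adb -s "$1" shell dumpsys             | tr -d '\r' > "dumpsys_$1.txt"
  echo "$1: $(service_count < "service_list_$1.txt") services, \
$(package_names < "packages_$1.txt" | sort -u | wc -l | tr -d ' ') packages"
}

# Usage against a real handset: ./triage.sh --live <serial>
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
  triage_live "$2"
fi
```

Run the state check first every time: on the constructed sample, ZX1G22ABCD is reported as unauthorized and ready_for_triage refuses to continue until the prompt on the handset is accepted, while emulator-5554 passes. Each raw output is written to its own file before anything is parsed, so the unmodified command output is preserved alongside the derived lists.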