Connect: pair Android devices over USB or wireless debugging.
Collect: run forensic commands for files, logs, and app artifacts.
Analyze: review SQLite data and preserve evidence integrity.
Legal note
Only perform forensic analysis on devices you own or have explicit written authorization to examine. Always preserve evidence, maintain chain of custody, and follow legal requirements in your jurisdiction.
Part 1
Installation
Windows
1. Download Platform Tools from https://developer.android.com/tools/releases/platform-tools
2. Extract to C:\platform-tools\
3. Add C:\platform-tools\ to the system PATH and restart the terminal
4. Run adb version to verify
adb version
macOS
1. Install with Homebrew, or download the platform-tools ZIP manually and add it to your shell profile
2. For a manual install, add the platform-tools folder to PATH in ~/.zshrc or ~/.bash_profile (Homebrew already places adb on PATH)
brew install android-platform-tools
# manual install only
export PATH=$PATH:~/platform-tools
adb version
Linux (Ubuntu or Debian)
1. Install from apt, or use the manual platform-tools ZIP (the apt package can lag behind; a recent device may need a current adb)
2. Ensure platform-tools is in PATH and verify ADB
sudo apt update
sudo apt install adb
# manual install alternative
unzip platform-tools-latest-linux.zip
export PATH=$PATH:~/platform-tools
adb version
Part 2
Connecting Your Phone via ADB
Enable Developer options and USB debugging on the device, connect it over USB, and accept the RSA fingerprint prompt on the screen. Authorizing the workstation writes its public key to /data/misc/adb/adb_keys on the device, so record that this change was made. A device listed as "unauthorized" has not accepted the prompt; "offline" usually points to the cable or driver.
adb devices
List of devices attached
R5CW301XXXX device
Connecting Wirelessly
Android 10 and below (USB first; the device must already be authorized over USB)
adb tcpip 5555
adb connect 192.168.1.XXX:5555
adb devices
# run adb usb afterwards so the device does not keep listening on 5555 for the rest of the examination
Android 11+ Wireless Debugging (Developer options > Wireless debugging shows the pairing code, pairing port, and debugging port)
adb pair 192.168.1.XXX:PAIR_PORT
# Enter pairing code when prompted
adb connect 192.168.1.XXX:DEBUG_PORT
Part 3
ADB for Android Forensics
Device Identification and Enumeration
Document model, OS build, SDK level, serial details, and the full property dump before acquisition; these values change with updates, so capture them at the time of seizure.
# List connected devices with model and transport details
adb devices -l
# Model, manufacturer, Android version, API level
adb shell getprop ro.product.model
adb shell getprop ro.product.manufacturer
adb shell getprop ro.build.version.release
adb shell getprop ro.build.version.sdk
# Serial number. The IMEI call below returns a raw Parcel dump, its transaction code
# differs between Android versions, and it may be refused on Android 10+, which restrict device identifiers
adb shell getprop ro.serialno
adb shell service call iphonesubinfo 1
# Full property dump; redirect it to a file for the case record
adb shell getprop
Logical Data Acquisition
Pull user-accessible files, external storage, app folders, and optional device backups. Use adb pull -a so file timestamps and modes are preserved in the copy; without it every pulled file carries the time of acquisition instead of the device's mtime.
adb pull -a /sdcard/DCIM/ ./evidence/photos/
adb pull -a /sdcard/ ./evidence/sdcard/
adb pull -a /data/data/ ./evidence/appdata/ # root required
# adb backup is deprecated since Android 12, skips apps that set allowBackup="false",
# and must be confirmed on the device screen (optionally with a backup password)
adb backup -all -apk -shared -f full_backup.ab
# abe.jar is Android Backup Extractor; it converts the .ab container into a plain tar
java -jar abe.jar unpack full_backup.ab full_backup.tar
tar -xvf full_backup.tar
File System Browsing
Browse key directories, look for recent modifications, and search by artifact extension. Paths under /sdcard are readable by the shell user; /data/data needs root.
adb shell
adb shell ls -la /sdcard/
adb shell ls /data/data/ # root required
adb shell ls /system/
# files modified after the DCIM directory itself was last changed
adb shell find /sdcard -newer /sdcard/DCIM -type f
adb shell find /sdcard -name "*.jpg"
adb shell find /sdcard -name "*.db"
Extracting SQLite Databases
Extract messaging, contact, and browser SQLite databases, then query the local copies for timeline artifacts. Pull any -wal and -journal file that sits next to a database, since the most recent rows may exist only in the WAL. Work on copies and open them read-only; otherwise sqlite3 may create or consume a journal beside the evidence. Dates in these databases are milliseconds since the Unix epoch.
# WhatsApp's media tree holds only encrypted backup copies (msgstore.db.cryptNN);
# the live msgstore.db is under /data/data/com.whatsapp/databases/ and needs root
adb pull -a /sdcard/Android/media/com.whatsapp/WhatsApp/Databases/ ./evidence/whatsapp/
adb pull -a /data/data/com.android.providers.telephony/databases/mmssms.db ./evidence/ # root required
adb pull -a /data/data/com.android.chrome/app_chrome/Default/History ./evidence/ # root required
adb pull -a /data/data/com.android.providers.contacts/databases/contacts2.db ./evidence/ # root required
sqlite3 -readonly mmssms.db "SELECT address, datetime(date/1000,'unixepoch') AS date_utc, type, body FROM sms ORDER BY date;"
# phone numbers are stored in the data table (data1), not in raw_contacts; join through the mimetype
sqlite3 -readonly contacts2.db "SELECT r.display_name, d.data1 AS number FROM raw_contacts r JOIN data d ON d.raw_contact_id = r._id JOIN mimetypes m ON m._id = d.mimetype_id WHERE m.mimetype = 'vnd.android.cursor.item/phone_v2';"
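The queries above, carried through in Python as an added example (not code from the original page): the script opens local copies of mmssms.db and contacts2.db read-only (mode=ro plus immutable=1, so SQLite neither writes nor looks for a journal beside the evidence), resolves SMS addresses to contact names through the contacts provider's data and mimetypes tables, and prints a UTC timeline. The two databases are constructed here with a subset of the real provider schema and a few invented rows so the script runs offline; the table and column names are the real ones.

```python
"""Added example (not from the original page): query local copies of
mmssms.db and contacts2.db read-only, join SMS addresses to contact
names through the contacts provider's data/mimetypes tables, and return
a UTC timeline. The fixture databases are constructed here with a
subset of the real AOSP schema so the script runs offline."""
import os
import sqlite3
import tempfile
from contextlib import closing
from datetime import datetime, timezone
from pathlib import Path

PHONE_MIMETYPE = "vnd.android.cursor.item/phone_v2"
SMS_TYPE = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}


def ms_to_utc(ms):
    """Android stores these timestamps as milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def open_readonly(path):
    """mode=ro rejects writes; immutable=1 keeps SQLite from creating or
    expecting a -journal/-wal file next to the evidence copy."""
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return closing(sqlite3.connect(uri, uri=True))


def normalize(number):
    """Keep digits and a leading '+' so '+1 555-123-0001' matches '+15551230001'."""
    return "".join(ch for ch in number if ch.isdigit() or ch == "+")


def load_contacts(conn):
    """Phone numbers live in data.data1, not raw_contacts; select them by mimetype."""
    rows = conn.execute(
        """SELECT r.display_name, d.data1
             FROM raw_contacts r
             JOIN data d ON d.raw_contact_id = r._id
             JOIN mimetypes m ON m._id = d.mimetype_id
            WHERE m.mimetype = ?""", (PHONE_MIMETYPE,))
    return {normalize(number): name for name, number in rows}


def sms_timeline(sms_db, contacts_db):
    """Return [(utc_time, direction, contact_or_address, body)] ordered by date."""
    with open_readonly(contacts_db) as c:
        names = load_contacts(c)
    with open_readonly(sms_db) as s:
        rows = s.execute("SELECT address, body, date, type FROM sms ORDER BY date").fetchall()
    return [(ms_to_utc(date), SMS_TYPE.get(t, f"type{t}"), names.get(normalize(addr), addr), body)
            for addr, body, date, t in rows]


def write_rejected(db_path):
    """True when the read-only handle refuses a write, i.e. the copy cannot be altered."""
    with open_readonly(db_path) as conn:
        try:
            conn.execute("INSERT INTO sms (address, body, date, type) VALUES ('x', 'x', 0, 1)")
            return False
        except sqlite3.OperationalError:
            return True


def _create(path, script):
    with closing(sqlite3.connect(path)) as db:
        db.executescript(script)


def build_fixture(directory):
    """Constructed sample databases (schema subset of the real providers, invented rows)."""
    sms = os.path.join(directory, "mmssms.db")
    contacts = os.path.join(directory, "contacts2.db")
    _create(sms, """
        CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT, date INTEGER, type INTEGER);
        INSERT INTO sms VALUES (1, '+15551230001', 'Meet at 9?', 1700000000000, 1);
        INSERT INTO sms VALUES (2, '+15551230001', 'Yes, see you there', 1700000300000, 2);
        INSERT INTO sms VALUES (3, '+15559990000', 'Your code is 4821', 1700003600000, 1);""")
    _create(contacts, """
        CREATE TABLE mimetypes (_id INTEGER PRIMARY KEY, mimetype TEXT);
        CREATE TABLE raw_contacts (_id INTEGER PRIMARY KEY, display_name TEXT);
        CREATE TABLE data (_id INTEGER PRIMARY KEY, raw_contact_id INTEGER, mimetype_id INTEGER, data1 TEXT);
        INSERT INTO mimetypes VALUES (1, 'vnd.android.cursor.item/email_v2');
        INSERT INTO mimetypes VALUES (5, 'vnd.android.cursor.item/phone_v2');
        INSERT INTO raw_contacts VALUES (1, 'Alice Example');
        INSERT INTO data VALUES (1, 1, 5, '+1 555-123-0001');
        INSERT INTO data VALUES (2, 1, 1, 'alice@example.com');""")
    return sms, contacts


def demo():
    """Build the fixture, run the timeline, and confirm the copies were opened read-only."""
    with tempfile.TemporaryDirectory() as tmp:
        sms, contacts = build_fixture(tmp)
        return sms_timeline(sms, contacts), write_rejected(sms)


if __name__ == "__main__":
    events, readonly = demo()
    for when, direction, who, body in events:
        print(f"{when}  {direction:<6}  {who:<15}  {body}")
    print("read-only enforced:", readonly)
```

Point it at the pulled files instead of the fixture by calling sms_timeline("evidence/mmssms.db", "evidence/contacts2.db"); the lookup key is the normalized number, so formatting differences between the contacts entry and the SMS address do not break the join.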
Live Evidence Commands
Collect process, package, call, SMS, contact, and network evidence while the device remains active. These commands run as the shell user and need no root, but each one changes device state (new processes, new log entries), so record the order in which they were run.
adb shell ps -A
adb shell netstat
adb shell pm list packages
adb shell pm list packages -f
adb shell dumpsys package com.whatsapp
# content query prints one "Row: N column=value, ..." line per record; date columns are epoch milliseconds
adb shell content query --uri content://call_log/calls
adb shell content query --uri content://sms/inbox
# the legacy content://contacts authority is deprecated; query the current contacts provider instead
adb shell content query --uri content://com.android.contacts/data/phones --projection display_name:data1
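The "Row: N column=value, ..." output of the sms and call_log queries above is plain text, and the message body can itself contain commas, so a naive split corrupts records. The following added example (not code from the original page) parses that format, maps the provider's numeric type codes to names (call_log type 1 incoming, 2 outgoing, 3 missed; sms type 1 received, 2 sent), and merges both sources into one UTC timeline. The captured output it works on is constructed to match the provider format; the column names are the real ones.

```python
"""Added example (not from the original page): parse the text that
`adb shell content query` prints for the sms and call_log providers and
merge the records into one UTC timeline. The captured output below is
constructed to match the provider's `Row: N col=value, ...` format; the
column names (address, body, date, type, number, duration) are the real
provider columns."""
import re
from datetime import datetime, timezone

ROW_RE = re.compile(r"^Row: (\d+) (.*)$")
# Fields are separated by ", " but values (message bodies) may contain commas,
# so split only where a column name and '=' follow the comma. A body that
# itself contains ", word=" would still be cut; request body last with
# --projection and review such rows by hand.
FIELD_SPLIT = re.compile(r", (?=[A-Za-z_][A-Za-z0-9_]*=)")

CALL_TYPES = {1: "incoming", 2: "outgoing", 3: "missed", 4: "voicemail", 5: "rejected", 6: "blocked"}
SMS_TYPES = {1: "received", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}

# Constructed sample output, shaped like `content query --uri content://sms`
# and `content query --uri content://call_log/calls` would print.
SMS_OUTPUT = """\
Row: 0 _id=41, address=+15551230001, date=1700000000000, type=1, body=Meet at 9?
Row: 1 _id=42, address=+15551230001, date=1700000300000, type=2, body=Yes, see you there
Row: 2 _id=43, address=+15559990000, date=1700003600000, type=1, body=NULL
"""
CALLS_OUTPUT = """\
Row: 0 _id=7, number=+15551230001, date=1700000600000, duration=95, type=2
Row: 1 _id=8, number=+15557770000, date=1700001200000, duration=0, type=3
"""


def parse_rows(text):
    """Turn each 'Row: N ...' line into a dict; the literal NULL becomes None."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:  # "No result found." or unrelated noise
            continue
        fields = {}
        for field in FIELD_SPLIT.split(m.group(2)):
            key, _, value = field.partition("=")
            fields[key] = None if value == "NULL" else value
        records.append(fields)
    return records


def ms_to_utc(ms):
    """Provider dates are milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def timeline(sms_text, calls_text):
    """Merge SMS and call records into [(utc, kind, subtype, party, detail)] ordered by time."""
    events = []
    for r in parse_rows(sms_text):
        events.append((int(r["date"]), "sms", SMS_TYPES.get(int(r["type"]), r["type"]),
                       r["address"], r["body"] or ""))
    for r in parse_rows(calls_text):
        events.append((int(r["date"]), "call", CALL_TYPES.get(int(r["type"]), r["type"]),
                       r["number"], f"{int(r['duration'] or 0)}s"))
    events.sort(key=lambda e: e[0])
    return [(ms_to_utc(ts), *rest) for ts, *rest in events]


if __name__ == "__main__":
    for when, kind, subtype, party, detail in timeline(SMS_OUTPUT, CALLS_OUTPUT):
        print(f"{when}  {kind:<4} {subtype:<9} {party:<14} {detail}")
```

Feed it real captures by redirecting each content query to a file and passing the file contents in place of the constructed strings; an empty provider prints "No result found.", which parse_rows treats as zero records rather than an error.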
Screen and Activity Capture
Capture screenshots, brief video, and UI layout XML for interface-state evidence. screenrecord stops after 3 minutes by default (--time-limit lowers it; 3 minutes is also the maximum) and records a black frame for windows flagged secure. Each capture is written to the device's own storage first, so log those writes.
adb shell screencap -p /sdcard/screenshot.png
adb pull /sdcard/screenshot.png ./evidence/
adb shell screenrecord /sdcard/screen_record.mp4
adb pull /sdcard/screen_record.mp4 ./evidence/
adb shell uiautomator dump /sdcard/ui_dump.xml
adb pull /sdcard/ui_dump.xml ./evidence/
Logcat: System and App Logs
Capture real-time and buffered logs, then filter by tag, priority, or crash buffer. The log buffers are fixed-size ring buffers in memory and roll over quickly, so dump them early; -b all covers the main, system, radio, events, and crash buffers.
adb logcat > device_logs.txt
adb logcat -s ActivityManager
adb logcat *:E
adb logcat -b crash
adb logcat -d -b all > log_dump.txt
Physical Acquisition: Root Required
If root access is available, capture raw block images for deeper offline forensic analysis. Do not write the image to /sdcard: on most devices that directory lives on the userdata partition being imaged, so the copy would overwrite unallocated space in the evidence and may not even fit. Stream it to the workstation instead. A raw userdata image from a device with file-based or full-disk encryption (see ro.crypto.state below) is ciphertext without the keys; that is a limitation of this technique, not a mistake in the capture.
# list /dev/block/by-name/ as root to find the userdata partition rather than guessing a mmcblkNpM number
adb exec-out "su -c 'dd if=/dev/block/by-name/userdata bs=4096'" > ./evidence/userdata.img
Useful Forensic Utilities
Capture supporting context such as battery, Wi-Fi history, location state, configured accounts, and encryption status.
adb shell dumpsys battery
adb shell dumpsys batterystats
adb shell dumpsys wifi | grep "Recent"
adb shell dumpsys location
adb shell dumpsys account
# "encrypted" together with ro.crypto.type "file" (FBE) or "block" (FDE) tells you what a raw image will contain
adb shell getprop ro.crypto.state
adb shell getprop ro.crypto.type
adb shell which su
Part 4
Recommended Forensic Workflow
1. Document the device, current time and date, battery level, visible state, and connectivity.
2. Isolate the device with airplane mode or a Faraday bag where appropriate, before a remote wipe or sync can reach it.
3. Identify the device using getprop and the other enumeration commands.
4. Acquire files, databases, app artifacts, and logs methodically, volatile data (logcat, process list, network state) first.
5. Hash collected files for integrity and chain of custody. Treat SHA-256 as the integrity hash; MD5 is collision-prone and is worth recording only where a form or tool still requires it.
6. Analyze evidence using forensic suites, SQLite queries, and manual artifact review, working on copies.
7. Document every command, file path, hash value, and observation.
md5sum evidence/mmssms.db
sha256sum evidence/mmssms.db
Complementary Tools That Work Alongside ADB
| Tool | Purpose |
|---|---|
| Autopsy | Full forensic analysis of pulled disk images |
| Cellebrite UFED | Commercial mobile forensics suite |
| Oxygen Forensic Detective | App data and cloud extraction |
| Magnet AXIOM | Artifact parsing and timeline building |
| DB Browser for SQLite (sqlitebrowser) | GUI for viewing pulled .db files |
| Wireshark | Analyze network traffic alongside ADB |
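Workflow steps 5 and 7 above (hash every collected file, document every hash) are easier to get right as a manifest that can be re-verified later than as individual md5sum and sha256sum invocations. The following added example (not code from the original page) walks a pulled evidence directory, records SHA-256, MD5, size and mtime for each file in a JSON manifest, and re-verifies the directory against it, reporting changed, missing and unexpected files. The evidence files, case id and examiner string are constructed for the demo.

```python
"""Added example (not from the original page): build and later re-verify
an integrity manifest for a pulled evidence directory, covering workflow
steps 5 and 7. SHA-256 is the integrity hash; MD5 is recorded alongside
only because some chain-of-custody forms still ask for it. The evidence
files and the case/examiner values are constructed for the demo."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

MANIFEST_NAME = "manifest.json"


def hash_file(path):
    """Stream the file once and return (sha256_hex, md5_hex)."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            sha.update(chunk)
            md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()


def _relative_files(evidence_dir):
    """Yield evidence-relative paths in a stable order, skipping the manifest itself."""
    for root, _, files in os.walk(evidence_dir):
        for name in sorted(files):
            rel = os.path.relpath(os.path.join(root, name), evidence_dir).replace(os.sep, "/")
            if rel != MANIFEST_NAME:
                yield rel


def build_manifest(evidence_dir, case_id, examiner):
    """Hash every file and record size and mtime (adb pull -a keeps the device mtimes)."""
    files = {}
    for rel in _relative_files(evidence_dir):
        path = os.path.join(evidence_dir, rel)
        st = os.stat(path)
        sha, md5 = hash_file(path)
        files[rel] = {"sha256": sha, "md5": md5, "size": st.st_size,
                      "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat()}
    return {"case_id": case_id, "examiner": examiner,
            "created_utc": datetime.now(timezone.utc).isoformat(), "files": files}


def verify_manifest(evidence_dir, manifest):
    """Return [(relative_path, problem)]; an empty list means the set is intact."""
    problems = []
    for rel, rec in manifest["files"].items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.isfile(path):
            problems.append((rel, "missing"))
            continue
        sha, _ = hash_file(path)
        if sha != rec["sha256"]:
            problems.append((rel, "sha256 mismatch"))
    for rel in _relative_files(evidence_dir):
        if rel not in manifest["files"]:
            problems.append((rel, "not in manifest"))
    return problems


def demo():
    """Constructed evidence set: hash it, verify, tamper with one file, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = os.path.join(tmp, "evidence")
        os.makedirs(ev)
        with open(os.path.join(ev, "mmssms.db"), "wb") as f:
            f.write(b"SQLite format 3\x00" + b"\x00" * 64)  # constructed stand-in, 80 bytes
        with open(os.path.join(ev, "device_logs.txt"), "w") as f:
            f.write("11-14 22:13:20.001  1234  1234 I ActivityManager: Start proc com.example\n")
        manifest = build_manifest(ev, "CASE-0001", "examiner@example")
        with open(os.path.join(ev, MANIFEST_NAME), "w") as f:
            json.dump(manifest, f, indent=2)
        before = verify_manifest(ev, manifest)
        with open(os.path.join(ev, "device_logs.txt"), "a") as f:
            f.write("tampered\n")  # simulate post-acquisition modification
        after = verify_manifest(ev, manifest)
        return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("before:", before or "intact")
    print("after: ", after)
```

Run build_manifest on the evidence directory immediately after acquisition and store the manifest with the case notes; verify_manifest at every hand-off gives a concrete record for the chain of custody, and "not in manifest" catches files added after the fact.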