Android Acquisition

Acquiring Data from Android Devices

adb root
adb pull /data ./phone-data

This is a logical acquisition: it copies the contents of the mounted /data filesystem, as the kernel presents them, into a local folder named phone-data. adb root restarts adbd with root privileges; that only succeeds on emulator, userdebug or eng builds and on rooted devices running a modified adbd. On a production build it fails with "adbd cannot run as root in production builds", and adb pull /data then stops at the first directory the shell user is not allowed to read. Because the pull walks a live filesystem, hash the result and note the acquisition time; a second pull will not be byte-identical.

Analyze the Data

There are several tools available for analyzing Android data; one of them is ALEAPP (Android Logs Events And Protobuf Parser), which takes a directory, tar or zip of the data partition and produces an HTML report of the parsed artifacts.

Follow the instructions on the ALEAPP GitHub page to install ALEAPP.

ALEAPP

Select the phone-data folder as the data source in ALEAPP and set an output folder for the report.

Click Process to start the analysis.

Creating a raw image of the device

First find the block device that backs the user data partition. Listing /dev/block/ shows every device node but not which one is mounted where; the reliable check is the mount table, with the by-name symlinks as a cross-reference:

adb shell
ls -l /dev/block/
cat /proc/mounts | grep " /data "
ls -l /dev/block/by-name/

You want the device whose mount point is exactly /data. On recent devices this is usually a device-mapper node (dm-N) rather than the raw userdata partition, because /data is mounted through device-mapper (for example for metadata encryption). In my emulator it is dm-5. Also note the filesystem type in that line (ext4 or f2fs); it matters for the analysis step later.

Next, create a raw image of the partition:

# Inside adb shell
dd if=/dev/block/dm-5 of=/sdcard/userdata.img bs=4M
exit

Be aware of what this does to the evidence: /sdcard is emulated storage that normally lives on the user data partition itself, so the image is written into the partition being imaged. It needs free space equal to the partition size, and it modifies /data while /data is being copied. Streaming dd's output over adb (adb exec-out) straight to the host avoids both problems. Also, on a device using file-based encryption (the default since Android 10) the raw block image holds fscrypt-encrypted file names and contents; only the logical pull above gets the decrypted view.

Then pull the image to your local machine and verify the transfer:

# On your local machine
adb pull /sdcard/userdata.img ./userdata.img
adb shell sha256sum /sdcard/userdata.img
sha256sum ./userdata.img

The two hashes must match; keep the value with the case notes.
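As an added example, not code from the original page: a POSIX shell script that reads /proc/mounts from the phone to find the device behind /data and streams it with adb exec-out straight to the host, so nothing is written to the device being imaged. The function names and the RUN_ACQUISITION variable are my own; the script assumes adb is on PATH, adb root has already succeeded, and sha256sum exists on the host.

```shell
#!/bin/sh
# Added example (not from the page): raw-image the partition mounted at /data
# without staging the image on the device. Assumes adb is on PATH and
# `adb root` has already succeeded (emulator, userdebug build or rooted device).
set -e

# Read /proc/mounts text on stdin and print the device mounted at the given
# mount point (exact match, default /data). Exit status 1 if none matches.
find_blockdev_for() {
    awk -v mp="${1:-/data}" '
        $2 == mp { print $1; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Stream a block device from the phone to a local file and record its SHA-256.
# adb exec-out carries the remote stdout as raw bytes; adb shell goes through a
# pty and can mangle binary output. dd's status line goes to stderr on the
# device and is dropped so it cannot leak into the image.
acquire_blockdev() {
    dev="$1"
    out="$2"
    adb exec-out "dd if=$dev bs=4M 2>/dev/null" > "$out"
    sha256sum "$out" | awk '{ print $1 }' > "$out.sha256"
    # A remote `sha256sum $dev` only matches this value if the partition is
    # quiescent; /data on a running device is written to constantly.
    cat "$out.sha256"
}

# Full run: look up the device behind /data, then image it.
acquire_data_partition() {
    out="${1:-userdata.img}"
    dev=$(adb shell cat /proc/mounts | find_blockdev_for /data) ||
        { echo "no block device mounted at /data" >&2; return 1; }
    echo "imaging $dev -> $out" >&2
    acquire_blockdev "$dev" "$out"
}

# Only talk to a device when explicitly asked, so the functions above can be
# sourced or tested without adb present.
if [ "${RUN_ACQUISITION:-0}" = "1" ]; then
    acquire_data_partition "${1:-userdata.img}"
fi
```

Run it as RUN_ACQUISITION=1 sh acquire.sh userdata.img after adb root. The hash file it writes records what the host received; whether that equals the device's current on-disk state depends on how busy /data was during the read, which is why the emulator (paused, or restored from a snapshot) gives a far more reproducible image than a live handset.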

Analyzing the raw image

Download and install Autopsy.

Open Autopsy and create a new case. Add the userdata.img file as a data source.

Autopsy will process the image and allow you to analyze the file system, recover deleted files, and examine various artifacts. Two caveats: The Sleuth Kit, which Autopsy relies on for filesystem parsing, understands ext4 but not f2fs, so an f2fs user data partition (common on recent devices) only yields what file carving finds in the raw bytes; and on a device with file-based encryption, names and contents of files in encrypted directories appear as ciphertext in the image, so the logical phone-data pull is the place to look for readable content.

Autopsy