Follow

How can I collect physical images from Android devices with MPE+?

Created by: Brendan Bone
Created date:
Last Updated date:

Devices: Most Android devices
Type of Capture: Physical

Procedure:

  1. Install the ADB (Android Debug Bridge) driver for your phone. Most Android drivers can be installed via the "Driver Management" tab on MPE+'s Home screen.
  2. On the device itself, enable USB Debugging.
  3. On the device itself, enable app installations from Unknown Sources.
  4. On the device itself, disable App Verification.
  5. Connect the device with the proper cable.
  6. Unlock the device.
  7. Click the "Select Device" button on the Main toolbar in MPE+.
  8. Select the appropriate Manufacturer and Model, with "(Physical)" next to the model. If the device does not have its own "(Physical)" entry, you can perform a generic Android physical extraction by selecting "Android" and "Other (Physical)" in the Manufacturer and Model drop-downs, respectively.
  9. If prompted on the device itself, "Trust" the connection.
  10. If prompted on the device itself, grant SU/root permissions.
  11. Click "Connect" and proceed to acquire the data you want.

Notes:

  • When extracting physical images of Android devices, MPE+ will try to gain root access to the the device in order to perform the extraction. If it is unable to gain root access, extraction will fail. You will then need to find another method to gain root access and attempt extraction again.
  • When you have the proper ADB driver installed and the device is in Debugging mode, Device Manager will usually list an ADB Interface, Android Phone, or Android USB Device, and the device will not be seen as a mass storage device.
  • If an Android device isn't explicitly listed as supported, you can usually still perform the extraction by selecting "Android" in the Manufacturer drop-down and "Other (Physical)" in the Model drop-down.
  • MPE+ will name an Android device's physical images in the format [partition_name].[sector_size].[file_system] or [partition_name].[file_system]. Changing these file names may result in not being able to correctly read the images.
  • Due to manufacturers' ability to change where data is stored in Android, the Android Parser may not be able to automatically parse out all data types on all physical images.
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk