Saturday, September 7, 2019

Android Live data - Commands and Scripts for Linux and Windows


When handling mobile devices one usually starts with acquiring the logical content, then the file system and, ideally, a physical extraction of the device.
What is often overlooked is that, with access to the device, there is more data to get. This data is more or less volatile: parts of it (e.g. log files) can be lost when the device is shut down.

I decided to spend a bit of my weekend writing a script that automates collecting the most important information from the device and also creates a summary about the device, and along the way to get a deeper knowledge of the commands that exist on Android devices.

The script can be found on my github:
https://github.com/kalink0/useful_scripts/tree/master/android

The commands used are not complete, but they get out most of the information that is useful or necessary. The scripts are a work in progress; the more I learn and test, the more I can add and improve.

I will show and briefly explain the Android commands used. This is not a complete list or a complete description of the commands with all their options; for that, take a look into the corresponding manuals and command references.

For the adb commands a good source is, for example, the official developer guide from Google: https://developer.android.com/studio/command-line

The used commands

logcat

Logcat dumps the log of system messages, including stack traces. Logs from third-party apps can also be in there if these apps use the Log class for logging.
How long these logs are kept on the device, and whether they are deleted when the device is shut down, depends on the device.

Example:

adb shell logcat -d -b all (or just adb logcat -d -b all)

dumpsys

Dumpsys gives information about system services. Used without filtering, it outputs a whole bunch of data; one can also use it to output information about specific services only.
In my script I use both. First I dump information about all services into one file, and then I dump information about specific services into separate files. This way I can take a fast look at the services that interest me, but still have information about all services in case I need it.

Example:

adb shell dumpsys  (Dump information of all services)
adb shell dumpsys input (Dump information of service input)

getprop

Get device properties, for example the chipset, firmware, Android version, etc.

Example:

adb shell getprop  (Get all properties)
adb shell getprop ro.build.version.release (Get specific property - here Android version)

pm

PM stands for package manager. It handles the packages on the device, and you can use it to list the installed packages.

Example:

adb shell pm list packages

settings

Get the system settings from the device.

Example:

adb shell settings list secure

Linux commands

In addition to the Android-specific commands you can also use familiar Linux commands. Which commands are usable depends on the Android version and the permissions.

Example:

adb shell cat /proc/partitions (List all partitions - doesn't work on Android 9)
adb shell df -h (List mounted partitions and their current utilization)
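Putting the commands above together the way the post describes its scripts (one output file per command in a directory the user chooses, then a short summary in the terminal), as an added example that is not the script from the author's repository: it assumes adb is on the PATH (override with ADB=...) and that a single authorised device is connected; the dumpsys services and summary properties it picks are my own choice.

```shell
#!/bin/sh
# Added example (not the script from the post's repository): run the adb commands
# from this post, store each result in its own text file under DIR, then print a
# short device summary. Assumes adb on PATH (or ADB=/path/to/adb) and one device.
set -u
ADB="${ADB:-adb}"

# run_adb DIR NAME ARGS... : run one adb command, keep stdout+stderr in DIR/NAME.txt
run_adb() {
    dir="$1"; name="$2"; shift 2
    "$ADB" "$@" > "$dir/$name.txt" 2>&1 || echo "warning: 'adb $*' failed, see $name.txt" >&2
}

# collect_live_data DIR : most volatile data first (logcat), then everything else
collect_live_data() {
    dir="$1"
    mkdir -p "$dir"
    run_adb "$dir" logcat_all logcat -d -b all
    run_adb "$dir" dumpsys_all shell dumpsys
    for svc in input battery activity; do            # services dumped separately
        run_adb "$dir" "dumpsys_$svc" shell dumpsys "$svc"
    done
    run_adb "$dir" getprop shell getprop
    run_adb "$dir" packages shell pm list packages
    for ns in system secure global; do               # all three settings namespaces
        run_adb "$dir" "settings_$ns" shell settings list "$ns"
    done
    run_adb "$dir" df shell df -h
    date -u +"%Y-%m-%dT%H:%M:%SZ" > "$dir/acquired_utc.txt"   # host-side acquisition time
}

# device_summary DIR : built from the saved files only, so it can be regenerated
# offline; getprop prints lines like "[ro.build.version.release]: [9]"
device_summary() {
    dir="$1"
    for prop in ro.product.manufacturer ro.product.model ro.build.version.release ro.build.display.id; do
        val=$(sed -n "s/^\[$prop]: \[\(.*\)]$/\1/p" "$dir/getprop.txt")
        printf '%-28s %s\n' "$prop" "${val:-<not found>}"
    done
    printf '%-28s %s\n' "installed packages" "$(grep -c '^package:' "$dir/packages.txt")"
}

# Usage: ./android_live.sh /path/to/case/live  (runs only when a directory is given)
if [ "$#" -gt 0 ]; then
    collect_live_data "$1"
    device_summary "$1" | tee "$1/summary.txt"
fi
```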

The scripts

There are currently two scripts: one for Linux (bash) and one for Windows (PowerShell).


All the information is written into text files in a directory that the user will define at the beginning of the script.

Additionally a summary is shown in the terminal. An example is shown below.
Currently the following files are generated:

Conclusion

It is good to know the commands available on an Android device.
The scripts are just a starting point and not complete.

Future steps

Testing and improving - I've tested the script with two devices, but much more testing is required. And with testing there always comes improvement.

I also want to change the structure so that all adb commands are in a single file and the Linux and Windows scripts just reference this file, so I don't have to maintain the adb commands in two places.

Get more insight into the running architecture of Android - At the beginning of my work in the field of Android device extraction and decoding I was told to image the device and then I would have everything I could get. Now I know that this is not true. There is more I need to know.