# Android Data Acquisition Guide

**Methods:** 12 | **Generated:** 2026-03-07

---

## Physical Acquisition

### Chip-Off Physical Extraction

Physically remove the NAND/eMMC flash memory chip from the device PCB and read it directly using a chip reader. Provides a complete raw image including deleted data.

**Tools:** Hot air rework station, eMMC/UFS chip reader, BGA reballing kit

**Prerequisites:**
- Specialized chip-off equipment and trained personnel
- Device schematic or board layout for chip identification
- Understanding that modern FBE encryption limits usefulness

**Steps:**
1. Document and photograph the device before disassembly.
2. Carefully disassemble the device to access the PCB.
3. Identify the NAND/eMMC/UFS flash chip.
4. Desolder the chip using a hot air rework station.
5. Clean the chip contacts and seat in appropriate chip reader.
6. Read the chip contents using the reader software.
7. Verify the read with multiple passes and hash comparison.
8. Attempt to decrypt and parse the raw image.

**Pros:** Accesses all data including deleted content and wear-leveled blocks | Works on damaged or non-booting devices | Bypasses software-level locks and protections
**Cons:** Destructive process -- chip removal is irreversible | Requires specialized equipment and highly skilled personnel | Storage encryption (FDE or FBE) means the raw data may be unreadable | Risk of chip damage during removal
**Notes:** Chip-off is a last-resort method typically used on damaged devices or when all other methods fail. With modern Android file-based encryption (FBE), raw chip reads produce encrypted data unless the encryption keys can be recovered.

### JTAG Physical Extraction

Use the JTAG (Joint Test Action Group) debug interface on the device PCB to read flash memory without removing chips. Less destructive than chip-off.

**Tools:** JTAG adapter (Riff Box, EASY-JTAG, Medusa Pro), Soldering equipment

**Prerequisites:**
- JTAG adapter and soldering equipment
- JTAG pinout documentation for the target device
- Micro-soldering skills

**Steps:**
1. Identify JTAG test points on the device PCB.
2. Solder fine wires to the JTAG TAP (Test Access Port) test points.
3. Connect the JTAG adapter to the soldered points.
4. Configure the JTAG software for the specific chipset.
5. Read the flash memory through the JTAG interface.
6. Verify the dump with hash values.
7. Remove solder connections and reassemble if needed.

**Pros:** Less destructive than chip-off -- device can potentially be reassembled | Reads raw flash content including deleted data | Works on devices that do not boot to OS
**Cons:** Requires identifying and soldering to tiny test points | Not all devices have accessible JTAG interfaces | Slow read speeds compared to chip-off | Encrypted data remains encrypted
**Notes:** JTAG is preferred over chip-off when the device needs to remain functional or when chip removal is too risky. Many modern devices disable JTAG in production, making ISP a better alternative.

### ISP (In-System Programming) Extraction

Read flash memory by connecting directly to the eMMC/UFS chip data lines on the PCB without removing the chip. Also known as in-situ chip reading.

**Tools:** ISP adapter (EASY-JTAG, Medusa Pro), Soldering equipment

**Prerequisites:**
- ISP-capable adapter
- PCB documentation or ISP point identification guides
- Micro-soldering skills

**Steps:**
1. Identify ISP connection points on the device PCB (CMD, CLK, DAT0, VCC, GND).
2. Solder fine wires to the ISP points.
3. Connect the ISP adapter.
4. Configure the software for the specific eMMC/UFS chip.
5. Read the flash memory contents.
6. Verify hash integrity.

**Pros:** Non-destructive -- chip stays on the board | Faster than JTAG for flash reading | Works on devices with disabled JTAG | Device can be reassembled after extraction
**Cons:** Requires precise soldering to tiny pads | Not all PCB layouts expose ISP points | Encrypted data remains encrypted
**Notes:** ISP has largely replaced JTAG as the preferred hardware-level extraction method. EASY-JTAG Plus and Medusa Pro are the most widely used ISP adapters in mobile forensics.

### EDL (Emergency Download) Mode Extraction

Exploit Qualcomm Emergency Download (EDL/9008) mode to read flash memory on Qualcomm-based Android devices. EDL mode provides low-level access bypassing the Android OS.

**Tools:** Qualcomm EDL tools, EASY-JTAG, Cellebrite UFED

**Prerequisites:**
- Qualcomm-based Android device
- Appropriate firehose programmer for the chipset
- EDL-capable extraction tool

**Steps:**
1. Put the device into EDL mode (hardware button combination or ADB command).
2. The device appears as Qualcomm HS-USB QDLoader 9008 on the computer.
3. Load the appropriate programmer/firehose for the specific chipset.
4. Use the EDL tool to read all flash partitions.
5. Extract the userdata partition for forensic analysis.
6. Hash and verify all extracted partitions.

**Pros:** Bypasses Android OS and screen lock | Can access data on non-booting Qualcomm devices | Reads raw partition data including deleted content (if not encrypted)
**Cons:** Only works on Qualcomm chipset devices | Requires chipset-specific programmer/firehose files | FBE encryption means data partitions are encrypted | Newer devices have signed programmers limiting third-party access
**Notes:** EDL mode is Qualcomm-specific. MediaTek devices have a similar mode (MTK BROM/preloader). Samsung uses its own Odin/Download mode. Check the chipset before attempting this method.

## Logical Acquisition

### ADB Logical Extraction

Use Android Debug Bridge (ADB) to extract accessible data from an Android device including app data (via backup), file listings, and system information.

**Tools:** ADB (Android Debug Bridge)

**Prerequisites:**
- USB Debugging enabled on the device
- Device unlocked (screen lock) or ADB already authorized
- ADB installed on the forensic workstation

**Steps:**
1. Enable USB Debugging on the device (Settings > Developer Options).
2. Connect the device via USB and authorize the computer.
3. Pull accessible files: `adb pull /sdcard/ /evidence/sdcard/`
4. Create a backup: `adb backup -all -f /evidence/backup.ab`
5. Extract system info: `adb shell dumpsys > /evidence/dumpsys.txt`
6. List installed packages: `adb shell pm list packages -f > /evidence/packages.txt`
7. Extract logcat: `adb logcat -d > /evidence/logcat.txt`

**Pros:** Free tool included in Android SDK | Non-destructive and relatively simple | Access to SD card contents, app data (if backup allowed), and system info | Works on any Android version with USB Debugging enabled
**Cons:** Requires USB Debugging to be enabled (may require device unlock) | adb backup is deprecated and many apps opt out of backup | Limited to user-accessible data without root | Cannot access app internal storage of non-backed-up apps
**Notes:** ADB backup has been deprecated since Android 12, and many apps set allowBackup=false. For more complete extraction, consider commercial tools or root-based methods. Always document which data was and was not accessible.
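A small offline inspector for the `.ab` archive that step 4 produces, added here as an example and not part of the original guide: it reads the text header (magic line, version, compression flag, encryption line), refuses to go further on an encrypted backup, and lists the tar entries of an unencrypted one. The sample archive is constructed in memory and the package name in it is made up.

```python
# Inspect an `adb backup` archive (.ab) offline. Added example, not part of the
# guide; the header layout (magic line, version, compression flag, encryption
# line, then a zlib-wrapped tar stream) is the documented adb backup format.
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data: bytes) -> dict:
    """Split the text header from the payload; rejects non-.ab input."""
    parts = data.split(b"\n", 4)  # magic, version, compressed, encryption, rest
    if len(parts) < 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup file")
    hdr = {"version": int(parts[1]), "compressed": parts[2] == b"1",
           "encryption": parts[3].decode("ascii")}
    rest = parts[4]
    if hdr["encryption"] != "none":
        # Five more lines: user salt, checksum salt, PBKDF2 rounds, IV, key blob.
        rest = rest.split(b"\n", 5)[5]
    hdr["payload"] = rest
    return hdr


def list_backup_entries(data: bytes) -> list:
    """Return tar member names; refuse an encrypted archive instead of guessing."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        raise ValueError("backup is %s encrypted; password needed first" % hdr["encryption"])
    payload = zlib.decompress(hdr["payload"]) if hdr["compressed"] else hdr["payload"]
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        return [m.name for m in tar.getmembers()]


def build_sample_ab(compressed=True, encryption="none") -> bytes:
    """Constructed sample laid out like a real .ab; not taken from any device."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, body in [("apps/com.example.app/_manifest", b"0\n"),
                           ("apps/com.example.app/db/notes.db", b"SQLite format 3\x00")]:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    payload = zlib.compress(buf.getvalue()) if compressed else buf.getvalue()
    header = b"%s\n5\n%d\n%s\n" % (MAGIC, int(compressed), encryption.encode("ascii"))
    if encryption != "none":
        header += b"00\n00\n10000\n00\n00\n"  # placeholder salt/IV/key blob lines
    return header + payload
```

Point `parse_ab_header` at the bytes of a real `backup.ab` to learn, before running MVT or a parser over it, whether the backup was password-protected when it was taken.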

### Root Filesystem Extraction

With root access on the Android device, extract the full filesystem including app internal data, system partitions, and databases.

**Tools:** ADB, Root access (Magisk/SuperSU)

**Prerequisites:**
- Root access on the device
- ADB connection established
- Understanding of Android partition layout

**Steps:**
1. Ensure the device is rooted (Magisk, SuperSU, or exploit-based).
2. Connect via ADB with USB Debugging enabled.
3. Use `adb shell` with `su` to obtain a root shell.
4. Copy the full data partition (use `adb exec-out`, which passes raw bytes through unchanged): `adb exec-out "su -c 'dd if=/dev/block/dm-0 bs=4M'" > /evidence/data.dd`
5. Alternatively, use tar: `adb exec-out "su -c 'tar czf - /data/'" > /evidence/data.tar.gz`
6. Extract specific databases: `adb exec-out "su -c 'cat /data/data/com.app/databases/db.sqlite'" > /evidence/app.db`
7. Hash all extracted files.

**Pros:** Access to all data including app-internal storage | Can create partition images for comprehensive analysis | Access to system databases (contacts, SMS, call logs)
**Cons:** Rooting modifies the device and may void warranties | Rooting process could trigger factory reset on some devices | Root exploits may not be available for all device/OS combinations | May be challenged legally as modifying evidence
**Notes:** Rooting should only be done on a forensic copy if possible, or with full documentation of the process. Some commercial tools (Cellebrite, MSAB) include built-in rooting for supported devices. SQLite databases copied individually should be accompanied by their -wal and -shm sidecar files, or transactions not yet checkpointed into the main file will be missing from the copy.
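Step 6 copies a single SQLite file, but a database in WAL mode keeps commits since the last checkpoint in a `-wal` sidecar next to it. The following is an added example, not code from the guide: it classifies a copied database by its header, reports missing `-wal`/`-shm`/`-journal` sidecars, and shows that a bare copy of a WAL-mode database loses uncheckpointed rows. The database is constructed in a temporary directory and `messages` is a made-up table.

```python
# Check whether a SQLite database pulled from /data/data is complete. Added example,
# not part of the guide. Header byte 18 (the "write version") is 2 in WAL mode, so
# commits since the last checkpoint exist only in the -wal sidecar; a bare copy loses them.
import os
import shutil
import sqlite3
import tempfile


def sqlite_journal_mode(path: str) -> str:
    """Classify a file by its header: 'wal', 'legacy' or 'not-sqlite'."""
    with open(path, "rb") as fh:
        header = fh.read(100)
    if not header.startswith(b"SQLite format 3\x00"):
        return "not-sqlite"
    return "wal" if header[18] == 2 else "legacy"

def check_pulled_db(path: str) -> dict:
    """Flag a WAL-mode database that arrived without its -wal sidecar."""
    mode = sqlite_journal_mode(path)
    sidecars = {s: os.path.exists(path + s) for s in ("-wal", "-shm", "-journal")}
    complete = mode == "legacy" or (mode == "wal" and sidecars["-wal"])
    return {"mode": mode, "sidecars": sidecars, "complete": complete}

def count_rows(path: str) -> int:
    """Rows in the messages table, or 0 when the schema is not visible."""
    con = sqlite3.connect(path)
    try:
        return con.execute("SELECT count(*) FROM messages").fetchone()[0]
    except sqlite3.OperationalError:
        return 0
    finally:
        con.close()

def demo() -> dict:
    """Constructed sample: a WAL-mode database with an uncheckpointed insert."""
    with tempfile.TemporaryDirectory() as evidence:
        src = os.path.join(evidence, "db.sqlite")
        con = sqlite3.connect(src)  # left open so nothing gets checkpointed
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("INSERT INTO messages (body) VALUES ('still only in the WAL')")
        con.commit()
        # Emulate `su -c cat db.sqlite`: only the main file reaches the evidence dir.
        pulled = os.path.join(evidence, "pulled.db")
        shutil.copyfile(src, pulled)
        result = {"source": check_pulled_db(src), "pulled": check_pulled_db(pulled),
                  "rows_in_pulled": count_rows(pulled), "rows_in_source": count_rows(src)}
        con.close()
        return result
```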

### Cellebrite UFED Extraction

Cellebrite UFED is the industry-leading commercial mobile forensic tool supporting logical, filesystem, and physical extractions for thousands of Android device models.

**Tools:** Cellebrite UFED, Cellebrite Physical Analyzer

**Prerequisites:**
- Cellebrite UFED license and hardware
- Updated device support packages
- Physical access to the device

**Steps:**
1. Connect the device to UFED Touch/4PC.
2. Select the device make and model.
3. Choose extraction type: logical, filesystem, or physical (based on support matrix).
4. Follow on-screen instructions (may require enabling USB Debugging, bootloader exploit, etc.).
5. Wait for extraction to complete.
6. Analyze the extraction using Cellebrite Physical Analyzer or AXIOM.

**Pros:** Broadest device support in the industry | Automated exploitation and rooting for supported devices | Integrated parsing and analysis workflow | Regular updates for new device and OS support
**Cons:** Very expensive commercial license | Extraction capabilities vary significantly by device model | Black-box exploitation raises reproducibility concerns
**Notes:** Cellebrite is the most widely used mobile forensic platform globally. Always check the Cellebrite support matrix for your specific device model and OS version before attempting extraction.

### MSAB XRY Extraction

MSAB XRY is a commercial mobile forensic tool that supports logical and physical extractions from Android devices with integrated analysis capabilities.

**Tools:** MSAB XRY, XAMN (analysis)

**Prerequisites:**
- MSAB XRY license and hardware
- Physical access to the device

**Steps:**
1. Connect the device to the XRY hardware.
2. Select the device model in XRY software.
3. Choose extraction type based on supported methods.
4. Follow the guided extraction workflow.
5. Wait for extraction to complete.
6. Analyze with XAMN or export for third-party tools.

**Pros:** Strong extraction capabilities especially for Samsung devices | Integrated analysis with XAMN | Good customer support and regular updates
**Cons:** Expensive commercial license | Smaller device support matrix than Cellebrite
**Notes:** XRY is particularly strong with Samsung devices due to close partnership with Samsung for forensic access methods.

### Oxygen Forensic Detective Extraction

Oxygen Forensic Detective provides mobile device extraction with strong cloud data acquisition capabilities, supporting logical and physical Android extractions.

**Tools:** Oxygen Forensic Detective

**Prerequisites:**
- Oxygen Forensic Detective license
- Physical access to the device

**Steps:**
1. Connect the Android device to the forensic workstation.
2. Select the device in Oxygen Forensic Detective.
3. Choose extraction method (logical, agent, or physical where supported).
4. Follow the extraction workflow.
5. Optionally perform cloud extraction for associated accounts.
6. Analyze data within Oxygen or export.

**Pros:** Strong cloud data extraction alongside device data | Supports agent-based extraction for deeper access | Unified analysis of device and cloud data
**Cons:** Commercial license required | Physical extraction support more limited than Cellebrite
**Notes:** Oxygen excels at combining device and cloud data into a unified analysis. Its cloud extraction capabilities are among the best in the industry.

## Cloud Acquisition

### Google Account Cloud Acquisition

Acquire data synced to Google services including Gmail, Drive, Photos, Location History, Chrome data, and device backups through Google Account access or Takeout.

**Tools:** Google Takeout, Elcomsoft Cloud Explorer, Legal Process

**Prerequisites:**
- Google Account credentials with 2FA access, OR
- Valid legal process for law enforcement, OR
- User consent for internal investigations

**Steps:**
1. Determine which Google services contain relevant data.
2. For consent-based: use Google Takeout (takeout.google.com) to export all account data.
3. For law enforcement: submit legal process to Google Legal Investigations Support.
4. For tool-based: use Elcomsoft Cloud Explorer with account credentials.
5. Download and organize the exported data.
6. Parse Google Takeout archives using forensic tools.

**Pros:** Accesses vast amounts of synced data without device access | Location History provides detailed movement tracking | Google Takeout exports all associated data in organized format | Includes data from all devices signed into the account
**Cons:** Two-factor authentication complicates third-party tool access | Google Takeout may not include all data categories | Legal process can take weeks for law enforcement requests | User can delete data before preservation
**Notes:** Issue a preservation request to Google immediately if litigation is anticipated. Google Takeout is the fastest path for consent-based investigations and can be initiated by the account holder.

## Triage Acquisition

### MVT (Mobile Verification Toolkit)

Amnesty International's MVT checks Android devices and ADB backups for indicators of compromise from known mobile spyware like Pegasus.

**Tools:** MVT

**Prerequisites:**
- Python environment with MVT installed
- ADB access to the device or existing backup

**Steps:**
1. Install MVT: `pip install mvt`
2. For ADB backup analysis: `mvt-android check-backup --output /evidence/results backup.ab`
3. For live device: `mvt-android check-adb --output /evidence/results`
4. Review the generated reports for indicators of compromise.
5. Cross-reference findings with known spyware indicator lists.

**Pros:** Free and open-source | Specifically designed to detect mobile spyware | Maintained by Amnesty International Security Lab | Supports both Android and iOS
**Cons:** Focused on spyware detection, not general forensics | Limited to known indicators -- cannot detect unknown threats | Requires ADB backup or direct ADB access
**Notes:** MVT is essential for investigations involving potential state-sponsored surveillance. Update indicator lists regularly from the Amnesty International repository.

### AndroidQF (Android Quick Forensics)

AndroidQF is a portable tool for quick forensic acquisition of Android devices via ADB, collecting packages, services, settings, and filesystem data.

**Tools:** AndroidQF

**Prerequisites:**
- USB Debugging enabled on the device
- AndroidQF binary for the examiner platform

**Steps:**
1. Download AndroidQF for your platform.
2. Enable USB Debugging on the target device.
3. Connect the device and run AndroidQF.
4. AndroidQF automatically collects: installed packages, running services, device settings, dumpsys output, and accessible files.
5. Output is stored in a structured ZIP archive.
6. Analyze with MVT or manual review.

**Pros:** Free and open-source | Automated collection with minimal interaction | Structured output compatible with MVT | Cross-platform (Windows, macOS, Linux)
**Cons:** Requires USB Debugging enabled | Limited to ADB-accessible data | Does not perform deep extraction
**Notes:** AndroidQF is designed as a companion tool for MVT. Use it for rapid triage collection followed by MVT analysis for spyware indicators.

---
*Generated by DFIR Assist*