Welcome back everyone. Today I wanted to talk about acquiring an Android phone on a Windows system. In a prior video I talked about acquiring an Android phone on Linux, and it's a little bit different. The process is basically the same, but some of the commands are a bit different. So I thought I would go over how to acquire an Android phone on Windows. The first thing we need for acquiring the phone is the Android Studio SDK. So basically go to this website, and I'll put a link below the video. Go to the website, go to SDK Platform Tools for Windows and download this. You'll get a zip folder. Extract that zip folder; I've just extracted it to the desktop. If you're actually doing this on your forensic workstation, extract it into some location you'll keep and add it to your path. I'm not going to add this to my path right now, but if I was doing this on a real workstation, I would be adding it to my path. Once we get the SDK and the Android Debug Bridge, ADB, we look inside the platform-tools folder and we have this adb.exe file. The next thing we need on Windows: Windows does not have netcat built in, and one of the tools I was using for Linux was netcat. So I am going to download and install ncat from nmap.org, which is basically a netcat replacement. It works almost exactly the same; it has a few more features, but I'm going to be using ncat. So download ncat from nmap.org. You can download a zip file from here. Whenever you download that zip file and open it up, it's just ncat and a readme file. I copied the ncat executable into the same folder as ADB, the Android SDK. The reason I did that is because it just makes it easier to type: if everything is in one folder, then I can just type the command names instead of the full paths. Again, I have not added any of these to the path in Windows, so I'm just going to do that.
Then the next thing we need to do is get the full location of where the tools are, if it's not in your path, and open up a terminal or a command line. I'm just going to use the standard command line from Windows, cmd, and you get this black command line window. I already have one opened up. Right now I'm in Users\test, so I'm going to cd (change directory), paste in the location where my tools are located and hit enter. Now I'm inside Users\test\Desktop\platform-tools. If I do dir, then we can see that I have ncat, which is good, and adb. Once I'm in that directory and I know that the tools are there, I want to test if I can actually run the tools. Let me expand this a bit. I want to run adb.exe -h, and that should show me a help menu if it runs. Okay, that's the help menu. Next I want to try ncat -h, and that should show me a help menu. I got the help menu on both of them, so that means my applications can run. Now let me check here. I've already connected the Samsung Android phone to this Windows forensic workstation. What I need to do now is run adb.exe devices, and we want to get a list of the Android devices connected to this system. Okay, so ADB wasn't running, so it's now connecting, started successfully, and it shows as unauthorized. If I check the phone, the phone is now asking me if I want to authorize this connection, once I unlock it. It's asking me if I want to authorize this connection, so I say OK on the phone. Once I've authorized the device, I had to disconnect it and reconnect it, and then it's detected. The reason it wasn't showing up properly is basically because I'm running it in VirtualBox, a virtual system. On my main system, there's no problem. So now, instead of unauthorized, I have the device itself.
What I would normally do now is send the software, the APKs for rooting the device and for BusyBox, to the phone and install them on the phone. If I had the APKs downloaded, I would run adb -d install KingoRoot.apk. You can just download this APK; I'll give the link below as well. Then once that's installed, I would run adb -d install busybox.apk. That would send both of these applications to the phone and install them. Then on the phone, I first need to run KingoRoot and root the device, get root access to the device. Once the phone is rooted, I need to run the BusyBox application and install the BusyBox utilities into the system. So even if the applications are installed on the phone, I still have to run them to root the device and install the extra utilities. I'm not going to do that now. If you want to see how to do that, see the video about acquiring an image from an Android, sorry, from a Linux computer. I'll put a link to that as well. It's exactly the same process; it's just running the applications on the phone, very, very straightforward. Okay, so this phone is already rooted and I already have BusyBox and the utilities installed on the phone. I'm going to do adb -d shell and I'm going to get shell access to the device itself. Okay, enter. We can see that the command prompt has changed, right? I have shell@ basically the phone name. I want to test if I have root access already, so I'm going to do ls /data, and I should not be able to access this directory if I'm not root. It says permission denied. Okay, that's exactly what we expect; that's what we want to see. Next, I'm going to do su to switch user and get root privileges, hopefully. You see that my username changed from shell to root. That's what we want to see. So, ls /data.
If I'm root, I should get access to all of the directories inside /data. If I see that directory listing, then I have root access and everything is looking good. The next thing I need to do on the phone is cat /proc/partitions. /proc/partitions is a file that has a list of the disks and partitions in the system, and cat just reads that file. Once we do that, we see all of the disks and partitions that are available. Everything with a "p" in the name is probably a partition, and this mmcblk0 is most likely the physical disk. So I want to remember, write down, mmcblk0. Now that we know we have root access to the phone, and we know which physical disk we want to image, or the physical disk name, I'm going to open up another command line. I need to cd Desktop, what was it called, platform-tools. So I'm going back into platform-tools. Now this top command line is the phone; I'm accessing the phone. This bottom command line is my local forensic workstation, the Windows workstation, and I have all of the tools in here. I'm in the platform-tools folder and ncat.exe and adb are in there. From the local forensic workstation, I want to run adb forward tcp:8888 tcp:8888. What this is doing is telling ADB to forward any traffic on TCP port 8888 to and from the phone on port 8888. So the phone and the computer have a connection, and any traffic that goes on 8888 gets forwarded over. I've sent that command, so now all of the traffic on 8888 is being forwarded between the computer and the phone. Then, on the phone, I need to set up a listening connection so that I can listen on port 8888.
So we want to do dd if=/dev/block/mmcblk0 | busybox nc -l -p 8888. What this basically says is: nc is netcat, so netcat, listen on port 8888, and whenever a connection comes in on that port, read mmcblk0, this disk, and send all of the data through it. So whenever a connection is made to port 8888 on the phone, send the whole hard disk to whoever is making that connection. Basically this is just listening for a connection; whenever a connection is made, it sends the data through that connection. So now I need to start it, and now it's just waiting for a connection to come in on port 8888. That was on the phone. Back on our forensic workstation, I need to initiate the connection. In Linux, I just used nc, but in Windows we have ncat.exe; again, it's pretty much the same procedure, the same command, just ncat instead of nc. I'm going to do ncat 127.0.0.1 8888. What that says is make a connection on port 8888 to localhost, and because we have forwarding set up, it will make a connection basically to the phone. The phone will then send us back all of the data from the hard drive. We need to do something with that data, so let's redirect it to a file called android.dd. .dd is basically the extension for a raw disk image. I'm just going to call this android right now because it's a test. So what we're doing is initiating a connection on port 8888. This BusyBox netcat is listening for the connection; whenever it hears it, it will read the hard drive and send the hard drive data back. We will take that data and save it into the android.dd file on our local computer.
Now this android.dd file is going to end up in the platform-tools folder, and most likely, especially if you're doing a real case, you don't want to save it into the same folder that you keep your tools in. I would save it into a case folder; I would have a case folder with a case structure set up. So think about where you're going to save this. Right now I'm just saving it inside the platform-tools folder, but you really should be saving it in some sort of case folder separately. If we hit enter, now both of these connections are active: this one is listening and sending data, and this one is receiving all of the response right now. If we go into the folder, we have android.dd and we can see it's 816k. If I refresh, you can see that the size is going up as the data is copied over. Copying this will actually take quite a while; it's going over USB, so it will take a good bit to copy everything. But whenever it finishes, you will have a full physical disk image. If you go to cybercrime tech, I do a little bit with disk images using The Sleuth Kit, and you can see, for example, the partition structure with The Sleuth Kit. So now we're copying the physical disk image. Whenever the command is finished, whenever we've read the entire disk, both of these commands will exit, so you know you're finished whenever the commands exit. Make sure that you check the size of the physical disk image that you collected against the size reported by the phone. Then the first thing we have to do after we collect the image is make a hash of the image. So once you collect this disk image, android.dd, and it's finished, make a hash of the disk image and document that hash, or sign the image.
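As an added worked example (not part of the original video or transcript), the following Python script simulates the two sides of the transfer on the loopback interface and then runs the size-and-hash checks described above. A Python socket serving a constructed 1 MiB byte string stands in for the phone's `dd if=/dev/block/mmcblk0 | busybox nc -l -p 8888`, and a client that writes and hashes the stream stands in for `ncat 127.0.0.1 8888 > android.dd`. The `/proc/partitions` text is constructed, not captured from a real device, and on a real acquisition `adb forward` bridges the loopback port to the phone, which this example does not do. It also runs a deliberately truncated transfer, the kind a USB drop would produce, to show how the size check catches it.

```python
"""Loopback simulation of the dd | netcat acquisition plus the post-acquisition checks.
Added example; the sample data below is constructed, not from a real phone."""
import hashlib
import re
import socket
import tempfile
import threading
from pathlib import Path

# Constructed /proc/partitions sample in the layout a rooted Android phone prints.
# The #blocks column is in 1 KiB units. Values are illustrative only.
SAMPLE_PARTITIONS = """major minor  #blocks  name

 179        0   15388672 mmcblk0
 179        1       4096 mmcblk0p1
 179        2       8192 mmcblk0p2
 179        3   15372288 mmcblk0p3
"""

# Constructed 1 MiB "disk" standing in for /dev/block/mmcblk0.
DEMO_DISK = bytes(range(256)) * 4096


def partition_sizes(text):
    """Parse /proc/partitions into {name: size_in_bytes}."""
    sizes = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$", line)
        if m:
            sizes[m.group(4)] = int(m.group(3)) * 1024
    return sizes


def whole_disks(sizes):
    """Entries without a pN suffix are the physical disks, which is what we image."""
    return [name for name in sizes if not re.search(r"p\d+$", name)]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _phone_side(server, data):
    """Stand-in for `dd if=/dev/block/mmcblk0 | busybox nc -l -p 8888`:
    accept one connection, stream the whole device, then close."""
    conn, _ = server.accept()
    try:
        conn.sendall(data)
    finally:
        conn.close()
        server.close()


def receive_image(port, out_path):
    """Stand-in for `ncat 127.0.0.1 8888 > android.dd`: read until the phone
    closes the socket, hashing the stream while writing it to disk."""
    h = hashlib.sha256()
    total = 0
    with socket.create_connection(("127.0.0.1", port)) as s, open(out_path, "wb") as f:
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            f.write(chunk)
            h.update(chunk)
            total += len(chunk)
    return total, h.hexdigest()


def acquire_over_loopback(disk_bytes, out_path):
    """Run both sides on 127.0.0.1 (on a real case adb forward bridges this port)."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))  # ephemeral port instead of the fixed 8888
    server.listen(1)
    port = server.getsockname()[1]
    t = threading.Thread(target=_phone_side, args=(server, disk_bytes))
    t.start()
    total, digest = receive_image(port, out_path)
    t.join()
    return total, digest


def verify_image(path, expected_bytes, stream_digest):
    """Post-acquisition checks: image size must equal the /proc/partitions size,
    and a fresh hash of the file must match the hash computed while streaming."""
    data = Path(path).read_bytes()
    digest = sha256_hex(data)
    return {
        "size": len(data),
        "expected": expected_bytes,
        "size_ok": len(data) == expected_bytes,
        "sha256": digest,
        "hash_ok": digest == stream_digest,
    }


def run_demo():
    """A complete acquisition, then one that stops halfway as a USB drop would."""
    with tempfile.TemporaryDirectory() as d:
        full_path = Path(d) / "android.dd"
        _, digest = acquire_over_loopback(DEMO_DISK, full_path)
        full = verify_image(full_path, len(DEMO_DISK), digest)

        short_path = Path(d) / "android_short.dd"
        _, digest2 = acquire_over_loopback(DEMO_DISK[: len(DEMO_DISK) // 2], short_path)
        short = verify_image(short_path, len(DEMO_DISK), digest2)
    return {"full": full, "short": short}


if __name__ == "__main__":
    print(whole_disks(partition_sizes(SAMPLE_PARTITIONS)))
    print(run_demo())
```

The point of the truncated run is that both netcat commands exit cleanly whether or not the whole device was read, so "the commands exited" is not enough on its own: compare the image size against the block count from /proc/partitions times 1024 before you record the hash.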
Then, to clean everything up, you need to uninstall the BusyBox utilities from the phone, remove root access from the phone, and then remove both the root application and the BusyBox application from the phone. So we're cleaning up our traces a little bit. Now, of course, we've already talked a little bit about the fact that this will change things. It does change things on the phone, so be prepared to explain why you are changing things and how you are changing things. That's pretty much it for how to acquire an Android physical disk image from Windows. It's almost exactly the same as Linux; I'm just using a few tools that are not built in, like ncat, that you can easily download. Okay, that's it for today. Thank you very much.