Welcome back, everyone. Today we're going to be talking about imaging an Android phone using basically root privileges and dd. So, no special software: I'm going to be using a Linux computer, we're going to use ADB to access the Android phone, and then we're going to get root access to the phone and run dd on the phone to copy out an image of the hard disk. So let's get started.

First off, I am using Linux. You can set up ADB in a Windows environment, but I'm going to be doing everything from Linux. If you go to source.android.com, you can get instructions on how to set up a build environment for Android. This is the thing you have to do first, just to get all of the utilities that you'll need, for example the developer kit. On Ubuntu, on Linux, it took very, very little time to install everything; you can usually use apt-get for everything, and adb is also in the repository. But if you just follow these instructions, and I'll give a link below for this page, it will get you all of the packages you need installed to be able to make a connection. So once you have the Android development software installed, you can open up a command line, and if you type adb -h you should get the help menu, and then you know that adb is, hopefully, installed correctly.

Two other things that we need at the beginning, which I'll also provide links to, are two APKs. I'm going to sideload all of the tools we're going to use, which means that I have the tools downloaded to my computer and I'm going to load those tools onto the phone from my computer. There are ways to install these on the phone directly: if you visit the website using the phone, or you download a package onto the phone, then you can run it. But I don't want to use the phone, or I want to use the phone as little as possible.
The things that we do will modify the suspect device, but we just have to be aware of what we're actually modifying. Now, two things that we need to download. The first one is called KingoRoot, which is what I'm using right now. I've already tried it, and it works pretty well; it's very easy to use. The problem with KingoRoot is that I haven't looked to see if it's actually doing anything nefarious. However, I did run it through a VirusTotal scan real quick, and it was flagged: for example, Symantec thinks that it's a Trojan, but a lot of the results, like it says, are riskware or potentially unsafe because it's allowing root access on the device. So quite a few antivirus companies flagged this as malicious, but a lot more flagged it as either unknown or not malicious. So I guess the point here is that whenever you're using rooting software, unless it's a forensic tool (and KingoRoot is not built for forensics, it's built for just rooting your device), you have to be careful, because it could very well be malware. So I'm not endorsing KingoRoot; I've used it now once. Just be aware that your root software could potentially be malicious, so make sure that you're testing your software on a test phone like I'm doing now, and then checking your phone afterwards to see if there are any strange remnants: what did it change, what did it not change, that kind of thing. So yeah, I'm using KingoRoot, and I'm a little bit leery about it. It's also apparently developed in Beijing; I don't know if that means anything. So I'm not saying that this is the right rooting software to use. Use any software that gives you root access; it doesn't have to be KingoRoot, just whatever you're comfortable using, basically.

The next thing, which I've also checked, is the BusyBox APK. I downloaded the BusyBox APK from appsapk.com (the BusyBox app), which I'll also put a link to. This basically just gives you, you could say, more Linux tools on your phone.
Now, to install the BusyBox APK, you have to have rooted your phone already; you need root access to the phone. Luckily, we can probably get access to it. Hopefully it works, especially because our operating system is a little bit older. The next thing you need to know is your phone. You have to have a phone that you're actually going to work with, and you need to know the version history. So another thing: check the version number. The version of Android that I have on this phone I'm testing on is 4.4.2, so KitKat 4.4.2, which is basically from 2013. You need to make sure that your rooting software supports whatever version you have, so you need to know what version of the phone you're dealing with, if you can find that information. Any rooting software that works with BusyBox should work on basically any newer version of Android.

OK, so here I've already installed adb to access the phone, I have the BusyBox APK and the KingoRoot APK downloaded, and I'm inside this test directory with those APKs inside. So now we need to start dealing with the phone. The first thing I want to do is plug the phone into my computer and run adb devices. What you should see is a device attached, with an identifier. I would not be posting this identifier online if it was actually my phone, but this is a test phone that will never be used, so it's OK. I have this list of devices, so I see the device attached. If it's not showing up, or if it shows as unauthorized, then you might have to log into the phone, if you can, and give access to the computer. Once you specify that this computer can have access, the device should show up as device instead of unauthorized. OK, so once we have access to the device, or once we see it in our list of devices: in this directory, again, I have KingoRoot and the BusyBox APK.
So what I want to do is install, or push, this APK to the phone, so I can do adb -d install, and I'll push KingoRoot over first. If you see it saying that it's transferring, that's very good; that means it's actually going through. OK, so what just happened, which didn't happen the first time I installed this: Avast antivirus just flagged this on the phone. So apparently Avast updated its signatures, and when I installed this, the first time it failed because the antivirus on the phone caught it. The next time I gave it permission to install, and then it installed successfully. So let me just check the phone real quick. Yeah, so it's at least running; we'll see if we can actually root the device later. OK, so now I have that. Now I need to install, sorry, adb -d install the BusyBox APK, and that should push everything over, and hopefully that's not a virus, or it's not detected as a virus. Yeah, so now it's installed.

So I'm going to switch over to the phone view. OK, so I have the phone actually connected to the network, because KingoRoot needs a network connection. And we see our KingoRoot and our BusyBox Free, so we know that our APKs have been installed. So I'm going to go ahead and tap on KingoRoot. We have Android version 4.4.2 detected properly. It also says install recommended apps; I'm going to uncheck install recommended apps. I only want the root functionality; that's all I'm wanting. Then I tap One Click Root. If it were not connected to the network, it would give me an error right now and say, please connect to the network. OK, so now it says root succeeded. We need to check if it actually did succeed. So I'm going to exit out of this now, and we see that the SuperUser app has been installed. This is what gives us root access. We still have to give permissions to all of the apps that we want to access root.
And then there's BusyBox Free, so I'm going to tap on that, and we need to install it. It should pop up here. Yeah, OK. So Kingo SuperUser is asking: BusyBox Free is asking for superuser root-level access. We need to allow it. Then it gives kind of an advertisement, and then it's checking some software now. It says that BusyBox is installed, but it shouldn't be installed, so we will just say install. OK, so while BusyBox is installing the tools on the device, we're going to switch back over to the computer, the main system.

Let's see: we've run the KingoRoot app and rooted the phone, and we've installed the BusyBox app, so we're getting the applications installed. Now we can do adb shell to get local access to the device itself. Sorry, adb -d shell. OK, so now it says shell@t0, so I know that I'm on the device now. What I want to do first is try to access a directory that I know is protected. So I'm going to do ls, which gives a directory listing, on /data, and /data on the phone is protected. So it says opendir failed, permission denied. That means that I'm not root right now. So then I want to do su, or switch user, and that switches me to root. I can already see that the root user showed up: instead of shell, I get root. And then if I do ls /data, now I get a directory listing. So this is what I want to see; if I have root access, I should see all of this and be able to access it.

I want to figure out which device I want to image, so I need to do cat /proc/partitions. Now it goes through, and I can see all of the different partitions that are available. Which one do I actually want? Well, it looks like I probably want mmcblk0, and I might even want this swap. So this should be basically the physical device in here, and all of these with the p should be partitions or some sort of other data structure. But if I get this mmcblk0, I should get basically everything.
OK, so now I know which device I want to image. This is basically the physical disk, and all of these are partitions or parts of the disk. Now that I know which device I want to image, I need to open up another terminal on the local computer. So this one is on my workstation, and this terminal is on the phone; I'm remoted into the phone. What I need to do from my local computer is run the command adb forward tcp:8888 tcp:8888. What this does is just set up a connection on TCP port 8888 between my computer and the phone. So now that I have that set up, I can go back into the shell connection on the phone. Sorry, I need an su. Now I want to run dd if=/dev/block/mmcblk0 (remember, that was the physical disk in the device), and then I want to pipe that into busybox: busybox nc -l -p 8888.

Now, what is this command doing? We have dd if=/dev/block/mmcblk0. This says the input file for dd is mmcblk0, so it just reads the disk, or reads the block device. Then we pipe that into busybox, which is running nc, which is netcat, and this is for transferring data over a network. So we're running netcat, transferring some sort of data over the network, and it has the -l switch. -l means listen; that means we are making the phone listen for a connection, and the port that we are listening on (-p) is TCP 8888. So what we're doing here is setting up a netcat connection where it's listening for a connection coming into the phone on port 8888, and whenever that connection comes in, we want to send the contents of this block device, this physical disk. So now I can go back to my computer, my workstation, not the phone, and I want to run nc 127.0.0.1 8888. So with netcat we're making a connection to the local host on port 8888, which, remember, is forwarded by adb; so we're basically just connecting to the phone.
And whatever we get out of that, we want to pipe into a file; I'm going to call it SamsungNote2BY.dd. So I have this SamsungNote2BY.dd, and I'm going to save whatever contents are sent to me into this dd file. So I'm going to hit Enter. Maybe I spoke for too long. Oh, yeah, I didn't start dd yet. OK, so I need to hit Enter on the phone. So now Enter on the phone, and it's waiting. I'm going to go back to my workstation and try it again. And now, because it's taking a long time, both of these are basically listening for connections. So I can see that it's going. And if I look at the directory structure, we now have this SamsungNote2BY.dd, and if I look at the size of it, I've already copied down 135 meg. If I refresh, we can see that the data is copying down. So now I'm making an image of the physical disk of the phone using dd. I'm going to let that run, and whenever it's finished, I'll show you very basically how to clean up the phone once you're finished.

Now that the imaging is finished, if we look at both sides, the connection stopped, and we got this disk image that's about 19.6 gig, which is about right for the internal storage on this phone. Next, what we have to do to finish up is go back into BusyBox. Whenever you open up the BusyBox app on the phone, there's a button to uninstall the tools. Once it uninstalls all the utilities, you can remove the app. Then go into KingoRoot, and if you go into the Settings menu, you can remove root access and then uninstall the app. So the last things to do are basically to remove the tools that you installed, remove root, and then uninstall both of those applications from the device. And that's pretty much it. That gives us a physical disk image, and in another video I'll show how to analyze the disk image. Thank you very much. If you liked this video, please subscribe for more.
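The procedure in the video (adb forward, dd on the phone piped into busybox nc, nc on the workstation writing the image) as one script, with two checks the video does not perform: that the image size matches the block count reported by /proc/partitions, and that a SHA-256 of the image matches one computed on the device. This is an added example, not the video's own commands or a tool from any project named in it. It assumes adb is in PATH, the phone is rooted and "su -c" runs a command as root, the installed busybox provides nc and sha256sum, the workstation has nc and sha256sum, and the device, port and output name are the ones used in the video; all of those are assumptions. The helper functions take text as arguments so they can be exercised without a phone; the part that touches a device only runs with --run.

```shell
#!/bin/sh
# Added example: image an Android block device over adb + busybox nc, then verify.
# Assumptions (not from the video): adb in PATH, rooted phone where "su -c" works,
# busybox on the phone with nc and sha256sum, nc and sha256sum on the workstation.
PORT=8888
DEV=/dev/block/mmcblk0
OUT=${OUT:-SamsungNote2BY.dd}

# Pick the whole-disk entry from /proc/partitions text: the mmcblkN name that has
# no pN partition suffix. Prints "name blocks" (blocks are 1024-byte units).
# adb shell on older Android emits CRLF, so strip the CR before matching.
pick_disk() {
    printf '%s\n' "$1" | tr -d '\r' | awk '$4 ~ /^mmcblk[0-9]+$/ { print $4, $3; exit }'
}

# Convert a /proc/partitions block count to bytes.
expected_bytes() {
    echo $(( $1 * 1024 ))
}

# Succeed if the file's size in bytes equals the expected size.
check_size() {
    [ "$(( $(wc -c < "$1") ))" -eq "$2" ]
}

# Succeed if two non-empty hash strings match.
check_hash() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# The imaging itself: phone listens with nc, workstation connects through the forward.
image_device() {
    adb -d forward "tcp:$PORT" "tcp:$PORT"
    # bs=4096 only speeds up the read over dd's default 512-byte blocks; output is identical.
    adb -d shell "su -c 'dd if=$DEV bs=4096 | busybox nc -l -p $PORT'" &
    sleep 2   # give the listener on the phone time to come up
    nc 127.0.0.1 "$PORT" > "$OUT"
    wait
    adb -d forward --remove "tcp:$PORT"
}

# Compare size against /proc/partitions and hash against one computed on the phone.
verify_image() {
    disk=$(pick_disk "$(adb -d shell cat /proc/partitions)")
    want=$(expected_bytes "${disk#* }")
    check_size "$OUT" "$want" || { echo "size mismatch: expected $want bytes"; return 1; }
    local_hash=$(sha256sum "$OUT" | cut -d' ' -f1)
    remote_hash=$(adb -d shell "su -c 'busybox sha256sum $DEV'" | tr -d '\r' | cut -d' ' -f1)
    check_hash "$local_hash" "$remote_hash" || { echo "hash mismatch"; return 1; }
    echo "image verified: $want bytes, sha256 $local_hash"
}

# Only touch a phone when explicitly asked, so the file is safe to source or test.
if [ "${1:-}" = "--run" ]; then
    image_device && verify_image
fi
```

Run it as sh image_android.sh --run with the phone attached and authorized. The on-device hash is computed by a second full read of mmcblk0, so it takes about as long as the imaging did; a mismatch means either the transfer was cut short (the size check catches that first) or the device was written to between the two reads, which is why the phone should be kept as idle as possible, as the video says.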