Skip to content

RealityNet/android_triage

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
README.md
README.md
 
 
android_triage.sh
android_triage.sh
 
 

Repository files navigation

Android Triage

Bash script to extract data from an Android device

Developed and tested on Mac OS X Mojave (10.14.6), but works also on Linux

Mandatory Requirements

How to use it

  • Activate ADB on the Android Device
  • Connect and pair the Android Device and the host
  • Make the script executable (chmod +x android_triage.sh)
  • Execute the script and follow the instructions

See also the original blog post here

https://blog.digital-forensics.it/2021/03/triaging-modern-android-devices-aka.html

Version 1.0 [30/3/2021]

First release

Version 1.1 [30/3/2021]

  • Added "-keyvalue" in the ADB backup commant (Thanks Yogesh Khatri - @SwiftForensics)
  • Added option 10 to dump file system folders and files not requiring root privileges
  • Minor fixes

Version 1.2 [3/4/2021]

Version 1.3 [6/9/2021]

  • Added "dumpsys notification --noredact" to extract notification text
  • Added "dumpsys dbinfo -v"
  • Added "dumpsys bluetooth_manager | grep 'BOOT_COMPLETED|AIRPLANE'" to extract boot and airplane mode information
  • Changed "dumpsys meminfo -a" with "dumpsys -t 60 meminfo -a"
  • Minor fixes

Version 1.4 [11/2/2022]

  • Added full "/data/app" acquisition (not only APKs, but also libs and other files)
  • Add "-obb" option to the ADB Backup command
  • Added "References" section
  • Added "Special thanks" section
  • Minor fixes

Version 1.5 [28/10/2022]

  • Added various dumpsys commands
  • Added some "telecom" commands
  • Minor fixes

List of executed commands

Option 1 - Collect basic information

  • adb shell getprop
  • adb shell settings list system
  • adb shell settings list secure
  • adb shell settings list global
  • adb shell getprop ro.product.model
  • adb shell getprop ro.product.manufacturer
  • adb shell settings get global airplane_mode_on
  • adb shell getprop ro.serialno
  • adb shell getprop ro.build.fingerprint
  • adb shell getprop ro.build.version.release
  • adb shell getprop ro.build.date
  • adb shell getprop ro.build.id
  • adb shell getprop ro.boot.bootloader
  • adb shell getprop ro.build.version.security_patch
  • adb shell settings get secure bluetooth_address
  • adb shell settings get secure bluetooth_name
  • adb shell getprop persist.sys.timezone
  • adb shell getprop ro.product.manufacturer
  • adb shell getprop ro.product.device
  • adb shell getprop ro.product.name
  • adb shell getprop ro.product.code
  • adb shell getprop ro.chipname
  • adb shell getprop ril.serialnumber
  • adb shell getprop gsm.version.baseband
  • adb shell getprop ro.csc.country_code
  • adb shell getprop persist.sys.usb.config
  • adb shell getprop storage.mmc.size
  • adb shell getprop ro.config.notification_sound
  • adb shell getprop ro.config.alarm_alert
  • adb shell getprop ro.config.ringtone
  • adb shell getprop rro.config.media_sound
  • adb shell date
  • adb shell getprop ro.crypto.state
  • adb shell uptime -s
  • adb shell getprop ro.crypto.type
  • adb shell dumpsys iphonesubinfo
  • adb shell service call iphonesubinfo
  • adb shell id
  • adb shell su -c id

Option 2 - Execute live commands

  • adb shell id
  • adb shell uname -a
  • adb shell cat /proc/version
  • adb shell uptime
  • adb shell printenv
  • adb shell cat /proc/partitions
  • adb shell cat /proc/cpuinfo
  • adb shell cat /proc/diskstats
  • adb shell df
  • adb shell df -ah
  • adb shell mount
  • adb shell ip address show wlan0
  • adb shell ifconfig -a
  • adb shell netstat -an
  • adb shell lsof
  • adb shell ps -ef
  • adb shell top -n 1
  • adb shell cat /proc/sched_debug
  • adb shell vmstat
  • adb shell sysctl -a
  • adb shell ime list
  • adb shell service list
  • adb shell logcat -S -b all
  • adb shell logcat -d -b all V:*

Option 3 - Execute package manager commands

  • adb shell pm get-max-users
  • adb shell pm list users
  • adb shell pm list features
  • adb shell pm list instrumentation
  • adb shell pm list libraries -f
  • adb shell pm list packages -f
  • adb shell pm list packages -d
  • adb shell pm list packages -e
  • adb shell pm list packages -f -u
  • adb shell pm list permissions -f
  • adb shell pm list permission-groups
  • adb shell cat /data/system/uiderrors.txt

Option 4 - Execute bugreport,dumpsys,appops

  • adb shell bugreport
  • adb shell dumpsys
  • adb shell dumpsys account
  • adb shell dumpsys accessibility
  • adb shell dumpsys activity
  • adb shell dumpsys alarm
  • adb shell dumpsys app_binding
  • adb shell dumpsys app_hibernation
  • adb shell dumpsys application_policy
  • adb shell dumpsys appwidget
  • adb shell dumpsys appops
  • adb shell dumpsys audio
  • adb shell dumpsys autofill
  • adb shell dumpsys backup
  • adb shell dumpsys battery
  • adb shell dumpsys batteryproperties
  • adb shell dumpsys batterystats
  • adb shell dumpsys batterystats -c
  • adb shell dumpsys biometric
  • adb shell dumpsys blob_store
  • adb shell dumpsys bluetooth_manager
  • adb shell dumpsys bluetooth_manager | grep 'BOOT_COMPLETED|AIRPLANE'
  • adb shell dumpsys cacheinfo
  • adb shell dumpsys carrier_config
  • adb shell dumpsys clipboard
  • adb shell dumpsys color_display
  • adb shell dumpsys connectivity
  • adb shell dumpsys connmetrics
  • adb shell dumpsys content
  • adb shell dumpsys content_capture
  • adb shell dumpsys cover
  • adb shell dumpsys cpuinfo
  • adb shell dumpsys desktopmode
  • adb shell dumpsys dbinfo
  • adb shell dumpsys dbinfo -v
  • adb shell dumpsys device_policy
  • adb shell dumpsys device_state
  • adb shell dumpsys devicestoragemonitor
  • adb shell dumpsys diskstats
  • adb shell dumpsys display
  • adb shell dumpsys dropbox
  • adb shell dumpsys gfxinfo
  • adb shell dumpsys graphicsstats
  • adb shell dumpsys hardware_properties
  • adb shell dumpsys input
  • adb shell dumpsys isub
  • adb shell dumpsys iphonesubinfo
  • adb shell dumpsys jobscheduler
  • adb shell dumpsys location
  • adb shell dumpsys lock_settings
  • adb shell dumpsys meminfo -t 60 -a
  • adb shell dumpsys mount
  • adb shell dumpsys netpolicy
  • adb shell dumpsys netstats
  • adb shell dumpsys netstats detail
  • adb shell dumpsys network_management
  • adb shell dumpsys network_score
  • adb shell dumpsys notification
  • adb shell dumpsys notification --noredact
  • adb shell dumpsys overlay
  • adb shell dumpsys package
  • adb shell dumpsys password_policy
  • adb shell dumpsys permission
  • adb shell dumpsys permissionmgr
  • adb shell dumpsys phone
  • adb shell dumpsys power
  • adb shell dumpsys print
  • adb shell dumpsys procstats --full-details
  • adb shell dumpsys procstats --full-details -c
  • adb shell dumpsys restriction_policy
  • adb shell dumpsys role
  • adb shell dumpsys rollback
  • adb shell dumpsys sdhms
  • adb shell dumpsys sec_location
  • adb shell dumpsys secims
  • adb shell dumpsys search
  • adb shell dumpsys sensorservice
  • adb shell dumpsys settings
  • adb shell dumpsys shortcut
  • adb shell dumpsys stats
  • adb shell dumpsys statusbar
  • adb shell dumpsys storaged
  • adb shell dumpsys telecom
  • adb shell dumpsys thermalservice
  • adb shell dumpsys time_detector
  • adb shell dumpsys time_zone_detector
  • adb shell dumpsys usagestats
  • adb shell dumpsys user
  • adb shell dumpsys usb
  • adb shell dumpsys vibrator
  • adb shell dumpsys voip
  • adb shell dumpsys wallpaper
  • adb shell dumpsys wifi
  • adb shell dumpsys wifiaware
  • adb shell dumpsys wifiscanner
  • adb shell dumpsys window
  • adb shell telecom get-default-dialer
  • adb shell telecom get-system-dialer
  • adb shell telecom get-max-phones
  • adb shell telecom get-sim-config
  • adb shell appops get $pkg

Option 5 - Acquire an ADB Backup

  • adb backup -all -shared -system -keyvalue -apk -obb -f backup.ab

Option 6 - Acquire /system folder

  • adb pull /system/
  • adb pull /system/apex
  • adb pull /system/app
  • adb pull /system/bin
  • adb pull /system/cameradata
  • adb pull /system/container
  • adb pull /system/etc
  • adb pull /system/fake-libs
  • adb pull /system/fonts
  • adb pull /system/framework
  • adb pull /system/hidden
  • adb pull /system/lib
  • adb pull /system/lib64
  • adb pull /system/media
  • adb pull /system/priv-app
  • adb pull /system/saiv
  • adb pull /system/tts
  • adb pull /system/usr
  • adb pull /system/vendor
  • adb pull /system/xbin

Option 7 - Acquire /sdcard folder

  • adb pull /sdcard

Option 8 - Acquire /data/app folder

  • adb pull /data/app/${app_path}/

Option 9 - Extract data from content providers

  • adb shell dumpsys package providers
  • adb shell content query --uri content://com.android.calendar/calendar_entities
  • adb shell content query --uri content://com.android.calendar/calendars
  • adb shell content query --uri content://com.android.calendar/attendees
  • adb shell content query --uri content://com.android.calendar/event_entities
  • adb shell content query --uri content://com.android.calendar/events
  • adb shell content query --uri content://com.android.calendar/properties
  • adb shell content query --uri content://com.android.calendar/reminders
  • adb shell content query --uri content://com.android.calendar/calendar_alerts
  • adb shell content query --uri content://com.android.calendar/colors
  • adb shell content query --uri content://com.android.calendar/extendedproperties
  • adb shell content query --uri content://com.android.calendar/syncstate
  • adb shell content query --uri content://com.android.contacts/raw_contacts
  • adb shell content query --uri content://com.android.contacts/directories
  • adb shell content query --uri content://com.android.contacts/syncstate
  • adb shell content query --uri content://com.android.contacts/profile/syncstate
  • adb shell content query --uri content://com.android.contacts/contacts
  • adb shell content query --uri content://com.android.contacts/profile/raw_contacts
  • adb shell content query --uri content://com.android.contacts/profile
  • adb shell content query --uri content://com.android.contacts/profile/as_vcard
  • adb shell content query --uri content://com.android.contacts/stream_items
  • adb shell content query --uri content://com.android.contacts/stream_items/photo
  • adb shell content query --uri content://com.android.contacts/stream_items_limit
  • adb shell content query --uri content://com.android.contacts/data
  • adb shell content query --uri content://com.android.contacts/raw_contact_entities
  • adb shell content query --uri content://com.android.contacts/profile/raw_contact_entities
  • adb shell content query --uri content://com.android.contacts/status_updates
  • adb shell content query --uri content://com.android.contacts/data/phones
  • adb shell content query --uri content://com.android.contacts/data/phones/filter
  • adb shell content query --uri content://com.android.contacts/data/emails/lookup
  • adb shell content query --uri content://com.android.contacts/data/emails/filter
  • adb shell content query --uri content://com.android.contacts/data/emails
  • adb shell content query --uri content://com.android.contacts/data/postals
  • adb shell content query --uri content://com.android.contacts/groups
  • adb shell content query --uri content://com.android.contacts/groups_summary
  • adb shell content query --uri content://com.android.contacts/aggregation_exceptions
  • adb shell content query --uri content://com.android.contacts/settings
  • adb shell content query --uri content://com.android.contacts/provider_status
  • adb shell content query --uri content://com.android.contacts/photo_dimensions
  • adb shell content query --uri content://com.android.contacts/deleted_contacts
  • adb shell content query --uri content://downloads/my_downloads
  • adb shell content query --uri content://downloads/download
  • adb shell content query --uri content://media/external/file
  • adb shell content query --uri content://media/external/images/media
  • adb shell content query --uri content://media/external/images/thumbnails
  • adb shell content query --uri content://media/external/audio/media
  • adb shell content query --uri content://media/external/audio/genres
  • adb shell content query --uri content://media/external/audio/playlists
  • adb shell content query --uri content://media/external/audio/artists
  • adb shell content query --uri content://media/external/audio/albums
  • adb shell content query --uri content://media/external/video/media
  • adb shell content query --uri content://media/external/video/thumbnails
  • adb shell content query --uri content://media/internal/file
  • adb shell content query --uri content://media/internal/images/media
  • adb shell content query --uri content://media/internal/images/thumbnails
  • adb shell content query --uri content://media/internal/audio/media
  • adb shell content query --uri content://media/internal/audio/genres
  • adb shell content query --uri content://media/internal/audio/playlists
  • adb shell content query --uri content://media/internal/audio/artists
  • adb shell content query --uri content://media/internal/audio/albums
  • adb shell content query --uri content://media/internal/video/media
  • adb shell content query --uri content://media/internal/video/thumbnails
  • adb shell content query --uri content://settings/system
  • adb shell content query --uri content://settings/system/ringtone
  • adb shell content query --uri content://settings/system/alarm_alert
  • adb shell content query --uri content://settings/system/notification_sound
  • adb shell content query --uri content://settings/secure
  • adb shell content query --uri content://settings/global
  • adb shell content query --uri content://settings/bookmarks
  • adb shell content query --uri content://com.google.settings/partner
  • adb shell content query --uri content://nwkinfo/nwkinfo/carriers
  • adb shell content query --uri content://com.android.settings.personalvibration.PersonalVibrationProvider/
  • adb shell content query --uri content://settings/system/bluetooth_devices
  • adb shell content query --uri content://settings/system/powersavings_appsettings
  • adb shell content query --uri content://user_dictionary/words
  • adb shell content query --uri content://browser/bookmarks
  • adb shell content query --uri content://browser/searches
  • adb shell content query --uri content://com.android.browser
  • adb shell content query --uri content://com.android.browser/accounts
  • adb shell content query --uri content://com.android.browser/accounts/account_name
  • adb shell content query --uri content://com.android.browser/accounts/account_type
  • adb shell content query --uri content://com.android.browser/accounts/sourceid
  • adb shell content query --uri content://com.android.browser/settings
  • adb shell content query --uri content://com.android.browser/syncstate
  • adb shell content query --uri content://com.android.browser/images
  • adb shell content query --uri content://com.android.browser/image_mappings
  • adb shell content query --uri content://com.android.browser/bookmarks
  • adb shell content query --uri content://com.android.browser/bookmarks/folder
  • adb shell content query --uri content://com.android.browser/history
  • adb shell content query --uri content://com.android.browser/bookmarks/search_suggest_query
  • adb shell content query --uri content://com.android.browser/searches
  • adb shell content query --uri content://com.android.browser/combined

Option 10 - Extract system dump (no root)

  • Option 6 + Option 7 + Option 8

About

Bash script to extract data from an Android device

Resources

Readme
Activity
Custom properties

Stars

209 stars

Watchers

20 watching

Forks

44 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages