Extract Android Userdata Partition for Recovery and Forensics
1. Android Data Recovery
There are many tools around the web for recovering files from an Android device. There are also some Play Store options, even though downloading anything from the Play Store only makes more of the data unrecoverable. Some PC-based tools can recover from a single partition of your phone, yet they are blind to the phone's other partitions.
When you delete a file from a filesystem, only its metadata is removed. The metadata describes everything about the data except the data itself: it marks where the data begins and ends, and while the metadata exists the operating system honors that mark by not writing anything over that area of the disk. Once the metadata is gone, the area is free to be reused, and we recover files by scanning this unmarked space for known file-type signatures. If we delete all the photos and music from a phone, we have a decent chance of recovering them. If we delete them and then download a large movie to the phone, the chance becomes very slim. So it is essential not to write any data to the device during a recovery operation.
Most of the tools mentioned cannot access the userdata partition, which could hold valuable information. In this guide, we will go over methods for extracting raw partitions from Android devices for forensic analysis. By doing this, we are no longer limited to Android-specific recovery tools and can use the advanced tools on the missing data.
2. Userdata and Other Partitions
Android splits the phone's disk into multiple partitions. The official documentation explains some of the partition types (https://source.android.com/devices/bootloader/partitions-images). On any given device, you will see dozens of partitions. When we plug an Android phone into a computer, Android serves only a single partition of the phone to the computer. In the live system, this partition usually gets mounted to a path like /storage/device.
Most of the user's data, including photos and videos, resides on this partition. But there is another essential partition: the data (also known as userdata) partition. This is where nearly all of the data you save on the phone stays; your applications live here with most of their data.
When you reset your Android phone to factory defaults (unless you also select wipe media), only this partition gets affected. Android allows you to read from and write to this partition.
If you can recover from this partition, you can find very surprising data:
- icons and images from applications
- avatars of people the device talked with
- photos from websites the device visited
- database files of the apps (these are often locked, yet they could be unlocked with the proper key)
- a lot of trash like ad videos and unimportant caches
Even though it is possible to do file-level operations on this partition, we can't do file recovery that way, as recovery is a low-level operation. To work properly on this partition we need to extract all the raw data.
2.1 Detecting Partitions
To find the address of the userdata partition, enable and authorize USB debugging on the phone and install ADB on your PC. Even without root access, we can figure out the partitions:
adb shell
jasmine:/ $ ls /dev/block/
bootdevice loop6 mmcblk0p15 mmcblk0p24 mmcblk0p33 mmcblk0p42 mmcblk0p51 mmcblk0p60 mmcblk0p7 ram13 ram9
by-name loop7 mmcblk0p16 mmcblk0p25 mmcblk0p34 mmcblk0p43 mmcblk0p52 mmcblk0p61 mmcblk0p8 ram14 vold
dm-0 md0 mmcblk0p17 mmcblk0p26 mmcblk0p35 mmcblk0p44 mmcblk0p53 mmcblk0p62 mmcblk0p9 ram15 zram0
dm-1 mmcblk0 mmcblk0p18 mmcblk0p27 mmcblk0p36 mmcblk0p45 mmcblk0p54 mmcblk0p63 mmcblk0rpmb ram2
loop0 mmcblk0p1 mmcblk0p19 mmcblk0p28 mmcblk0p37 mmcblk0p46 mmcblk0p55 mmcblk0p64 platform ram3
loop1 mmcblk0p10 mmcblk0p2 mmcblk0p29 mmcblk0p38 mmcblk0p47 mmcblk0p56 mmcblk0p65 ram0 ram4
loop2 mmcblk0p11 mmcblk0p20 mmcblk0p3 mmcblk0p39 mmcblk0p48 mmcblk0p57 mmcblk0p66 ram1 ram5
loop3 mmcblk0p12 mmcblk0p21 mmcblk0p30 mmcblk0p4 mmcblk0p49 mmcblk0p58 mmcblk0p67 ram10 ram6
loop4 mmcblk0p13 mmcblk0p22 mmcblk0p31 mmcblk0p40 mmcblk0p5 mmcblk0p59 mmcblk0p68 ram11 ram7
loop5 mmcblk0p14 mmcblk0p23 mmcblk0p32 mmcblk0p41 mmcblk0p50 mmcblk0p6 mmcblk0p69 ram12 ram8
You can also check the folders under /dev/block/platform/. Our internal memory is the whole-device node, something like mmcblk0, and the partitions are its numbered children, such as mmcblk0p18 and mmcblk0p19. Imaging mmcblk0 therefore means getting all partitions at once. We can learn more about a partition by inspecting the mounts:
jasmine:/ $ mount | grep mmcblk
/dev/block/mmcblk0p69 on /data type ext4 (rw,lazytime,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resgid=1065,data=ordered)
/dev/block/mmcblk0p58 on /vendor/firmware_mnt type vfat (ro,context=u:object_r:firmware_file:s0,relatime,gid=1000,fmask=0337,dmask=0227,codepage=437,iocharset=iso8859-1,shortname=lower,errors=remount-ro)
/dev/block/mmcblk0p38 on /vendor/bt_firmware type vfat (ro,context=u:object_r:bt_firmware_file:s0,relatime,uid=1002,gid=3002,fmask=0337,dmask=0227,codepage=437,iocharset=iso8859-1,shortname=lower,errors=remount-ro)
/dev/block/mmcblk0p48 on /vendor/dsp type ext4 (ro,seclabel,nosuid,nodev,relatime,data=ordered)
/dev/block/mmcblk0p55 on /mnt/vendor/persist type ext4 (rw,seclabel,nosuid,nodev,noatime,data=ordered)
If we try to read the low-level data, the system won't allow it:
dd if=/dev/block/mmcblk0p69
dd: /dev/block/mmcblk0p69: Permission denied
3. Getting to the Raw Data
Since Android is not willing to give you this permission, we need to force it. Low-level access requires root privileges. The method to get a root shell depends heavily on the device; a great deal of information can be found on the XDA forums. Most rooting guides start with obtaining a temporary root shell and then proceed to make it permanent. We don't need permanent root for recovery, and making root permanent means writing data to the device, which means losing more data. If we are serious about recovery, we should stop after the temporary shell.
With root, you can list the partitions with:
cat /proc/partitions
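The two listings above (the `mount` output in 2.1 and `/proc/partitions` here) are what we read by hand to pick the device to image. As an added example that is not part of the original guide, the script below does the same from captured copies of that output: it finds the device mounted on /data and converts the partition's `#blocks` count (1 KiB units) into the byte size we should expect the dump to have. The mount lines and the partition table are constructed samples that mirror the guide's device names; the block counts are made up, and on a real phone you would paste in the output of `adb shell mount` and `adb shell cat /proc/partitions`.

```shell
#!/bin/sh
# Added example (not from the original guide): pick the userdata block device
# out of `mount` output and compute its byte size from /proc/partitions.

# Constructed sample of `mount | grep mmcblk` (device names as in the guide).
SAMPLE_MOUNT='/dev/block/mmcblk0p69 on /data type ext4 (rw,lazytime,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resgid=1065,data=ordered)
/dev/block/mmcblk0p58 on /vendor/firmware_mnt type vfat (ro,relatime,errors=remount-ro)
/dev/block/mmcblk0p48 on /vendor/dsp type ext4 (ro,seclabel,nosuid,nodev,relatime,data=ordered)'

# Constructed sample of /proc/partitions. The #blocks column is in 1 KiB
# units; these numbers are invented for the example.
SAMPLE_PARTITIONS='major minor  #blocks  name

 179        0   61071360 mmcblk0
 179        1      65536 mmcblk0p1
 179       69   52428800 mmcblk0p69'

# find_mounted_device MOUNT_OUTPUT [MOUNTPOINT]
# Prints the device mounted on MOUNTPOINT (default /data). In each mount
# line field 1 is the device and field 3 the mount point.
find_mounted_device() {
    fm_mounts=$1
    fm_mp=${2:-/data}
    printf '%s\n' "$fm_mounts" | awk -v mp="$fm_mp" '$3 == mp { print $1; exit }'
}

# partition_size_bytes PARTITIONS_OUTPUT NAME
# Prints the size in bytes of partition NAME (#blocks * 1024); returns 1 if
# the name is not in the table.
partition_size_bytes() {
    pt_blocks=$(printf '%s\n' "$1" | awk -v n="$2" '$4 == n { print $3; exit }')
    [ -n "$pt_blocks" ] || return 1
    echo $((pt_blocks * 1024))
}

# Usage with the constructed samples: expected device is /dev/block/mmcblk0p69
# and its expected image size is 53687091200 bytes.
dev=$(find_mounted_device "$SAMPLE_MOUNT" /data)
dev_name=${dev##*/}
echo "userdata device: $dev"
echo "expected image size: $(partition_size_bytes "$SAMPLE_PARTITIONS" "$dev_name") bytes"
```

Keep the printed byte count with your case notes: after the dump in section 3 it is the first thing to compare against the size of the image file, because a transfer that stops early produces a shorter file without any error from the receiving side.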
3.1 Getting the Data Out to a Memory Device
If the phone supports an external USB drive or SD card, getting an image of your partition out is very easy. Just plug in a large enough medium, mount it, and dump the disk to that volume.
dd if=/dev/block/mmcblk0 of=/external/storagepath/mmcblk0.raw conv=notrunc,noerror,sync
If you were to point this command (of= marks the target) at an internal partition, you would lose most of your data for good. So be careful.
3.2 Getting the Data out Over USB Connection
If the phone does not have external volume support, you might try asking ADB kindly for the image. For this, you need TWRP recovery or something similar. Flashing the recovery won't destroy any of the user data, yet flashing a recovery carries a slight risk of bricking the device, and you can't recover from a brick. If we go this way, we can pull the image with:
adb pull /dev/block/mmcblk0 mmcblk0.img
If this command does not work, we can use Netcat to ship the data to the computer. Installing BusyBox gives you the Netcat command, but it might overwrite a few megabytes of the data partition. For a perfect recovery, we need a working Netcat binary for the device. We can pull the binary from a similar device, or we can cross-compile it. We also need a place outside of userdata for the binary. With the binary in place, we are ready to get the image. You can use ADB port forwarding, or you can send the data over Wi-Fi; ADB port forwarding is often faster. To move our data, we need two terminals. In the first one, forward the port Netcat will listen on (8888, the same port the receiving side connects to), open a shell on the phone, become root and start streaming the disk:
adb forward tcp:8888 tcp:8888
adb shell
su
/system/xbin/busybox dd if=/dev/block/mmcblk0 | /system/xbin/busybox nc -l -p 8888
From another terminal:
nc 127.0.0.1 8888 | pv > mmcblk0.raw
Now you can just work on mmcblk0.raw for any recovery tasks.
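Before working on the image, it is worth proving that it is complete and unchanged: pv shows progress but does not notice a connection that drops early, and any later finding is only as credible as the image it came from. The script below is an added example, not part of the original guide. It checks an image against the byte size taken from /proc/partitions on the phone and, optionally, against a SHA-256 computed on the phone side (it assumes the phone's BusyBox or toybox provides `sha256sum`, which you run as root on the block device itself; reading it is harmless). The demonstration at the end runs on a constructed 3-byte file whose hash is known, so it works without a phone.

```shell
#!/bin/sh
# Added example (not from the original guide): verify a pulled partition image
# by size and SHA-256 before any recovery work starts.

# sha256_of FILE: print the hex digest using whichever tool the host has
# (GNU coreutils sha256sum, or perl's shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_image IMAGE EXPECTED_BYTES [EXPECTED_SHA256]
# Returns 0 when the file size (and the hash, if one is given) match,
# 1 otherwise, with the reason on stderr.
verify_image() {
    vi_img=$1
    vi_expected_bytes=$2
    vi_expected_sha=$3
    [ -f "$vi_img" ] || { echo "missing image: $vi_img" >&2; return 1; }
    # wc -c on stdin prints only the count (no filename); tr strips BSD padding.
    vi_actual_bytes=$(wc -c < "$vi_img" | tr -d ' ')
    if [ "$vi_actual_bytes" -ne "$vi_expected_bytes" ]; then
        echo "size mismatch: got $vi_actual_bytes, expected $vi_expected_bytes (truncated transfer?)" >&2
        return 1
    fi
    vi_actual_sha=$(sha256_of "$vi_img")
    if [ -n "$vi_expected_sha" ] && [ "$vi_actual_sha" != "$vi_expected_sha" ]; then
        echo "hash mismatch: got $vi_actual_sha, expected $vi_expected_sha" >&2
        return 1
    fi
    echo "ok: $vi_img ($vi_actual_bytes bytes, sha256 $vi_actual_sha)"
    return 0
}

# Demonstration on a constructed file: "abc" is 3 bytes and its SHA-256 is
# ba7816bf...f20015ad. On a real dump you would instead pass the byte count
# from /proc/partitions and the digest reported by sha256sum on the phone,
# e.g. verify_image mmcblk0.raw <bytes> <phone-side sha256>.
demo=$(mktemp)
printf 'abc' > "$demo"
verify_image "$demo" 3 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
rm -f "$demo"
```

One caveat when the dump was made with the `conv=noerror,sync` options from section 3.1: unreadable blocks are replaced by zero padding, so the size still matches but the hash will not equal the one computed on the device. In that case compare against a hash of the image file taken immediately after the dump, and note the discrepancy in your records rather than re-running dd against the phone.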