Sunday, July 30, 2017

Using Windows to Live Image an Android device

It works but I do not recommend it

All blog posts to date
Introduction Acquisition Analysis
Introduction Imaging an Android Device Examining the image
Picking a Toolkit Live imaging an Android device Some hidden artifacts in a physical image
Why not load ClockworkMod or TWRP to image a device? Using Autopsy to examine an Android image
Identifying your Userdata Partition Some artifacts in the /data/system/ directory
Some non-root methods to learn about a device Viewing SQLite Databases
A quick note on imaging newer Android devices Facebook for Android Artifacts
Using Windows to Live Image an Android device Interpreting data from apps
Obtaining all files in the data partition without a physical image Waze for Android forensics
App Reversing Other Topics
Reverse Engineering an Android App File The differences between a physical image and a logical extraction
Fun with Apktool Dirty cow
Deep dive into an app Imaging and examining an Android car stereo
Unpacking boot and recovery kernels
In a post from a few years ago on live imaging an Android device, I showed how to use Mac or Linux to image your Android device using three main steps: data connection between the computer and the device, an exploit, and an imaging command.  The final step requires netcat, which is built in to both Mac and Linux.  I have never showed a Windows method because netcat is not native in Windows, or it is not included by default.

The problem is everybody in the world uses Windows, except apparently the 2.36% of us geeks who use Linux and the 3.49% of people who have enough spare money to afford a Mac (not me).  So many people have emailed me throughout the years asking for a Windows alternative, and I've always recommended using a Linux VM in Windows to get the job done.  And funny story, when I was in grad school studying the geeky subject of Cyber Forensics, I often had a laptop in class (that is when I was in class and not at football games, researching, grilling steaks, paper writing, or drinking way too much coffee).  Around half of us in class with laptops used Linux.  So when I say that it is geeks who use Linux, that is true.  And I often use Linux at home around my wife, who has no idea how to get around my computer, but it is always funny to watch her try.

A while back, someone commented on one of my pages a link to a Windows build of netcat.  So I've played around using that netcat tool to image devices in Windows.  And yes, it works.  You can make a dd image similar to the Linux/Mac methods but via Windows.  This post will show you how to use Windows to image a device.  I also have caveats and why I genuinely recommend Linux or Mac, and I'll explain why.

How to image the device
First, review my post on live imaging an Android device.  I wont' rehash that post here, but it would be good do understand the content.  This post will be showing the Windows equivalent.

Netcat for Windows
There is a non-native netcat for windows, built into the wireless scanning tool nmap.  Here's a quick writeup on nmap's inclusion of netcat.  That writeup includes a link for downloading and compiling just netcat if you wish.  If you'd rather not compile anything, follow this link to download ready-to-go nmap, including netcat.  I would recommend downloading the "latest stable command-line zipfile" and unzip that file to someplace you'll remember.

Imaging in Windows
The steps to image a device are the same in Windows as in Linux or Mac.  Open two command line windows.  One for interacting with the Android device via adb (cd to whatever directory has your adb if you need to locally call it), and one for outputting the image to your computer locally (cd to wherever you plan to save the file).  Additionally open a Windows Explorer window for checking on the progress, at the same directory you plan to save the file.

Connect your Android device (and of course root it and install busybox), enable adb, and go to Window 1.  Ensure the Windows computer can see the device by entering adb devices.

C:\Users\MarkL>adb devices
List of devices attached
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
08****7d        device

As the above output shows, I can see my device via adb.

Now port forward as normal, and just for kicks I'm going to change around the port number from my normal 8888:

C:\Users\MarkL>adb forward tcp:9876 tcp:9876

And now we do the normal steps:

C:\Users\MarkL>adb shell
shell@flo:/ $ su

root@flo:/ # dd if=/dev/block/mmcblk0 | busybox nc -l -p 9876

Now open Window 2.  This should be at the location where you want the image to be saved.  Enter the following command:

\path\to\where\you\saved\nmap\ncat.exe 9876 > image_name.dd

Here's how it actually looks for me, using real paths:

C:\Users\MarkL\Desktop\imaging_in_windows_demo>C:\Users\MarkL\Downloads\nmap-7.50\ncat.exe 9876 > mmcblk0.dd

And if all goes well, the terminal will stop responding.  I've heard some people say they get a missing dll warning for some dlls using this build of ncat.exe.  I did not get any such issues,but I also have installed so many tools throughout the years that I most likely have all the required dlls.  If you have such an error, just google the dll name and you'll be able to find it.  Download the dll and place it in the directory with ncat.exe and you will be good to go.

Open your Windows Explorer window, which should be at the same location as Window 2  Use the refresh button to ensure the image file is increasing in size.  If so, you're good to go.  Pretty straightforward.

So why do I not recommend using Windows?  Simply, there are some issues, one in particular.  The issue is ncat.exe is not default on Windows.  I've had many times where I've started up an image and it has not completed successfully for unknown reasons.  I did not touch the device to ruin the USB connection, I did not let the computer sleep, I did not in any way impede the connection between the computer and the device, and somehow the imaging process fails and I'm stuck with an image file representing the first few gigs of a 32 gig device, or an imcomplete image.  In Window 2, I get the following error message:

close: Result too large

And oddly enough, if the image is successfully made, I get the same error message.  And yes, the image often is made just fine.  I've successfully imaged 32 gig and larger devices using this method.

If I had to take a guess at the cause of the error, it is this: netcat is generally meant for passing files along networks, either of ethernet cables or wireless networks.  nmap is a network scanning tool, so it makes sense to include netcat.  So this specific build of netcat, an addition to and not native to Windows, was built to be part of a network scanning suite for a specific network related function.  It was not built with USB-based networks passing gigabytes and gigabytes in mind over a USB cable while at the same time running a different protocol (adb).  So we're severely overextending its intended usage.  But that's just my guess.

So there are errors.  This is problematic.  More problematic is I cannot explain the genesis of the errors or develop a reliable workaround.

I'm briefly going to go back to grad school and put on my theoretical hat, thus removing my technical geek hat.

If forensic evidence is being presented in court, the evidence must be admissible.  Admissibility is ruled in federal courts and many state courts by the Daubert Criteria .  One of the requirements is the criteria is if the method has a known error rate.

Let's say this method of using Windows ncat.exe as part of an imaging process were to go through a Daubert test.  I would seriously question the error rate.  I personally do not know the error rate; I do not know how often or why the imaging process fails.  That issue in an of itself leads me to not recommend using Windows command line methods to live image an Android device.

If you want to use this method, more power to you.  I'd just use it with caveats: it may error out while imaging, it may not be reliable in court, and the guy telling you about this method isn't a big fan and would rather recommend Linux or Mac as your imaging system.  But if you're imaging a device for fun or for your own research, go for it.

Putting my tech hat back on now.

  • There is a Windows method to live image an Android device, using a build of netcat found in the nmap tool
  • The netcat tool sometimes fails, and I cannot explain why
Questions, comments, suggestions, or experiences?  Old grad school stories?  Leave a comment below, or send me an email.


Post a Comment