How can I extract the userdata partition of my android emulator?
How can I extract the (unencrypted and complete) userdata partition of my android emulator (AVD)?
Due to some research I want to extract the userdata and system partition of my emulator. There are several possibilities to do so, yet I was unable to extract a complete and unencrypted userdata partition. I tried the following:
1. Extract using adb pull:
   `adb pull /dev/block/dm-X DESTINATION_PATH`. Results in being able to analyze the partition using autopsy. The image seems semi-complete as the important folders exist but are basically empty (I am using the SANS digital forensics & incident response poster to look up the most important data).
2. Extract using adb shell:
   `adb shell "su root dd if=/dev/block/dm-X" > DESTINATION_PATH`. The image seems corrupt. "File system is corrupt (extXfs_group_load: Group 1 descriptor block locations too large at byte offset 4128)" according to fsstat.
3. Access the partition via the file system:
   `C:\Users\USER\.android\avd\EMULATED_DEVICE_NAME\userdata-qemu.img`. The image seems incomplete as there are only a few folders to analyze.
What's really confusing to me are the three partitions userdata.img, userdata-qemu.img and userdata-qemu.img.qcow2 located in the folder stated in 3). According to the emulator help-page (`emulator -help-disk-images`), userdata.img is "the initial data partition image". userdata-qemu.img is "the persistent data partition image". There is no information about the userdata-qemu.img.qcow2. It seems that any data after the initial bootup will be saved in userdata-qemu.img.qcow2. I also tried to convert this file using `qemu-img convert -f qcow2 -O raw userdata-qemu.img.qcow2 userdata.img` to a raw file format (backing file from adb pull (method 1)), which can be analyzed using autopsy. However, the output seems encrypted as the entropy is very high and you cannot detect any data using xxd/HxD.
I tested this on Android 11 and Android 12 rooted and emulated devices (Google Play API).
Thanks in advance!
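The three symptoms in the question (a qcow2 overlay whose backing file must be found before conversion, a raw dump that fsstat rejects, and a converted image that looks like random bytes) can all be triaged from the first few kilobytes of an image before opening it in Autopsy. The following script is an added example, not code from the question or from the Android emulator project: it reads the qcow2 header to report the backing-file path the overlay depends on, checks a raw image for an ext4 superblock and for the ext4 `INCOMPAT_ENCRYPT` (fscrypt, file-based encryption) feature flag that Android sets on userdata, and measures Shannon entropy so "high entropy, nothing in xxd" becomes a number. The sample images built by `build_sample_ext4` and `build_sample_qcow2` are constructed for the demo; the backing-file name in them is a made-up value, and the script reports whatever path a real header stores.

```python
"""Triage helpers for raw / qcow2 images dumped from an Android emulator.

Added example (not from the original post). All sample data is constructed.
"""
import math
import struct
from collections import Counter

QCOW2_MAGIC = b"QFI\xfb"
EXT4_SUPERBLOCK_OFFSET = 1024          # superblock lives 1 KiB into the partition
EXT4_MAGIC = 0xEF53                    # s_magic, little-endian u16 at sb+0x38
EXT4_FEATURE_INCOMPAT_ENCRYPT = 0x10000  # fscrypt: file contents encrypted per file


def qcow2_backing_file(image: bytes):
    """Return the backing-file path stored in a qcow2 header, or None if none/not qcow2."""
    if len(image) < 24 or image[:4] != QCOW2_MAGIC:
        return None
    # Big-endian header: version u32 @4, backing_file_offset u64 @8, backing_file_size u32 @16
    _version, backing_offset, backing_size = struct.unpack_from(">IQI", image, 4)
    if backing_size == 0:
        return None
    return image[backing_offset:backing_offset + backing_size].decode("utf-8", "replace")


def ext4_superblock(image: bytes):
    """Parse the ext4 superblock of a raw partition image; None if the magic is absent."""
    sb = image[EXT4_SUPERBLOCK_OFFSET:EXT4_SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 1024 or struct.unpack_from("<H", sb, 0x38)[0] != EXT4_MAGIC:
        return None
    inodes, blocks_lo = struct.unpack_from("<II", sb, 0x00)
    log_block_size = struct.unpack_from("<I", sb, 0x18)[0]
    feature_incompat = struct.unpack_from("<I", sb, 0x60)[0]
    volume_name = sb[0x78:0x88].split(b"\0", 1)[0].decode("ascii", "replace")
    return {
        "inodes": inodes,
        "blocks": blocks_lo,
        "block_size": 1024 << log_block_size,
        "fscrypt": bool(feature_incompat & EXT4_FEATURE_INCOMPAT_ENCRYPT),
        "volume_name": volume_name,
    }


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for constant data, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(image: bytes, sample_bytes: int = 1 << 20) -> dict:
    """Classify an image as qcow2 overlay, plain ext4, fscrypt ext4, or random-looking data."""
    backing = qcow2_backing_file(image)
    sb = ext4_superblock(image)
    entropy = round(shannon_entropy(image[:sample_bytes]), 3)
    if image[:4] == QCOW2_MAGIC:
        kind = "qcow2-overlay"            # convert with its backing file before analysis
    elif sb is None and entropy > 7.5:
        kind = "encrypted-or-random"      # no filesystem header, near-uniform bytes
    elif sb is not None and sb["fscrypt"]:
        kind = "ext4-fscrypt"             # tree visible, file contents unreadable without keys
    elif sb is not None:
        kind = "ext4-plain"
    else:
        kind = "unknown"
    return {"kind": kind, "backing_file": backing, "ext4": sb, "entropy": entropy}


# --- constructed sample images for the demo (not real emulator output) ---
def build_sample_ext4(fscrypt: bool) -> bytes:
    img = bytearray(4096)
    base = EXT4_SUPERBLOCK_OFFSET
    struct.pack_into("<II", img, base + 0x00, 8192, 32768)   # inodes, blocks
    struct.pack_into("<I", img, base + 0x18, 2)              # log_block_size -> 4 KiB
    struct.pack_into("<H", img, base + 0x38, EXT4_MAGIC)
    struct.pack_into("<I", img, base + 0x60, EXT4_FEATURE_INCOMPAT_ENCRYPT if fscrypt else 0)
    img[base + 0x78:base + 0x80] = b"userdata"
    return bytes(img)


def build_sample_qcow2(backing_path: bytes) -> bytes:
    hdr = bytearray(104)                                     # v3 header size
    hdr[:4] = QCOW2_MAGIC
    struct.pack_into(">IQI", hdr, 4, 3, 104, len(backing_path))
    struct.pack_into(">I", hdr, 20, 16)                      # cluster_bits
    return bytes(hdr) + backing_path


if __name__ == "__main__":
    samples = {
        "overlay.qcow2 (constructed)": build_sample_qcow2(b"userdata-qemu.img"),
        "userdata fscrypt (constructed)": build_sample_ext4(True),
        "random-looking dump (constructed)": bytes(range(256)) * 32,
    }
    for name, data in samples.items():
        print(name, "->", triage(data))
```

A `kind` of `ext4-fscrypt` is the expected result for an Android 11/12 userdata dump: the directory layout is present and Autopsy can list it, but file contents stay unreadable without the per-file keys, which matches "folders exist but are basically empty". A `qcow2-overlay` result means the file still has to be converted, and the reported backing path should exist next to the overlay for the conversion to produce the full image.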
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow