Home Articles Android Acquisition and Analysis with Belkasoft Evidence Center

Android Acquisition and Analysis with Belkasoft Evidence Center


As you may already know, one of the most recent updates of Belkasoft Evidence Center is BelkaImager or Belkasoft Acquisition Tool. In recent BEC releases this useful tool is already included in the main product, so we decided how to use it in conjunction.

For testing purposes we used a non-rooted Meizu MX4 Android smartphone. Ok, lets start from creating a new case:

Here you have a few fields to fill in, such as Case name and Investigator, also you you can choose Root folder and Case folder, or leave them default. Don’t forget about setting correct time zone! You should cancel the next window and go straight to Tools – Acquisition…

After clicking on Acquisition… you’ll see BelkaImager window:

As you can see, we have three options here: drive, mobile device and cloud data. We are going to acquire a smartphone, so let’s choose mobile device option.

Here we have two options: Apple and Android. Our MX4 is an Android smartphone for sure, so Android is the right choice.

We are sure that you know how to connect an Android device to acquire data, but even if you don’t, BelkaImager have tips for you: enable “Developer mode” and “USB debugging” before connecting the device to your workstation. Also make sure adb service isn’t running. If you’ve done everything right, you would see the device you connected as source device. Now choose image location, name and options you need.

To start acquisition process you must confirm it tapping “BACK UP MY DATA” on the device.

During the acquisition process you’ll get some tips from Belkasoft, for example, to ignore messages during backup operation.

On the final step of the acquisition process you’ll see the log. As you can see, in our case task is finished successfully.

After clicking Close Add data source window pops up with acquired image already added.

As we have a classic Android backup file with AB extension as the image, we choose all Android data types.

Now you should wait a bit to allow Belkasoft Evidence Center to process the image. You’ll get the results very soon.

In our case we got quite a lot of web browser artifacts. Of course, it depends a lot on the device you imaged and also it’s contents.

Do you have experience with BelkaImager? Write us about it!

And happy forensicating!


Igor Mikhaylov & Oleg Skulkin

Load More Related Articles
Load More In Articles
Comments are closed.