ADB#

The Android Debug Bridge is the operator’s foothold on an Android target. It runs as a daemon on the device, a client on the operator’s host, and a server in between, multiplexing shell, file-transfer, and forensic-collection traffic over USB or TCP. Most mobile triage, package pulls, and rooted-device tradecraft starts here.

On contact#

The first five commands an operator runs when an Android device shows up on the workbench. Confirm the device is alive, learn what it is, and decide whether root is on the table.

$ adb devices -l                # detected devices + product / model
$ adb get-state                 # device | recovery | bootloader | offline
$ adb get-serialno              # serial (unique per device)
$ adb shell getprop ro.build.fingerprint     # ROM fingerprint
$ adb root                      # restart adbd as root (eng / userdebug builds)

If adb root returns “production build”, the kernel image refuses root adbd; pivot to a vendor recovery, Magisk, or a forensic image instead.

Connect and select#

USB, network, or emulator. Multiple devices on one host need explicit selection.

$ adb start-server              # boot the local server
$ adb kill-server               # tear it down (often fixes "device offline")
$ adb -d  <cmd>                 # USB device
$ adb -e  <cmd>                 # emulator
$ adb -s  <serial> <cmd>        # named device
$ adb connect 10.0.0.5:5555     # network adbd (rare; signals a misconfig)

Shell and file moves#

The shell is what the operator wants. push and pull are how they move payloads in and evidence out.

$ adb shell                                  # interactive shell
$ adb shell <cmd>                            # one-shot
$ adb push  ./payload.apk  /sdcard/Download/ # host -> device
$ adb pull  /sdcard/DCIM/  ./loot/           # device -> host
$ adb shell run-as <pkg> cat <file>          # read package-private files
                                             # without root (debuggable apps)

Packages and apps#

What’s installed, where it lives, and how to swap it.

$ adb shell pm list packages          # everything
$ adb shell pm list packages -3       # third-party only (operator interest)
$ adb shell pm list packages -s       # system
$ adb shell pm list packages -u       # include uninstalled
$ adb shell pm path <pkg>             # /data/app path to the apk
$ adb shell pm dump <pkg>             # permissions, intents, activities
$ adb install        ./app.apk        # fresh install
$ adb install -r     ./app.apk        # reinstall, keep data
$ adb uninstall      <pkg>

Data and forensics#

The interesting paths. Application data, shared storage, and the two SD-card mount points devices may expose.

/data/data/<pkg>/databases/      app-private SQLite
/data/data/<pkg>/shared_prefs/   app-private settings (XML)
/data/app/                       third-party APK installs
/system/app/                     vendor / OEM APKs
/sdcard/                         user-visible shared storage
/mnt/sdcard/external_sd/         removable SD (older devices)

For everything else (call logs, contacts, SMS, account stores), the operator either roots, restores from adb backup, or uses an off-device forensic suite.

$ adb backup  -apk -shared -all -f android.ab
$ adb restore android.ab

System inspection#

The dumpsys and service subcommands surface most of the state the operator wants to know about.

$ adb shell ps                                  # processes
$ adb shell service  list                       # registered services
$ adb shell dumpsys  battery                    # power state
$ adb shell dumpsys  wifi                       # SSIDs, scan results
$ adb shell dumpsys  package <pkg>              # permissions on a package
$ adb shell dumpsys  activity activities        # activity stack
$ adb shell dumpsys  window  windows | grep -E 'mCurrentFocus|mFocusedApp'
$ adb shell netstat -tunap                      # sockets

The IMEI used to come from dumpsys iphonesubinfo; on modern Android it needs READ_PHONE_STATE and a privileged shell.

Capture#

Screen and log collection for the report.

$ adb shell screencap -p /sdcard/shot.png
$ adb pull            /sdcard/shot.png ./
$ adb shell screenrecord /sdcard/cap.mp4       # ctrl-c to stop
$ adb logcat -d > device.log                   # dump and exit
$ adb logcat -b crash                          # crash buffer only
$ adb bugreport bugreport.zip                  # full system report

Reboot#

$ adb reboot                  # normal
$ adb reboot recovery         # stock or custom recovery
$ adb reboot bootloader       # fastboot

References#