ADB#
The Android Debug Bridge is the operator’s foothold on an Android target. It runs as a daemon on the device, a client on the operator’s host, and a server in between, multiplexing shell, file-transfer, and forensic-collection traffic over USB or TCP. Most mobile triage, package pulls, and rooted-device tradecraft starts here.
On contact#
The first five commands an operator runs when an Android device shows up on the workbench. Confirm the device is alive, learn what it is, and decide whether root is on the table.
$ adb devices -l # detected devices + product / model
$ adb get-state # device | recovery | bootloader | offline
$ adb get-serialno # serial (unique per device)
$ adb shell getprop ro.build.fingerprint # ROM fingerprint
$ adb root # restart adbd as root (eng / userdebug builds)
If adb root returns “production build”, the kernel image
refuses root adbd; pivot to a vendor recovery, Magisk, or a
forensic image instead.
Connect and select#
USB, network, or emulator. Multiple devices on one host need explicit selection.
$ adb start-server # boot the local server
$ adb kill-server # tear it down (often fixes "device offline")
$ adb -d <cmd> # USB device
$ adb -e <cmd> # emulator
$ adb -s <serial> <cmd> # named device
$ adb connect 10.0.0.5:5555 # network adbd (rare; signals a misconfig)
Shell and file moves#
The shell is what the operator wants. push and pull are how
they move payloads in and evidence out.
$ adb shell # interactive shell
$ adb shell <cmd> # one-shot
$ adb push ./payload.apk /sdcard/Download/ # host -> device
$ adb pull /sdcard/DCIM/ ./loot/ # device -> host
$ adb shell run-as <pkg> cat <file> # read package-private files
# without root (debuggable apps)
Packages and apps#
What’s installed, where it lives, and how to swap it.
$ adb shell pm list packages # everything
$ adb shell pm list packages -3 # third-party only (operator interest)
$ adb shell pm list packages -s # system
$ adb shell pm list packages -u # include uninstalled
$ adb shell pm path <pkg> # /data/app path to the apk
$ adb shell pm dump <pkg> # permissions, intents, activities
$ adb install ./app.apk # fresh install
$ adb install -r ./app.apk # reinstall, keep data
$ adb uninstall <pkg>
Data and forensics#
The interesting paths. Application data, shared storage, and the two SD-card mount points devices may expose.
/data/data/<pkg>/databases/ app-private SQLite
/data/data/<pkg>/shared_prefs/ app-private settings (XML)
/data/app/ third-party APK installs
/system/app/ vendor / OEM APKs
/sdcard/ user-visible shared storage
/mnt/sdcard/external_sd/ removable SD (older devices)
For everything else (call logs, contacts, SMS, account stores),
the operator either roots, restores from adb backup, or uses
an off-device forensic suite.
$ adb backup -apk -shared -all -f android.ab
$ adb restore android.ab
System inspection#
The dumpsys and service subcommands surface most of the
state the operator wants to know about.
$ adb shell ps # processes
$ adb shell service list # registered services
$ adb shell dumpsys battery # power state
$ adb shell dumpsys wifi # SSIDs, scan results
$ adb shell dumpsys package <pkg> # permissions on a package
$ adb shell dumpsys activity activities # activity stack
$ adb shell dumpsys window windows | grep -E 'mCurrentFocus|mFocusedApp'
$ adb shell netstat -tunap # sockets
The IMEI used to come from dumpsys iphonesubinfo; on modern
Android it needs READ_PHONE_STATE and a privileged shell.
Capture#
Screen and log collection for the report.
$ adb shell screencap -p /sdcard/shot.png
$ adb pull /sdcard/shot.png ./
$ adb shell screenrecord /sdcard/cap.mp4 # ctrl-c to stop
$ adb logcat -d > device.log # dump and exit
$ adb logcat -b crash # crash buffer only
$ adb bugreport bugreport.zip # full system report
Reboot#
$ adb reboot # normal
$ adb reboot recovery # stock or custom recovery
$ adb reboot bootloader # fastboot
References#
man adb(Android SDK platform-tools).Malware Resources for Android malware sample sources and analysis pipelines.
Android Resources for broader Android tradecraft references.