
Before you begin, make sure that you have extracted the Android data archive.

I. Add the Android image from the Screencapturer WhatsApp subfolder as a
data source to your case (see the video tutorial below).

1. In the "Add a data source" window, select Add existing → Mobile image.
If you have already closed this window, go to the case dashboard, and
under Actions, select Add data source.

2. Browse to the "Screencapturer WhatsApp" folder, locate and select the
"Niko's Galaxy S9+.belkaml" file.

3. Click Next until the application displays the “Add data source | Select
advanced analysis options” window.

4. From the Profile drop-down, select the Custom analysis profile, and
verify that all Artifact types are selected.

5. Click Next a few times skipping the following selection options. If the
“Create or update a profile” window displays, click No.

6. Click Complete and close the confirmation message.

II. Add one more data source to your case. Select Add existing → Folder.
Select the "Android app data" subfolder. Repeat steps 3-6 from the previous
list.

Belkasoft displays the data source analysis progress in the “Tasks” window. You
can find more information about it here: https://belkasoft.com/tasks.

Smartphone devices are evolving rapidly and often use proprietary technology,
making it difficult to retrieve data from them. Mishandling a device or using
improper techniques during acquisition and extraction can invalidate or lose
data, or even brick the device. To avoid this, digital examiners should adhere to
a set of fundamental rules in their work.

Experts from the SANS (SysAdmin, Audit, Network, and Security) Institute have
established a set of guidelines that digital examiners should keep in mind to
conduct investigations successfully.

In this section, we provide a summary of their recommendations:

1. Ensure that the seizure is legally authorized via consent, warrant, title, etc.

2. Document everything you do and consider the preservation of evidence.
How you handle the device matters. Make sure you understand how to
protect the data and document every step of the way.

3. Keeping the device powered on and the network isolated increases the
chances of accessing the device, so please try to accommodate that. Note
that some devices will turn on when plugged in, enabling them to be
remotely wiped when they connect to a network.

4. Ideally, interact with the device as little as possible before carrying out any
extraction, given the possibility of triggering database changes, and
altering logs and usage records. Ensure that interaction with the target
device, which may change settings or data, is necessary, proportionate,
and deliberate.

5. Learn as much as possible about the target device to be able to choose
the most appropriate extraction method and tool(s). For most devices,
several different methods exist, and they may complement each other.
Evaluate all possible risks for each, start with the safest method, and work
to the most comprehensive (which may be the most risky), if time allows.
Time is often the critical factor and there are cases when you may need to
review some data manually (which may take just a few seconds) and only
then make a decision on which method to use.

6. If using an acquisition technique that is either new, unconventional, or
known to be unreliable, begin with a less invasive acquisition so that in
the event of a technique going wrong, you are not left with nothing. If the
tools use proprietary acquisition methods, make sure you understand
how the tool functions and ask the vendor, where needed. When possible,
test the methodology on an exemplar device before attempting the
method on evidence.

7. Use more than one tool or method to extract data that may be the focal
point or key artifact of the crime. Understand that mobile log and system
data (clock, etc.) constantly change (user-created artifacts should not
change, assuming the device is properly isolated), so two data extractions
may not be exactly the same, nor do they need to be.

8. Always check which applications are installed on the device and
determine the level of support your chosen tools offer. Document the
versions of tools used to ensure your report stands valid based on the
level of support for applications at the time of examining the evidence.

9. Obtain extractions from external components of the mobile device.
Remove UICC (SIM) cards after the extraction of the device and acquire
them separately using your tool of choice.

Android devices come in various brands and models, featuring different chipsets
and operating system flavors. This diversity poses challenges when you acquire
them as a source of evidence in digital forensics and cyber incident response
(DFIR) investigations. Despite the open-source architecture of Android, which
provides advanced ways to interact with devices, ongoing enhancements in OS
and application security create additional complexities.

Most modern mobile devices are equipped with File-Based Encryption (FBE), a
security feature that protects each file using a unique key derived from user
credentials and the device hardware keys. This encryption level significantly
complicates the extraction of device contents through physical acquisition, once
considered the most efficient method. While you can still use physical
acquisition on older Android devices, for FBE-protected ones, you can choose
methods that obtain unencrypted system and application files.

To successfully acquire mobile devices, it is important to understand device and
software specifics. This knowledge helps you assess the possibilities and risks of
different methods and organize your investigative tasks accordingly.

In this and the following sections, we will explore Android device acquisition
methods available in Belkasoft X, and cover the following aspects of their usage:

• How the method works
• Which devices it supports

Currently, the following standard acquisition methods are available for Android
devices (arranged from the safest to riskier ones):

• Automated screen capturing
• File copy via Media Transfer Protocol (MTP) and Picture Transfer Protocol
(PTP)
• SIM card acquisition
• ADB backup acquisition
• Agent-based acquisition (including SD card acquisition)
• Advanced ADB acquisition
• APK downgrade method
• Logical and physical acquisition of rooted Android devices

Note: Many acquisition methods require enabling Developer options on the
device. These include such settings as "USB debugging" and "Install via USB".
Some Android device models (for example, Xiaomi and Huawei) allow enabling
"Install via USB" only after the device is signed into the manufacturer-specific
account (MI or Huawei ID). This operation requires the device to be online and
have a SIM card inserted.

Some methods may not work at the first attempt, and even common
methods may stall on some device models. If an acquisition method does
not work as expected, verify the prerequisite settings on the device, and
then repeat the steps exactly as prompted by Belkasoft X and described in
the lessons.

To begin the acquisition of a mobile device, create or open a case in Belkasoft X.
On the case dashboard, click Add data source. In the window that displays,
select Acquire > Mobile > Android.

The "Select device model to acquire" window displays Android device models.
Start typing the name of your device in the Filter field to quickly find it in the list.
If you cannot locate your model, select the Android Generic option. Click Next.
The "Please select the acquisition method" window displays the list of acquisition
types available for the selected device model. Click the one you want to run.

Note that you can run the Android file system copy and Physical
dump methods only for rooted Android devices.

In the following lessons, we will explore each method in detail.

Android Debug Bridge (ADB) is a tool designed for communicating with Android
devices through commands. Among its functionalities is the "backup" command.
Belkasoft X employs it to provide the ADB backup acquisition method, allowing
you to copy backup files from a wide array of Android devices.

Through this method, you can typically obtain media files, SMS, calendar
records, application data, and other artifacts stored within the device's internal
memory and on SD cards. The number of files you can obtain varies with the
settings of the applications installed on the device, since the application
developers decide how much data is saved through this mechanism.

Pros and cons of the ADB backup method

In digital forensic and incident response investigations, a standard ADB backup
is like a common denominator: it is a safe and standard method of acquiring
device data without the risks of making the device non-functional and
invalidating obtained evidence due to the use of exploits.

The drawback of ADB backup is that it contains a limited amount of information
compared to a so-called "full file system image" of a device. And this drawback
becomes even worse as newer versions of applications stop saving their data to
the backup.

How to make an ADB backup in Belkasoft X

Before you begin:

• On the device you want to acquire, go to Settings > Developer
options and enable the USB debugging and Install via USB options.

• Set the device screen lock timeout to the maximum possible value.

1. Select the ADB backup acquisition method:

2. When you connect the device you want to acquire to your forensic
workstation, you will see the window below:

3. Unlock the smartphone and click Next.

4. When the device displays a message asking whether to allow USB debugging,
select OK.

5. In the "Full backup" window on the smartphone screen, you will be asked if
you would like to back up your data. Do not select anything. Just wait, the
backup creation will start automatically.
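
To make concrete what the ADB backup method produces, and to give a practical way to compare two extractions of the same device as SANS item 7 above recommends, here is an added Python example (not Belkasoft code). It parses the header of an Android backup (.ab) file, reports whether it is password-encrypted, unpacks the tar payload of an unencrypted one, and lists or diffs its entries; the sample backup is constructed inline rather than taken from a device.

```python
"""Inspect an Android 'adb backup' (.ab) file: read its header, unpack the
tar payload when it is not encrypted, list its entries and compare two
backups.  Added example, not Belkasoft code; the sample backup is constructed."""
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"


def _read_line(data, pos):
    """Return (text, next_pos) for the newline-terminated header line at pos."""
    end = data.index(b"\n", pos)
    return data[pos:end].decode("ascii"), end + 1


def parse_ab_header(data):
    """Parse the .ab header and return its fields plus the payload offset."""
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup file")
    pos = len(MAGIC)
    version, pos = _read_line(data, pos)       # format version, e.g. "5"
    compressed, pos = _read_line(data, pos)    # "1" = zlib-compressed payload
    encryption, pos = _read_line(data, pos)    # "none" or "AES-256"
    info = {
        "version": int(version),
        "compressed": compressed == "1",
        "encryption": encryption,
    }
    if encryption != "none":
        # A password-protected backup carries five extra header lines: user salt,
        # checksum salt, PBKDF2 round count, user IV and the wrapped master key.
        # Without the backup password the payload cannot be read, so only record them.
        extra = []
        for _ in range(5):
            value, pos = _read_line(data, pos)
            extra.append(value)
        info["pbkdf2_rounds"] = int(extra[2])
    info["payload_offset"] = pos
    return info


def ab_to_tar(data):
    """Return the raw tar archive wrapped by an unencrypted .ab file."""
    info = parse_ab_header(data)
    if info["encryption"] != "none":
        raise ValueError("backup is encrypted (%s); the backup password is required"
                         % info["encryption"])
    payload = data[info["payload_offset"]:]
    return zlib.decompress(payload) if info["compressed"] else payload


def list_backup_entries(data):
    """List entry names; adb backup uses apps/<package>/... and shared/<n>/... paths."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data)), mode="r:") as tf:
        return tf.getnames()


def diff_backup_entries(first, second):
    """Entries present in only one of two backups of the same device.  Two
    extractions need not be identical, but the differences should be documented."""
    a, b = set(list_backup_entries(first)), set(list_backup_entries(second))
    return sorted(a - b), sorted(b - a)


def make_sample_backup(entries, compressed=True):
    """Constructed sample .ab file built from (name, bytes) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, body in entries:
            ti = tarfile.TarInfo(name)
            ti.size = len(body)
            tf.addfile(ti, io.BytesIO(body))
    payload = buf.getvalue()
    header = MAGIC + b"5\n" + (b"1\n" if compressed else b"0\n") + b"none\n"
    return header + (zlib.compress(payload) if compressed else payload)


# Constructed sample data: one photo on shared storage and one app database.
SAMPLE_ENTRIES = [
    ("shared/0/DCIM/IMG_0001.jpg", b"\xff\xd8\xff constructed jpeg"),
    ("apps/com.example.chat/db/messages.db", b"SQLite format 3\x00"),
]

if __name__ == "__main__":
    ab = make_sample_backup(SAMPLE_ENTRIES)
    print(parse_ab_header(ab))
    for name in list_backup_entries(ab):
        print(name)
```

On a real backup, read the .ab file into `data` and call `parse_ab_header` first: an "AES-256" result means the device user set a backup password, which is a case of the encryption limitation discussed later in the screen capturer lesson.
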

When you use the Agent backup acquisition method in Belkasoft X, the tool
installs the agent application on the device you are acquiring to copy its files via
USB. When the acquisition is complete, Belkasoft X automatically uninstalls the
agent. The information you obtain typically includes contacts, SMS, calendar
records, the list of installed applications, and more. The extent of data depends
on the device chipset vendor.

How to use the Agent backup method in Belkasoft X

Before you begin:

• On the device you want to acquire, go to Settings > Developer
options and enable the USB debugging and Install via USB options.

• Set the device screen lock timeout to the maximum possible value.

1. Select the Agent backup acquisition method:

2. Unlock the device and click Next.

3. In the following window, click Start to begin the acquisition.

4. When the device displays prompts to authorize the ADB service and asking
whether to allow USB debugging, select OK.

Watch your device screen closely; in some cases, you have very limited time to
give the required permission (e.g. 10 seconds on the Redmi 7).

The Agent SD card acquisition method in Belkasoft allows you to extract device
files without connecting the device to the workstation with USB. Instead, you use
an SD card to copy and deploy the Belkasoft agent onto a device, subsequently
exporting data to the same card.

How to run the Agent SD card acquisition method

The acquisition process comprises three stages:

• First, you copy the Belkasoft agent to an SD card
• Next, you insert the SD card into the device and run the agent
• Finally, you extract the acquired data from the SD card to your forensic
workstation

Copy the acquisition agent to an SD card

1. Insert the SD card into a card reader.

2. Connect the card reader to your forensic workstation that runs Belkasoft X.

3. Select the Agent SD card option:

4. In the following window, select Prepare an SD card.

5. Specify the folder where you want to save the agent on the SD card. Click Next.

6. When the copying process completes, you can find the BelkasoftAgent file in
the selected folder:

7. Remove the SD card and click Next. If you do not plan to acquire a device right
away, you can click Cancel to stop the process.

Acquire a device using the agent on SD card

1. Insert the SD card into the device.

2. Use a file manager to navigate to the folder with the Belkasoft agent and run the
agent.

3. Select the checkboxes next to the data categories you want to acquire.

4. Select CAPTURE and wait while the agent completes the acquisition.
5. Remove the SD card from the device.

Extract acquired data from the SD card

1. Connect the SD card to your workstation and continue the acquisition process in
Belkasoft X.

Note: If you have closed the acquisition screen, go to the "Select
acquisition method" window, click Agent SD card and then select
the Analyze an SD card option.

2. Specify the path to the folder with extracted data on the SD card (the folder
name typically contains a date).

3. Select the path where you want to save the acquired data on your workstation
and click Start to extract the files.

The Android screen capturer method is based on the ADB protocol and has
the same requirements as for a backup: the phone must be unlocked and have
Developer mode enabled.

Screenshots of application data on devices are a valuable asset in digital
investigations. Belkasoft X streamlines both the acquisition and analysis of this
data source type:

• It enables you to obtain fully automated screenshots of popular messengers
(Signal, Telegram, WhatsApp); when analyzing them, Belkasoft X uses text
recognition algorithms to reconstruct captured chats for easier examination
• When you run this method for other applications, the tool automatically scrolls
and captures their screens one by one; you can also use text recognition during
their analysis and then search for specific keywords in the indexed text

In this lesson, we will explore the benefits of screen capturing as an acquisition
method and provide you with details on how to use the Android screen
capturer in Belkasoft X.

Why use screen capturing?

There are several reasons to opt for the screen capture method on Android
devices:

• Basic Android acquisition methods like Android Debug Bridge (ADB) backup or
Agent backup have limitations. Forensic images obtained through these methods
do not include many applications, while you can access and screenshot their
contents on devices.
• Application files are often protected by encryption. Even if you acquire their
backup copies, there is no straightforward way to extract the data they include
without the decryption key, which may not be part of the backup.
• Advanced methods, such as APK downgrade, can extract unencrypted
application data, but they come with a set of risks. Belkasoft's screen capturer,
on the contrary, is based on standard ADB commands and is perfectly safe.

According to established device handling strategies, like the SANS "Six Steps"
guidelines, investigators should prioritize the least intrusive data extraction
methods. Thus, it is a good practice to take device screenshots before trying to
downgrade applications or use other advanced acquisition methods.

Lastly, it is possible to take screenshots manually by scrolling through
applications and photographing the device with a camera, but this approach
may be time-consuming and error-prone. Automation eliminates these
drawbacks, providing a more efficient and reliable solution.

The Android screen capturer in Belkasoft X gives you a number of advantages:

• It is quick. Unlike manual scrolling and photographing, the product completes
the capture of each screen in just a couple of seconds.
• It is precise. Screens are positioned to avoid overlapping or "holes" between
screenshots that can lead to data loss, a common pitfall during manual
screenshotting.
• It is flexible. You can limit the number of screens to capture, preventing
potential stalls in the process. For instance, by choosing only to capture the last
ten messages, you can limit the capturing time to a few minutes.

How to run the Android screen capturer

Before you begin:

• Go to the device Settings and, under Developer options, enable the USB
debugging and Install via USB options.
• We also strongly recommend putting the device into Airplane mode, as
notifications may interfere with screen capturing. However, some applications
that store data on web servers (for example, Telegram or email clients) may
need internet access for loading earlier data. If you plan to capture such
applications, you can preload their data before enabling Airplane mode.

1. Connect an Android device to a computer running Belkasoft X.

2. Launch Belkasoft X and create a new case or open an existing one.

3. Click Add a data source, then select Acquire → Mobile → Android and choose
your device model.

4. In the following window, select the Screen Capturer method.

5. Choose one of the supported messengers or select the Generic app option and
click Next.

6. Your following steps depend on the application you want to acquire:

o For supported messengers, if needed, set limits on the amount of data to
capture. Note that these settings will differ based on the app:
Then click Next and follow the on-screen instructions to begin the acquisition.

o For generic apps, open the application screen you want to capture on the device
and proceed with Belkasoft X's prompts. Define the scrolling options and click OK to
begin the acquisition.

Do not touch the device during the entire acquisition process. The process log
will help you understand the acquisition stages:
Keep in mind that the screen capturer may not work on certain devices. If
you encounter issues during the acquisition, make sure you have enabled
the prerequisite options on the device and try again.

How to analyze Android application screenshots

When the tool completes the acquisition, it offers to analyze the acquired
screenshots. Your strategy will depend on the application you have acquired.

Signal, Telegram, WhatsApp

When analyzing supported messengers, you can accept the default options and
proceed with the analysis.

After the process is complete, the results are conveniently displayed in text
format under the messenger profile in the "Artifacts" window.

You can search and filter chats, calls, and contacts by keywords, participants,
dates, and more. Keep in mind that some recent messages may not have
timestamps since, within the application, their dates are marked as "Yesterday,"
"Friday," "Thursday," and so on.

To double-check your findings, use the original screen captures located under
the Pictures profile.

Generic app

When analyzing screenshots from other applications, you can use text
recognition to facilitate your further examination. To do so, when defining the
analysis options, go to the Media tab, select Text, and specify the Recognition
language.

When Belkasoft X completes the analysis, the acquired screenshots are


displayed in the "Artifacts" window under the Pictures profile. You can select
screenshots and view the text they include in the Item text tab below.

All recognized text is indexed, so you can search it for specific keywords using
the Search artifacts action on the case dashboard.

Conclusion

Screen capturing proves to be a straightforward and valuable method for
extracting textual and graphical data from numerous applications. Its reliability
and safety make it a good initial choice for device acquisition before venturing
into more technically demanding and unpredictable methods.

Belkasoft X takes the efficiency of screen capturing on Android devices to the
next level by automating the process. It also provides advanced analysis options
to streamline further examination of acquired screenshots. This comprehensive
approach enhances the speed and precision of digital forensic analysis.

With Belkasoft X, you can acquire both physical and logical images of Android devices
where administrative rights are obtained ('rooted device'). A logical image, which is a full file
system copy, is useful when your device has built-in encryption and a physical image makes
no sense.
The Android file system copy method can help you extract the most comprehensive data set
from Android devices, including system files, application files, and many other valuable
artifacts.

You can check whether a seized device is rooted in the Settings. In the search bar, type
"phone status" and select the related result. If the Phone status displays as Official, you are
dealing with an unrooted device. Other values, for example, Custom, indicate that the device
is rooted.

WARNING: The file system copy method is generally safe for already rooted devices, but if
you decide to perform rooting yourself, it may cause bricking of the device and complete loss
of data.

How to make an Android file system copy (logical image)

Before you begin:

• On the device you want to acquire, go to Settings > Developer options and enable
the USB debugging and Install via USB options.
• Set the device screen lock timeout to the maximum possible value.

1. Select the Android file system copy option.

2. Connect the device you want to acquire to your workstation and unlock it. Disconnect all
other mobile devices.

3. Follow the tool's prompts. In the "Review Android device properties" window, verify that
the correct device is detected:

4. Specify the target path for the image and click Start to begin the acquisition.

5. Follow the onscreen instructions. When the device displays prompts to authorize the ADB
service and asking whether to allow USB debugging, select OK.

How to create a physical dump

This method creates a physical image and is only available for rooted Android devices.
You can carve physical images in Belkasoft X. However, keep in mind that if your device is
protected with File-Based Encryption, the data will be acquired in an encrypted form.
The Physical dump method works essentially the same as the file system copy. The only
difference is that after the tool detects the device, you can select the partitions to acquire.

Android Package or APK is the standard Android operating system format for
installing applications. Modern-day mobile applications use security mechanisms
and encryption to protect their data from direct access within the device.
However, in earlier versions of many applications, these measures were not in
place. The APK downgrade method in Belkasoft X takes advantage of this gap.

When you use this method, the tool replaces application packages on the device
with their earlier versions, which enables it to extract the folders and files with
the available data from the downgraded applications, including the files stored
on SD cards. Upon completing the acquisition process, Belkasoft X restores the
original versions of applications, even in cases where errors occur during the
procedure.

Belkasoft X supports the downgrade and acquisition of multiple Android
applications, including Facebook Messenger, Instagram, KakaoTalk, Opera,
Signal, Skype, Telegram, Twitter, Viber, WeChat, WhatsApp, Zello, and others.

In this lesson, we will explain how to run APK downgrade.

WARNING: While APK downgrade is a relatively safe method and is unlikely to
brick your device, under certain circumstances it may affect its state. It may
cause logging out of application accounts and loss of some data, so use this
method only after you have obtained data with the other available options.

How to use the APK downgrade method in Belkasoft X

Before you begin:

• On the device you want to acquire, go to Settings > Developer
options and enable the USB debugging and Install via USB options.

1. Select the APK Downgrade acquisition method:

2. Connect the Android device you want to acquire to the computer via USB and
unlock it. The tool will detect your device:
3. Select one or more applications to acquire using their checkboxes. Note that
this window only displays the apps installed on a particular device and
supported by the method.

Once you start the acquisition process, Belkasoft X will do the following:

• Back up the current versions of the applications
• Install the old versions of the applications. The user data is preserved
• Reboot the device (it is required for Android 6.0 or newer)
• Make an ADB backup
• Restore the original app versions

If anything works incorrectly, the next APK downgrade (or Advanced ADB)
attempt will fix the problem by recovering original app versions, safely stored in
a temporary location. You need to select the APK downgrade method again, and
then select the Recover from failed attempt option.

If a subsequent attempt does not work either, you can manually recover original
versions from the [Application folder]/Options/[unique name] folder on the
device or use Google Play Store to restore it.

4. Review the acquired data in the "Artifacts" window:


The Android APK downgrade method is an effective and reasonably safe way to get
data from various applications even if their current versions do not allow their
data to be included in an ADB backup. Belkasoft X automates this process, so the
investigator does not need to perform the manual routine. The product robustly
handles numerous potential problem situations and rolls back to the original
versions of the apps once the acquisition is complete.

Learn more about APK downgrade
troubleshooting: https://belkasoft.com/android-apk-downgrade-troubleshooting
(please read this article as it will help you in the following lessons and
quizzes).

In this lesson, we will briefly discuss other available Android acquisition methods.

SIM card acquisition

SIM cards typically include device-related data, such as IMEIs and installed software
versions, as well as cellular data, such as the mobile subscriber's ID and phone number. They
may also contain contact records and SMS texts if the device owner chooses to store them on
the SIM card.

You can use the Android SIM device method in Belkasoft X to acquire this information
from SIM cards within Android devices. Alternatively, you can use the SIM Reader method
to acquire SIM data through a SIM card reader device.

Before the acquisition make sure that 3GPP AT commands are switched on in the Developer
options:

Advanced ADB acquisition

This acquisition method is a combination of several methods into a single task:

• Performs an ADB backup
• Creates an agent backup
• Copies data from a SIM card

The resulting image will include all data you can acquire with these three methods when
running them separately.

MTP/PTP

Media Transfer Protocol (MTP) and Picture Transfer Protocol (PTP) are standard
communication protocols used to transfer files between a device and a computer over USB.
While PTP is limited to interacting with graphic formats, MTP allows sending and receiving
various types of media files.

Belkasoft X provides the MTP/PTP acquisition method that copies Android device files
available through these protocols. The files can include pictures, audio and video files, and
other document types, such as PDFs. Since MTP and PTP are standard protocols, this method
will work for most Android devices.

Before you start acquisition, connect the device to the computer and select the
appropriate mode in the settings:

Acquisition mechanisms depend not only on the operating system but also on
the device hardware. In particular, the chipset plays a significant role. Belkasoft X
provides a number of chipset-specific acquisition methods to accommodate this
challenge:

• Support for MTK-based devices
• Support for Qualcomm-based devices
• Support for Spreadtrum-based devices

Note that some chipset-specific methods may not work at the first attempt
and may stall on some device models. If an acquisition method does not
work as expected, verify the prerequisites and repeat the steps exactly as
prompted by Belkasoft X and described in the lessons.

Watch an overview of advanced Android acquisition methods:

Belkasoft X allows you to acquire a physical image from a wide range of mobile devices
running on Qualcomm Snapdragon SoC and not protected with File-Based Encryption.
Qualcomm acquisition is based on the emergency download mode (EDL).

You can use this method to acquire more than 250 smartphone types, including various
models of Samsung, Xiaomi, Meizu, ZTE, Vivo, and others. Find the full list of supported
devices at https://belkasoft.com/supported_qualcomm_devices.

How to create a physical image from devices on Qualcomm Snapdragon SoC using the EDL mode

Before you begin:

1. Install the EDL driver on your forensic workstation running Belkasoft X.

If you see the message: "The COM-port is not open. The EDL driver may not be
installed or doesn't have digital signature. Please, try rebooting the system with driver
signature verification disabled," disable Driver Signature Verification on Windows.
Here is how you can do it:

a. Restart your computer and then keep pressing the F8 key before Windows starts.
You will see the Advanced Options screen.

b. Go to Troubleshoot > Advanced options > Startup Settings and click Restart.

c. When your computer restarts you will see a list of options. Press F7 on your
keyboard to select Disable driver signature enforcement.

d. After your computer restarts, you will be able to install unsigned drivers. Install the
EDL driver.

2. Log in to your account on belkasoft.com, go to Downloads and download Android
programmers. Save the belkax-android-resources.zip archive to your machine in ..\
Belkasoft Evidence Center X\Resources\Android. Do not extract it.

3. Fully charge the device you want to acquire.

To run the acquisition:

1. Launch Belkasoft X, create a case. On the case dashboard, under Actions,
select Add data source.

2. In the window that displays, select Acquire > Mobile > Android, and
choose your Qualcomm-based device model.

3. In the following window, select the Qualcomm method.
The tool then displays a prompt to connect the device.

4. Now, switch the phone to EDL mode. You can do it using one of the
following methods:

o Take the phone apart and short the test pins.

o Connect the device to your machine, launch the ADB console, and
run the following commands:

    adb reboot bootloader
    fastboot oem edl

Note that the second method may not work on some devices
and under certain conditions (the bootloader may be locked).
For example, in Xiaomi smartphones, most commands are
locked by default.

5. Connect the device to your workstation with a USB cable if it is not already
connected. When the tool detects your device, click Next.

6. In the following window, select a Firehose programmer corresponding to
your device model and click Next.

7. Select a path for the device image and click Start to begin the acquisition.

Belkasoft X provides several chipset-specific acquisition methods for devices
powered by MediaTek. These methods cover a variety of chipset models and
devices, including popular smartphones, such as LG, HTC, Sony Experia, and also
exotic devices like Gionee, Oppo, and Umidigi.

MTK-specific methods differ by technical requirements and the range of
acquired data (logical file system image, physical dump).

How to run the MTK acquisition method

The MTK acquisition option in Belkasoft X allows you to create a physical image
from devices based on MediaTek chipsets that include the Preloader
component. You can find the list of chipsets supported by this method in the
Belkasoft X User Reference document.

To interact with Preloader on a MediaTek smartphone, you do not even have to
turn it on. Therefore, the MTK method allows you to create images from devices
that lack screens, batteries, or cases. Technically, the smartphone board and a
USB port (to connect the device to a PC) are the only essential hardware items
you need for acquisition.

Before you begin, verify the presence of the Preloader component in the
MediaTek smartphone you want to acquire:

1. On a PC machine, open the Device Manager application.

2. Expand either the Universal Serial Bus controllers or the Ports category
to view the devices it includes.

3. Connect the MediaTek smartphone to the machine using a USB cable and
watch out for changes under the expanded category in the Device
Manager window. After you connect the smartphone to the PC,
the MediaTek PreLoader USB driver will appear for a short period of
time and then disappear.

If the driver does not appear, double-check that the device chipset is
supported by the method and that your USB cable is working.
Note that Preloader activates only for a short period of time after the device is
connected via USB. For this reason, when you run the acquisition, you must not
connect the MediaTek device to the PC before the process starts. You must do it
at the right moment (when the flash memory wizard is expecting the
connection).
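The Device Manager check above can be scripted on a Linux workstation with lsusb. The following shell script is an added example, not part of the Belkasoft training or product: it classifies USB vendor/product IDs into the download modes this chapter's acquisition methods rely on and polls for one of them, which matters because the Preloader enumerates for only a second or two. Qualcomm EDL is 05c6:9008 and the MediaTek Preloader is 0e8d:2000; the MediaTek BROM (0e8d:0003) and Spreadtrum (1782:4d00) entries are taken from public USB ID lists and are assumptions to verify against the INF file of the driver you installed. `enter_edl_via_fastboot` runs the two commands from step 4 of the EDL procedure and is subject to the same locked-bootloader caveat. The sample lsusb lines are constructed.

```shell
#!/bin/sh
# Constructed lsusb-style lines for the self-check (not captured from real hardware).
SAMPLE_EDL='Bus 001 Device 009: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)'
SAMPLE_PRELOADER='Bus 001 Device 012: ID 0e8d:2000 MediaTek Inc. MT65xx Preloader'

# Read lsusb output on stdin and print which download mode, if any, is on the bus.
# 05c6:9008 Qualcomm EDL (QDLoader 9008); 0e8d:2000 MediaTek Preloader;
# 0e8d:0003 MediaTek BROM; 1782:4d00 Spreadtrum diag (the last two are assumptions
# taken from public USB ID lists; confirm against the INF of the driver you installed).
usb_mode_from_lsusb() {
    mode="none"
    while IFS= read -r line; do
        case "$line" in
            *" ID 05c6:9008 "*) mode="edl" ;;
            *" ID 0e8d:2000 "*) mode="mtk-preloader" ;;
            *" ID 0e8d:0003 "*) mode="mtk-brom" ;;
            *" ID 1782:4d00 "*) mode="spreadtrum" ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Sample the bus repeatedly: the Preloader stays enumerated only for a moment,
# so a single lsusb call taken a second too late sees nothing.
watch_for_mode() {
    want="$1"
    tries="${2:-50}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if [ "$(lsusb | usb_mode_from_lsusb)" = "$want" ]; then
            printf '%s detected\n' "$want"
            return 0
        fi
        i=$((i + 1))
        sleep 0.2
    done
    printf '%s not seen in %s samples\n' "$want" "$tries" >&2
    return 1
}

# The software route into EDL from step 4. Fails on locked bootloaders (Xiaomi by
# default), in which case shorting the test points is the only option.
enter_edl_via_fastboot() {
    adb reboot bootloader &&
    fastboot oem edl &&
    watch_for_mode edl
}

# Usage on a live workstation (not run here):
#   watch_for_mode mtk-preloader 100   # start this first, then plug the MediaTek board in
#   enter_edl_via_fastboot
```

Start the watcher before you connect the MediaTek board, exactly as the text says to do with the acquisition wizard; if it never reports the Preloader, check the cable and the chipset support list before suspecting the phone.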

To run the acquisition:

1. Launch Belkasoft X and create a case. On the case dashboard,
under Actions, select Add data source.

2. In the window that displays, select Acquire > Mobile > Android and
choose your MTK-based device model or use
the Generic Mediatek device option.

3. In the following window, select the MTK method.


4. Then, select the MediaTek chip version or click Detect chip. Specify
the Storage type technology.
5. Optionally, select a Download agent executable to load into the
smartphone memory and select an Authentication file to use for the
acquisition. Click Next.

6. Specify the Target path where you want to save the smartphone image.
Click Start.

7. Turn off the mobile device, remove its battery, and connect the device to
your computer with a USB cable.

The Agent backup MTK (physical) and Agent backup MTK (logical) methods
help you create device images using an agent designed to acquire data from
MTK-based devices. These methods support more than 150 devices and 25
chipsets, including various models of Huawei, Lenovo, LG, Meizu, Sony, ZTE, and
others. Find the full list of supported devices
at https://belkasoft.com/supported_mtk_devices.

How to run agent-based acquisition of MTK devices

Before you begin:

 On your forensic workstation, stop the antivirus software.

 On the device you want to acquire, go to Settings > Developer options and
enable the USB debugging and Install via USB options.

 Set the device screen lock timeout to the maximum possible value.

1. Select the Agent backup MTK (physical) method.


2. Connect the smartphone to your machine and unlock it. Click Next.

3. Next, select the device partitions you want to acquire and click Next.
4. Specify the Target path where you want to save the smartphone image and
click Start.

5. When the device displays a message asking whether to authorize the ADB
service, select OK.

The Agent backup MTK (logical) method works essentially the same. The only
difference is that you do not need to select the device partitions to acquire.

Belkasoft X also allows you to create a physical image of Spreadtrum-based
Android devices that are not protected with File-Based Encryption.

The method supports almost 90 phone models, including various models of
Archos, ARK, BLU, Intex, Micromax, and others. Find the full list of supported
Spreadtrum devices at https://belkasoft.com/supported_spreadtrum_devices.

How to create a physical image of a Spreadtrum-based device

Before you begin:

1. Download Spreadtrum drivers and install them on your forensic workstation
running Belkasoft X.

2. Log in to your account on belkasoft.com, go to Downloads and
download Android programmers.
3. Save the belkax-android-resources.zip archive to your machine in ..\Belkasoft
Evidence Center X\Resources\Android. Do not extract it.

To run the acquisition:

1. Launch Belkasoft X, create a case. On the case dashboard, under Actions,
select Add data source.

2. In the window that displays, select Acquire > Mobile > Android, and select your
Spreadtrum-based device model.

3. In the following window, select the Spreadtrum method.


4. Follow Belkasoft X's instructions to handle the device:

o Do not connect the device; turn it off
o Remove the battery from the device
o Insert the battery into the device
o Hold down a combination of buttons (depending on the phone, typically
Volume Up and Volume Down)
o Connect the device to your machine using a USB cable

5. Select the path where you want to save the acquired data and click Start to
begin the acquisition.

After you acquire and extract data from a mobile device, it is usually
recommended that you process it with more than one tool and compare the
artifact results, especially for anything that is considered essential evidence,
whether exculpatory or inculpatory.

In this training, we only use Belkasoft X; however, keep in mind that
different tools might parse different data types from the same applications.
Most tools can import and process extractions made by other tools. You can
use this to verify your primary tool's findings after the device is returned to
the owner.

Artifacts

The "Artifacts" window is your starting point for examining various pieces of
forensically important data. Belkasoft X automatically extracts these pieces,
known as artifacts, from the data sources that you add to your case. Examples of
artifacts are a chat, a document, an email, a picture, a registry key, a video, and
so on.

The window is divided into several panes, with the Structure and Overview tabs
on the left.
Structure

On the Structure tab, you can see where your artifacts are stored: at the top
level, there is a data source that may include various artifact types like Audio,
Chats, Documents, and more. Under the subnodes, you can find artifact profiles,
for example, Skype, Facebook, Telegram, and so on.

Overview

Unlike Structure, the Overview tab contains all artifacts of the same type under
the same node. For example, if you have several data sources and each has
several chat applications such as WhatsApp, Skype, and Telegram, all these chats
will be shown under the Chats node in the Overview while in Structure they all
will have different nodes. To summarize, Overview is more lightweight and gives
you an easier overview, while Structure gives you more details about artifact
origins.

Artifact list

In the middle pane of the "Artifacts" window, you can view the list of artifacts
belonging to the profile selected in the Structure tab or the artifact type
selected in the Overview tab. The items can have different views depending on
the selected artifact type. For example, if you select a chat, there is a bubble view
and a table view. The bubble view mimics chat representation on the device and
is easier to share with non-technical people, while the table view allows you to fit
more information on the screen and select the columns you need.

Note that by default, chat profiles display all available conversations as one set
of records. If you right-click a profile and select Show contacts, Belkasoft X
breaks down the records by groups and private chats as they display on the
device:
In the table view, you can sort the list by any column. To do so just click on the
column header. You can also filter by any column having the funnel icon.

Tools

At the bottom of the middle part, you will find Tools.

It includes Item text, Hex viewer, and other viewers depending on the type of the
item in focus. If you select a record that is part of an SQLite database, there will
be an SQLite viewer. If it is a registry or a Plist item, a corresponding viewer will
display.

To open a viewer full screen, click on the corresponding icon at the right of
the viewer name.

You can hide the Tools pane using the icon.

Properties
On the right side of the Artifacts window, there is the Properties pane. Here
you can review the properties of an item currently selected in the item list. You
can also copy any property or its part.

Top part

At the top, there is the Report button, the mini-timeline, and the global filter
button.

The report button creates a report for all items checked in the currently shown
tab at the left, either Structure or Overview. If you need to create a report for
items checked in the item list, right-click there.

Mini-timeline shows you how artifacts spread over time. You can click inside
and select a date range. The product will filter all items and show only those
which fall under the selected range. You can adjust the range by dragging its left
and right border. Clear the selection by single-clicking anywhere on the timeline.

At the right of the mini-timeline, there is a global filter icon. Click on it to apply,
edit, or reset global filters. When a filter is applied, this icon turns orange. Find
more information in the Filtering chapter.

The source: https://belkasoft.com/artifacts_full.


Searching artifacts

Once you have extracted artifacts, you may want to search through them using
different criteria. Along with filtering, search allows you to narrow the number of
items to review. Belkasoft X automatically indexes all text-based properties of
artifacts, such as their texts, dates and times, metadata, and so forth. So,
running a search query against extracted artifacts data is a quick process.

Note: Do not confuse the search of profiles and the search inside artifact texts.
Search for application profiles is performed during analysis of a data source and
the main goal is to find all artifacts for a specific application. For instance,
Belkasoft X will find an Outlook mailbox (and will extract all emails) and 1000
documents (and will extract texts and metadata for every one of those items).
Once that mailbox and the documents within are analyzed, you can search for
particular texts extracted from them.

To run a search in artifacts, you can either press the Ctrl+F key combination or
go to the "Dashboard" window and under Actions, select the Search
artifacts option.

The search window is displayed:


The available search options include:

 Word or phrase. Select this option to find all data containing a certain
word or phrase.
o This search is not case-sensitive.
o This search is carried out by exact match of the whole word. If you
need to find artifacts by part of a word, use the * symbol.
o Select the Treat as a regex checkbox if you want to use a regular
expression. Regular expression is a powerful mechanism to
perform complicated searches. You can choose this option when
you do not know exactly what you are looking for, for example,
while searching for emails or credit cards when you do not yet
know the exact email address or card number. More details about
the syntax of writing regular expressions will be discussed below.
 Words from file. Select this option when you have a keyword file
containing all words of interest. Having such a file saves a lot of time if you
have numerous words for which you need to search—all the keywords
can be searched for in a single search operation.

Select the Treat as a regex checkbox if you would like to use a file
containing a list of regular expressions.

 Predefined search. Belkasoft X offers you a set of predefined searches
based on vocabulary, for example, adult sites, city names, disposable
(one-time) email addresses, steganography app names, and so on. Note
that these searches are customizable: you can find them under the
product folder (for example, C:\Program Files\Belkasoft Evidence Center
X\App\Resources\Search\Names\AmericanNames.txt) and edit them as
you need.

At the bottom of this window, you can see two drop-downs:

 Select a data source. Here you can specify in which data sources to run
the search
 Select types to search in. Here you can specify which artifact types to
look for; for example, only perform a search in Documents and
Downloads

Both panes have root checkboxes helping you to do mass selection operations.

Tip: Typically, investigators run searches in all data sources and profiles because
it is more efficient to find all the results and only then to narrow them down
using filters inside the "Search Results" window.

When you click on OK, the search task will start and be shown in the "Tasks"
window.

If it is not entirely clear what to look for, use special search operators.

 Wildcard operator, type an asterisk (*) in place of the word you're not
sure about. It replaces zero or more characters.
Example: win* Matching: win, wine, wineglass, etc.

Example: *in* Matching: win, wine, skin, instagram, etc.

 Wildcard ? operator will replace any single character.

Example: ?hat Matching: what, that, etc.

Example: h?t Matching: hat, hot, etc.

 Fuzzy ~ operator. Find all terms with a maximum of two changes, where a
change is the insertion, deletion, or substitution of a single character or
transposition of two adjacent characters.

Example: what~ Matching: what, that, hat, wat, etc.

To speed up the search, all found artifacts (words, dates, document content,
passwords, etc.) are indexed. Due to this, the search even on huge amounts of
data is fast. A list of all indexed artifacts is placed in the Key dictionary. It can be
created from the Dashboard actions.
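To make the operator semantics above concrete, here is an added Python example; it is not code from Belkasoft X, whose index and matcher are not public. It translates * and ? into a whole-word regex, implements ~ as an optimal-string-alignment edit distance of at most two (the four change types listed above; that this is the intended notion of "change" is an assumption), and shows the regex-plus-Luhn approach for finding e-mail addresses and card numbers you do not yet know. The corpus is constructed.

```python
import re

# Constructed sample corpus standing in for indexed artifact text (not real case data).
CORPUS = [
    "Met him at the wine bar, what a night",
    "skin care order confirmation: card 4111 1111 1111 1111",
    "contact: alice.smith@example.org, backup alice@example.net",
    "instagram handle changed to @wineglass_hat",
    "lost my hat at the shop, card on file 4111 1111 1111 1112",
]

def wildcard_to_regex(term):
    """Translate the * (zero or more characters) and ? (exactly one character)
    operators into a whole-word, case-insensitive regex. Every other character
    is escaped, so a literal dot or plus in the term cannot widen the match."""
    parts = []
    for ch in term:
        if ch == "*":
            parts.append(r"\w*")
        elif ch == "?":
            parts.append(r"\w")
        else:
            parts.append(re.escape(ch))
    return re.compile(r"\b" + "".join(parts) + r"\b", re.IGNORECASE)

def osa_distance(a, b):
    """Optimal string alignment distance: an insertion, deletion, substitution of one
    character or transposition of two adjacent characters each count as one change."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def fuzzy_words(term, text, max_changes=2):
    """Words of `text` within `max_changes` edits of `term` (the ~ operator's semantics)."""
    term = term.lower()
    return {w for w in set(re.findall(r"\w+", text.lower())) if osa_distance(term, w) <= max_changes}

def search(corpus, term):
    """Indices of corpus entries matching a term written with the *, ? or ~ operators."""
    if term.endswith("~"):
        return [i for i, line in enumerate(corpus) if fuzzy_words(term[:-1], line)]
    rx = wildcard_to_regex(term)
    return [i for i, line in enumerate(corpus) if rx.search(line)]

# Regex searches of the kind the text mentions: unknown e-mail addresses and card numbers.
EMAIL_RX = re.compile(r"[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}", re.IGNORECASE)
CARD_RX = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional space/dash separators

def luhn_ok(digits):
    """Luhn check digit validation: double every second digit from the right."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        n = int(ch)
        if pos % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def find_cards(text):
    """Card-number candidates that also pass the Luhn check; this removes most of the
    false positives a bare digit-run regex returns (order numbers, timestamps)."""
    return [re.sub(r"[ -]", "", m.group()) for m in CARD_RX.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]
```

Note the difference between the first two functions and the last two: wildcard and fuzzy matching narrow a search you can already name, while the regex plus a checksum finds values you cannot name, which is why a Luhn filter belongs next to any card-number regex you put into a keyword file.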

The Android operating system governs multiple processes on devices: it keeps
track of user accounts and settings, creates logs, and collects various device and
application usage statistics, saving this information into system files. In digital
investigations, these files can reveal additional details about device users and
help corroborate other findings.
In this chapter, we will overview forensically interesting Android system artifacts
and explore what data they uncover.

We will explain how to examine these artifacts in Belkasoft X and provide tips on
using them in criminal and cybersecurity investigations.

Note that, as part of the system files, all these data sources are only
available in "file system copy" images of Android devices.

You can begin examining Android system artifacts by reviewing the properties of the
acquired device in the "File System" window. In the tree view, right-click the image data
source node and select Show properties.
The set of details you can find in the Device properties dialog depends on the data source
type. The window below displays the properties of a Samsung Galaxy file system copy that
includes such information as IMEI, IMSI, ICCID, OS version, last boot time, factory reset
time, Bluetooth address and name, and more.

Belkasoft X collects these details about the device from a number of system files:

 Android ID, Bluetooth name, Bluetooth address:
..\data\system\users\%USERNUMBER%\settings_secure.xml
 OS version, Build codename, Build version:
..\data\system\usagestats\%USERNUMBER%\version
 IMEI: ..\data\drm\pvt\ahrh
 Display name, ICCID, IMSI, Country (SIM card details):
..\data\user_de\%USERNUMBER%\com.android.providers.telephony\databases\telephony.db
 Factory reset time (UTC): ..\data\misc\bootstat\factory_reset
 Last boot time (UTC): ..\data\misc\bootstat\last_boot_time_utc

You can also find them summarized in the "Artifacts" window. Go to the Overview tab
under System files > Device info.
SIM Card Details

Details of SIM cards used on an Android device are stored in an SQLite database
located in
..\data\user_de\%USERNUMBER%\com.android.providers.telephony\databases\telephony.db.
According to our observations, this database retains records of all SIM cards
ever used with the device.

In Belkasoft X, you can locate this artifact in the Structure tab
under telephony.db → Device info. This profile displays such details as the
code of the country where the SIM card is registered and the mobile carrier
name. The Integrated Circuit Card Identifier (ICCID) is the unique serial number
of the card itself, and the International Mobile Subscriber Identity (IMSI)
identifies the subscriber; its leading digits (the MCC and MNC) identify the
home carrier.

The telephony.db artifact can offer insights into the history of SIM card usage
on the device. In digital investigations, it helps to identify the mobile networks
where the device was used with those SIM cards and provides SIM card IDs that
can be used to request information about their owners.
External connections

Android Debug Bridge (ADB) is a command-line tool that allows communication with
Android devices via USB or over Transmission Control Protocol (TCP) on Wi-Fi
networks. A host must be authorized on the device before it can issue commands;
when the user accepts the authorization prompt with the "Always allow" option,
the system stores that host's RSA public key, together with a user@host comment,
in ..\data\misc\adb\adb_keys.

In Belkasoft X, you can find this artifact profile on the Structure tab
under adb_keys → ADB hosts. It displays the host computer name and the user
name of the account that has interacted with the device through ADB.

ADB allows performing various actions on the device, including application
installation. In digital investigations, the adb_keys artifact can help establish
whether an external host was authorized to control the device and reveal the
details of that host and user.
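The device properties, SIM history and ADB hosts discussed above can all be cross-checked by hand against the raw files, which is useful when you need to confirm a tool's Device info output. The following Python is an added example, not Belkasoft X code: it reads the settings_secure.xml entries, queries the siminfo table of telephony.db (column names as in AOSP's TelephonyProvider, an assumption to confirm with `.schema siminfo` on your own image) and parses adb_keys. The XML excerpt, the database rows and the adb_keys line are all constructed; the SHA-256 fingerprint is our own identifier for matching a key against a seized workstation's adbkey.pub, not a format Android displays.

```python
import base64
import hashlib
import sqlite3
import xml.etree.ElementTree as ET

# Constructed excerpt of ..\data\system\users\%USERNUMBER%\settings_secure.xml
# (same element layout as on the device; every value here is invented).
SETTINGS_SECURE_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<settings version="-1">
  <setting id="3" name="android_id" value="3f9c2d1e5a7b8c0d" package="android" />
  <setting id="41" name="bluetooth_name" value="Galaxy S9+" package="com.android.bluetooth" />
  <setting id="42" name="bluetooth_address" value="AC:5F:3E:11:22:33" package="com.android.bluetooth" />
</settings>
"""

# Constructed ..\data\misc\adb\adb_keys content: one authorized host per line, the
# base64 public key followed by a user@host comment. The key bytes are not a real key.
ADB_KEYS = base64.b64encode(b"constructed, not a real adb public key").decode() + " examiner@FORENSIC-WS01\n"

def parse_settings_secure(xml_text, wanted=("android_id", "bluetooth_name", "bluetooth_address")):
    """Pull the device-identity settings Belkasoft X shows under Device info."""
    root = ET.fromstring(xml_text)
    values = {s.get("name"): s.get("value") for s in root.iter("setting")}
    return {name: values.get(name) for name in wanted}

def build_sample_telephony_db():
    """In-memory stand-in for telephony.db. Only the siminfo columns read below are
    created; the names follow AOSP's TelephonyProvider (assumption: confirm them with
    `.schema siminfo` on the database from your own image)."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE siminfo (_id INTEGER PRIMARY KEY, icc_id TEXT, imsi TEXT,
                   display_name TEXT, carrier_name TEXT, iso_country_code TEXT,
                   mcc INTEGER, mnc INTEGER)""")
    con.executemany("INSERT INTO siminfo VALUES (?,?,?,?,?,?,?,?)", [
        (1, "8901260123456789012", "310260123456789", "T-Mobile", "T-Mobile", "us", 310, 260),
        (2, "8944110012345678901", "234100123456789", "O2", "O2 - UK", "gb", 234, 10),
    ])
    return con

def sim_history(con):
    """Every SIM the provider has seen, plus a consistency check: the IMSI must start
    with the MCC and MNC the row claims, otherwise the row deserves a closer look."""
    rows = con.execute("SELECT icc_id, imsi, carrier_name, iso_country_code, mcc, mnc "
                       "FROM siminfo ORDER BY _id").fetchall()
    return [{"iccid": iccid, "imsi": imsi, "carrier": carrier, "country": country,
             "imsi_matches_mccmnc": imsi.startswith(f"{mcc:03d}{mnc:02d}")}
            for iccid, imsi, carrier, country, mcc, mnc in rows]

def parse_adb_keys(text):
    """Hosts authorized for USB debugging. The SHA-256 of the decoded key is a stable
    identifier you can compare with the adbkey.pub of a suspect workstation (our own
    fingerprinting choice, not the format Android displays)."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        blob, _, comment = line.partition(" ")
        user, _, host = comment.strip().partition("@")
        hosts.append({"user": user, "host": host,
                      "key_sha256": hashlib.sha256(base64.b64decode(blob)).hexdigest()})
    return hosts
```

The user@host comment in adb_keys is written by the client that generated the key and is not verified by the device, so treat it as a lead; the key itself is the evidence, and it can be matched bit for bit against the adbkey.pub of a seized computer.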

Mobile applications that provide access to online services (like messengers,
social networking apps, and email agents) typically require users to authenticate
before accessing their data. To facilitate repeated access to applications, Android
devices store users' application account details, including login credentials,
account IDs, authentication tokens, and more. In the Android file system copy,
you can find these records in SQLite databases stored in the following locations:

 ..\data\system_ce\%USERNUMBER%\accounts_ce.db

 ..\data\system_de\%USERNUMBER%\accounts_de.db

When analyzing Android artifacts in Belkasoft X, you can find these database
profiles on the Structure tab under System files:
The accounts_ce.db → Android accounts profile includes details of the
authentication accounts used on the device:

 Type of account specifies the ID of the application associated with the
account

 Account description includes the user's account ID; this description may
be different depending on how the application identifies users (for
example, it may be the user's login name, email, internal ID number, a
generic application description, and so on)

 Password may include an encrypted account password or its generic
description

The accounts_ce.db → Android account authtokens profile displays the
application accounts that use tokens for user authentication. The notable
column to inspect here is Authtoken type. It includes token configuration data
that may reveal in which applications and services the user authenticated with
their Google account.

The accounts_de.db → Android accounts profile provides a valuable addition to
account data: Last logon time indicates when the user provided their account
credentials for the last time.

To sum it up, the accounts_ce.db and accounts_de.db artifacts found in the
Android file system can help you figure out which applications were in use on
the device at the time of the acquisition, the accounts used to log into them, and
the last logon time details.
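Because the account, token and last-logon facts are spread over two databases, a small script that joins them is the quickest way to verify what the two profiles above show. The following Python is an added example, not Belkasoft X code: it builds in-memory stand-ins for accounts_ce.db and accounts_de.db with constructed rows (table and column names follow AOSP's AccountsDb, an assumption to confirm with `.schema` on your own databases) and produces one report row per account with the token types and the last credential entry time converted from epoch milliseconds to UTC.

```python
import sqlite3
from datetime import datetime, timezone

def build_sample_accounts_dbs():
    """In-memory stand-ins for accounts_ce.db and accounts_de.db with constructed rows.
    Table and column names follow AOSP's AccountsDb (assumption: check `.schema` on the
    databases from your own image, the layout has changed between releases)."""
    ce = sqlite3.connect(":memory:")
    ce.executescript("""
        CREATE TABLE accounts (_id INTEGER PRIMARY KEY, name TEXT, type TEXT, password TEXT);
        CREATE TABLE authtokens (_id INTEGER PRIMARY KEY, accounts_id INTEGER, type TEXT, authtoken TEXT);
        INSERT INTO accounts VALUES (1, 'alice.smith@example.org', 'com.google', NULL);
        INSERT INTO accounts VALUES (2, '+15551230000', 'org.telegram.messenger', 'opaque-blob');
        INSERT INTO authtokens VALUES (1, 1, 'oauth2:https://www.googleapis.com/auth/drive', 'ya29.constructed-1');
        INSERT INTO authtokens VALUES (2, 1, 'com.google.android.apps.photos', 'ya29.constructed-2');
    """)
    de = sqlite3.connect(":memory:")
    de.executescript("""
        CREATE TABLE accounts (_id INTEGER PRIMARY KEY, name TEXT, type TEXT,
                               last_password_entry_time_millis_epoch INTEGER);
        INSERT INTO accounts VALUES (1, 'alice.smith@example.org', 'com.google', 1700000000000);
        INSERT INTO accounts VALUES (2, '+15551230000', 'org.telegram.messenger', 0);
    """)
    return ce, de

def account_report(ce, de):
    """One row per account: the app that owns it, whether a password blob is stored,
    which token types exist (the services the account was used with) and the last
    credential entry time from the DE database. Accounts are matched across the two
    databases by (name, type) rather than by _id, so differing ids are not fatal."""
    tokens = {}
    for acct_id, ttype in ce.execute("SELECT accounts_id, type FROM authtokens"):
        tokens.setdefault(acct_id, []).append(ttype)
    last_entry = {(n, t): ms for n, t, ms in de.execute(
        "SELECT name, type, last_password_entry_time_millis_epoch FROM accounts")}
    report = []
    for _id, name, atype, pw in ce.execute("SELECT _id, name, type, password FROM accounts ORDER BY _id"):
        ms = last_entry.get((name, atype))
        report.append({
            "account": name,
            "type": atype,
            "password_present": pw is not None,
            "authtoken_types": sorted(tokens.get(_id, [])),
            # 0 means the platform never recorded a credential entry for this account
            "last_credential_entry_utc": (datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()
                                          if ms else None),
        })
    return report
```

A value of 0 in the last-entry column is not "the epoch"; it means no entry was ever recorded, so report it as absent rather than as 1970.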

Application usage statistics

The Android OS includes internal services that keep track of hardware and
software usage statistics. Among the data generated through device health
monitoring is a file containing timestamps of recent activity in various
applications. You can find it in
..\data\user\%USERNUMBER%\com.google.android.apps.turbo\shared_prefs\app_usage_stats.xml.
When analyzing the file system of an Android device in Belkasoft X, you can
locate this artifact on the Structure tab under System files →
app_usage_stats.xml → Usage statistics. The tool displays the package names
of the applications and the recent timestamps of when they were in use.

The app_usage_stats.xml artifact can contribute to building a timeline of events
and establishing patterns of behavior that may be relevant to the investigation.
However, it keeps records for a limited time period and does not include details
on deleted applications.

Application usage events


Many Android devices also include the Digital Wellbeing service that collects
usage statistics and provides users with insights into their interactions with the
device and the time spent in various applications. Most devices store data
recorded by this service in an SQLite database located at
..\data\data\com.google.android.apps.wellbeing\databases\app_usage.

Samsung devices store similar data records in an alternative location:
..\data\data\com.samsung.android.forest\databases\dwbCommon.db.

In Belkasoft X, you can find Digital Wellbeing data on the Structure tab
under System files → app_usage → Digital Wellbeing or System files →
dwbCommon.db → Digital Wellbeing, depending on the device model. The
profile displays the records of the device and application events, including their
timestamps. For example, ACTIVITY_RESUMED indicates that an application was
moved to the foreground, meaning that it was in active use at a specified
moment. You can find descriptions of events in Android developer
documentation.
The range of events recorded by the Digital Wellbeing services varies depending
on the device manufacturer. For instance, on some devices, such as Samsung
phones and tablets, you can additionally find details on when the device was
powered on (DEVICE_STARTUP) or off (DEVICE_SHUTDOWN), and when it
displayed the lock screen (KEYGUARD_SHOWN).

Digital Wellbeing records can add precision to the timeline of events in a digital
investigation by providing information on the application and device states at
certain periods of time. Nonetheless, there are a few caveats to keep in mind
when you consider this artifact:
 Device owners can opt out of sharing their usage statistics. The absence of
Digital Wellbeing records does not mean that the user did not interact with the
device and applications.

 Not all event records imply the user’s interaction with the device. For example,
some NOTIFICATION records may indicate internal communication events that
are not visible to the user. DEVICE_SHUTDOWN may both suggest that the user
turned the device off and that the device battery ran out.
 Like app_usage_stats.xml, Digital Wellbeing records only include recent activities
and exclude deleted application data.
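The event semantics and the shutdown caveat above are easiest to see when the raw events are turned into foreground sessions. The following Python is an added example, not Belkasoft X code: it maps the integer event codes defined by android.app.usage.UsageEvents.Event to their names (that the Digital Wellbeing tables store these same integers is an assumption; the constants cover the events named in the text), pairs each ACTIVITY_RESUMED with the next pause or stop of the same package, and closes any session still open at DEVICE_SHUTDOWN while marking it ambiguous, since that record alone cannot distinguish a deliberate power-off from a drained battery. The event rows are constructed.

```python
from datetime import datetime, timezone

# Event type codes as defined by android.app.usage.UsageEvents.Event. Assumption: the
# Digital Wellbeing tables store these same integers; the constants cover the events
# named in the text (ACTIVITY_RESUMED, KEYGUARD_SHOWN, DEVICE_STARTUP, DEVICE_SHUTDOWN).
EVENT_NAMES = {
    1: "ACTIVITY_RESUMED", 2: "ACTIVITY_PAUSED", 15: "SCREEN_INTERACTIVE",
    16: "SCREEN_NON_INTERACTIVE", 17: "KEYGUARD_SHOWN", 18: "KEYGUARD_HIDDEN",
    23: "ACTIVITY_STOPPED", 26: "DEVICE_SHUTDOWN", 27: "DEVICE_STARTUP",
}

# Constructed event rows (timestamp in ms since the epoch, package, event type);
# not taken from a real device.
SAMPLE_EVENTS = [
    (1700000000000, "android", 27),             # DEVICE_STARTUP
    (1700000060000, "android", 18),             # KEYGUARD_HIDDEN: screen unlocked
    (1700000061000, "com.whatsapp", 1),         # ACTIVITY_RESUMED
    (1700000181000, "com.whatsapp", 2),         # ACTIVITY_PAUSED
    (1700000182000, "com.android.chrome", 1),   # ACTIVITY_RESUMED
    (1700000300000, "android", 26),             # DEVICE_SHUTDOWN with Chrome still in front
]

def iso_utc(ms):
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

def _session(pkg, start, end, closed_by):
    return {"package": pkg, "start": iso_utc(start), "end": iso_utc(end),
            "seconds": (end - start) // 1000, "closed_by": closed_by,
            # a shutdown may be the user or the battery; a pause/stop is app lifecycle
            "closed_by_ambiguous": closed_by == "DEVICE_SHUTDOWN"}

def foreground_sessions(events):
    """Pair ACTIVITY_RESUMED with the next ACTIVITY_PAUSED/STOPPED of the same package.
    A session still open at DEVICE_SHUTDOWN is closed there and marked ambiguous."""
    open_since = {}
    sessions = []
    for ts, pkg, code in sorted(events):
        name = EVENT_NAMES.get(code, f"UNKNOWN_{code}")
        if name == "ACTIVITY_RESUMED":
            open_since.setdefault(pkg, ts)
        elif name in ("ACTIVITY_PAUSED", "ACTIVITY_STOPPED") and pkg in open_since:
            start = open_since.pop(pkg)
            sessions.append(_session(pkg, start, ts, name))
        elif name == "DEVICE_SHUTDOWN":
            for p, start in open_since.items():
                sessions.append(_session(p, start, ts, name))
            open_since.clear()
    return sessions
```

Run the same pairing over the Samsung dwbCommon.db rows once you have mapped its columns; the point is that a session length is only as trustworthy as the event that closed it.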

Application installations and updates


Android users can install applications from the Google Play Store and other
sources. When an application is installed or updated, the system records this
event into an SQLite database located in
..\data\data\com.android.vending\databases\frosting.db.

Belkasoft X displays this artifact on the Structure tab under System files
→ frosting.db → Android app updates. When inspecting this profile, you can
find the list of applications installed on the device at the time of the acquisition,
their resource folder location on the file system, and the last time they were
installed or updated.

The frosting.db artifact provides information about applications on an Android
device, including those installed from the Google Play Store and other sources. It
can be valuable in digital investigations for tracking and identifying sideloaded,
and thus potentially suspicious, applications.

Also note that the Google Play Store can be set to auto-update installed
applications, so the timestamps in the database do not necessarily indicate that
the user interacted with the device at the specified time.

Google Play Store searches


When Android users look for applications in the Google Play Store, the system
records their searches into an SQLite database at
..\data\data\com.android.vending\databases\suggestions.db.
When examining a file system copy of an Android device in Belkasoft X, you can
locate this database artifact on the Structure tab under System files
→ suggestions.db → Google Play searches. It includes the details of the
application suggestions displayed to the users and the associated timestamps.

The suggestions.db artifact can provide insights into the device user's
intentions and contribute to building the timeline of events in digital
investigations.

In this chapter, we intend to examine a few popular Android chat apps from a forensic
standpoint. We will briefly review extracting data from these apps and the artifacts
associated with them. You will learn what data you can obtain from a suspect’s Android
smartphone and how to examine it in Belkasoft X.
WhatsApp emerged in 2009, rapidly becoming the go-to communication app for
iOS users. When its Android version was launched a year later, the app was
already popular enough to quickly grow a large Android user base that has
substantially increased over time. Today’s global popularity of WhatsApp and the
wide usage of Android mobile devices make Android WhatsApp one of the
foremost sources of evidence in criminal and cybersecurity investigations.

Watch the following video to learn how to approach WhatsApp forensics.

In this lesson, we will continue to explore Android WhatsApp forensics, focusing
on how to obtain WhatsApp data from an Android device:

 How Android WhatsApp stores and backs up data
 Forensically important WhatsApp files in the Android file system
 How to acquire Android WhatsApp data
 Best practices for acquisition of Android WhatsApp

How Android WhatsApp stores data

Device file system

On Android devices, WhatsApp houses its resources in the Application Sandbox.
The resource folder within the device file system contains chat databases in an
unencrypted form, but you can only access this folder on rooted devices.

Backup folders within the device

Android WhatsApp creates daily backups of chat databases within the device,
encrypting them with a key stored in the Application Sandbox. WhatsApp backup
files are accessible through the Media Transfer Protocol (MTP) when connecting
a device to a computer via USB. Depending on how the device is set up to store
application data, you can find backups either within its internal memory or on
the SD card in it.

Chat databases in the backup folder are encrypted in the CRYPT14 or CRYPT15
format, while media files are stored as-is.

Google Account cloud storage

Users can opt to upload WhatsApp backups to their Google Account cloud
storage. Like on devices, media files in these backups are stored as-is, and
databases are by default encrypted in the CRYPT14 format.

End-to-end encrypted backups

The WhatsApp end-to-end backup encryption option offers additional protection
for backups. It involves securing access to backup files with a password or 64-
digit encryption key and encrypting the database file in CRYPT15 format. If a user
activates this protection, the application chats can only be restored from a
backup with the additional password or key. Note that this setting affects both
the files uploaded to the cloud and those stored on the device.

Android WhatsApp files of interest

Databases

On Android devices, WhatsApp stores account data in several SQLite databases
and their transactional files. They are located in the application resource
folder ..\data\data\com.whatsapp\databases (Android package names are
case-sensitive, and the WhatsApp package is all lowercase). The following are
the key databases that contain forensically relevant information:

 msgstore.db is typically of primary interest; it includes records of calls, message
texts, and details of other information exchanged in the conversations (locations,
media file names, and so on)
 wa.db is another important database that includes the names of contacts, group
chats, channel names, and other details
 companion_devices.db contains information about other clients (devices) linked
to the account (at the time of the device acquisition)

We will take a closer look at these databases in the second part of this article.

Configuration file

In ..\data\data\com.whatsapp\shared_prefs, you can find
the com.whatsapp_preferences_light.xml file with account settings and
timestamps of various application events enclosed in XML tags. For example,
here are some tags that may provide insights for your investigation:

 <string name="registration_jid"/> includes the WhatsApp account owner's
registration phone number
 <string name="my_current_status"/> encloses the account's "About"
information at the time of the acquisition
 <string name="gdrive_account_name"/> specifies the Google Account email
address used for cloud backups
 <long name="gdrive_last_successful_backup_timestamp:account@gmail.com"
value="0000000000000"/> shows the time of the last cloud backup as a Unix
timestamp in milliseconds (UTC).

Backup encryption key

WhatsApp encrypts and decrypts database backups with a key that is generated
when the user authenticates in the application using their phone number. You
can find this key in ..\data\data\com.whatsapp\files.

Note that this key only works to decrypt files with the .crypt14 extension. When
end-to-end backup encryption is on (files have the .crypt15 extension), the
second key or password required to decrypt the backup is known only to the
user and is not stored in the application folders.

Media files

WhatsApp saves exchanged media files into the backup folders it creates on the
device. You can find them in ..\Android\media\com.whatsapp\WhatsApp\
Media. Other media files, such as contact avatars, are part of the application
resource folders.
How to acquire Android WhatsApp data

The way Android WhatsApp stores data and creates backups allows for several
approaches to data acquisition. In this section, we will explore these approaches
and look into the files they let you extract.

Due to security measures, not all acquisition methods can provide you with
access to messaging data. Obtaining the complete WhatsApp data set requires a
specialized tool that can acquire unencrypted WhatsApp data. For this purpose,
we will use Belkasoft X that includes advanced Android device acquisition and
cloud acquisition methods.

Backup copy

Copying the WhatsApp backup folder from the device is a good starting point.
Here is why:

 You can copy these files without specialized tools
 Though databases are encrypted, you can still view the exchanged media files
(even with end-to-end backup encryption in place)
 For encrypted databases, you may be able to obtain the decryption key later
using other acquisition methods

How to acquire:

Connect the device to your workstation and unlock it. Navigate to ..\Android\
media and copy the com.whatsapp folder to your machine. WhatsApp backups
can reside either within the device internal memory or on the SD card, so you
may need to check both of these storages to locate the files.

What you get:

The Android WhatsApp backup comprises two folders with database backups
and a structure of media file folders. The Databases folder
includes msgstore.db.crypt14, the latest backup of the main WhatsApp
database. It may also contain a few versions of this backup created earlier,
named similar to msgstore-yyyy-mm-dd.db.crypt14. These earlier files may be
of use for recovering messages that were deleted after these backups were
made (if you manage to get hold of the decryption key).
The Backups folder includes wa.db.crypt14 that, when decrypted, can help you
identify the users with whom the account owner communicated.

All database backups are encrypted with the same key tied to the WhatsApp
account phone number. You can acquire this key from the device using the APK
downgrade and Android file system copy methods that we will discuss later.

Note that if a WhatsApp account has end-to-end backup encryption activated,
the application uses a more advanced cryptography format, CRYPT15. It applies
this format to backup files on the device as well.
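Two of the facts above, the preference-file tags from the Configuration file section and the naming of the backup databases, lend themselves to a triage script that tells you, before any decryption, which account and cloud backup you are dealing with, which earlier backup copies exist, and which files will need the user's secret. The following Python is an added example, not Belkasoft X code. The preferences excerpt is constructed in the shared_prefs layout Android uses (string elements carry text, long elements a value attribute); the backup folder is created as empty files for the demonstration; the optional ".N" suffix after the date in backup names is an observed convention and an assumption.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed excerpt of com.whatsapp_preferences_light.xml in the shared_prefs
# layout Android uses (string elements carry text, long elements a value attribute).
PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="registration_jid">15551230000</string>
    <string name="my_current_status">Hey there! I am using WhatsApp.</string>
    <string name="gdrive_account_name">account@gmail.com</string>
    <long name="gdrive_last_successful_backup_timestamp:account@gmail.com" value="1700000000000" />
</map>
"""

def parse_whatsapp_prefs(xml_text):
    """Account identity and cloud-backup facts from the preferences file."""
    prefs = {}
    for el in ET.fromstring(xml_text):
        if el.tag == "string":
            prefs[el.get("name")] = el.text or ""
        elif el.tag in ("long", "int", "boolean"):
            prefs[el.get("name")] = el.get("value")
    cloud = {}
    prefix = "gdrive_last_successful_backup_timestamp:"
    for key, value in prefs.items():
        if key.startswith(prefix):   # the key carries the Google account, the value epoch ms
            cloud[key[len(prefix):]] = datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc).isoformat()
    return {"phone": prefs.get("registration_jid"), "about": prefs.get("my_current_status"),
            "gdrive_account": prefs.get("gdrive_account_name"), "last_cloud_backup_utc": cloud}

# msgstore.db.crypt14, msgstore-YYYY-MM-DD.db.crypt14, wa.db.crypt14 and so on; the
# optional ".N" after the date is an observed same-day suffix (assumption).
BACKUP_RX = re.compile(r"^(msgstore|wa)(?:-(\d{4}-\d{2}-\d{2})(?:\.\d+)?)?\.db\.crypt(\d+)$")

def inventory_backups(*folders):
    """List backup databases oldest first, so the earlier copies that may still hold
    since-deleted messages stand out, and flag crypt15 files, which need the user's
    password or 64-digit key in addition to the on-device key."""
    found = []
    for folder in folders:
        for name in os.listdir(folder):
            m = BACKUP_RX.match(name)
            if not m:
                continue
            db, day, version = m.groups()
            found.append({"file": name, "db": db, "date": day or "current",
                          "format": "crypt" + version, "needs_user_secret": version == "15"})
    return sorted(found, key=lambda f: (f["db"], f["date"] == "current", f["date"]))

def make_sample_backup_folder():
    """Empty files laid out like the Databases and Backups folders of
    ..\\Android\\media\\com.whatsapp\\WhatsApp (constructed); returns both paths."""
    root = tempfile.mkdtemp()
    layout = {"Databases": ["msgstore.db.crypt14", "msgstore-2023-11-12.1.db.crypt14",
                            "msgstore-2023-11-13.1.db.crypt15", "notes.txt"],
              "Backups": ["wa.db.crypt14"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "wb").close()
    return os.path.join(root, "Databases"), os.path.join(root, "Backups")
```

A mixed inventory like the constructed one (crypt14 copies from before the user enabled end-to-end backup encryption, crypt15 afterwards) is worth noticing: the older crypt14 files are still decryptable with the on-device key even though the current backup is not.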

Cloud backup copy

If WhatsApp is configured to upload backups to its user's Google Account, you
can find its data in the associated Google Drive storage. The backup is kept in
the app-private area of Google Drive, which the Drive web and desktop clients do
not expose, so you will need a specialized tool to obtain the files.

How to acquire:

To begin the acquisition, launch Belkasoft X and create a case. Add a new data
source either from the "Create case" window or the Actions menu on the case
dashboard:
In the "Add a data source" window, select Acquire → Cloud → WhatsApp:

Provide the Android WhatsApp user's Google account login and password,
click Next, and follow the on-screen instructions to complete the acquisition:

What you get:

The Android WhatsApp backup is stored in a folder named after the phone
number registered with the account. The files you can obtain from a Google
Account are typically the same as those stored on the device but with only one
version of the encrypted msgstore.db.crypt14.

WhatsApp QR

WhatsApp QR is a cloud acquisition method. It emulates linking a device to a
WhatsApp account to download application data. This method is useful for
obtaining recent conversations and media files. The extent of information you
can acquire is limited due to the specifics of the mechanism governing data
transfer to connected clients.

How to acquire:

Before you begin the acquisition, you should verify that the device camera is
working. You will need it to scan the authentication QR code. The device must
also be online for the linking functionality to work.

To start the acquisition, launch Belkasoft X and create a case. Add a new data
source either from the "Create case" window or the Actions menu on the case
dashboard. In the "Add a data source" window, select Acquire → Cloud →
WhatsApp QR and follow the on-screen instructions to complete the acquisition.

What you get:

Belkasoft X writes the acquired conversations into a Cloud.belkaml file (in XML
format) and downloads a WhatsApp folder with files exchanged in those
conversations.

Automated screen capture

The Android screen capturer method takes automated screenshots of chats
and images within the application and saves them to your workstation.

How to acquire:

You can find detailed information on using this method in lesson "2.6.
Automated screen capturing."

What you get:

When analyzing WhatsApp screenshots, Belkasoft X uses text recognition
algorithms to reconstruct captured chats and display them under the messenger
profile in the "Artifacts" window.

When exploring WhatsApp data acquired from an Android device, you should
understand what kind of information you can find and how to interpret it. In this
lesson, we will explore the following topics:

 Forensically important features of WhatsApp
 Evidence in Android WhatsApp databases
 How to analyze Android WhatsApp in Belkasoft X

Forensically important features of WhatsApp

You may be curious to know that the initial idea behind WhatsApp was to show
its user's status updates—hence the name; though, quite quickly it grew into a
messenger. Present-day WhatsApp users can engage in one-to-one and group
chats by exchanging:

 Text messages
 Media files such as pictures, video, audio, and documents
 Location pins and live locations
 Contact cards
 Polls

The WhatsApp status transformed into several one-way communication
features:

 The multimedia status that lasts 24 hours
 The broadcast feature that allows sending messages to multiple conversations
individually
 Channels used to post content for a group of followers

The application also supports VoIP and video calls, including conferences.
Additionally, in some countries, it can be used for making payments. With such a
variety of features, WhatsApp users leave numerous digital traces that provide
insights into their connections, interactions, behaviors, locations, and more.

Moreover, a single WhatsApp account can be used across multiple devices. This
feature can aid in identifying additional devices involved with the account usage.

Evidence in Android WhatsApp databases

Now that you know how to obtain WhatsApp databases, let us delve into their
records and explore how they can help you reconstruct users' activities within
the application.

wa.db

The wa.db table is your source of information about the account owner's
contacts and groups.

wa_contacts can reveal the names of the account owner's contacts, their phone
numbers, "about" information, and other details. When exploring the jid column
containing user's chat IDs, you may notice that several types of contact records
are available:

 @broadcast indicates broadcast groups, with status@broadcast being reserved
for the user's multimedia statuses
 @s.whatsapp.net stands for one-to-one chats
 @g.us indicates group chats
 @newsletter identifies channels

wa_block_list offers insights into the unwanted contacts in the user's list.
Interestingly, it may also include the blocked contact's internal WhatsApp ID
indicated by @lid:

wa_group_admin provides one more notable piece of information. creator_jid
helps you to identify the admins of the group chats in which the user
participates:

companion_devices.db

By analyzing companion_devices.db, you can find additional details about
WhatsApp account usage. It reveals information about the devices connected to
the account through the linking functionality:

 device_id includes the account phone number followed by a connection ID.
 device_os indicates the type of operating system where the account is or was
used. In the screenshot below, you can notice that some records list Belkasoft
in device_os records. These records appeared when we used the WhatsApp QR
method to acquire account data.
 platform_type specifies the type of WhatsApp client used to link an
account. 1 represents a web browser client, and 21 indicates a Windows desktop
client.
 place_name reveals the approximate location of where the linking took place.
 last_active, login_time, and logout_time contain UTC timestamps of the linking
events in the Unix format; in the screenshot below, they are converted for easier
examination.

These records can provide insights into additional devices used by the WhatsApp
account owner and help with a timeline of events. In some cases, they may also
indicate that a third party had access to the account's conversations and could
exchange messages on the owner's behalf.

msgstore.db

msgstore.db is the largest database in the Android WhatsApp dataset. It
contains the account owner's conversations stored in the message table and all
associated information spread across other tables. Here are the columns of
primary interest in the message table:

 chat_row_id indicates in what chat a message was exchanged; it is a foreign key
that links to the chat table that stores chat details
 sender_jid_row_id indicates the contact that sent the message; it is a foreign key
to the jid table that stores contact IDs
 from_me specifies whether the message is incoming or outgoing
 message_type indicates what kind of data the message includes; it may be a text
(0), an image (1), a voice message (2), a video (3), a contact card (4), location (5),
group (6), system message (7), file (9), deleted message (15), and so on
 timestamp contains the Unix timestamp (UTC) of when the message was sent or
received
 text_data includes the text of the exchanged message

You can find the details of non-text messages in the following tables:

 message_location stores the geolocation data exchanged in the messages
 message_media reveals the paths to the exchanged files stored in WhatsApp
backup folders and other details
 message_thumbnail stores the thumbnails of the graphic previews of the
exchanged non-text messages
 message_vcard includes the details of the exchanged contact cards

As for the call records, you can locate them in the call_log table:

You can find more details on how to examine and query Android WhatsApp
databases in this insightful article:
https://thebinaryhick.blog/2022/06/09/new-msgstore-who-dis-a-look-at-an-updated-whatsapp-on-android/
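As an added example (not part of the lesson and not Belkasoft's code), the following Python script builds a constructed, minimal msgstore.db in memory with the message columns described above, joins message, chat and jid to reconstruct a readable chat history, and classifies chat IDs by the "@" suffixes covered under wa.db. It assumes a jid table reduced to _id and raw_string, a chat table reduced to _id and jid_row_id, an outgoing row carrying sender_jid_row_id 0, and timestamps in milliseconds; all sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timezone

# Chat-ID suffixes as described for wa.db; status@broadcast is a special case.
JID_KINDS = {
    "@s.whatsapp.net": "one-to-one chat",
    "@g.us": "group chat",
    "@broadcast": "broadcast list",
    "@newsletter": "channel",
    "@lid": "internal WhatsApp ID",
}

# message_type values listed for the msgstore.db message table.
MESSAGE_TYPES = {0: "text", 1: "image", 2: "voice message", 3: "video",
                 4: "contact card", 5: "location", 6: "group",
                 7: "system message", 9: "file", 15: "deleted message"}


def jid_kind(jid):
    """Classify a WhatsApp jid by its '@' suffix."""
    if jid == "status@broadcast":
        return "multimedia status"
    for suffix, kind in JID_KINDS.items():
        if jid.endswith(suffix):
            return kind
    return "unknown"


def to_utc(ts):
    """Render a Unix timestamp as UTC. Assumption: values above 10**11 are milliseconds."""
    if ts > 10**11:
        ts = ts / 1000
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def build_sample_msgstore():
    """Constructed, minimal msgstore.db with only the columns this lesson discusses."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE jid (_id INTEGER PRIMARY KEY, raw_string TEXT);
        CREATE TABLE chat (_id INTEGER PRIMARY KEY, jid_row_id INTEGER);
        CREATE TABLE message (
            _id INTEGER PRIMARY KEY, chat_row_id INTEGER, from_me INTEGER,
            sender_jid_row_id INTEGER, message_type INTEGER,
            timestamp INTEGER, text_data TEXT);
        INSERT INTO jid VALUES (1, '15550001111@s.whatsapp.net'),
                               (2, '120363000000000000@g.us'),
                               (3, '15550002222@s.whatsapp.net');
        INSERT INTO chat VALUES (1, 1), (2, 2);
        -- outgoing rows (from_me = 1) carry sender_jid_row_id 0 in this sample
        INSERT INTO message VALUES
            (1, 1, 0, 1, 0, 1700000000000, 'Are we still meeting tonight?'),
            (2, 1, 1, 0, 0, 1700000060000, 'Yes, 9pm'),
            (3, 2, 0, 3, 1, 1700000120000, NULL),
            (4, 2, 1, 0, 5, 1700000180000, NULL);
    """)
    return conn


# message -> chat (chat_row_id) -> jid gives the chat; message -> jid (sender_jid_row_id)
# gives the sender. LEFT JOIN keeps outgoing rows, whose sender row does not exist.
RECONSTRUCT_SQL = """
SELECT m._id, cj.raw_string AS chat_jid, m.from_me,
       sj.raw_string AS sender_jid, m.message_type, m.timestamp, m.text_data
FROM message m
JOIN chat c ON c._id = m.chat_row_id
JOIN jid cj ON cj._id = c.jid_row_id
LEFT JOIN jid sj ON sj._id = m.sender_jid_row_id
ORDER BY m.timestamp
"""


def reconstruct(conn):
    """Join the tables and decode the coded columns into readable fields."""
    rows = []
    for _id, chat_jid, from_me, sender_jid, mtype, ts, text in conn.execute(RECONSTRUCT_SQL):
        rows.append({
            "id": _id,
            "chat": chat_jid,
            "chat_kind": jid_kind(chat_jid),
            "direction": "outgoing" if from_me == 1 else "incoming",
            "sender": "account owner" if from_me == 1 else (sender_jid or "unknown"),
            "type": MESSAGE_TYPES.get(mtype, "other (%s)" % mtype),
            "time": to_utc(ts),
            "text": text,
        })
    return rows


if __name__ == "__main__":
    for row in reconstruct(build_sample_msgstore()):
        print(row)
```

Point the connection at a decrypted msgstore.db instead of the constructed one to run the same join against real records.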

How to analyze Android WhatsApp with Belkasoft X

Belkasoft X analyzes WhatsApp folders available in the device image and extracts
the conversations for easy examination.

Explore the artifacts

When you add an Android device image as a data source in Belkasoft X, the tool
presents extracted findings in the "Artifacts" window. You can locate the
WhatsApp profile on the Structure tab under Chats:

The profile appearance depends on the type of the device image you analyze.
The screenshot above displays the analyzed "file system copy" image. Such
images typically include two or more profiles:

 the main database profile extracted from the application folder; it is identified by
the user's phone number without the country code
 msgstore.db.crypt14 that originates from the automatically decrypted database
backup and its earlier versions, if available

If you have an APK downgrade image, you will only find the main database
profile since this method does not copy backup folders.

The middle pane in Belkasoft X reveals the user's sent and received messages in
the bubble chat view. You can select a message and inspect its details in
the Properties pane. You can also find its source SQLite record highlighted in
the SQLite viewer.

Examine chats individually

By default, the "Artifacts" window displays messages from all user's chats in one
view. If you want to look into each chat individually, in the Structure tab, right-
click a WhatsApp profile and select Show contacts:

The database may also include cached chats with which the user did not
interact. For example, such records are created when the user browses
WhatsApp channels. To avoid scrolling through multiple empty nodes, you can
right-click the profile and select Hide empty conversations:

As a result, Belkasoft X only displays the chats that have message history. You
can understand the types of these chats by their "@ suffixes," which we have
covered when exploring the wa.db database records:

Apply search filters

When you need to narrow down your search, you can switch to the grid view and
apply search filters. For example, you may want to search the exchanged
messages for specific keywords or check which files the account owner received
in the conversations:

Locate attachments

When WhatsApp users exchange media files, the database records their binary
representation and location on the device file system. When Belkasoft X analyzes
these records, it marks messages with attachments with the "transfer" tag that
also includes the description of the exchanged file type (for example, [VIDEO
TRANSFER], [FILE TRANSFER], and so on). When examining such messages, you
can find the representations of exchanged files in the Attachments pane.
Note that the original files stored in WhatsApp backup folders may be missing
from some device images, such as those acquired with the APK downgrade
method. They may also be missing from the artifact view if you analyze This is
why, in the previous lesson on WhatsApp acquisition, we emphasized the
importance of copying backup folders from the device as the first step in
WhatsApp data acquisition. You can import these folders as an additional data
source to your case to complete the application dataset.

Conclusion

Analyzing WhatsApp data from Android devices provides valuable insights into
users' interactions, behaviors, and connections. The examination of databases
such as wa.db, companion_devices.db, and msgstore.db uncovers a detailed
picture of WhatsApp usage, including contacts, groups, linked devices,
conversations, and media exchanges. With tools like Belkasoft X, you can
efficiently explore and interpret this data, identifying key details and
reconstructing timelines of events for your digital investigation.

Android file system copy

If the Android device you are investigating is rooted, you can use the Android
file system copy method. It extracts a wide range of artifacts, including the
WhatsApp resource folder.

How to acquire:

You can find detailed instructions on how to run this method in lesson "2.8.
Logical and physical acquisition of rooted Android devices."

What you get:

In a file system copy of an Android device, WhatsApp stores its resources
under ..\data\data\com.whatsapp\. You get the full dataset, including the
unencrypted databases:

There is more to explore:

 In the files folder, you will find the key file to use for decrypting database
backups
 The \files\Avatars folder contains the profile pictures of the user's contacts
 The shared_prefs folder includes
the com.whatsapp_preferences_light.xml configuration file

Note that WhatsApp does not store the exchanged media files in the application
resource folder. You can locate them in the backup folders.

For the backup files, go to ..\data\media\0\Android\media\com.whatsapp:

APK Downgrade

If you are dealing with a non-rooted device, you can acquire an unencrypted
backup copy of WhatsApp data using the APK downgrade method. It relies on
the ADB backup mechanism through which, in the past, many applications
allowed users to create backup copies of their data. Since security was not such
a concern in those times, most applications did not encrypt their ADB backups.

When running APK downgrade, Belkasoft X replaces the current WhatsApp
application package on the device with its older version that was set up to back
up its data through ADB. Then, it runs the backup command that copies the
application files. Importantly, the tool does not launch the downgraded
application, ensuring that the databases on the device remain unaffected.

How to acquire:

You can find detailed instructions and safety notes for this method in lesson
"2.9. APK downgrade acquisition."

What you get:

The resulting image is an ADB backup (.ab) archive that includes a copy of
WhatsApp files from the application resource folder under ..\apps\
com.whatsapp. The ADB backup folder structure differs from the one stored on
the device but contains essentially the same files:

 The db folder includes the application databases
 In the f folder, you can find the key file and the Avatars folder
 The sp folder contains the com.whatsapp_preferences_light.xml configuration
file

Best practices for Android WhatsApp acquisition

Here are a few ideas on how to build your WhatsApp acquisition workflow based
on the SANS Institute guidelines we covered in lesson "2.0. Before you begin":

 Begin with copying backup folders directly from the device, which is the safest
way to obtain data
 Next, if the device is rooted, go for the Android file system copy method
 If you are dealing with a non-rooted Android device:
o After copying WhatsApp backup files, use all possible cloud methods
o Then, run the Android screen capturer
o Finish the acquisition with the APK downgrade method as the riskiest
one

This way, you will have a few copies of the WhatsApp databases and will be able
to corroborate their contents with screenshots and data acquired from the
cloud.

Telegram is one of the world's most popular messaging applications with over
700 million monthly active users. It has evolved from a simple messenger into a
comprehensive ecosystem offering features like groups and channels, making it
akin to a social media platform. However, not all users and entities on Telegram
are legitimate. Those channels and groups are extremely easy to create and
delete, and there are cases when they are used to sell illicit goods and run
fraudulent activities.

In the context of criminal and cyber investigations, Telegram can hold a wealth
of valuable evidence, from users' conversations and activities to potential traces
of malicious content. Navigating this data can be challenging, especially for those
unfamiliar with the platform.

Watch an overview of the Telegram app on the Android platform.

Introduction

Viber is a cross-platform VoIP and instant messaging application distributed
across multiple mobile and PC platforms, including Android, iOS, Microsoft
Windows, macOS, and Linux. There are over 1.1 billion Viber users worldwide
and more than 820 million monthly active users.

Viber provides users with instant messaging functionality and allows them to
exchange media such as images and video recordings.

An important factor that separates Viber from other popular services, which
require only an Internet connection for communication, is its Viber Out
subscription plan. It allows calls to all mobiles and landlines in 50 countries
around the world. Viber is also considered to be a secure messenger app since it
provides end-to-end encryption based on the Open Whisper Signal security
architecture.

In this lesson, we will focus mainly on the Viber app installed on Android devices.
We will cover the following topics:

 Viber security features and limitations
 Location of Viber artifacts on Android-based devices
 Older and newer formats of a Viber database and the differences between them
 The most important evidence to analyze during a digital forensic or incident
response investigation

We will also examine the techniques and tools which can be used to analyze
Viber artifacts. Along with it, we will describe how artifacts can be extracted and
displayed in Belkasoft X, a DFIR tool by Belkasoft.

Viber security features and limitations

One of the most notable features of Viber is end-to-end encryption.

Viber does not store any chat information on its servers once it is delivered to a
recipient. If there is a problem delivering a message, it will remain encrypted
until the receiver gets it and will disappear from the server once it has been
delivered.

However, messages sent to and from chatbots and the Chat Extensions feature
are not protected by end-to-end encryption. Messages from bots are identified
with a bot icon.

Public chats on Viber are not encrypted at all; however, Viber offers secret
chats. Thanks to this feature, users can communicate in an encrypted channel,
and their communication history will not be synchronized with the cloud service
or with Viber Desktop. Secret chats also offer self-destructing messages and
screenshot notifications. It is also common practice in chat apps, including
Viber, to allow users to delete a chat for everyone.

A truly unique Viber feature is the ability to hide any chat by setting a PIN code
for it in the Viber settings. Once the chat is hidden, you need to enter the PIN
code in the messenger search field to unhide it.

Where Viber leaves digital traces on Android-based devices

The artifacts most wanted by digital investigators in chat apps are:

 Content data, or the actual content of a communication, which can be text,
audio, video, or any other format of data
 User profile data that commonly includes the chat app user name, surname,
birth date, gender, picture, address, phone number, and email
 User authentication data—a password, session key, etc.
 Contact database, or the list of contacts associated with the chat app user
 Attachments and files exchanged, or any kind of data that were exchanged via a
file transfer functionality
 Location data, or the geographical position of the device

Most of the data from the Viber app can be obtained through a file system
acquisition. It is also possible to manually download a specific folder containing
Viber data using the ADB backup extraction method.

Viber data is stored in the directory /data/data/com.viber.voip/

One of the folders inside this directory ('f/.Fabric/preferences/') contains
the 'reg_viber_phone_num' and 'reg_viber_phone_num_canonized' files,
which contain the unique identifier of the chat app user—the phone number the
entry is linked to.

The number occupies the last bytes of these files, preceded by a 7-byte header.
The number in the canonical form includes the country code and the actual
phone number without spaces, hyphens, brackets, and other symbols. The
non-canonical number is commonly stored in the free form in which the Viber
user entered it.

The files in '/files/preferences' also contain the name the user displays in the
app (Display_name) and the SIM card's ICCID (Activated_sim_serial).

The files under the '/sdcard/viber/media' path are the profile photos (/User
Photos/) of people in the user's contact list who use Viber, regardless of
whether they have been added as friends in the app. Images (/Viber Images/)
and videos (/Viber Videos/) sent through the app are stored under this path as
well.

The database containing a meaningful part of communications is located in
the 'viber_messages' file, which is located in a subdirectory
named 'databases' or 'db' (the subdirectory's name depends on the Viber
version).

Information about calls and contacts is stored in a separate database—
the 'viber_data' file.

'viber_messages' database structure

As has already been mentioned, 'viber_messages' stores the most meaningful
part of the data related to the Viber app on Android.

This database stores contacts, all the sent or received messages, and
geographical location information.

There are two possible versions of the 'viber_messages' database—the old one
and the new one. The structure of the older Viber versions differed a bit from
the structure of the new one.

First, we will describe the older version of the database structure.

There is a table 'participants', where active contacts are kept. This table
includes:

 'thread_id' column, which contains an identifier of a chat between an account
owner and this contact
 'number' column, where the phone number of a contact (used as the unique
identifier) is kept. This column can also contain predefined string values
—'viber' (system contact) and 'owner' (account owner contact)
 'display_name' for the contact display name

The next table 'messages' will help an investigator to get the required data
about the communications of the account owner with their contacts. The main
columns here are:

 'address', the identifier of the interlocutor
 'body', the text of the message
 'date', the date and time in milliseconds of the Unix epoch
 'type', the direction of the message (1—for outgoing)
 'unread', if the message was read by the recipient (1—for unread messages)

Using the 'thread_id' from the 'participants' table and the 'address' field from
the 'messages' table, you can find the interlocutor in the 'participants' table
and retrieve their ID and display name from it.

However, not only text messages can be of interest to an investigator. There are
non-text messages, which can be either the data about the calls through the
service or the geolocation data.

For non-text messages, the information is stored in additional fields:

 Text in the 'msg_info' field stores system messages
 Fields 'location_lat' and 'location_lng' or data in JSON format in the
field 'msg_info' store geolocation data
 Fields 'extra_mime' and 'extra_duration' are used for calls
 A link to a file in the 'extra_uri' field and additional data in JSON format in
the 'msg_info' field are used for file transfers

The key difference between the older version of the database structure and the
new one is that the database in the older format does not contain
tables 'stickers' and 'conversations'.

Active contacts are stored in the new 'participants_info' table. The account
owner's contact is stored there as well and is marked with the value 0 in
the 'participant_type' column.

The main fields of the 'participants_info' table are:

 'contact_name', 'display_name' and 'viber_name', each column can contain a
display name
 'number', which stores a telephone number
 'contact_id', a link to the 'phonebookcontact' table, which contains additional
data

The 'messages' table in general has the same structure as the corresponding
table in the old format. However, there are some differences:

 The 'type' field is replaced by the field 'send_type' (1 stands for outgoing
messages, and messages with any other value are interpreted as incoming),
and the 'date' field is replaced by the 'msg_date' field
 The 'conversation_id' field has a link to the 'conversations' table, which
contains information about individual chats

The new 'conversations' table has the following fields:

 'recipient_number' is a telephone number or predefined chat identifier
 'participant_id_1', 'participant_id_2', <...>, 'participant_id_8' are identifiers of
the chat participants in the 'participants_info' table

Information about calls now can be stored in the 'messages_calls' table. The
main fields of the table are:

 'canonized_number' is the phone number of an interlocutor
 'date' is a call start time
 'duration' is a call duration
 'type' is the direction of a call (a zero first bit means an outgoing call)

'viber_data' database structure

There is a table 'phonebookdata', where additional phone numbers are stored.
The most useful columns are:

 'contact_id' column, which contains the unique identifier of the corresponding
contact from the abovementioned 'phonebookcontact' table
 'data1', 'data2', 'data3' and 'data5' columns containing the phone numbers

The contact list is kept in the table 'phonebookcontact'. Every contact inside
has a unique identifier '_id' and 'display_name' for the contact display name.

The next table of interest is the 'calls' table. The main fields inside are:

 'number', the identifier of an interlocutor
 'date', the start time of a call
 'duration', the duration of a call in seconds
 'type', the direction of a call (the first bit is zero for outgoing calls)
 'viber_call_type', the call type (4—for video calls, any other value stands for
audio calls)
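As an added example (not part of the lesson and not Belkasoft's code), the following Python script serves both the 'viber_messages' and 'viber_data' descriptions above: it detects the database format by the presence of the 'conversations' table, runs the matching join (participants/address for the old format, conversations/participants_info for the new one), and decodes the 'calls' direction and call-type values. It assumes the "first bit" of 'type' is the lowest bit, that only participant_id_1 and participant_id_2 need resolving (one-to-one chats), and uses two constructed in-memory databases with only the columns the lesson names.

```python
import sqlite3
from datetime import datetime, timezone


def viber_format(conn):
    """'new' when the 'conversations' table exists; the old format has no such table."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'conversations'"
    ).fetchone()
    return "new" if row else "old"


def ms_to_utc(ms):
    """Viber stores message and call times as milliseconds of the Unix epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


# Old format: messages.address identifies the interlocutor; participants.number resolves it.
OLD_SQL = """
SELECT m.address, m.type, m.date, m.body, p.display_name
FROM messages m LEFT JOIN participants p ON p.number = m.address
ORDER BY m.date
"""

# New format: messages.conversation_id -> conversations -> participants_info.
# participant_type 0 marks the account owner; only ids 1 and 2 are resolved here.
NEW_SQL = """
SELECT c.recipient_number, m.send_type, m.msg_date, m.body,
       p1.participant_type, COALESCE(p1.display_name, p1.contact_name, p1.viber_name),
       p2.participant_type, COALESCE(p2.display_name, p2.contact_name, p2.viber_name)
FROM messages m
JOIN conversations c ON c._id = m.conversation_id
LEFT JOIN participants_info p1 ON p1._id = c.participant_id_1
LEFT JOIN participants_info p2 ON p2._id = c.participant_id_2
ORDER BY m.msg_date
"""


def load_messages(conn):
    """Return messages as uniform dicts regardless of which database format is present."""
    out = []
    if viber_format(conn) == "old":
        for address, mtype, date, body, name in conn.execute(OLD_SQL):
            out.append({"peer": address, "peer_name": name,
                        "direction": "outgoing" if mtype == 1 else "incoming",
                        "time": ms_to_utc(date), "text": body})
    else:
        for number, send_type, date, body, t1, n1, t2, n2 in conn.execute(NEW_SQL):
            peer_name = n2 if t1 == 0 else n1  # skip the account owner's own entry
            out.append({"peer": number, "peer_name": peer_name,
                        "direction": "outgoing" if send_type == 1 else "incoming",
                        "time": ms_to_utc(date), "text": body})
    return out


def call_direction(type_value):
    """viber_data 'calls'.type: a zero first bit means outgoing (assumed to be the lowest bit)."""
    return "outgoing" if type_value & 1 == 0 else "incoming"


def call_kind(viber_call_type):
    """viber_data 'calls'.viber_call_type: 4 is a video call, anything else is audio."""
    return "video" if viber_call_type == 4 else "audio"


def sample_old():
    """Constructed old-format viber_messages (no 'conversations' table)."""
    c = sqlite3.connect(":memory:")
    c.executescript("""
      CREATE TABLE participants (thread_id INTEGER, number TEXT, display_name TEXT);
      CREATE TABLE messages (address TEXT, body TEXT, date INTEGER, type INTEGER, unread INTEGER);
      INSERT INTO participants VALUES (1, 'owner', 'Me'), (1, '+15550001111', 'Alice');
      INSERT INTO messages VALUES ('+15550001111', 'Hi', 1700000000000, 0, 0),
                                  ('+15550001111', 'Hello', 1700000060000, 1, 0);
    """)
    return c


def sample_new():
    """Constructed new-format viber_messages ('conversations' and 'participants_info')."""
    c = sqlite3.connect(":memory:")
    c.executescript("""
      CREATE TABLE participants_info (_id INTEGER, participant_type INTEGER, number TEXT,
                                      contact_name TEXT, display_name TEXT, viber_name TEXT);
      CREATE TABLE conversations (_id INTEGER, recipient_number TEXT,
                                  participant_id_1 INTEGER, participant_id_2 INTEGER);
      CREATE TABLE messages (conversation_id INTEGER, body TEXT, msg_date INTEGER, send_type INTEGER);
      INSERT INTO participants_info VALUES (1, 0, '+15550009999', NULL, 'Me', NULL),
                                           (2, 1, '+15550001111', 'Alice', NULL, 'alice_v');
      INSERT INTO conversations VALUES (7, '+15550001111', 1, 2);
      INSERT INTO messages VALUES (7, 'Hi', 1700000000000, 0), (7, 'Hello', 1700000060000, 1);
    """)
    return c


if __name__ == "__main__":
    for conn in (sample_old(), sample_new()):
        print(viber_format(conn), load_messages(conn))
```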

Carving as a method to search for deleted or destroyed data

We suggest using carving to recover deleted Viber data. Carving is an
indispensable technique while searching for deleted data and looking for
destroyed evidence.

Carving of Viber data in the physical image of an Android device is carried out
using three-byte signatures of the following type. For the old format '00 0X 2Y' is
used, where X can be 1, 2, and 9, and Y is 3 for 11-digit phone numbers, 5 for 12-
digit phone numbers, and 7 for 13-digit phone numbers. For the new format '00
2Y 05' is used, where Y takes values according to the same rule as in the old
format.

Each found signature is an entry from the 'messages' table of the messages
database. Record fields are stored sequentially and can be read one by one.
The length of a field is determined by the value of its first byte. You can extract
the ID of an interlocutor, the direction, and the text of the message, and it is
often possible to extract the date as well.
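As an added example (not part of the lesson and not Belkasoft's code), the following Python scanner encodes the two three-byte signature families described above and searches a raw image for them, reporting the offset, the format and the phone-number length implied by the Y byte. The test image is constructed; every hit is only a candidate record header that still has to be confirmed by reading the fields that follow it.

```python
import re

# Signatures from the lesson. Old format: 00 0X 2Y with X in {1, 2, 9}.
# New format: 00 2Y 05. In both, Y encodes the phone-number length:
# 0x23 -> 11 digits, 0x25 -> 12 digits, 0x27 -> 13 digits.
OLD_SIG = re.compile(rb"\x00[\x01\x02\x09][\x23\x25\x27]")
NEW_SIG = re.compile(rb"\x00[\x23\x25\x27]\x05")
PHONE_DIGITS = {0x23: 11, 0x25: 12, 0x27: 13}


def find_viber_signatures(image):
    """Return sorted (offset, format, phone_digits) tuples for every signature hit.

    Three bytes match often in random data, so treat each hit as a candidate
    and validate it by reading the record fields that follow the signature.
    """
    hits = [(m.start(), "old", PHONE_DIGITS[m.group()[2]]) for m in OLD_SIG.finditer(image)]
    hits += [(m.start(), "new", PHONE_DIGITS[m.group()[1]]) for m in NEW_SIG.finditer(image)]
    return sorted(hits)


def summarize(image):
    """Count candidates per (format, phone length); a quick triage of an image."""
    counts = {}
    for _, fmt, digits in find_viber_signatures(image):
        counts[(fmt, digits)] = counts.get((fmt, digits), 0) + 1
    return counts


# Constructed test image: filler, one old-format header (X=9, Y=3 -> 11 digits)
# at offset 16, one new-format header (Y=5 -> 12 digits) at offset 39, then filler.
SAMPLE_IMAGE = (
    b"\xff" * 16
    + b"\x00\x09\x23" + b"+15550001111"
    + b"\xaa" * 8
    + b"\x00\x25\x05" + b"+155500011112"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for offset, fmt, digits in find_viber_signatures(SAMPLE_IMAGE):
        print("offset %d: %s format, %d-digit phone number" % (offset, fmt, digits))
```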

In this lesson, we will demonstrate how to analyze Viber data in Belkasoft X.

Belkasoft X supports both older and newer Viber database formats. All the data
mentioned below is extracted and presented by Belkasoft X. In the screenshot
below, you can see how the evidence (in this case there are text and non-text
messages) appears within Belkasoft X.

Non-text messages have the following indication:

 [PICTURE TRANSFER]
 [CALL]
 [VIDEO CALL]
 [LOCATION]
 [SYSTEM INFO]

Apart from the bubble chat view, messages are presented in the grid view. This
view allows for fitting more data columns, and the messages can be sorted and
filtered by various columns.

In the right pane in the Belkasoft X user interface, it is possible to review the
properties of the selected message. Both participants’ phone numbers and
display names are shown. You can also find the Delivery status of the message.
The Origin properties of the selected message are shown in the right bottom
column. Among them, you can find the profile name and path, and define if the
data is available in the file system or was extracted by carving.

If a message has linked geolocation information (e.g., a sent location), the
geolocation data can be found under the Origin properties. You can also opt to
see all Viber geolocation information on a map.

Every Viber database file can be reviewed in the SQLite Viewer built into
Belkasoft X. Journal and freelist records are marked correspondingly.

Conclusion

Viber is a truly secure messenger with such security features as end-to-end
encryption of 1-to-1 and group chats. It also has features like secret chats,
self-destructing messages, and the ability to hide any chat by setting a PIN code
for it.

The most meaningful part of the data related to the Viber app on Android is
stored in the database 'viber_messages', in which you can find contacts, all the
sent or received messages, and geographical location information. This database
can be stored in two possible versions—the old one and the new one,
depending on the Viber app version.

Belkasoft X allows extraction of the important artifacts from the databases
described in the lesson, and it also helps an examiner to deal with situations
when there are deleted or self-destructing messages in the case.

Browser forensics analysis is a separate, large area of knowledge. Web
browsers are used on various devices, such as mobile devices, tablets, netbooks,
desktops, etc. Web browsers can be used not only for web surfing but also for
navigating the device's file system. A web browser's cache can contain
downloaded images, videos, documents, executable files, and scripts. Web
browsers can store data entered into forms: search requests, logins and
passwords for web email accounts, social networks, and other websites, and
financial information (credit card numbers). Favorites and searches can give the
researcher an idea of the device owner's interests.

Browser forensics plays a significant role in incident response and helps to
answer questions such as how the attack on the computer or computer network
began, when it began, what its source was, etc.

The main sources of malware/spyware/adware are emails (including webmail),
social networks, and other compromised sites. All of these sources (web email,
social networks, sites) are usually accessed through web browsers.

Google Chrome has the following features and characteristics:

 Integration with Google services.
 Synchronization of user's passwords between devices.
 Ability to use extensions and plugins.
 It is fast.
 Collects user data.
 Consumes a large amount of memory.

Google Chrome can work in Incognito mode. Incognito mode prevents the
browser from permanently storing any history information, cookies, site data, or
form inputs.

Third-party developers have created a huge number of web browsers based on
the Chrome engine, such as 360 Extreme Explorer, Avast!SafeZone, Chromium,
Comodo Dragon, CoolNovo, Cốc Cốc, Epic Browser, Flock, Vivaldi, Rockmelt,
Sleipnir, SRWare Iron, Titan Browser, Torch Browser, Yandex.Browser, Opera,
Orbitum, Breach, Nihrome, Perk, QIP Surf, Baidu Spark, Uran, Chromodo,
Sputnik, Amigo, etc. All these browsers have functionality similar to Google
Chrome's and support the same web browser artifacts. These browsers are also
supported by most of Google Chrome's extensions and plugins.

We will use an image from BelkaCTF #2; however, the tasks will be different from
those performed during the CTF. If you have not participated in this CTF, you can
do that now and gain additional knowledge and experience; however, it is not
necessary. If you have completed the CTF, this will help you to complete the
practical exercises more efficiently.

The plot:

A man was detained on the street because he looked suspicious, walking around
late at night with a backpack in the middle of a suburban area.

The police found traces of drugs on his seemingly empty backpack. The man had
an Android phone with him, which was later imaged in a digital forensics lab.
Now, you are tasked with identifying if the person has any connections to drug
dealing.

We suggest you review this case with Belkasoft X and answer several questions.
Please note that the case is artificial and does not involve real data.

Create a new case with the "Drug dealer case" name.

Add the Android image from the "BelkaDayUS_CTF_IMAGE" folder, downloaded
and unpacked in lesson 1.3, as a data source for your case (see the video tutorial
in 1.4).

1. In the "Add a data source" window, select Add existing → Mobile image.
If you have already closed this window, go to the case dashboard, and
under Actions, select Add data source.

2. Browse to the "BelkaDayUS_CTF_IMAGE" folder, locate and select the
"ASUS_X00TDB.belkaml" file.

3. Click Next till the application displays the "Add data source | Select
advanced analysis options" window.

4. From the Profile drop-down, select the Custom analysis profile, and
verify that all Artifact types are selected.

5. Click Next a few times skipping the following selection options. If the
"Create or update a profile" window displays, click No.

6. Click Complete and close the confirmation message.

7. Decrypt the Signal data

o Wait until the analysis is finished

o Switch to the Tasks window (https://belkasoft.com/tasks) and find the
Signal analysis task

o Click the Enter missing data button and enter 04049 19810 47697
72485 91554 88046 to decrypt the data
