Android recovery data acquisition

Android recovery data acquisition

Every Android phone has a "recovery“ partition which is by default used for performing factory resets using an OEM’s preloaded tools. However, this partition can be modified in order to replace the default tools by third-party recovery tools such as TWRP or CWM.
These recoveries are (unlike the stock ones) capable of modifying all the internal system partitions of your phone or tablet (they need this capability in order to flash custom firmware).
TWRP even comes with a built-in file manager with unlimited root access so you can modify, add or delete any system files manually.
The most important thing is that TWRP has a working MTP connection and ADB enabled which allows us to extract almost all data stored on your device and even create physical images from them.
By default, you can flash TWRP (or another recovery) image files to almost any device with an unlocked bootloader (a locked bootloader prevents users from sideloading any software to system partitions, so in order to flash anything on such device, you need to unlock the bootloader first).
You can do so by using the "Fastboot“ mode which allows the user to flash various system partition including recovery. You can control your phone in fastboot mode using Windows or Linux command line (similar to ADB).

The universal commands for flashing recovery images while in fastboot mode are:

- fastboot flash recovery "xxx.img" – flash certain recovery image
- fastboot oem unlock – unlocks bootloader on supported devices
- fastboot boot "xxx.img" – boots straight from IMG file
- fastboot reboot recovery – reboots to recovery
- fastboot reboot – reboots the device

Samsung phones are different. They have "Download mode" instead of regular Fastboot and therefore can be controlled using Odin (tool for flashing software developed by Samsung) or it’s an open-source alternative called Heimdall rather than using fastboot commands which are disabled. Samsung phones also don’t have their own recovery partition like other Android smartphones, instead they have a special ramdisk (a small IMG partition mounted by the kernel before and while booting the system) as a part of "boot.img" dedicated specifically for recovery.
    • Related Articles

    • How to boot into recovery (Android)

      Why do I need to boot into recovery?  Recovery is a tool used to perform factory reset and install system updates by default.  However, there are many custom recoveries (CWM, TWRP, etc.) made especially to flash custom ROMs (unofficial builds of ...
    • Data - Deleted data

      We do offer more ways to recover deleted data. The first one is recovering the data from SQLite databases, the second one is recovering the files and folders from physical images. SQL databases allow you to recover the data which were marked as ...
    • Flash phone with recovery image (TWRP)

      Every Android phone has a "recovery“ partition which is by default used for performing factory resets using an OEM’s preloaded tools. However, this partition can be modified in order to replace the default tools by third-party recovery tools such ...
    • Connecting an Android phone

      To achieve a successful phone connection, there are a few important steps that must be taken for this or any other tool. This is only required for the first time, then you can enjoy the functionality of all our products. An Android phone can be ...
    • How to root an Android phone?

      Why root an Android phone? There are countless ways in which you can use root access on your Android smartphone, but in this article we will focus on those used in conjunction with MOBILedit Forensic Express.  Our software uses root access to obtain ...