How to Acquire Digital Evidence with Android Screen Capturer in Belkasoft X

Introduction

Screenshots of application data on devices are a valuable asset in digital investigations. Belkasoft X streamlines both the acquisition and analysis of this data source type:

  • It provides the "Android screen capturer" method that enables you to obtain fully automated screenshots of popular messengers (Signal, Telegram, WhatsApp); when analyzing them, Belkasoft X uses text recognition algorithms to reconstruct captured chats for easier examination
  • When you run this method for other applications, the tool automatically scrolls and captures their screens one by one; you can also use text recognition during their analysis and then search for specific keywords in the indexed text

In this article, we will explore the benefits of screen capturing as an acquisition method and provide you with details on how to use the "Android screen capturer" in Belkasoft X.

Why use screen capturing?

There are several reasons to opt for the screen capture method on Android devices:

  • Basic Android acquisition methods like Android Debug Bridge (ADB) backup or Agent backup have limitations. Forensic images obtained through these methods do not include many applications, while you can access and screenshot their contents on devices.
  • Application files are often protected by encryption. Even if you acquire their backup copies, there is no straightforward way to extract the data they include without the decryption key which may not be part of the backup.
  • Advanced methods, such as APK downgrade, can extract unencrypted application data, but they come with a set of risks. Belkasoft's screen capturer, on the contrary, is based on standard ADB commands and is perfectly safe. According to established device handling strategies, like the SANS "Six Steps" guidelines, investigators should prioritize the least intrusive data extraction methods. Thus, it is a good practice to take device screenshots before trying to downgrade applications or use other advanced acquisition methods.

Lastly, it is possible to take screenshots manually by scrolling through applications and photographing the device with a camera, but this approach may be time-consuming and error-prone. Automation eliminates these drawbacks, providing a more efficient and reliable solution.

The Android screen capturer in Belkasoft X gives you a number of advantages:

  • It is quick. Unlike manual scrolling and photographing, the product completes the capture of each screen in just a couple of seconds.
  • It is precise. Screens are positioned to avoid overlapping or "holes" between screenshots that can lead to data loss—a common pitfall during manual screenshotting.
  • It is flexible. You can limit the number of screens to capture, preventing potential stalls in the process. For instance, by choosing only to capture the last ten messages, you can limit the capturing time to a few minutes.

How to run the Android screen capturer

  1. Connect an Android device to a computer running Belkasoft X.
  2. Go to the device Settings and, under Developer options, enable the USB debugging and Install via USB options.

    We also recommend putting the device into Airplane mode, as notifications may interfere with screen capturing. However, some applications that store data on web servers (for example, Telegram or email clients), may need internet access for loading earlier data. If you plan to capture such applications, you can preload their data before enabling Airplane mode.

  3. Launch Belkasoft X and create a new case or open an existing one.
  4. Click Add a data source, then select Acquire → Mobile → Android and choose your device model.
  5. In the following window, select the Screen Capturer method.
  6. Choose one of the supported messengers or select the Generic app option and click Next.
  7. Your following steps depend on the application you want to acquire:
    • For supported messengers, if needed, set limits on the amount of data to capture. Note that these settings will differ based on the app:

      Then click Next and follow the on-screen instructions to begin the acquisition.

    • For generic apps, open the application screen you want to capture on the device and proceed with Belkasoft X's prompts. Define the scrolling options and click OK to begin the acquisition.

Do not touch the device during the entire acquisition process. The process log will help you understand the acquisition stages:

How to analyze Android application screenshots

When the tool completes the acquisition, it offers to analyze the acquired screenshots. Your strategy will depend on the application you have acquired.

Signal, Telegram, WhatsApp

When analyzing supported messengers, you can accept the default options and proceed with the analysis.

After the process is complete, the results are conveniently displayed in text format under the messenger profile in the "Artifacts" window.

You can search and filter chats, calls, and contacts by keywords, participants, dates, and more. Keep in mind that some recent messages may not have timestamps since, within the application, their dates are marked as "Yesterday," "Friday," "Thursday," and so on.

To double-check your findings, use the original screen captures located under the Pictures profile.

Generic app

When analyzing screenshots from other applications, you can use text recognition to facilitate your further examination. To do so, when defining the analysis options, go to the Media tab, select Text, and specify the Recognition language.

When Belkasoft X completes the analysis, the acquired screenshots are displayed in the "Artifacts" window under the Pictures profile. You can select screenshots and view the text they include in the Item text tab below.

All recognized text is indexed, so you can search it for specific keywords using the Search artifacts action on the case dashboard.

Conclusion

Screen capturing proves to be a straightforward and valuable method for extracting textual and graphical data from numerous applications. Its reliability and safety make it a good initial choice for device acquisition before venturing into more technically demanding and unpredictable methods.

Belkasoft X takes the efficiency of screen capturing on Android devices to the next level by automating the process. It also provides advanced analysis options to streamline further examination of acquired screenshots. This comprehensive approach enhances the speed and precision of digital forensic analysis.

Did you like the article?

See also