Installing an alternate recovery mode is very device specific. If you are a security researcher working on mobile work, I definitely recommend installing a custom recovery mode (unless doing so interferes with research). Digital forensics can be involved in law enforcement, federal government, research, and IT security.

Now that I've explained how to image a device using recovery mode, I'll go over whether or not it is a good idea. What I'm saying here is the purpose of imaging the device dictates whether or not using recovery mode to image your device is a good idea. You may have good uses for some of the advanced functionality which the alternate recovery mode offers. In this post, I'll show how to install alternate recovery modes, how to image a device using an alternate recovery mode, and why this method of imaging may or may not be appropriate.

You can treat an alternate recovery mode as a root exploit, then boot into recovery mode and image the device while the Android operating system is not even running.

If you are imaging a device where the device is evidence in a case and the device already has an alternative recovery mode loaded, then you can use the alternative recovery mode to image the device. I say this paragraph with a caveat: users can write their own alternative recovery modes, and it is conceivable that an advanced user could bake some special sauce into recovery mode to, say, wipe the device.

Now, just like on my post on live imaging an Android device, we'll image the device using netcat. This command reads the contents of /dev/block/mmcblk0 (the head block of my device) and writes it via port 8888 across adb using netcat. The window will "freeze", or not allow any more commands because it is busy executing this command. The tunnel path-mtu-discovery command allows the GRE tunnel IP MTU to be further reduced if there is a lower IP MTU link in the path between the IPsec peers.