Chapter 6 - Android forensic techniques

Abstract

This chapter focuses on Android forensic techniques. There are a number of considerations that influence which technique forensic analysts should use. The different types of investigations, differences between logical and physical techniques, and how to limit or avoid modifications to the device are discussed. There are a variety of situations that might benefit from the results of an Android forensic investigation. While the application of forensics is a commonality in all the situations, each one may require different procedures, documentation, and overall focus. One major challenge for forensic analysts is to devise a protocol for handling the device prior to the analyst taking direct custody. There are several techniques that can be used to perform a forensic acquisition of an Android device. Various physical and logical techniques are given in the chapter. If the device is pass code protected, users must circumvent or bypass the protection to extract data. While a number of techniques to circumvent the pass code exist, it is not possible to achieve this in every circumstance. Once the device is accessible, the forensic analyst can choose from a logical acquisition, which focuses primarily on undeleted data accessible through Content Providers or the more thorough but technically challenging physical acquisition. While the physical acquisition will produce more data, it generally requires more sophisticated analysis techniques.