Android is an operating system designed by Google primarily for mobile devices such as smartphones and tablet computers. Android was first released in 2007, and the first Android-based phone was released in October 2008. The Android operating system is open-source, and Google releases a major version about once per year.
Each of the different operating system versions requires slight modifications for each family of devices for full support. This has led to hundreds (if not thousands) of different distributions in the wild.
Much like Apple’s iTunes Store, Android has a main application repository, the Google Play Store. Submitted applications receive far less vetting than in Apple’s store, which has allowed many rogue applications to make their way into the mainstream application pool. Dozens of other Android application repositories exist as well, so the examiner may encounter thousands of different applications.
Most Android user and application data is found in SQLite databases stored in a separate folder for each installed application. Because less than 5% of applications are supported by most mobile forensic tools, the examiner may need to dump every table in every SQLite database and search the output for relevant material.
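The following script is an added example of that dump-and-search approach, not a tool from the text. It walks an extracted file-system tree, identifies SQLite databases by their 16-byte file header rather than by extension (many applications use no extension at all), opens each one read-only, dumps every table, and reports rows containing a search term. The directory tree it reads is constructed inline from two hypothetical packages (com.example.chat and com.example.notes) so it runs offline; on a real extraction, point search_dump at the root of the /data/data dump.

```python
"""Dump every SQLite table under an Android data extraction and search it.
Added example; the tree it examines is constructed inline with sample data."""
import os
import pathlib
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file


def is_sqlite(path):
    """Identify SQLite databases by header, not by extension."""
    try:
        with open(path, "rb") as f:
            return f.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def find_databases(root):
    """Yield every SQLite file under root (e.g. an extracted /data/data tree)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if is_sqlite(p):
                yield p


def dump_tables(db_path):
    """Return {table_name: [row_tuples]} for every user table in the database."""
    # Open read-only via a file: URI so the evidence copy is never modified.
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master "
            "WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        out = {}
        for t in tables:
            quoted = t.replace('"', '""')          # table names come from evidence
            out[t] = con.execute('SELECT * FROM "%s"' % quoted).fetchall()
        return out
    finally:
        con.close()


def search_dump(root, term):
    """Return (db_path, table, row) for every row with a column containing term."""
    hits = []
    needle = term.lower()
    for db in sorted(find_databases(root)):
        for table, rows in dump_tables(db).items():
            for row in rows:
                if any(needle in str(v).lower() for v in row if v is not None):
                    hits.append((db, table, row))
    return hits


def build_sample_dump():
    """Construct a fake /data/data tree for two hypothetical apps (sample data)."""
    root = tempfile.mkdtemp(prefix="android_dump_")
    chat = os.path.join(root, "data", "data", "com.example.chat", "databases")
    notes = os.path.join(root, "data", "data", "com.example.notes", "files")
    os.makedirs(chat)
    os.makedirs(notes)
    con = sqlite3.connect(os.path.join(chat, "msgstore.db"))
    con.execute("CREATE TABLE messages (id INTEGER, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO messages VALUES (?,?,?)",
                    [(1, "+15550001", "meet at the pier"), (2, "+15550002", "ok")])
    con.commit()
    con.close()
    # No extension at all: only the header identifies this one as SQLite.
    con = sqlite3.connect(os.path.join(notes, "notes"))
    con.execute("CREATE TABLE note (title TEXT, text TEXT)")
    con.execute("INSERT INTO note VALUES ('todo', 'Pier parking code 4471')")
    con.commit()
    con.close()
    # A .db extension that is not a database; must be skipped, not crashed on.
    with open(os.path.join(notes, "decoy.db"), "wb") as f:
        f.write(b"not a database")
    return root


if __name__ == "__main__":
    root = build_sample_dump()
    for db, table, row in search_dump(root, "pier"):
        print(os.path.relpath(db, root), table, row)
```

Searching by header rather than extension is the important design choice: the decoy.db file above is ignored, while the extensionless notes file is found. Opening with mode=ro keeps the examiner from writing journal or WAL files into the evidence tree.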
Since the operating system is designed for touch-screen use, the default protection scheme for the device is a gesture (pattern) lock. The lock presents a 3×3 grid, and the user traces a finger through several cells of the grid to form a pattern; once the correct pattern is traced, the phone is unlocked. Some forensic tools can obtain the gesture.key file to unlock the device.
Most of the access methods for a locked Android device require USB debugging to be active on the device before the forensic extraction can begin. A few tools have been released to enable debug mode on a locked device; however, the number of supported models is very small.
Most Android-based mobile devices have removable microSD memory cards. Do not overlook the data contained on the microSD card, as it frequently holds a great deal of unencrypted and unprotected data. As a best practice, the microSD card should be write-blocked and imaged using standard digital forensic techniques. The image may then be examined using traditional digital forensic tools, as the media is generally a single partition formatted using exFAT.
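As an added example of the first step an examiner takes with such an image (this is illustrative code, not a tool from the text), the script below hashes the image for acquisition verification, parses the MBR partition table, and reads the volume boot record of each partition to confirm whether it is exFAT or FAT32 before the image goes into a forensic suite. The image it examines is a constructed in-memory byte string (one type 0x07 partition at LBA 2048 holding an exFAT volume with a made-up serial), not a real card; to use it on an acquisition, pass the file's bytes to triage_image.

```python
"""Triage a microSD card image: hash, MBR partition table, and filesystem type.
Added example; the image is constructed inline, not acquired from a device."""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"          # trailing signature of both an MBR and a VBR


def sha256_hex(image):
    """Acquisition hash: compute before and after examination; both must match."""
    return hashlib.sha256(image).hexdigest()


def parse_mbr(image):
    """Return the non-empty entries of a classic four-slot MBR partition table."""
    if image[510:512] != BOOT_SIG:
        raise ValueError("no 0x55AA signature: not an MBR (GPT or raw volume?)")
    parts = []
    for i in range(4):
        entry = image[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue
        parts.append({"index": i, "type": ptype, "bootable": status == 0x80,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def identify_volume(image, lba_start):
    """Read the volume boot record at lba_start and identify exFAT / FAT32 / unknown."""
    off = lba_start * SECTOR
    vbr = image[off: off + SECTOR]
    if len(vbr) < SECTOR:
        return {"fs": "truncated"}
    if vbr[3:11] == b"EXFAT   ":
        # exFAT stores sizes as power-of-two shifts rather than raw byte counts.
        bps_shift, spc_shift, nfats = vbr[108], vbr[109], vbr[110]
        cluster_count, root_cluster, serial = struct.unpack("<III", vbr[92:104])
        return {"fs": "exFAT", "bytes_per_sector": 1 << bps_shift,
                "bytes_per_cluster": 1 << (bps_shift + spc_shift),
                "fats": nfats, "cluster_count": cluster_count,
                "root_dir_cluster": root_cluster, "serial": "%08X" % serial}
    if vbr[82:90] == b"FAT32   ":
        bps, spc = struct.unpack("<HB", vbr[11:14])
        return {"fs": "FAT32", "bytes_per_sector": bps, "bytes_per_cluster": bps * spc}
    return {"fs": "unknown"}


def triage_image(image):
    """Hash the image and identify the filesystem in every partition."""
    return {"sha256": sha256_hex(image),
            "partitions": [dict(p, volume=identify_volume(image, p["lba_start"]))
                           for p in parse_mbr(image)]}


def build_sample_image():
    """Construct a 2 MiB image: one type-0x07 partition at LBA 2048 holding exFAT."""
    lba_start, sectors = 2048, 2048
    img = bytearray(SECTOR * (lba_start + sectors))
    img[0x1BE:0x1BE + 16] = struct.pack("<B3xB3xII", 0x00, 0x07, lba_start, sectors)
    img[510:512] = BOOT_SIG
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x76\x90"                       # jump instruction
    vbr[3:11] = b"EXFAT   "                          # filesystem name
    vbr[64:72] = struct.pack("<Q", lba_start)        # PartitionOffset
    vbr[72:80] = struct.pack("<Q", sectors)          # VolumeLength
    vbr[80:92] = struct.pack("<III", 24, 8, 32)      # FatOffset, FatLength, ClusterHeapOffset
    vbr[92:104] = struct.pack("<III", 252, 4, 0xDEADBEEF)  # ClusterCount, RootCluster, Serial (made up)
    vbr[104:108] = struct.pack("<HH", 0x0100, 0)     # revision 1.00, flags
    vbr[108:111] = bytes([9, 3, 1])                  # 512 B/sector, 8 sectors/cluster, 1 FAT
    vbr[510:512] = BOOT_SIG
    img[lba_start * SECTOR: lba_start * SECTOR + SECTOR] = vbr
    return bytes(img)


if __name__ == "__main__":
    print(triage_image(build_sample_image()))
```

The hash is recorded before anything else touches the image, so any later discrepancy shows the evidence copy was altered. A card that carries no MBR at all (a raw volume starting at sector 0) makes parse_mbr raise, which is the cue to try identify_volume(image, 0) directly.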
Getting into locked devices is also possible using JTAG methods and tools to obtain all of the data from the handset’s memory. This bypasses the locked USB port (USB Debugging turned off) and probes Test Access Ports between the USB Port and the CPU. JTAG provides communication to NAND memory through the CPU, allowing memory to be read.
Many tools can parse much of the information presented in the Android OS; however, all of them suffer the same problem as tools for iOS-based devices: the multitude of applications. Hundreds of applications are added every week, and understanding and reverse engineering each one in turn is a time-consuming process. Many vendors have chosen to focus on parsing data from the more popular communication applications (e.g., WhatsApp, Facebook). The more advanced examiner should be aware of this shortcoming and be prepared to perform testing and reverse engineering in cases where support for a specific application does not yet exist.