Learning Android Forensics

Reviewed by Scar de Courcier, Forensic Focus

Learning Android Forensics was written by Rohit Tamma and Donnie Tindall, and aims to provide a thorough introduction to the forensic analysis of smartphones running the Android operating system, from the initial setup of a forensic workstation through to analysing some of the more important artefacts. With input from highly experienced reviewers in the digital forensics field, the book is an excellent resource for students and practitioners alike.

The idea for the book was born out of a desire to help practitioners understand what goes on in the background when they press a ‘Find Evidence’ button on a forensics tool. To make this process easier, the authors have focused on free and open source tools throughout the book, which again makes it an accessible read. Unusually, the book is pitched at both ends of the forensic audience. Those who are just starting out in the field will find the first few chapters interesting, as these provide an in-depth look at Android architecture, from the Linux kernel to the application framework.

There is also an introduction to starting out in forensics: how to prepare for an investigation; seizure and isolation of devices – including the relative merits of Faraday bags and RF isolation boxes – and how to write a basic report.

A series of tables, flow charts and screenshots throughout the book provide useful visual references for each step of the processes described. These range from demonstrating how the Android Virtual Device Manager works, to dealing with questions about the best practices depending on whether custom recovery with boot access is possible.

After the introduction to digital forensics as a whole, and Android forensics in particular, the second chapter discusses how to set up an Android forensic environment. This, coupled with the fact that all of the tools used in Learning Android Forensics are free and open source, is one of the elements that make it an excellent book not only for the experienced practitioner, but also for individuals and small companies who are just starting out in their digital forensics careers.

For those with a limited amount of experience in back-end forensics, pages 51-59 have a helpful list of commands and options, as well as an overview of log data. This is followed by a brief discussion of device rooting, custom recovery and fastboot mode.

Again, due to the step-by-step layout of the chapters, the advice given in this section of Learning Android Forensics will be accessible to forensic investigators of any level, and would no doubt provide a useful refresher for people who have been working in the field for a while and wish to update their knowledge.

Common Android filesystems are discussed in chapter three, including pseudo filesystems, flash memory filesystems and media-based filesystems.

The remainder of the book is split into two main sections: logical and physical extraction of data from Android devices. Once again both subjects are discussed from the level of a beginner and gradually built upon, with steps clearly laid out allowing anyone to try to run through the various stages and successfully extract data from a given device.

Lock screens are one of the more challenging aspects of Android forensic investigations, and these have their own section in Learning Android Forensics, which deals with slide, pattern, password, PIN, smart, trusted face, trusted location and trusted device lock screens. Although it is not always possible to bypass each of these directly, all of the smart lock options – the most difficult ones to crack – require a pattern, PIN or passcode as a backup security method. This means that an investigator only needs to be able to crack one of these three options, rather than, for example, having to foil a facial recognition test.

The book was published shortly after the release of Android Lollipop (version 5.0), which introduced a number of new, stronger security features. The various complications and challenges that these bring about for forensic examiners are briefly discussed at the end of chapter four.

Physical extraction, along with verifying a physical image and analysing a full physical image, are the next subjects of discussion. There are also several pages of advice concerning SD card security and what an investigator can expect to find on an SD card. JTAG and chip-off extraction are also briefly dealt with, although since these methods tend to be more complex and intricate, they are not discussed at length.

Deleted data has a section all to itself, including using FTK Imager to extract the contents of an SD card. Other techniques discussed include recovering deleted data from internal memory, parsing SQLite files, and using file carving techniques to uncover data and reconstruct files.

Of course, one of the largest challenges facing any forensic investigator who needs to extract data from a smartphone or tablet device, whether Android or otherwise, is the vast number of applications available and the frequency with which these are updated. Luckily, Learning Android Forensics provides an overview of where to start with application analysis and what to look for. Although it would be impossible to look at every application available in the Play Store, some of the more common ones are dealt with in some detail, including Gmail, Facebook, Skype, Snapchat, Viber, WhatsApp, WeChat, Kik, and the user dictionary.

Reverse engineering applications, and obtaining and disassembling APK files, is also discussed in a way that is both accessible and sufficiently detailed.

Learning Android Forensics concludes with an overview of the free and open source Android forensic tools that have been used throughout the book, and once again this section includes step-by-step instructions with accompanying screenshots to help forensic examiners to be able to start extracting data from Android devices.

Overall, Learning Android Forensics by Rohit Tamma and Donnie Tindall is highly recommendable for digital forensic investigators, whether your goal is to refresh your knowledge or learn about a whole new area.

Learning Android Forensics is written by Rohit Tamma and Donnie Tindall and is available for purchase via Packt Publishing.
