
Android Forensics

Investigation, Analysis and Mobile Security for Google Android

Android Forensics: Investigation, Analysis, and Mobile Security for Google Android examines the Android mobile platform and shares techniques for the forensic acquisition and subsequent analysis of Android devices. Organized into seven chapters, the book looks at the history of the Android platform and its internationalization; it discusses the Android Open Source Project (AOSP) and the Android Market; it offers a brief tutorial on Linux and Android forensics; and it explains how to create an Ubuntu-based virtual machine (VM). The book also considers a wide array of Android-supported hardware and device types, the various Android releases, the Android software development kit (SDK), the Dalvik VM, key components of Android security, and other fundamental concepts related to Android forensics, such as the Android Debug Bridge and the USB debugging setting. In addition, it analyzes how data are stored on an Android device and describes strategies and specific utilities that a forensic analyst or security engineer can use to analyze an acquired Android device. Core Android developers and manufacturers, app developers, corporate security officers, and anyone with limited forensic experience will find this book extremely useful.


Audience: computer forensic and incident response professionals, including law enforcement (LE), federal government, commercial/private sector contractors, consultants, etc.

Paperback, 432 Pages

Published: June 2011

Imprint: Syngress

ISBN: 978-1-59749-651-3


  • "If you want to truly understand and perform forensics on Android this is the book. There is no other reference that goes to this level of detail on the Android operating system's idiosyncrasies and quirks. Android Forensics is a must have for the mobile device examiner's bookshelf."--Jim Steele, Director of Digital Forensics, a Tier 1 Wireless Carrier

    "Andrew Hoog in his latest book, Android Forensics, provides exceptionally well written coverage of Android for the Computer Forensics Investigator. No small task given the ever changing nature of Google’s preeminent mobile operating system."--Matthew M. Shannon, Principal, F-Response

    "…provides an excellent and comprehensive coverage of the Android platform, including its design, implementation, operation, investigation and analysis. At 364 pages of content, organized over seven chapters, with a focus on the ‘practical’ - demonstrating system design, implementation, operation and investigation, for instance, through hands-on "experiments" - this sizable text will resonate particularly well with readers disposed to activity-centric, learning-by-doing styled narrative. The text is peppered throughout with device and application (GUI) screenshots, as well as command line execution/output and directory listings."

    "In conclusion, we feel that Android Forensics is a good introduction to a field that still seems very ‘fresh’ and new to forensic examiners… As a quick reference during forensic analysis, the last chapter proves to be an excellent resource."--Computer and Security

    "At 364 pages of content, organized over seven chapters, with a focus on the ‘practical’ - demonstrating system design, implementation, operation and investigation, for instance, through hands-on "experiments" - this sizable text will resonate particularly well with readers disposed to activity-centric, learning-by-doing styled narrative…With a practical focus from the outset that includes how to acquire and install the Android SDK and build an Android Virtual Device (AVD), this text is particularly suited to those disposed to a hands-on approach to learning about the Android platform from a security and investigation perspective."--Best Digital Forensics Book in InfoSecReviews Book Awards


  • Acknowledgments

    About the Author

    Chapter 1 Android and Mobile Forensics
        Android Platform
             History of Android
             Google’s Strategy
        Linux, Open Source Software, and Forensics
             Brief History of Linux
        Android Open Source Project
             AOSP Licenses
             Development Process
             Value of Open Source in Forensics
             Downloading and Compiling AOSP
             Custom Branches
        Android Market
             Installing an App
             Application Statistics
        Android Forensics

    Chapter 2 Android Hardware Platforms
        Overview of Core Components
             Central Processing Unit
             Baseband Modem/Radio
             Memory (Random-Access Memory and NAND Flash)
             Global Positioning System
             Wireless ( and Bluetooth)
             Secure Digital Card
             Universal Serial Bus
        Overview of Different Device Types
             Google TV
             Vehicles (In-board)
             Global Positioning System
             Other Devices
        ROM and Boot Loaders
             Power On and On-chip Boot ROM Code Execution
             Boot Loader (Initial Program Load/Second Program Loader)
             Linux Kernel
             The Init Process
             Zygote and Dalvik
             System Server
        Android Updates
             Custom User Interfaces
             Aftermarket Android Devices
        Specific Devices
             T-Mobile G1
             Motorola Droid
             HTC Incredible
             Google Nexus One

    Chapter 3 Android Software Development Kit and Android Debug Bridge
        Android Platforms
             Android Platform Highlights Through 2.3.3 (Gingerbread)
        Software Development Kit (SDK)
             SDK Release History
             SDK Install
             Android Virtual Devices (Emulator)
             Android OS Architecture
             Dalvik VM
             Native Code Development
        Android Security Model
        Forensics and the SDK
             Connecting an Android Device to a Workstation
             USB Interfaces
             Introduction to Android Debug Bridge

    Chapter 4 Android File Systems and Data Structures
        Data in the Shell
             What Data are Stored
             App Data Storage Directory Structure
             How Data are Stored
        Type of Memory
        File Systems
             rootfs, devpts, sysfs, and cgroup File Systems
             Extended File System (EXT)
        Mounted File Systems
             Mounted File Systems

    Chapter 5 Android Device, Data, and App Security
        Data Theft Targets and Attack Vectors
             Android Devices as a Target
             Android Devices as an Attack Vector
             Data Storage
             Recording Devices
        Security Considerations
             Security Philosophy
             US Federal Computer Crime Laws and Regulations
             Open Source Versus Closed Source
             Encrypted NAND Flash
        Individual Security Strategies
        Corporate Security Strategies
             Password/Pattern/PIN Lock
             Remote Wipe of Device
             Upgrade to Latest Software
             Remote Device Management Features
             Application and Device Audit
        App Development Security Strategies
             Mobile App Security Testing
             App Security Strategies

    Chapter 6 Android Forensic Techniques
             Types of Investigations
             Difference Between Logical and Physical Techniques
             Modification of the Target Device
        Procedures for Handling an Android Device
             Securing the Device
             Network Isolation
             How to Circumvent the Pass Code
        Imaging Android USB Mass Storage Devices
             SD Card Versus eMMC
             How to Forensically Image the SD Card/eMMC
        Logical Techniques
             ADB Pull
             Backup Analysis
             Commercial Providers
        Physical Techniques
             Hardware-Based Physical Techniques
             Software-Based Physical Techniques and Privileges
             AFPhysical Technique

    Chapter 7 Android Application and Forensic Analysis
        Analysis Techniques
             Timeline Analysis
             File System Analysis
             File Carving
             Hex: A Forensic Analyst’s Good Friend
             Android Directory Structures
        FAT Forensic Analysis
             FAT Timeline Analysis
             FAT Additional Analysis
             FAT Analysts Notes
        YAFFS2 Forensic Analysis
             YAFFS2 Timeline Analysis
             YAFFS2 File System Analysis
             YAFFS2 File Carving
             YAFFS2 Strings Analysis
             YAFFS2 Analyst Notes
        Android App Analysis and Reference
             Messaging (sms and mms)
             MMS Helper Application
             Media Scanner
             Cooliris Media Gallery
             Google Maps
             Adobe Reader
