Android Forensics

Investigation, Analysis and Mobile Security for Google Android


  • Andrew Hoog, is a computer scientist, certified forensic analyst (GCFA and CCE), computer and mobile forensics researcher, former adjunct professor (assembly language) and owner of viaForensics, an innovative computer and mobile forensic firm.

Android Forensics: Investigation, Analysis, and Mobile Security for Google Android examines the Android mobile platform and shares techniques for the forensic acquisition and subsequent analysis of Android devices. Organized into seven chapters, the book looks at the history of the Android platform and its internationalization; it discusses the Android Open Source Project (AOSP) and the Android Market; it offers a brief tutorial on Linux and Android forensics; and it explains how to create an Ubuntu-based virtual machine (VM). The book also considers a wide array of Android-supported hardware and device types, the various Android releases, the Android software development kit (SDK), the Davlik VM, key components of Android security, and other fundamental concepts related to Android forensics, such as the Android debug bridge and the USB debugging setting. In addition, it analyzes how data are stored on an Android device and describes strategies and specific utilities that a forensic analyst or security engineer can use to analyze an acquired Android device. Core Android developers and manufacturers, app developers, corporate security officers, and anyone with limited forensic experience will find this book extremely useful.
View full description


Computer forensic and incident response professionals. This includes LE, federal government, commercial/private sector contractors, consultants, etc.


Book information

  • Published: June 2011
  • Imprint: SYNGRESS
  • ISBN: 978-1-59749-651-3


"If you want to truly understand and perform forensics on Android this is the book. There is no other reference that goes to this level of detail on the Android operating systems idiosyncrasies and quirks. Android Forensics is a must have for the mobile device examiner’s bookshelf."-Jim Steele, Director of Digital Forensics , a Tier 1 Wireless Carrier

"Andrew Hoog in his latest book, Android Forensics, provides exceptionally well written coverage of Android for the Computer Forensics Investigator. No small task given the ever changing nature of Google’s preeminent mobile operating system."--Matthew M. Shannon, Principal, F-Response

"…provides an excellent and comprehensive coverage of the Android platform, including its design, implementation, operation, investigation and analysis. At 364 pages of content, organized over seven chapters, with a focus on the ‘practical’ - demonstrating system design, implementation, operation and investigation, for instance, through hands-on "experiments" - this sizable text will resonate particularly well with readers disposed to activity-centric, learning-by-doing styled narrative. The text is peppered throughout with device and application (GUI) screenshots, as well as command line execution/output and directory listings."

"In conclusion, we feel that Android Forensics is a good introduction to a field that still seems very ‘fresh’ and new to forensic examiners… As a quick reference during forensic analysis, the last chapter proves to be an excellent resource."--Computer and Security

"At 364 pages of content, organized
over seven chapters, with a focus on
the ‘practical’ - demonstrating system design, implementation, operation and investigation, for instance, through hands- on "experiments" - this sizable text will resonate particularly well with readers disposed to activity-centric, learning-by- doing styled narrative…With a practical focus from the outset that includes how to acquire and install the Android SDK and build an Android Virtual Device (AVD), this text is particularly suited to those disposed to
a hands-on approach to learning about the Android platform from a security and investigation perspective."--Best Digital Forensics Book in InfoSecReviews Book Awards

Table of Contents



About the Author

Chapter 1 Android and Mobile Forensics


    Android Platform

         History of Android

         Google’s Strategy

    Linux, Open Source Software, and Forensics

         Brief History of Linux

    Android Open Source Project

         AOSP Licenses

         Development Process

         Value of Open Source in Forensics

         Downloading and Compiling AOSP




         Custom Branches

    Android Market

         Installing an App

         Application Statistics

    Android Forensics




Chapter 2 Android Hardware Platforms


    Overview of Core Components

         Central Processing Unit

         Baseband Modem/Radio

         Memory (Random-Access Memory and NAND Flash)

         Global Positioning System

         Wireless ( and Bluetooth)

         Secure Digital Card





         Universal Serial Bus



    Overview of Different Device Types




         Google TV

         Vehicles (In-board)

         Global Positioning System

         Other Devices

    ROM and Boot Loaders

         Power On and On-chip Boot ROM Code Execution

         Boot Loader (Initial Program Load/Second Program Loader)

         Linux Kernel

         The Init Process

         Zygote and Dalvik

         System Server


    Android Updates

         Custom User Interfaces

         Aftermarket Android Devices

    Specific Devices

         T-Mobile G1

         Motorola Droid

         HTC Incredible

         Google Nexus One



Chapter 3 Android Software Development Kit and Android Debug Bridge


    Android Platforms

         Android Platform Highlights Through 2.3.3 (Gingerbread)

    Software Development Kit (SDK)

         SDK Release History

         SDK Install

         Android Virtual Devices (Emulator)

         Android OS Architecture

         Dalvik VM

         Native Code Development

    Android Security Model

    Forensics and the SDK

         Connecting an Android Device to a Workstation

         USB Interfaces

         Introduction to Android Debug Bridge



Chapter 4 Android File Systems and Data Structures


    Data in the Shell

         What Data are Stored

         App Data Storage Directory Structure

         How Data are Stored

    Type of Memory


    File Systems

         rootfs, devpts, sysfs, and cgroup File Systems



         Extended File System (EXT)



    Mounted File Systems

         Mounted File Systems



Chapter 5 Android Device, Data, and App Security


    Data Theft Targets and Attack Vectors

         Android Devices as a Target

         Android Devices as an Attack Vector

         Data Storage

         Recording Devices

    Security Considerations

         Security Philosophy

         US Federal Computer Crime Laws and Regulations

         Open Source Versus Closed Source

         Encrypted NAND Flash

    Individual Security Strategies

    Corporate Security Strategies


         Password/Pattern/PIN Lock

         Remote Wipe of Device

         Upgrade to Latest Software

         Remote Device Management Features

         Application and Device Audit

    App Development Security Strategies

         Mobile App Security Testing

         App Security Strategies



Chapter 6 Android Forensic Techniques


         Types of Investigations

         Difference Between Logical and Physical Techniques

         Modification of the Target Device

    Procedures for Handling an Android Device

         Securing the Device

         Network Isolation

         How to Circumvent the Pass Code

    Imaging Android USB Mass Storage Devices

         SD Card Versus eMMC

         How to Forensically Image the SD Card/eMMC

    Logical Techniques

         ADB Pull

         Backup Analysis


         Commercial Providers

    Physical Techniques

         Hardware-Based Physical Techniques



         Software-Based Physical Techniques and Privileges

         AFPhysical Technique



Chapter 7 Android Application and Forensic Analysis


    Analysis Techniques

         Timeline Analysis

         File System Analysis

         File Carving


         Hex: A Forensic Analyst’s Good Friend

         Android Directory Structures

    FAT Forensic Analysis

         FAT Timeline Analysis

         FAT Additional Analysis

         FAT Analysts Notes

    YAFFS2 Forensic Analysis

         YAFFS2 Timeline Analysis

         YAFFS2 File System Analysis

         YAFFS2 File Carving

         YAFFS2 Strings Analysis

         YAFFS2 Analyst Notes

    Android App Analysis and Reference

         Messaging (sms and mms)

         MMS Helper Application



         Media Scanner


         Cooliris Media Gallery

         Google Maps



         Adobe Reader