As opposed to iPhone devices, Android phones are produced by a plethora of makers, brands and models, from very simple to high end devices, they share similar protection security measures when we are dealing with new devices or new Android OS versions. In fact, like iPhones, Android device content is encrypted and protected from being access using other mechanisms different from the ones officially stated by Google (Android) or by the corresponding phone maker. Thus, even if the physical memory was extracted, the decryption key would be required.

The most common way to extract information from Android devices is by using the existing OS interfaces. Known forensics tools (like Cellebrite and Oxygen Forensics) take advantage of ADB (Android Debug Bridge) and/or Content Providers mechanism, to extract Apps’ data existing on the phone. ADB includes a backup feature that allows to backup data from apps, as long as the corresponding developer allowed the process. ADB also allows to create a Shell on the OS, but with very restrictive permits that do not allow to access the \data\data partition, where most of App’s information resides.

Readily Recoverable Content from Android

All information found in Android backups, can be easily acquired. There are several tools that do this job in a forensically sound manner, like Cellebrite, Oxygen Forensics, Magnet Axiom and others. Likewise, as with iOS devices, there also many lower-cost or free tools that extract the same information, although not in a forensically sound manner. For both cases, the passcode of the device is generally needed.

Normally, what can be extracted from an Android device includes: media on the device (picture, audio/music, videos), SMS and MMS messages and attachments, call logs, calendar information. In recent times, data from WhatsApp can only be extracted (when possible) from Google backups, the data is not easily recoverable from the device, although it used to be so in the past.

And the Not-So Easy Content to Recover

Many applications do not store content on the device, only metadata, others, store encrypted data accessible only using the app itself and/or has a cache database or folder where recent data is kept, although not accessible. Telegram, a well-known messaging app is a good example. Telegram chats are nor recoverable through the device, yet by using the Desktop Telegram App and syncing it with the phone, conversations can be extracted. Telegram’s users can set a password and/or 2FA which can prevent or limited the extraction.

In short, forensic collection workflows for smart devices are constantly requiring updates to keep up with the rapid pace of OS updates. In cases where app content cannot be parsed via an Android extraction, the examiner will have to resort to other options such as credentialed cloud-based collections or even screenshot imaging.