Authors: Katharina De Rentiis, Julian Geus and Felix Freiling

DFRWS EU 2026

Abstract

Due to differing hardware and software security mechanisms, the forensic analysis of smartphones is strongly device-dependent. Given their prevalence in forensic investigations, the research community and tool manufacturers have focused primarily on devices with standard Operating Systems (OSs) from major manufacturers. Consequently, privacy advocates promote devices based on highly configurable OSs, such as the Android Open Source Project (AOSP), or custom ROMs like GrapheneOS, which prioritize privacy and security. These OSs benefit investigators in both private use and covert investigations. However, they present a significant challenge when used by the opposing side. To properly assess the situation, we conduct the first forensic analysis of GrapheneOS: We give an overview of AOSP and the custom ROM ecosystem. We also explain security and privacy features of GrapheneOS and how they compare to Android’s. Finally, we perform a data acquisition analysis, including tool support for GrapheneOS, and a network traffic analysis. Our results demonstrate that GrapheneOS improves upon Android security, and that its privacy features considerably complicate the remote acquisition of user data.
