Authors: Chengye Zhang and Nicolas Christin
DFRWS USA 2011
The Android platform has been deployed across a wide range of devices, predominately mobile phones, bringing unprecedented common software features to a diverse set of devices independent of carrier and manufacturer. Modern digital forensics processes differentiate collection and analysis, with collection ideally only occurring once and the subsequent analysis relying upon proper collection. After exploring special device boot modes and Android’s partitioning schema we detail the composition of an Android bootable image and discuss the creation of such an image designed for the forensic collection. The major contribution of this paper is a general process for data collection of Android devices and related results of experiments carried out on several specific devices.