Data extraction techniques
Data residing on an Android device may be an integral part of civil or criminal
investigations, or of internal investigations conducted as part of a company's own probe.
When dealing with investigations involving Android devices, the forensic examiner needs to
be mindful of the issues that must be addressed during the forensic process; these include
determining whether root access is permitted (via consent or legal authority) and what data
can be extracted and analyzed during the investigation. For example, in a criminal case
involving stalking, the court may allow only the SMS, call logs, and photos on the Android
device belonging to the suspect to be extracted and analyzed. In this case, it may make the
most sense to logically capture just those specific items. However, it is best to obtain a
full physical data extraction of the device and examine only the areas admissible by the
court. You never know where your investigation may lead, and it is best to obtain as much
data off the device immediately rather than wish you had a full image should the scope of
consent change.
The data extraction techniques on an Android device can be classified into three types:
• Manual data extraction
• Logical data extraction
• Physical data extraction
The extraction methods for each of these types will be described in detail in the following
sections. Some methods may require that the device be rooted in order to fully access the
data. Each method has different implications, and success rates will depend on the tool, the
method used, and the device make and model.