Recovered files list
Examiners must understand that Android devices might use space on the SD card to cache
application data; therefore, it is important to make sure that as much data as possible is
obtained from the device prior to removing the SD card. It is recommended to acquire the
SD card through the device as well as separately to ensure all data is obtained. If the
device cannot be powered off because possible evidence is running in memory, dd through
adb can be used while the device is running to obtain an image of the SD card. A memory
capture can also be obtained from the Android device should data actively running in
memory be relevant to the investigation. Tools such as LiME can be used to complete the
memory capture. LiME can be accessed on the following site:
https://code.google.com/p/lime-forensics/.
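The live SD card acquisition with dd through adb described above can be scripted so that every image is hashed and logged as it is taken. The following is an added example, not code from the original text; the function names are hypothetical, the block device path is device-specific and supplied by the examiner, and it assumes dd on the device is permitted to read that block device (this usually requires root).

```shell
#!/bin/sh
# Added example: live SD card imaging over adb, with integrity check and log.
# Assumptions: USB debugging is authorized, and dd on the device may read the
# block device (this usually requires root). The block device path is
# device-specific and must be supplied by the examiner.

# Stream the block device to the host, write it to $3 and print the
# SHA-256 of the bytes as they arrived.
acquire_sd_image() {
    serial=$1
    blockdev=$2
    out=$3
    # exec-out returns the raw byte stream with no terminal processing.
    adb -s "$serial" exec-out "dd if=$blockdev bs=4096 2>/dev/null" \
        | tee "$out" | sha256sum | cut -d' ' -f1
}

# Acquire the image, confirm the file on disk matches the received stream,
# write-protect it and append a record to the acquisition log ($4).
acquire_and_log() {
    serial=$1
    blockdev=$2
    out=$3
    log=$4
    stream_hash=$(acquire_sd_image "$serial" "$blockdev" "$out") || return 1
    # An empty file means adb or dd failed (no device, no permission).
    [ -s "$out" ] || { echo "acquisition failed: empty image" >&2; return 1; }
    file_hash=$(sha256sum "$out" | cut -d' ' -f1)
    [ "$stream_hash" = "$file_hash" ] || { echo "hash mismatch" >&2; return 1; }
    chmod a-w "$out"
    size=$(wc -c < "$out" | tr -d ' ')
    printf '%s serial=%s source=%s image=%s bytes=%s sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$serial" "$blockdev" "$out" \
        "$size" "$file_hash" >> "$log"
}
```

Call it as `acquire_and_log <serial> <block-device> sdcard.img acquisition.log`, taking the serial from `adb devices`. Because the card stays mounted on a running device, its contents can change during imaging, so the logged hash documents the copy that was taken rather than a state that can be re-read later.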
It is also recommended to check if the device has any backup applications or files
installed. The initial release of Android did not include a mechanism for users to back
up their personal data. Hence, several backup applications were used extensively by
users. By using these apps, users can back up their data either to the SD card or to the
cloud. For example, the Super Backup app contains options to back up call logs, contacts,
SMS, and more, as shown in the following screenshot: