Sunday, August 10, 2014


In the form of Q&A

Thank you for visiting my blog! This website is devoted to documenting free Android forensics techniques. In lieu of a mission statement of this blog, I'm going to provide a Q&A for what this blog is, what I intend it to be, and how you, the reader, can help.

What is this blog about?
This blog is a website for me to document some free Android forensics techniques. In the world of mobile forensics, there are all kinds of expensive tools that claim to handle all your mobile-related needs, like this, this, and this. It is my goal with this blog to demonstrate that there is (generally) another way. With some Linux knowledge (or willingness to learn it), a Windows computer and a Linux computer (or virtual machines), some free software (and I actually mean free, not 30-day trials), and some spare time and motivation to learn, you can do some outstanding work with Android forensics.

Who is the intended reader of this blog?
For starters, you. Thank you for reading! I wrote this blog for the following audiences:
  • anybody who wants to do some Android forensics
  • anyone who needs to do Android forensics on a budget (and if you do, I respect you and please do not hesitate to contact me for any help)
  • smartphone enthusiasts
  • researchers
  • anyone stuck trying to get past an Android related challenge
  • the curious person who just wants to learn more about their phone
    • If this is you, you are awesome and keep doing what you are doing

Will this blog contain information specific to XYZ phone?
Normally not, but sometimes. I'll be looking at Android in a more general way, but I may reference a specific device from time to time. I am more likely to reference a specific version of Android. That being said, if you are looking for help with a specific phone, please reach out to me!

Will you cover mobile operating systems besides Android?
No, but I am knowledgeable in others. I have done a fair amount of iOS work, I won an award for best paper at an international forensics conference for work on the Maemo OS, and I've dabbled with BlackBerry, but I've worked with Android far, far more than any other mobile OS. If you have a question about other mobile operating systems, contact me and I might either know the answer or know who to have you contact.

Will this be more of a technical blog or more about admissibility / best practices / forensic soundness?
This will be technical.
The word “forensics” has a lot of connotations when preceded by the words “cyber,” “computer,” or “mobile.” The word “forensics” in its purest sense means the application of science to law. “Computer forensic science” is the study of digital media and its relation to a court of law. Computer forensic examiners always think about admissibility in a court of law and follow documented best practices in order to avoid having digital evidence declared inadmissible by a judge.
In the world of IT security, “forensics” is more often comparable to the words / phrases “incident response”, “exploits,” or “reverse engineering.” Traditional forensic examiners cringe when they hear IT folks toss the word “forensics” around.
Regardless of your perspective on “forensics,” you will need a strong technical background to be successful in the field of “Android forensics.”
To be honest, the best term to use to describe this blog is “CELLEX”, or “Cellular Phone Exploitation.” CELLEX is the technical field of creating tools and techniques to exploit the security of cellular phones and use those exploits to extract data. So ...

Why am I calling this blog “Free Android Forensics” instead of “Free Android-based CELLEX”?
I went with “Free Android Forensics” because the word “Forensics” is a better known word than CELLEX.

What is your background?
My background includes extensive work in mobility with a strong slant towards Android, including forensics, security, and research, in academia and in industry. Please check out my about the author page.

How can I help?
I am always looking for input from the field. The Android community is large and diverse. Every page on my blog has a comments page, and I encourage comments and interaction from the field. If you have a real life story similar to the content of the page, please post! If you have a question, please post! If you have a question but do not want it made public, contact me! If you have a different strategy than I use, post it! If you see an error in my work, please post and I'll address it.
Android forensics is a community, and collaboration is key to any community. I would like this blog to be a place where anyone can ask Android forensics questions, and if I cannot answer, I hope somebody else out there can.

Now for my posting regulations. I do not like policing comments and do not intend to do so, but if I must, I will. I'm a tech enthusiast and spend a lot of time on tech message boards searching for answers to specific problems, so I know how we tech people can be online. So I ask only one rule:
Be nice and courteous to everybody.

All right! The basics are all out of the way. My first technical blog post will be on picking a forensic toolkit!

Questions, comments, suggestions, or experiences? I do my best to keep up with the Android forensics community and am happy to chat with others in the field or anybody looking for some help in this field. Leave a comment below, or send me an email.


  1. This is AWESOME stuff!!! Thank you soooo much for doing this :-) :-) :-)

  2. How can you find out if your phone is tampered with?? Some applications on my phone that I've shut down pop back up.. I disable the app only for it to pop back up, then it makes it to where I can't disable it anymore...

  3. OK I think you have it posted. Just need to keep reading and digging!! Thanks for the page and info!!!

  6. I have rsynced mmssms.db and contacts2.db over to my Fedora Linux workstation and I want to create an SMS archive DB but I am having a lot of difficulty working out how to get contact names working back from the text messages into the new, simple DB - do you have time to help?

    1. contacts2.db is a bit of a bear to crawl through ... lots of manual work. Let me check, there may be some good scripts to do this for you ...

    2. OK here's a possible solution. Load NowSecure's (was ViaForensics) basic forensics apk to the phone and pull data. It will grab your contacts. (Note: I'm not sure this project is still active, so if your OS is newer than the last source update, it may not be perfect.) Source here: ... and there is a link there to grab just the apk. Worth a try. It will read content - including sms and contacts - and save them to csvs on the sd card.
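For the question above about joining mmssms.db to contacts2.db, here is an added example (not code from the blog author or the commenter) that resolves each SMS address to a display name and writes a simple archive table. It reads only the `sms`, `raw_contacts` and `phone_lookup` tables, which exist in the real databases; the sample rows are constructed, and the last-seven-digits matching is an assumption that approximates Android's own lookup.

```python
import re
import sqlite3

# Constructed sample rows (not from the page) using the real column names of
# the sms table in mmssms.db and the raw_contacts / phone_lookup tables in
# contacts2.db. sms.type 1 = received, 2 = sent; date is epoch milliseconds.
SAMPLE_SMS = """
CREATE TABLE sms(_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT,
                 date INTEGER, type INTEGER, body TEXT);
INSERT INTO sms VALUES
  (1, 1, '+15551234567', 1407600000000, 1, 'see you at 9'),
  (2, 1, '+15551234567', 1407600060000, 2, 'ok'),
  (3, 2, '(555) 987-6543', 1407600120000, 1, 'call me'),
  (4, 3, '+15550000000', 1407600180000, 1, 'unknown sender');
"""
SAMPLE_CONTACTS = """
CREATE TABLE raw_contacts(_id INTEGER PRIMARY KEY, display_name TEXT);
CREATE TABLE phone_lookup(data_id INTEGER, raw_contact_id INTEGER, normalized_number TEXT);
INSERT INTO raw_contacts VALUES (10, 'Alice Example'), (11, 'Bob Example');
INSERT INTO phone_lookup VALUES (100, 10, '+15551234567'), (101, 11, '+15559876543');
"""

def tail_digits(number, n=7):
    # Last n digits only, so '(555) 987-6543' matches '+15559876543' (assumed heuristic, like Android's min_match).
    return re.sub(r"\D", "", number or "")[-n:]

def build_sms_archive(sms_con, contacts_con, out_con):
    """Copy sms rows into out_con.archive with the contact name resolved (None if unknown)."""
    names = {}
    for num, name in contacts_con.execute(
            "SELECT p.normalized_number, r.display_name FROM phone_lookup p "
            "JOIN raw_contacts r ON r._id = p.raw_contact_id"):
        names[tail_digits(num)] = name
    out_con.execute("CREATE TABLE IF NOT EXISTS archive(sms_id INTEGER, date_ms INTEGER, "
                    "direction TEXT, address TEXT, contact TEXT, body TEXT)")
    rows = []
    for _id, address, date, typ, body in sms_con.execute(
            "SELECT _id, address, date, type, body FROM sms ORDER BY date"):
        direction = {1: "received", 2: "sent"}.get(typ, "type %s" % typ)
        contact = names.get(tail_digits(address))  # None when not in contacts
        rows.append((_id, date, direction, address, contact, body))
    out_con.executemany("INSERT INTO archive VALUES (?,?,?,?,?,?)", rows)
    out_con.commit()
    return rows

def demo():
    sms, contacts, out = (sqlite3.connect(":memory:") for _ in range(3))
    sms.executescript(SAMPLE_SMS)
    contacts.executescript(SAMPLE_CONTACTS)
    return build_sms_archive(sms, contacts, out)
```

For real files, pass `sqlite3.connect('mmssms.db')`, `sqlite3.connect('contacts2.db')` and a connection to the new archive file instead of the in-memory databases used in `demo()`.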

  7. Using Sqlite Db browser Bookmarks were created in June however using FTK imager the browser slack file contains the following information:
    30" Charge="80">

    Is it possible that bookmarks were transferred to the phone?

  8. This comment has been removed by the author.

    1. RsocInfo Date= 2016/05/22 Charge=80 is missing

  9. This is an awesome site! You write so perfectly. Easy to follow.

  10. Congrats for this blog, always reading your articles, learning more and more!