The adoption of the Android operating system in mobile devices is growing at an overwhelming speed. The latest data point shows that 1.3 million Android devices are activated every day (source in Spanish). If Android maintains this pace, in just four years there will be more Google systems in operation than Windows systems. The security of Android therefore deserves study, and within security, forensic analysis is an interesting and important area.
A forensic analyst must be able to extract the maximum available information from the device. Depending on the purpose of the investigation, the analyst will focus on extracting different types of data. For example, an investigator analyzing a smartphone that may be infected with malware needs the processes in memory, the active connections and the inbound and outbound traffic, whereas in the analysis of a phone whose owner is suspected of a crime, the analyst will look for data that can provide evidence for the investigation, such as calls, emails, GPS position, photos, chat history, etc.
There are several methods to extract information from an Android device: a dump of RAM, an image of the NAND memory, the data on the external SD card, and hot (live) extraction of data from the running device. Today's post focuses on recovering data by using the Android system's own commands, and more specifically the logs generated by the system.
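As an added example (not part of the original post), the script below shows what a hot extraction of the system logs looks like in practice: it pulls each logcat buffer, the full dumpsys output and the device properties over adb into a case directory, records both the host and device clocks so timestamps can be reconciled later, and hashes everything it collected so the copies can be verified afterwards. It assumes a device with USB debugging enabled and visible to `adb` on the PATH (override with the `ADB` variable); the case directory and file names are the example's own conventions.

```shell
#!/bin/sh
# Added example: live collection of Android system logs over adb.
# Assumption: `adb` is on the PATH (or set ADB=/path/to/adb) and the
# device is authorized for USB debugging.
ADB="${ADB:-adb}"

# run_and_save NAME ADB-ARGS...
# Runs one adb command, saving stdout to NAME.txt and stderr to NAME.err.
# A failing command is logged but does not abort the collection: one
# missing artifact (e.g. the 'crash' buffer on old Android versions)
# should not cost us the rest.
run_and_save() {
    name="$1"; shift
    if "$ADB" "$@" > "$CASE_DIR/$name.txt" 2> "$CASE_DIR/$name.err"; then
        printf '%s ok\n' "$name" >> "$CASE_DIR/collection.log"
    else
        printf '%s FAILED (see %s.err)\n' "$name" "$name" >> "$CASE_DIR/collection.log"
    fi
}

# collect_android_logs CASE_DIR
collect_android_logs() {
    CASE_DIR="$1"
    mkdir -p "$CASE_DIR"
    : > "$CASE_DIR/collection.log"

    # Host and device clocks, captured together, so that log timestamps
    # (which come from the device clock) can be placed on a real timeline.
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$CASE_DIR/host_time.txt"
    run_and_save device_time  shell date
    run_and_save device_props shell getprop

    # Dump (-d: print and exit) every logcat buffer in threadtime format,
    # which gives date, time, PID, TID, priority and tag per line.
    for buf in main system radio events crash; do
        run_and_save "logcat_$buf" logcat -d -v threadtime -b "$buf"
    done

    # State of all system services (connectivity, batterystats, activity, ...).
    run_and_save dumpsys shell dumpsys

    # Hash the collected files so later truncation or tampering is detectable.
    (
        cd "$CASE_DIR" || exit 1
        if command -v sha256sum > /dev/null 2>&1; then
            sha256sum ./*.txt > manifest.sha256
        else
            shasum -a 256 ./*.txt > manifest.sha256
        fi
    )
}

# Usage: sh collect_android_logs.sh /cases/case01
# (only runs when a case directory is given, so the file can also be sourced)
if [ -n "${1:-}" ]; then
    collect_android_logs "$1"
fi
```

The collection deliberately runs unprivileged: logcat, getprop and dumpsys work on a stock device without root, which is exactly the situation in which the system's own commands are the only source available. Treat the `.err` files and `collection.log` as part of the evidence, since they document what could not be obtained and why.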