Android Forensics: Tools and Techniques for Manual Data Extraction
Animesh Kumar Agrawal, Aman Sharma, Sumitra Ranjan Sinha, Pallavi Khatri
ITM University, Gwalior, Madhya Pradesh 475001, India
Independent Researcher, New Delhi 110011, India

Abstract
With the world shifting to mobile devices for both personal and official work, the
number of digital frauds is increasing exponentially. As technology advances day by day,
innovative ways to commit crimes are also increasing. These days cyber criminals focus on
refining their techniques so that a minimal amount of data traces is left on the
devices or systems which they are using. In order to investigate the ever-growing cyber-crime on
easily available and affordable computing devices, there is a need to develop manual techniques
which can help investigators in the near future so that they do not rely solely on forensic tools.
This paper brings out a methodology to analyze and examine an Android mobile phone in an easy
and simple manner without the help of commercial tools, by utilizing the concept of a virtual Android
device created on the Genymotion emulator. Additionally, this work focuses on the analysis and
recovery of the data present in the cache memory of installed applications like Facebook.

Keywords: Mobile Devices, Cyber Crimes, Virtualization, Android Applications, Genymotion, Cache, Rooting, File Signature

1. Introduction
Forensics is a branch of science that deals with evidence that can be
presented in a court of law. Its sub-domain that deals with acquiring and
analyzing data from computers, smartphones and other digital devices is known
as digital forensics. The Operating System (OS) used in Android smartphones is
derived from the Linux OS used in computers. Due to the rapid growth in mobile
technology, new challenges have been introduced for forensic investigators. The
speed at which new models are being designed and launched makes the
application of old forensic procedures very difficult. Each case or investigation
of a new model needs to be considered differently and requires steps which
could be different and unique to the case. Android smartphones are the most
popular choice in the already crowded mobile phone market. They are gaining
an even higher market share with an exponential growth rate. The reason for the
popularity of these devices is that they are feature rich, cost efficient and user
friendly. Android smartphones provide a number of features and data-centric
information such as data files, contact details, running applications, games and
many more. The data from these devices can be extracted using various forensic
tools, both open source and paid. However, there is no simple
universally accepted method which can be used with 100% surety to fetch data
from Android smartphones in a forensically sound manner. The established
approach to digital forensics developed for personal computers is generally
inappropriate for Android smartphones. Consequently, recovering evidence
from Android smartphones in accordance with established principles of
forensic evidence is complex and time consuming. The architecture of a
commercial mobile analysis tool is not open source, primarily to protect the
commercial interests of the manufacturers. Hence, an investigator or a researcher
is unable to capture the data flow between the tool and the mobile device, the
memory map of the device and other finer details which can help in
gathering the data from the point of carrying out forensics. In order to
understand the data communication, the Android architecture, which is Linux
based as given in Fig. 1 and referenced in Android Architecture and Libraries
Every Android Developer Should Know - Elisha Chirchir
http://simpledeveloper.com/android-architecture/ , was studied in detail. In the
case of mobile forensics, an investigator focuses mainly on two types of
acquisition: physical and logical. Logical acquisition encompasses acquiring the
file system of the device, which includes the system files, user data and present
data. Physical acquisition includes the physical memory of the mobile
device, including the deleted data. The general tendency is to delete the data
from the mobile after committing a crime. Hence, there is a lot of emphasis on
recovering deleted data from the mobile phone.

Fig. 1 Android Architecture

In this work, Android Debug Bridge (adb) commands have been used to extract
the data manually from the Android phone. Using these commands the system
partition of the phone can be accessed, thereby easing the process of forensic
analysis. For the purpose of this research, a two-pronged approach has been
followed. First, the data extraction has been done using a virtual Android device
created in an Android emulator like Genymotion. Second, a real device having the
same or nearly matching Android kernel version is taken and the process is repeated
to establish the authenticity of the research being done. The rest of the article is
organized as follows. Section 2 briefs about the work done in the area by other
researchers. Section 3 gives the details of the proposed system, and the experimental
setup is discussed in Section 4. Section 5 summarizes the important findings of the
experiments, with conclusion and future work being highlighted in Section 6.

2. Literature Survey

Research on android forensics is an ever evolving process. However, the research
done by various authors is summarized in this section to better understand the tools
and techniques used till now to extract data.
Authors (Ali & Bernard 2016) proposed a novel approach for recovering deleted or
hidden data from mobiles. Samsung Galaxy S2 i9100 having OS version 4.2.0 has
been used to carry out the experiments with both commercial and open source
tools. Logical and physical acquisition has been done using tools like FTK,
Foremost, AFlogical and Disk Digger. The research is concentrated on obtaining
data from the internal memory of the phone only.
The authors (Himanshu & Tapaswi 2015) have proposed a method to acquire live
data as well as internal data of an android phone. The authors have given a method
to get live RAM data along with logical acquisition of the Android mobile phone.
Also SD Card and eMMC storage imaging has been demonstrated by the authors.
The data comparison was done for Micromax A76 and Samsung Ace mobiles
against the Custom ROM developed by the authors. The tools compared were
AFLogical, viaExtract and the methodology developed by the authors. The work
has been done on Android versions 2.3.6 and 4.2. Authors in (Isak M. 2016)
present open source tools to forensically recover data from android based devices.
Data acquisition is carried out on an android device Alcatel one touch 6012x
having android version 4.2.2 through adb, dd (disk dump). Andriller is used for
extraction of data, pattern or pin bypassing, etc. Imaging of the /data partition was
done using dd command and raw image of the partition was mounted on an open
source tool Autopsy. The same device was analyzed through another tool, MOBILedit,
and also logical and physical extraction was done using NowSecure Forensic
Community Solution. Audio, images, videos, viber calls and messages, contacts
and call logs were extracted from the device.
In (Jadied, E., Lukito, N. Y. P., & Yulianto 2016), the authors have attempted to
compare four methods of Logical Extraction of data from an unrooted Android
Device. These include AFLogical, SD Card Imaging, Android Backup Analysis
and Oxygen Forensics. The best technique has been inferred with the help of a case
study in which application data is recovered using each of the above mentioned
techniques. The authors have concluded that the Android Backup Analysis is the
best technique for capturing application data since it gives the maximum data. A
study of trial version of four widely used mobile forensics tools namely, Oxygen
Forensic Suite, Paraben Device Seizure, Mobile Internal Acquisition Tool and
MOBILedit Forensic was done by (Mohtasebi S. et al. 2011) and data extracted
from a Nokia E5-00 smartphone. It was observed that complete deleted data could
not be recovered from the phone by any of the tools. Also the tools could not
bypass the security mechanism like access code of the phone. Limitation of
extraction of complete deleted data could have been because of using the
trial versions of the tools, since they have limited features enabled and are meant for
evaluation only.
The technique of forensic acquisition using differential method has been introduced
by (Buttner, Grover, & Guido 2016). The concept of hash comparisons is used to
acquire the physical image from an android phone. The research is based on
prototype software called Hawkeye which uses the above technique to image a
phone. The biggest advantage of this method is that it images only a fraction of the
device storage which basically contains the user data. The authors have proved that
their method is 5 times faster than any of the commercial tools available like XRY,
Oxygen, etc and the actual data can be acquired in less than 7 minutes. The authors
(Murthy & Racioppo 2012) have explained how to carry out forensic analysis of an
Android based HTC phone having version 2.3. They have begun by describing the
underlying Linux architecture on which Android framework has been built.
Subsequently, imaging the SD card of the phone has been described using
AccessData FTK Imager. A technique for rooting the phone has been described,
which is required to image the phone and extract data. Linux commands have been
used to image the phone and scalpel software to analyse the phone's image. Various
directory structures have been explained which contain a lot of user data. The
forensic challenges faced in analysing a relatively low penetration open source
mobile OS, Firefox OS, have been presented by (Abdullah, Dehghantanha, & Yusoff,
2014). The authors have discussed the forensic techniques employed in different
mobile OS i.e. Windows, Symbian, iOS, Android and Blackberry. Since Firefox
OS is based on the Linux kernel and Mozilla's Gecko technology, which is a layout
engine to read web content like HTML and JavaScript and display it to the user, there
is no need of rooting the device in these types of phones. The authors (Grispos, G.,
Glisson, W., & Storer, T., 2011) have tried to present the comparison of the different
methods by which information can be extracted from a Windows mobile phone.
The HTC Touch Pro2 running Windows version 6.1 Professional OS was used for
testing the results. The paper mainly focuses on use of Cellebrite's UFED as an
acquisition tool. One important conclusion which the authors have drawn from the
comparison is that no single technique is able to recover all forensic data from a
Windows mobile device and in some cases there is a conflict between the results
obtained.
The authors (Agrawal A.K., Khatri P., Sinha S.R. 2018) have done a comparative
study of data acquisition techniques using various commercial mobile forensic
tools and manual method which also includes the recovery of the deleted data. This
study also shows that manual method for data acquisition is very effective in
extracting data from an android device and can be used to gather data in the
absence of expensive commercial tools. Similarly, in another research for extracting
data from the Android devices, authors (A Sharma, A K Agrawal, B Kumar & P
Khatri 2019) have used the concept of virtualization by using an emulator called
Genymotion. The work proposed by them brings a novel method of extracting data
from a virtual android phone.
The authors (Timothy Vidas, Nicholas Christan, Chenaye Zhang, 2011) have
described a general idea of data acquisition from various Android handsets. In this
process they achieved the acquisition of data through a bootable image file through
which various forensic artifacts such as contacts, call logs, calendar info,
locations and messages can be extracted. Authors (Namheun Son, Yunho Lee, Dohyun
Kim, Joshua I James, Sangjin Lee, Kyungho Lee 2013) proposed a method of
maintaining the user data integrity using an indigenously developed acquisition tool
which utilizes recovery mode of an android to collect data. The study was
conducted using various android devices which confirmed that the integrity of the
user data can be preserved during the acquisition of data through recovery mode. It
also showed that this methodology also works on the data extraction from the file
systems such as YAFFS2 and Ext4.
The authors (Xinfang Lee, Chunghuang Yang, Shijien Chen, JainShing Wu, 2009)
proposed a study based on the NIST guidelines which involved the forensics of
Android devices with the integration of the open source digital forensics tools.
They utilized JAVA language as a main function to collect the data from an
Android device at the crime scene. The study also shows that the forensic evidence
can be collected in the SD card using their developed tool without bringing the
device to the forensics lab.

3. Proposed Methodology

The issue which needs to be addressed is that of extracting evidence from a
mobile device in the absence of a costly commercial tool, as discussed by
(Agrawal A.K., Khatri P., Sinha S.R. 2018). None of the articles discussed
in the literature survey have talked about analyzing the data manually through
android debug commands, which come in handy in a situation where paid
mobile forensic tools are not available. This work tries to address this
challenge with the use of a virtual device and a real android device. The
concept of virtual android device for forensic analysis as given by (Sharma
A., Agrawal A.K., Kumar B., Khatri P. 2019) has been used for
ease of experimentation and to circumvent the requirement of having a
physical device for testing each android version. Using a virtual device
expedites the experiments, and various scenarios can be created and tested
which may not be possible in a real device. Fig. 2 shows the complete
extraction process from a mobile.

Fig. 2 Extraction Process Flowchart.

4. Experimental Setup

In order to understand the data extraction techniques used in this work, an
experimental setup was created. The experiment was conducted on an i5 laptop
and a desktop machine with 8 GB RAM and 500 GB hard disk. A virtual
machine was created on the system to test in a virtual environment, and the same
experiment was then repeated on a physical phone with Android as the
operating system. Some of the advantages of using a virtual phone instead
of a physical phone are:

● Easy availability of different android versions for testing

● The phone can be reused multiple times

● Multiple test environments can be created with ease

● Issue of rooting is not there

● No problem of phone bricking due to multiple config changes

A virtual phone with Android Version 4.4 that is an exact copy of a
physical phone is created on the emulator. The virtual phone uses the default
settings provided by the Genymotion emulator. The virtual phone has all the
functionalities of an actual Android phone having the same kernel version
and hence can be used to carry out all experiments except the non-supported
features like a physical SD card or any external storage. The work involved
establishing a connection between the Linux machine and the Android
emulator so that data from the phone could be pulled out. An advantage of
using this setup was that a physical phone could be connected to the Linux
machine instead of a virtual one and data could be extracted from it in a
similar manner. This would help in carrying the research done on a virtual
phone on to a real phone so that the concepts can be proven and utilized
practically for data extraction. The whole process was repeated for two
more Android versions, 5.0 and 6.0.

There are a large number of apps installed in any mobile device which store
plethora of information in the form of cache. Cache is a type of SRAM
(Static Random Access Memory) which the system can access faster than
RAM (Random Access Memory). The purpose is to store data and
processes that are used repeatedly by an application or program. Every app
has got its own cache folder and stores data in different file formats. These
files can give a broad idea about the data sent or received and can also be
used to derive forensic artifacts in any investigation. Since the extraction of
data was already done in android versions 4.4, 5.0 and 6.0, the app data
analysis was done on higher versions of android. Hence, virtual phones
created on ver 7.0 and 8.0 were used to extract data from the Facebook app.
The cached files were analyzed and .jpeg files which were transmitted and
subsequently deleted could be easily recovered following the manual
approach enumerated below.

5. Manual Analysis

After the dd raw dump was created as per the procedure outlined above, the
manual analysis commenced to extract the test data from the mobile. For
this, the concept of file signature analysis as specified in
https://www.garykessler.net/library/file_sigs.html was utilized. Every file
extension or type has a unique file signature which consists of the header
and footer. The actual data of the file is stored in between the header and
footer for that particular file type. For example, for a .jpeg file the header and
footer are FF D8 FF and FF D9 respectively. All bytes stored in between
the header and footer, when copied from the hex dump and pasted in a
separate file, reproduce the desired file. This experiment was done with
non-deleted data first. A virtual android device having android version 4.4.4
was taken and a total of 10 files were stored into it. These include two each
of file types docx, jpeg, pdf, mp4 and zip. The same set of data was stored
in a real android device having the same android version. Each phone was
connected separately to the Tamer VM and, using the adb commands described
above, a dd image or raw dump of the /data partition of the mobile was
created. The data partition contains the user data like contacts, messages,
installed apps, etc. The dd image was analysed manually in wxHexEditor,
which displays the hex value of each byte. The desired files were extracted
using the concept of file header and footer described earlier.

A search was carried out for the header and footer in the hex dump as stated
above. All bytes stored in between the header and footer when copied from
the hex dump and pasted in a separate file with extension .jpeg would lead
to recovery of the original file. After extracting the required bytes and
creating a file with the desired extension, the hash of the file was calculated.
This process was repeated for another file having the same extension.
Subsequently, four more different file types were similarly extracted.

Case 1

The experiment was done for Android Version 4.4 (Kitkat) both for virtual
and real phone as described above. It was then repeated with two more
virtual and real devices with android versions (Version 5.0 and 6.0 -
Lollipop and Marshmallow respectively) each having five different file
types as test data. The results obtained have been discussed in the Result
section.

Case 2

The analysis was repeated for non-deleted data using commercial mobile
forensic tools namely XRY and MOBILedit. The mobile devices, both
virtual and physical were connected one by one to the Tamer VM and a dd
image was created and data was extracted for different versions of Android.

Case 3

Retrieving deleted data is the most challenging issue which every forensic
investigator faces in any given case. Case 1 and Case 2 consider only
non-deleted/present data of the device. In this case, concentration was on
retrieval of deleted data. To perform this, the same test data was pushed to the
devices (real, virtual). Then the data was deleted from the device, and
FTK Imager was used to check whether the files were actually deleted from
the device. Then, the dd image of the data partition of the device was taken and
analysis was done.

Case 4

The deleted test data was extracted using automated tools and the results were
tabulated for further comparison and analysis. To check the authenticity of
the experiments and to show that the data was actually deleted the dd image
was mounted in FTK imager. Fig. 3 below shows the presence of test data
before deletion.

Fig. 3 - Test data before deletion

The data was then deleted from the device and the dd image was taken. Fig 4
shows that the test data actually got deleted and only the name of the file was
visible in the hex format. Successful extraction of each test data signifies that
any deleted data can be retrieved without using any commercial tool by the
manual method explained through the concept of header and footer analysis.
However, it is imperative that the authenticity of the extracted data is
established through hash verification. Therefore, MD5 hash was calculated
for each of the extracted files and verified with that of the original
file/automated tool extracted file as given in Fig 5 (a) and (b).

Fig. 4 - Test data after deletion

Fig. 5 - (a) Hash value of the original file before deletion; (b) Hash value of the file after extraction

6. Extraction Process of a pdf File


The header and footer of a pdf file are shown in Fig 6 and 7
respectively. The bytes between the given header and footer were
selected and were saved as pdf file. The output was a complete recovered
pdf file as shown in Fig 8. The hash of the file was verified and
compared with that of the original file.

25 50 44 46

Fig.6- Header of a pdf file



25 45 4F 46

Fig.7- Footer of pdf file

Fig.8- Extracted pdf file


Similarly, this process was repeated for all the five file types on the
physical Android device as well as on the virtual device. Results were
noted down and a comparative table was made to see whether the approach used
in this paper is effective or not.
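
The header/footer search from the manual analysis and the pdf extraction above, automated together with the hash calculation, as an added example that is not the authors' code. It goes beyond copying the bytes between the first header and first footer: JPEG segments are walked so that an embedded thumbnail's FF D9 does not truncate the file, and for PDF the last footer before the next header is taken. The function names, the 20 MB size cap and the sample image are assumptions constructed for illustration.

```python
# Signature-based carving of JPEG and PDF files from a raw dd image (added example).
import hashlib

# Header/footer byte signatures quoted in the paper.
SIGNATURES = {
    "jpeg": (bytes.fromhex("FFD8FF"), bytes.fromhex("FFD9")),
    "pdf": (bytes.fromhex("25504446"), bytes.fromhex("25454F46")),
}

def _jpeg_end(image, start, limit):
    """Walk the JPEG structure from the header at `start`; return the offset
    just past the real FF D9 footer, or -1. Walking segments (an assumption
    added here) skips an EXIF thumbnail, which has its own FF D8 FF / FF D9."""
    i = start + 2  # skip FF D8
    while i + 4 <= limit and image[i] == 0xFF:  # FF <marker> <2-byte length>
        marker = image[i + 1]
        seg_len = int.from_bytes(image[i + 2:i + 4], "big")
        if seg_len < 2:
            return -1
        i += 2 + seg_len
        if marker == 0xDA:  # start of scan: compressed data follows
            break
    else:
        return -1  # ran out of valid segments before any scan data
    while True:
        i = image.find(b"\xff", i, limit)
        if i == -1 or i + 1 >= limit:
            return -1
        nxt = image[i + 1]
        if nxt == 0xD9:  # footer FF D9
            return i + 2
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:  # stuffed byte / restart marker
            i += 2
        elif nxt == 0xFF:  # fill byte
            i += 1
        else:  # another segment between scans (progressive JPEG)
            if i + 4 > limit:
                return -1
            i += 2 + int.from_bytes(image[i + 2:i + 4], "big")

def _pdf_end(image, start, limit):
    """Offset past the last footer before the next PDF header (incrementally
    saved PDFs hold several footers), including the footer's line ending."""
    header, footer = SIGNATURES["pdf"]
    nxt = image.find(header, start + len(header), limit)
    window_end = nxt if nxt != -1 else limit
    pos = image.rfind(footer, start, window_end)
    if pos == -1:
        return -1
    end = pos + len(footer)
    for eol in (b"\r\n", b"\n", b"\r"):  # keep the EOL so the hash can match
        if image.startswith(eol, end):
            return end + len(eol)
    return end

def carve(image, kind, max_size=20 * 1024 * 1024):
    """Carve contiguous files of `kind`; return dicts with offset, data, hashes."""
    header = SIGNATURES[kind][0]
    find_end = _jpeg_end if kind == "jpeg" else _pdf_end
    found, pos = [], 0
    while (start := image.find(header, pos)) != -1:
        end = find_end(image, start, min(len(image), start + max_size))
        if end == -1:
            pos = start + 1  # false positive or fragmented file: move on
            continue
        data = image[start:end]
        found.append({
            "type": kind, "offset": start, "size": len(data), "data": data,
            "md5": hashlib.md5(data).hexdigest(),        # hash used in the paper
            "sha256": hashlib.sha256(data).hexdigest(),  # added alongside MD5
        })
        pos = end
    return found

def build_sample_image():
    """Constructed test image: filler + tiny JPEG-like file + filler + tiny PDF."""
    thumb = b"\xff\xd8\xff\xdb\x00\x02\xff\xd9"  # embedded thumbnail
    exif = b"Exif\x00\x00" + thumb
    sos = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # stuffed byte + restart marker
    jpeg = (b"\xff\xd8\xff\xe1" + (len(exif) + 2).to_bytes(2, "big") + exif
            + b"\xff\xda" + (len(sos) + 2).to_bytes(2, "big") + sos
            + scan + b"\xff\xd9")
    pdf = (b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n"
           b"2 0 obj\n<<>>\nendobj\n%%EOF\n")  # second footer: incremental save
    image = b"\x00" * 512 + jpeg + b"\xaa" * 300 + pdf + b"\x00" * 256
    return image, jpeg, pdf

if __name__ == "__main__":
    img, original_jpeg, original_pdf = build_sample_image()
    for kind, original in (("jpeg", original_jpeg), ("pdf", original_pdf)):
        for hit in carve(img, kind):
            ok = hit["md5"] == hashlib.md5(original).hexdigest()
            print(kind, hex(hit["offset"]), hit["size"], hit["md5"], ok)
```

Only contiguous files are recovered this way; a fragmented or partially overwritten file either fails the structure walk or produces a hash that does not match the original.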
Case 5
The methodology used in this section of the work mainly focuses on
retrieving data from the cache memory of the applications which are
installed on the device. Out of the plethora of applications available on
the Play Store, one of the most popular and commonly used apps is
Facebook. The same has been used to carry out the experiment. The process
which is followed is given in Fig. 9.

Fig.9-Experiment Flowchart

The Facebook app was installed in the virtual phones created on
Genymotion for Android ver 7.0 and 8.0 respectively. A test id was
created and Facebook Messenger was installed so that messages could be
exchanged through the test id created. A few of the file formats which have
been discussed in the paper earlier were used to exchange messages
between the test id and another genuine user. A .jpeg file was selected
and sent from the test id to the genuine user id. Subsequently, the file
was deleted from the source i.e. the virtual phone. The cache folder of
the app was extracted from the phone and an analysis of the same was
done. The processes involved have been brought out in Fig 10 (a) to (e).
Similar analysis was done in a physical phone but of lower version.
Non-availability of a real phone to carry out experiments was a major
impediment.

Figure 10 (a) Android Ver 8.0 (b) Android Ver 7.0 (c) Test Facebook ID (d)
File sent from Test ID (e) Deleted file from test id (f) Recovered file from
cache
Analysis of the cache files which were extracted as mentioned in the
above section revealed that the .jpeg file that was sent and then deleted
from the source could be recovered from cache as shown in Fig 10(f).
The same experiment was repeated for four more .jpeg files and
they too were recovered. This analysis shows that traces of the
multimedia data that is being transmitted using social media apps can be
found in the user device itself. The header and footer concept which has
been used in this paper to extract different file types has been highlighted
in Fig 11 and 12 for the image extracted above. Additionally, the metadata
of the image is also obtained from the cache of the Facebook app.

Fig.11- Header of the sent image from Facebook cache

Fig.12- Footer of the sent image from Facebook cache

Fig.13- Metadata info of the sent image extracted from Facebook cache

7. Results And Discussions


Hash verification confirmed that the data integrity was maintained in the
suggested methodology in this paper. The matching of hash value in any
evidence is very important to prove its authenticity in the court of law.
This experiment gives a clear picture that different file formats can be
recovered from the virtual and physical phone through a manual process.
However, difficulty is experienced when files are partially overwritten or
the phone memory undergoes a low level format. If the file is written in
split locations, then recovery becomes a challenge. The extraction of data
from mobiles is largely dependent on the available commercial mobile
forensics tools. In the absence of these expensive commercial tools, it
becomes difficult for a forensic investigator to extract data from the
mobiles. To overcome this problem, this research gives a novel method to
extract both present as well as deleted data, from a virtual device and a
physical phone in a forensically sound manner which can be produced as
evidence in the court of law. Table 1 brings out a comparative analysis of
the forensic data extracted from the commercially available tools and
through manual method which uses the Android SDK commands for three
different android version based virtual and real mobile phones.

File Extraction using Commercial Tools Manual Extraction


Formats
Virtual Physical Phone Virtual Device Physical Phone Virtual Device Physical Phone
Device
V V V V V V V V V V V V V V V V V V
4.4 5.0 6.0 4.4 5.0 6.0 4.4 5.0 6.0 4.4 5.0 6.0 4.4 5.0 6.0 4.4 5.0 6.0

PDF(2)                  

DOCX(2)                  

MP4(2)                  

ZIP(2)                  

JPEG(2)                  

Table 1- Comparative chart of extracted deleted data.


To check the efficacy of the proposed work, an android mobile Moto G
2nd Generation having version 5.0 was taken which had been used by a
user over a period of time. The phone was imaged as described above and
different file types extracted from it. Apart from pdf, docx, mp4, zip and
jpeg files, mp3 and png file extensions were attempted using the concepts
described. It was found that all the files could be successfully extracted.
Hash was also taken for the said files and same was verified between
manual method and forensic tools. This further corroborated the research
approach presented in this paper. Also the data extracted from the
Facebook app as has been brought out in Case 5 above reaffirms our
manual approach.

8. CONCLUSION AND FUTURE WORK

In this paper we present a novel method of data extraction from different android
virtual and physical phones using a manual method. The research done is
authenticated using commercial mobile tools and the hash of the recovered file is
matched with the original file to prove the fact that data can be recovered from
mobile phones even without using expensive tools. The methodology presented in
this paper is cumbersome and time consuming, in case a large data set has to be
extracted which is generally the case in any mobile. Hence, there is a need to
automate the process described in the paper, so that the background processing is
invisible to a novice investigator and he can obtain the desired results at the click of
a button. Also the mechanism of hash calculation of all the extracted files needs to
be automated. Fragmented files also pose a challenge and a framework needs to be
made for partial recovery of files since it can act as a vital source of evidence in
criminal investigation. A similar data extraction methodology can be developed for
Windows and iOS phones after detailed study of their architecture. Also,
compatibility of commercial forensic tools for analysis of dd image can be studied
so that a tool compatible format can be generated which would further strengthen
our analysis results. Availability of physical phones having different android
versions, commercial mobile forensic tools and hardware to carry out
mobile analysis research is a difficult proposition. Hence, it is easier to carry out research on a
virtual device which has exactly the same features as a physical phone. The various
advantages of using a virtual phone as listed earlier aid in creating different
scenarios for experimentation, thereby helping in examining the actual mobile
phones. This would not be possible in case of real phones due to manufacturer
imposed limitations, rooting issues, etc. With a simple to use data extraction setup,
the analysis becomes easy. Another advantage of this setup is that the latest versions
of the mobile can also be tested for different android kernels and new
methodologies to extract data can be developed. App data extraction as depicted through the Facebook
app further corroborates our research approach through manual method. It clearly
brings out that a large amount of data cached during the process of message exchange
can be recovered, which can form a rich source of evidence. The present work has
huge potential which can be expanded to develop solutions for extracting data from
various brands of Android smartphones. Deleting data from a mobile device does
not remove the file from its memory. It only removes the visual indication of the
presence of the file to the user. The deleted file continues to reside in the phone
memory until the same is overwritten by another process. And with increasing
phone memory, the probability of file remanence after deletion is very high. This
aspect has been utilised in this research to propose a simple and cost effective
manual method of data extraction from android smartphone.
References

[1] Abdullah, M., Dehghantanha, A., & Yusoff, M. (2014). Advances of
mobile forensic procedures in Firefox OS. International Journal
of Cyber-Security and Digital Forensics (IJCSDF), vol. 3, no. 4, pp.
183-199.

[2] Agrawal A.K., Khatri P., Sinha S.R. (2018). Comparative Study of
Mobile Forensic Tools. In: Kolhe M., Trivedi M., Tiwari S., Singh
V. (eds) Advances in Data and Information Sciences. Lecture Notes
in Networks and Systems, vol 38. Springer, Singapore.

[3] Ali, D., Bernard, O., & Chukwuemeka, B. (2016). Performance of
Android Forensics Data Recovery Tools. Contemporary Digital
Forensic Investigations of Cloud and Mobile Applications, Chapter
7 (Elsevier), pp. 91-110.

[4] Buttner, J., Grover, J., & Guido, M. (2016, Aug). Rapid differential
forensic imaging of mobile devices. Digital Investigation, vol. 18,
pp. S46-S54.

[5] Canlar, E., Conti, M., & Crispo. (2013). Windows Mobile LiveSD
Forensics. Journal of Network and Computer Applications, vol. 36,
no. 2, pp. 677-684.

[6] Cellebrite UFED Touch manual. https://www.mcsira.com.

[7] Choi, J. H., Chang, T., Kim, K. B., & Yang, S. J. (2015, Aug). New
acquisition method based on firmware update protocols for Android
smartphones. Digital Investigation, vol. 14, pp. S68-S76.

[8] Choi, J., Kim, K., & Chang, T. (2015). New acquisition method
based on firmware update protocols for Android smartphones.
Digital Investigation, vol. 14, pp. S68-S76.

[9] Chung, K., Hong, D., Kim, K., & Ryou, J. C. (2007). Data acquisition
from cell phone using logical approach. Proceedings of the World
Academy of Science, Engineering and Technology, vol. 26.

[10] Kessler, G., & Lessa, J. (2010). Android Forensics: Simplifying Cell
Phone Examinations.

[11] Grispos, G., Glisson, W., & Storer, T. (2011, July). A comparison of
forensic evidence recovery techniques for a windows mobile smart
phone. Digital Investigation, vol. 8, no. 1, pp. 23-36.

[12] Himanshu, S., & Tapaswi, S. (2015). Logical acquisition and analysis
of data from android mobile devices. Information and Computer
Security, vol. 23, no. 5, pp. 450-475.

[13] https://en.wikipedia.org/wiki/android-operating-system.

[14] Isak, M. (2016, Oct). Android Forensic Using Some Open Source
Tools. The Eighth International Conference on Business
Information Security, Belgrade, Serbia.

[15] Jadied, E., Lukito, N. Y. P., & Yulianto, F. A. (2016). Comparison
of Data Acquisition Technique using Logical Extraction Method on
Unrooted Android Device. 4th International Conference on
Information and Communication Technology (ICoICT).

[16] John, P., Lohiya, R., & Shah, P. (2015). Survey on Mobile Forensics.
International Journal of Computer Applications, vol. 118, no. 16.

[17] Kessler, G. (2018). File signatures table. Retrieved from
https://www.garykessler.net/library/file_sigs.html.

[18] Meffert, S., Baggili, I., & Breitinger, F. (2016). Deleting collected
digital evidence by exploiting a widely adopted hardware write
blocker. Digital Investigation, vol. 18, pp. S87-S96.

[19] Mohtasebi, S., Dehghantanha, H., & Broujerdi, G. (2011). Smartphone
forensics: a case study with Nokia E5-00 mobile phone.
International Journal of Digital Information and Wireless
Communications (IJDIWC), vol. 1, no. 3, pp. 651-655.

[20] Murthy, N., & Racioppo. (2012). Android forensics: a case study of
the HTC Incredible phone. Proceedings of Student-Faculty
Research Day, pp. 18.

[21] Son, N., Lee, Y., Kim, D., James, J. I., Lee, S., & Lee, K. (2013). A study
of user data integrity during acquisition of Android devices. Digital
Investigation, vol. 10, pp. S3-S15.

[22] Sharma A., Agrawal A.K., Kumar B., Khatri P. (2019). Forensic
Analysis of a Virtual Android Phone. In: Verma S., Tomar R.,
Chaurasia B., Singh V., Abawajy J. (eds) Communication,
Networks and Computing. CNC 2018. Communications in
Computer and Information Science, vol 839. Springer, Singapore.

[23] Vidas, T., Christan, N., & Zhang, C. (2011). Towards a general
collection methodology for android Devices. Digital Investigation,
vol. 8, pp. S14-S24.

[24] Lee, X., Yang, C., Chen, S., & Wu, J. (2009). Design and
Implementation of Forensic system in Android Smartphone. 5th
joint workshop on Information security.
