In this chapter, we looked at the Android architecture and its security models, and at how they are inherited and implemented. We saw how disk encryption has evolved through Android versions and how Android deals with sandboxes, SELinux, and application signing. We then discussed various techniques for bypassing lock screens and how to crack PINs and passwords. This chapter also tried to clarify the importance of rooting Android devices in order to help investigators gather the most evidence from them.
A sound knowledge of Android internals, security implementation, and lock screen bypasses lets us understand some of the techniques used in logical and physical acquisitions. This chapter explained how we can acquire (logically and physically) an Android image and how we can analyze it using a free and open source tool (Autopsy), and introduced the JTAG and chip-off techniques, the differences between them, and how they are used in a forensic context.
This chapter...