Autopsy
Should manual examination or file carving be required, it is best to use a forensic tool that provides access to the raw files on the Android device. Autopsy, the GUI built upon The Sleuth Kit, runs on a Windows forensic workstation and can be downloaded from http://www.sleuthkit.org/autopsy/. Autopsy currently provides analytical support for Android devices. Both open source and Law Enforcement modules are available for Autopsy. These modules provide additional file carving and parsing support for applications and files found on Android devices and SD cards. For example, the open mobile forensics module provides mobile device parsing capabilities to pull out artifacts such as calls, SMS, chats, pictures, and more.
Analyzing an Android in Autopsy
In this example, we will be using a physical image of the Samsung Galaxy SIII. This device was physically extracted using Cellebrite UFED Touch. The following steps should be performed to correctly mount an Android image and to start your...