Android Memory Analysis and Acquisition

This document discusses android memory analysis and acquisition techniques. It notes that while many techniques and tools have been developed, there is still debate around their accuracy, performance, and completeness. The goal of the proposed research is to better understand which techniques and tools are most suitable and effective for android memory analysis and acquisition in different situations involving volatile versus non-volatile memory. Prior research has explored how various methods work but more is needed to determine which to use based on factors like the memory type involved and what is needed for a given legal investigation. The accurate acquisition of complete android memory data is important for forensic investigators and other stakeholders.

Uploaded by

Muhammad Irfan
Android Memory Analysis and Acquisition

Abstract—The use of Android mobile phones is increasing rapidly. This has many benefits, but also some drawbacks. On various occasions Android phones are used in illegal activities by criminals, fraudsters and others. Currently there is a need for cyber forensics. Analysts and various other stakeholders need to analyze and acquire data from Android memory. Various techniques and tools have been developed for this purpose, but there is always a debate about their accuracy, performance and completeness. In this study we briefly look at some outstanding tools and techniques for Android memory analysis and acquisition, as well as why various techniques did not work in different situations.

Keywords—Cyber forensic, Android Forensic, Memory Forensic, Physical Acquisition, Logical acquisition

I. INTRODUCTION

With the passage of time the world is depending more and more on technology. Through mobiles, tablets and personal computers people carry out transactions, sell goods, or learn via online education. Today the smartphone makes it possible to perform almost all the tasks people used to do on PCs. This ease has led to the growth of the smartphone business. Figures for the number of mobile phone subscribers go into the billions. A breakthrough of 5 billion mobile phone subscribers has been achieved [11]. In 2019 China alone had 851.15 million smartphone users, India had 345.92 billion users and America had 260.24 billion smartphone users [1]. Out of a world population of 7.7 billion, approximately 45.4 percent have phones. It means four out of every ten people have a smartphone [2]. The smartphone has really become an essential need for mankind. With the growth of mobile phones the Android operating system is also gaining popularity. Android has the leading operating system market share. Roughly 86.2 percent of mobile devices run the Android operating system [3]. As of 2019 there were 2.5 billion active Android users [4]. Without any doubt, this technology also has its dark side, which may affect the stakeholders of Android phones at the worst level.

A. Research Problem

Information security issues are multiplying day by day. In the era of technological advancement, the biggest market share in mobile operating systems poses some challenges for Android and its stakeholders, specifically for users. Privacy and security matter a lot to users, who also want to perform their day-to-day tasks through mobile phones because of the facilities they offer. Breaching of users' privacy
through mobiles can affect them at an extreme level. That is the reason Android attracts various attackers as well as security professionals, each with their own interest.

If an investigation is carried out, different issues have to be faced. There are various situations in which different methods and tools provide different levels of detail when it comes to memory analysis and acquisition in Android. The level of detail also depends on whether data is acquired from volatile memory or non-volatile memory. The level of detail and accuracy of Android memory analysis and acquisition is important for all stakeholders relevant to the forensic investigation. Different tools and methods have already been presented for this purpose, and these tools and methods are effective in different situations. Suppose there is a need to analyze phone memory for a legal case. Is the technology developed enough that we can rely on cyber forensics? How can it be evaluated that data acquired through cyber forensics will be accurate, complete and sufficient for decision making? Is there any possibility that the investigator may acquire a corrupt or altered image of the data? Which techniques and tools will be useful for this purpose? Memory analysis and acquisition is a complex task; the report of this task may influence various decisions, and it may influence them at an extreme level. A number of studies have already been conducted on Android forensics, particularly on Android memory analysis and acquisition; these studies elaborate how different methods and tools work. There is a need for research to understand which technique should be chosen in which situation, and which tools work best when it comes to volatile memory analysis and acquisition versus non-volatile memory analysis and acquisition.

B. DEGREE OF INTERESTINGNESS

Cyber forensics is a scientific field concerned with acquiring and investigating digital evidence. There are various reasons for interest in memory analysis and acquisition. Applications of memory analysis and acquisition range from investigating assassination and deception to assisting law enforcement officials in various examinations. It is really helpful for evaluating potentially harmful applications which will affect users' privacy at a greater level. Through memory analysis and acquisition the forensic investigator can play his role in the wellbeing of society. From time to time the forensic investigator needs to perform memory acquisition. Data gathered through memory analysis and acquisition can be utilized in multiple ways. It assists in decision making and also helps to resolve various disputes or legal cases.

C. RESEARCH NEED

A number of studies have already been conducted on Android forensics, particularly on Android memory analysis and acquisition; these studies elaborate how different methods and tools work. There is a need for research to understand which technique should be chosen in which situation, and which tools work best when it comes to volatile memory analysis and acquisition versus non-volatile memory analysis and acquisition. What factors should be considered when there is a need to perform cyber forensics?

D. Aim and Objectives

A forensic investigator should choose
wisely and professionally which technique will be used to analyze and acquire data. Which tools will be preferred, and how will those tools help to perform this analysis in an accurate and professional way? It is the responsibility of the investigator to choose the most effective tools and methods for data analysis and acquisition, because if care is not taken during memory analysis and acquisition the consequences will be at their worst. Forensic memory analysis and acquisition is a concern all across the globe, anywhere Android phones are used and there is a need to perform cyber forensics.

The intention of the proposed research is to better understand the suitable methods and tools that can be used for Android memory analysis and acquisition, as well as why various techniques did not work in some situations.

E. Research Question

1) How do forensic tools and techniques play a role in gathering forensic data?
a) Why are some forensic tools preferred over others?

I. RELATED WORK

Barghouthy & Marrington in 2014 elaborated why there is no need to root an Android device for memory analysis and acquisition [5]. It has become a common myth that rooting an Android device helps to analyze and acquire memory at the cost of minimal memory alteration, and that this is an acceptable trade. This point of view has been challenged, and various other techniques have been proposed to perform analysis and acquisition without the need for rooting. The proposed case study included private web browsing using the Orweb application. Instruments used in the case study were a laptop, Samsung Galaxy S2, FTK Imager, FTK toolkit, Micro USB cable, Micro SD card and various others. Experiment results were obtained through rootkit acquisition methods and a data recovery method. A comparison of the results was made. The experiment proved that Android cyber forensics can be performed without rooting the device, and also that complete and accurate acquisition can be performed without rooting the Android device. Furthermore, rebooting an Android phone can be disruptive for volatile memory. This study only considered acquisition from secondary memory; its results cannot be applied to live memory (RAM).

Wachter and Gruhn proposed a study in 2015 about how practical the research is when it comes to Android memory analysis and acquisition [6]. This research was particular to volatile memory. The research applied strategies explained in different studies to 8 Android mobile phones and found that full analysis and acquisition could only be conducted against 1 device. All 8 devices were in stock configuration. First, an attempt was made to perform acquisition via LiME and then via Volatility. The researchers faced various hindrances during this procedure.

1. First of all there was the need to know the exact model of the smartphone.
In some cases it is almost impossible to know the mobile model, especially when the only way to know the model is to remove the battery, which most of the time will affect the content of volatile memory.

2. Circumventing the lock screen is another issue.
In some scenarios USB debugging is required. There are ways of circumventing the lock screen of an Android phone, such as Android Device Manager, but these also have prerequisites, such as a Google account, or that Android Device Manager should be enabled.

3. Gaining root access is another hindrance.
LiME cannot be loaded unless the investigator has root access. There are two well-known ways to gain root access on Android: the first is unlocking the bootloader and reflashing, and the second is to find and exploit a vulnerability in Android.

4. Availability of the kernel source, which might not always be available.
Availability of the kernel configuration, availability of the kernel compiler, and evidence erosion are also hurdles that the investigator might face.

The following smartphones were chosen for the experiment: "Google Nexus S", "HTC Magic", "Sony Xperia Mini Pro" and "Samsung Galaxy S III mini GT-I8190 vs GT-I8200N". The results of the experiment show that forensic analysis and acquisition cannot be performed on the Google Nexus S because there is a need to root the phone, which requires the phone to reboot. If the phone is rebooted it automatically loses all contents of volatile memory. On the "HTC Magic", volatile memory analysis and acquisition could not be completed because of the unavailability of the kernel source code. The kernel source of the operating system was not available at that time on the official HTC website. The Sony Xperia Mini Pro was the device on which full analysis and acquisition was performed, via the "Eroot" tool. At that time this tool's interface was only available in the Chinese language, and the internal working of the tool was also not known. The Samsung Galaxy S III mini was a phone that was available in different versions; some well-known versions were the GT-I8190, which was produced in 2012, and the GT-I8200N, which was produced in 2014. One cannot differentiate the two versions because they have almost the same interface; the model can only be determined after removal of the battery. Battery removal is not acceptable because volatile memory is affected by it. The difference in chips was also an issue, so memory analysis and acquisition could not be performed on this device. The study concluded that advancement in the architecture and security of the Android operating system hinders forensic analysis and acquisition. The investigator needs to prepare the device before performing forensic analysis. There is a need to test the practicality of Android forensic investigation tools and techniques. This requires more time, cost and dedication.

Rao & S. provided a survey on Android forensic tools and methodologies [7]. They take into account that Android devices are used in various crimes. They explained the Android operating system, file system and Linux kernel, then thoroughly presented various methodologies and tools for logical data acquisition and physical data acquisition, both of which may be required at different stages of an investigation. Existing tools available in the market, both open source and commercial, are discussed. Various tools like SAFT, AFLogical, Open Source Android Forensic Toolkit etc. are discussed for logical data acquisition. For physical data acquisition, JTAG forensics and some other tools are discussed. At the end the survey concludes which tools are effective or capable of performing cyber forensics. These tools can be utilized for
memory analysis and acquisition, and these tools are also valid in a court of law. Different tools are utilized in different situations and on different devices, but there is a need for a standard framework, which would be greatly helpful in the domain of cyber forensics.

Nisioti, Mylonas, Katos & Chryssanthou presented a paper in 2017 regarding the extraction of data relevant to internet messaging applications [3]. Various tools and techniques commonly extract data from a database when performing memory acquisition; the drawback of this method is that if the database is altered or damaged, it may influence the wholeness of the data. The research recommended a way to acquire data from Random Access Memory. The methodology to acquire data from random access memory mainly consists of acquisition of the data available in memory dumps, identification of patterns relevant to the data, use of regular expressions for pattern identification, and decoding of the data already retrieved. The results of this method show that it can acquire not only the most recent messages but also messages dated from past times. The researchers also applied the proposed technique in four experiments of the presented study. The researchers concluded that the proposed methodology is very helpful for data acquisition from volatile memory. The technique can also recover data after the removal of the battery. Further, there is a plan to update the regular expressions for the sake of different patterns, and also to include different messaging applications. The study confirms that there is a possibility to recover data from memory even after power loss by using an Android analysis and acquisition technique.

Varol, Aydogan & Varol conducted a study in 2017 about Android mobile cyber-attacks [8]. The study explained two techniques commonly utilized to attack Android mobiles: one is the frequency based attack and the second is the application based attack. In the proposed study they discussed and experimented with the frequency based attack to acquire data from Android. The data that was acquired mainly consists of images and messages. They also claimed that through this attack they controlled the mobile phone camera and took pictures using it. The pictures were later downloaded to a computer. Furthermore, the study elaborates that through this attack an attacker might secretly listen to the conversation of the victim. The study put stress on frequency based attacks. The following steps are required to launch a frequency based attack on an Android device.

1. Recognition of operation steps
This step comprises
a. Temporary Mobile Subscriber Identity (TMSI)
b. Encryption via secret key
2. Required way to acquire control
3. Required way to block control

The study concluded that an Android phone can be exploited via a program controlled radio circuit. They further added that with skills and a device costing a few dollars anyone can breach the security and privacy of an Android user, and it might damage the victim at an extreme level.

Sathe & Dongre presented research in 2018 on different forensic investigation techniques for Android [9]. The research explained that there should be the following steps in mobile forensics. "Identification": to identify the hardware device. "Preservation": to preserve the particular device in isolation so that the next step of data retrieval can be started. "Acquisition": in this step measures are taken to ensure the safety of the data so that it cannot be lost at any cost. "Analysis": this step is used to
critically examine the data retrieved in the previous step so that meaningful information can be derived from it. "Documentation": aims to prepare a document for all activities and associated results. "Presentation": in this last step evidence can be presented to the legal authority. The paper also elaborates both logical and physical data retrieval techniques being used by different forensic investigators, and compares both memory acquisition techniques in detail. The paper used existing techniques for both logical and physical memory analysis. For logical acquisition, techniques like ADB Pull, Backup Analysis and AFLogical were used. Some commercial tools, e.g. Cellebrite UFED, Compelson MOBILedit and viaForensic's viaExtract, were also utilized for this purpose. For physical data acquisition two categories, hardware based and software based acquisition, were defined; the acquisition techniques JTAG and Chip-off were utilized for hardware based data retrieval, while Cellebrite UFED, Oxygen Forensic Suite and Wondershare Dr.Fone for Android were utilized for physical acquisition through software. A comparison was performed between the different acquisition techniques. The logical comparison was based on items like root, data access, integrity, cost etc. The items root, USB debugging, time, cost etc. were utilized for physical acquisition. This was really an informative comparison. As a result of the comparison, AFLogical and Backup Analysis are easier and more economical for logical data retrieval. For physical data retrieval, software based retrieval is the feasible one, although commercial acquisition tools can be utilized for optimum performance. The result of the case study proved that AFLogical performs better in respect of time, and Wondershare Dr.Fone is better where time is not an issue, as it can retrieve a wealth of information. The study concluded that AFLogical can be a better choice for logical data acquisition, and for physical data acquisition the software based approach should be preferred because it does not damage the device. Moreover, software based physical acquisition is less complex, more affordable and requires minimal training compared to the hardware based technique. An examination was performed on a Samsung mobile using Wondershare Dr.Fone and some other related tools. It was an attempt to acquire data through memory analysis and acquisition. These tools recovered the maximum data. The study concludes that different tools might be utilized for different forensic examinations. This study contributes to the understanding of forensic analysis of Android mobiles.

Htun, Thwin & San proposed a study in 2018 regarding forensic investigation on Android mobiles [10]. They explain that a forensic investigator should be prepared enough to face any situation and perform as the field demands. The study elaborates a forensic investigation tool named ANDROSICS for performing digital analysis and acquisition. A great motivation behind this work is forensic investigators, organizations and countries that are not technically equipped enough to perform forensic analysis in an efficient way; because of the high prices of forensic tools, these tools might not be available to all. The proposed forensic tool can perform a variety of tasks, e.g. extracting data from Android, performing data backup and restore, and performing forensics when the power is on. Other related features that this tool provides include dead analysis, cryptography, removal of the screen lock, performing a reboot, deep analysis and a few others as well. The study concluded that there is a need to update the ANDROSICS tool according to
technological demands and techniques like steganography, the study of ciphers, cipher text and cipher systems named cryptanalysis. All this devotion is for the stakeholders of the forensic analysis field.

Dian & Hudec wrote a paper in 2019 about data gathering through cyber forensics, particularly by memory analysis and acquisition [11]. The paper explained the types of data that can be gathered through cyber forensics and also addressed the issues relevant to this domain. It explains how different tools gather data from a digital device (Android). Data that can be gathered through memory analysis and acquisition are device relevant information, SIM relevant information, contact details, call logs, data regarding different messaging applications, user account details (e.g. Google account, online banking account) and data that has been deleted from the Android phone. The study suggests that there are five main steps to perform Android memory analysis and acquisition: "collection", "identification", "preservation", "examination" and "reporting". It also discussed the Android operating system architecture, because it is necessary to understand the Android architecture for forensic analysis and acquisition, and different freely available memory acquisition tools. The study divided data acquisition tools into two categories, logical data acquisition tools and physical data acquisition tools. ADB Backup, QtADB, AFLogical and Oxygen Forensics Detective were used for logical data retrieval. For physical data retrieval Cellebrite Universal Forensic Extraction and Paraben's Device Seizure were used. Then a technique is proposed for data retrieval, but there are also various prerequisites to this proposed technique. Other forensic data gathering techniques are also discussed. Furthermore, it has been suggested to improve the proposed technique by introducing new methods like Artificial Intelligence to process different events etc. It concludes that the paper explained how these different tools worked for data acquisition and how cyber forensic investigation can be improved.

Tayeb & Varol proposed a review paper in 2019 regarding cyber forensics of the Android operating system [12]. It is not a comprehensive review, but it is enough to accumulate the base of the most influential studies. They collected data from 49 sources and explained the findings of different researchers. The research also elaborates that the steps "identification", "preservation", "acquisition", "examination" and "presentation" should be considered for Android forensics. "File system acquisition", "Memory acquisition" and "Environmental acquisition" may be the main sources of evidence, in addition to other possible ways of digital acquisition. The study concluded that performing cyber forensics on Android devices requires a good understanding of smartphone structure as well as in-depth knowledge of forensic analysis and acquisition. In spite of the popularity of cyber forensic analysis, Android forensic analysis still demands a lot of work. There is not much work available in this area; in particular, social applications are a good domain to explore in the context of cyber forensics, because these social media applications contain a vast amount of data that can serve the purpose of forensic analysis. Furthermore, there is still a lack of a standard framework for Android forensic analysis. Different techniques and tools work in different scenarios. There is a need for more effort and dedication regarding this issue so that we may get a standard framework
which will lead forensic analysis in the future.

Lwin, Aung & Lin conducted related research on Android acquisition tools and techniques [13]. The study elaborates that there are various reasons that create hurdles in Android forensic analysis and acquisition. From time to time new versions of Android are introduced. It is a challenge for forensic investigators, and also for forensic tools and techniques, to keep pace with this evolution. The paper utilized various freely available analysis and acquisition tools, because there are limitations in different tools due to the diversity in mobile phones and Android operating system versions. The tools utilized different techniques to accomplish the goal of forensic analysis and acquisition. For gathering data the study utilized the DD imaging tool and ADB Backup. Furthermore, Belkasoft and Magnet ACQUIRE were also utilized. Through these tools the techniques of logical and physical acquisition were applied. Belkasoft acquired data in a speedy manner, and it is also easy to use because it has a graphical user interface, as compared to the DD imaging tool and ADB Backup, which use a command line interface (CLI). Various other tools were also utilized for forensic analysis, e.g. Belkasoft Evidence Center and Autopsy. The study concluded that all the mentioned tools worked in one situation or another. Some tools worked well for logical data acquisition, while others perform better when there is a need for physical data acquisition. A forensic investigator should not rely on one tool or technique. The investigator should be proactive in utilizing a combination of tools and techniques for Android forensic analysis and acquisition so that the most effective result can be obtained. This approach will enhance the accuracy and wholeness of the data, which will help in decision making.

II. RESEARCH METHODOLOGY

There is always confusion about forensic investigation tools and techniques. Which technique is suitable for which situation? The aim was to understand these tools and techniques in a better way. The research question chosen was "How forensic tools and techniques play role in gathering complete and accurate forensic data". Research on this topic was performed in a qualitative way. The reason behind the selection of a qualitative strategy is that the research problem and question required an in-depth understanding of the topic. It helped to gain background knowledge on the topic and to compare new ideas with the existing ideas of other researchers.

A. Data Gathering and Sampling Procedure

In order to gain better insight into the topic, qualitative data was obtained through secondary sources like online research, journals, academic books, encyclopedias, reviews and articles. The non-probability sampling method of purposive sampling was used for this purpose. Purposive sampling is based completely upon the judgment of the researcher. Only data relevant to Android forensic analysis, particularly related to Android memory analysis and acquisition methods and tools, was gathered. A qualitative research strategy is always utilized when there is a need to understand complex ideas, or when researchers want to explain an in-depth understanding of a particular topic. So qualitative research was the most suitable approach to dig deep into the knowledge of this research problem [14], [15].

B. Data Analysis
Data analysis was performed in a thematic way. An inductive approach was used, based on the gathered data. Thematic analysis is one of the widely used data analysis methods in research. If care is taken during thematic data analysis, it provides the most key findings and accurate results. This approach is always utilized when the aim is to closely examine the data to evaluate broad concepts. At the start, categorization of the data was performed. Themes were generated and reviewed. In the next step I defined and named all derived themes. At the end the write-up was performed. There was a fair amount of data available on the above mentioned research topic, but this research area still demands attention from researchers [16].

III. ETHICAL ISSUES

In this qualitative research, all ethical considerations relevant to the research were keenly observed. The procedure of data collection was not biased at all; data was gathered through different sources, and there was fair evaluation when comparing data from different sources. Confidentiality was maintained across all stages of the research. The only purpose of gathering and utilizing data from different sources is the understanding of cyber forensics through research. Proprietorship of the data was acknowledged during this study [17].

IV. SOLUTION/RESULTS

After investigation, different themes, categories and codes were found. These themes, categories and codes are purely dependent on the data previously gathered.

| Themes | Category | Code |
|---|---|---|
| Technical view | Capability | Recovery, Fault tolerant, accessibility |
| Technical view | Standardization | Mobile Models, customization, Architecture |
| Technical view | Characteristics | Potential, flexible, economical |
| Human view | Investigation time | Short, lengthy |
| Human view | Inter-related skills | Database, hardware, software |
| Domain view | Legitimate Factors | Legislation, statute |
| Domain view | Market | Difficulty, growth |

Table 1: Thematic Analysis: [16]

The theme "Technical view" deals with the potential of a tool and technique: how much different tools and techniques help the investigator to acquire the required data or results. In the technical view three categories were established: "capability", "standardization" and "characteristics". The "capability" category contains codes that describe the ability of a tool and technique to perform the desired operation. The category "standardization" contains codes that elaborate the technical aspects relevant to the standardization of tools and techniques. The category "characteristics" contains codes that show the particular features and qualities of tools and techniques. An in-depth analysis of the data showed that almost all techniques and tools work well to gather data, but some tools and techniques perform better than others [7], [8].

The theme "Human view" deals with the forensic investigator's ability and interest to work with a particular tool and technique, and how comfortable an investigator feels while using forensic analysis tools and techniques. In the "Human view" theme two categories were established: "Investigation time" and "inter-related skills". Furthermore, "investigation time"
contain codes that explain the time required more than one factors to consider for choice.
by tools and techniques to fulfill particular Result indicated that various factors come
operation of an investigator. The code into consideration when its need to decide
“inter-related skills” elaborate skills needed about forensic analysis tools and techniques
by an investigator to successfully perform [9], [14]; Investigator should take into
desired forensic operation. After data account technical, human and domain view
observation it elaborate it always a before choosing particular technique or tool.
preference for forensic investigator to done These findings are similar to Rao & S.
its task in an efficient manner. Forensic (2016) [7]. These all aspects are important.
investigators also preferred tools that These tools and techniques might recovered
demands little inter-related skills from data but there are also other aspects to
investigator side and performing most of the consider. This study contributes clearly, how
task by automated way [7]. tools and techniques can play a vital role in
forensic investigation. It will help to
The theme “Domain view” consider
understand how suitable techniques and
different aspects of particular domain. It
tools can be considered. Study strongly
shows the external entities that may
recommended the need for establishment of
influence mobile phone forensic
standardized way to perform android
investigation. It comprise of two categories
forensic analysis and acquisition. These
“Legitimate Factor” and “Market”. Category
results are also supported by Dian & Hudec
“Legitimate Factor” explain different
(2019), Tayeb & varol [11], [12];
aspects of law. Category “Market” draws
from literature where it points out how VI. DELIMITATIONS AND
innovation in mobile phones can affect the LIMITATIONS
procedure of forensic analysis. As observed
Qualitative approach has been
various investigator feels little awkwardness
choose for this research. Proposed research
when they need to carve themselves
put focus on depth of memory analysis and
according to the rules and regulations law
acquisition. This study is constrained by
apposing on them. Also diversity demand
amount of data gathered due to pandemic
from them to be an active learner to keep up
issue. It didn’t included all existing material
with this field. It’s also a concern how
available about forensic memory analysis
different mobile manufacturers switching
and acquisition.
towards a cloud perspective [11], [12].
VII. FUTURE WORK
V. DISCUSSION
Future studies should take into
There are too many tools and
account various ways of data gathering and
techniques available in market for android
an exhaustive study should be conducted on
forensic analysis but it always a confusion
this topic. It will help to understand hidden
which technique will works best. The
aspects of memory analysis and acquisition.
research question established was how
forensic tools and techniques play role in VIII. REFERENCES
gathering forensic data & why some forensic
tools preferred over others. There are always [1]"Smartphone users by country 2019 |
Statista", Statista, 2020.
[2] “How Many People Have Smartphones in 2020 | Oberlo,” Oberlo, 2020.

[3] A. Nisioti, A. Mylonas, V. Katos, P. D. Yoo, and A. Chryssanthou, “You can run but you cannot hide from memory: Extracting IM evidence of Android apps,” 2017 IEEE Symposium on Computers and Communications (ISCC), 2017.

[4] L. Tung, “Bigger than Windows, bigger than iOS: Google now has 2.5 billion active Android devices | ZDNet,” ZDNet, 2020.

[5] N. A. Barghouthy and A. Marrington, “A Comparison of Forensic Acquisition Techniques for Android Devices: A Case Study Investigation of Orweb Browsing Sessions,” 2014 6th International Conference on New Technologies, Mobility and Security (NTMS), 2014.

[6] P. Wachter and M. Gruhn, “Practicability study of android volatile memory forensic research,” 2015 IEEE International Workshop on Information Forensics and Security (WIFS), 2015.

[7] V. Rao and A. S., “Survey on Android Forensic Tools and Methodologies,” International Journal of Computer Applications, vol. 154, no. 8, pp. 17-21, 2016. Available: 10.5120/ijca2016912182.

[8] N. Varol, A. F. Aydogan, and A. Varol, “Cyber attacks targeting Android cellphones,” 2017 5th International Symposium on Digital Forensic and Security (ISDFS), 2017.

[9] S. C. Sathe and N. M. Dongre, “Data acquisition techniques in mobile forensics,” 2018 2nd International Conference on Inventive Systems and Control (ICISC), 2018.

[10] N. L. Htun, M. M. S. Thwin, and C. C. San, “Evidence Data Collection with ANDROSICS Tool for Android Forensics,” 2018 10th International Conference on Information Technology and Electrical Engineering (ICITEE), 2018.

[11] F. Dian and J. Hudec, “Efficient Sensitive Data Gathering with Forensic Analysis of Android Operating System,” 2019 17th International Conference on Emerging eLearning Technologies and Applications (ICETA), 2019.

[12] H. F. Tayeb and C. Varol, “Android Mobile Device Forensics: A Review,” 2019 7th International Symposium on Digital Forensics and Security (ISDFS), 2019.

[13] H. H. Lwin, W. P. Aung, and K. K. Lin, “Comparative Analysis of Android Mobile Forensics Tools,” 2020 IEEE Conference on Computer Applications (ICCA), 2020.

[14] “Non-probability sampling: Lærd Dissertation,” Non-probability sampling | Lærd Dissertation. [Online]. Available: http://dissertation.laerd.com/non-probability-sampling.php. [Accessed: 27-Jun-2020].

[15] J. Brannen, “Mixing Methods: The Entry of Qualitative and Quantitative Approaches into the Research Process,” International Journal of Social Research Methodology, vol. 8, no. 3, pp. 173–184, 2005.

[16] L. S. Nowell, J. M. Norris, D. E. White, and N. J. Moules, “Thematic Analysis,” International Journal of Qualitative Methods, vol. 16, no. 1, p. 160940691773384, 2017.

[17] D. Peters, “Qualitative Methods in Monitoring and Evaluation: Ethical Considerations in Qualitative Research,” American University Online, 2020.
