7bit PDU | 7bit PDU (GSM-7) |
ABX file format | Android ABX - Binary XML |
Android | Android version without the build.props file |
Android | Identifying the Android Operating System Version thru UsageStats |
Android | Corroboration. That Is All. |
Android - Accounts | Investigating Android Accounts |
Android - Bluetooth | How Android Bluetooth Connections Can Determine If The Hands of a Driver Were On The Wheel During An Accident |
Android - Bluetooth | Turbo Strikes Again - Tracking Bluetooth Device Battery |
Android - Bluetooth | Android Bluetooth Connection Configuration |
Android - cast.db | An Android Casting (Device) Story: "cast.db" |
Android - Contacts | Investigating Android Contacts |
Android - Deleted Samsung Apps | Android - Samsung Traces of Deleted Apps |
Android - Device Health Services | Turbo Pt. 3 - Device Health Services Application Usage |
Android - Device Migration | Android - Tracking Device Migration |
Android - Device Personalization Services | Walking the Android (time)line Part 2 – Using Android’s Device Personalization Services to timeline user activity |
Android - Digital Wellbeing | Walking the Android (time)line. Using Android’s Digital Wellbeing to timeline Android activity. |
Android - Digital Wellbeing | Investigating Android Digital Wellbeing |
Android - Downloads | Investigating Android Downloads |
Android - external.db | Android’s external.db – Everything Old Is New Again |
Android - Factory Resets | Wipeout! Detecting Android Factory Resets |
Android - Gallery Imgcache | A Timestamp Seeking Monkey Dives Into Android Gallery Imgcache |
Android - IMO | Investigating Android IMO |
Android - Installed Applications | Investigating Android Installed Applications |
Android - Mobile Telephony | Geodata & Mobile Telephony Artifacts in 3rd-Party Android Apps: Recreating User Travel Patterns |
Android - Nearby Share | Nearby Share – AirDrop for Android (Return of the Unsolicited Richard Photograph) |
Android - Now Playing History | Google Pixel Now Playing History |
Android - Permissions | Android - Roles and Permissions (Android 10/11) |
Android - Permissions | Android’s “Dangerous” Permissions |
Android - Playstore | Investigating Android Playstore Search History |
Android - Recent Tasks | Android Recent Tasks XML Parser |
Android - Samsung Predictive Text | Android - Predictive text exclusions in Samsung devices |
Android - SMS | Investigating Android SMS |
Android - Turbo.db | Charging Battery with Turbo DB |
Android - Unsupported Artifacts | Mobile Forensics: Discovering the Undiscovered |
Android - Usagestats XML | Android Usagestats XML Parser |
Android - Video Thumbnails | Video Thumbnails ".lvl" Found on Android Devices |
Android 10 | Android 10 Image - The Binary Hick/DigitalCorpora |
Android 10 - Usagestats | Usagestats on Android 10 (Q) |
Android 11 | Android 11 Image with Documentation - The Binary Hick |
Android 12 | Android 12 Image Now Available! - The Binary Hick |
Android 13 Image | Android 13 Image Now Available - Binary Hick |
Android 7, 8, and 9 | Public Android Images - The Binary Hick |
Android Acquisition | Data Extraction Cheatsheet |
Android Acquisition | The Investigator’s Guide to Android Acquisition Methods. Part I: Device |
Android Acquisition | How to Acquire Digital Evidence with Android Screen Capturer in Belkasoft X |
Android Acquisition | Mobile Forensic Images and Acquisition Priorities |
Android Forensic Methodology | Android Analysis Quickstart - Vishal Thakur |
Android Health Data | The State of Android Health Data (Part 1) – Garmin - Binary Hick and Part 2 - Google Fit |
Android Malware | Examining A Malware-Infected Android Phone. This Android Is Not Alright. - The Binary Hick |
Android Reset | Wipeout! Detecting Android Factory Resets - Joshua Hickman |
Android Unlocking | Android: Unlock and Rooting |
Android Versions/Flavors | Different Android Flavors and Forensic Processing - Paraben Corporation |
APK Downgrade | Manually APK Downgrade for split APKs - Pieces0310 and The impact of Android 12 |
Application Execution | Has the user ever used the XYZ application? aka traces of application execution on mobile devices |
ARTEMIS | ARTEMIS - Android support for APOLLO |
AVG Photo Vault | Decrypting the 'AVG' Photo Vault - The Incidental Chew Toy |
Badoo | Finding Badoo chats in Android using SQL queries and the MAGNET App Simulator |
Bumble | The Bots are Buzzing - Bumble on Android - Stark4N6 |
Calculator Photo Vault | App Review of Calculator Photo Vault |
Calculator Vault Apps | Decrypting the ‘Calculator’ App(s) and Decrypting ‘LOCKED Secret Calculator Vault’ |
CCleaner | Quick DFIR review - CCleaner for Android |
Chess.com | Decoding Chess.com - Kibaffo33 |
Citymapper | Forensic Analysis of Citymapper for Android - Andy Smith |
Device Health Services | Turbo Speed: Parsing Device Health Services from Google - Kevin Pagano |
Discord | Discord Android App Review - DFIR |
Discord | Discord Forensics |
DJI Fly | Android - DJI Fly & The Pesky Problem of Preferences |
Dual SIM Phones | Mo’ SIMs, Mo’ Problems. Examining Phones with Dual SIMs - Binary Hick |
Facebook Messenger | Investigating Android Facebook Messenger |
Files By Google | Files By Google: More Mobile Explorer Artifacts |
Firefox Focus | Local Storage - Firefox Focus Privacy Browser Artifacts in Android |
Flud Torrent Downloader | Torrent Applications in Android - Flud Torrent Downloader |
Forensic References | Android Forensics References - Mattia Epifani |
Garmin | The State of Android Health Data (Part 1) – Garmin |
Garmin Connect | Gabbing about Garmin Connect for Android - Stark4n6 |
Gboard & Clipboard | Gboard and Clipboard History - Stark4N6 |
Gboard Session Data | OMGboard - Kibaffo |
Gmail | Investigating Android Gmail |
Google Assistant | Google Assistant Butt Dials (aka Accidental & Canceled Invocations) |
Google Assistant | Google Search & Personal Assistant data on Android |
Google Call Screen | May I Ask Who's Calling - Google Call Screen |
Google Docs | Google Docs - Cello & DocList DBs |
Google Duo | Google Duo - Android & iOS Forensic Analysis |
Google Fit | The State of Android Health Data (Part 2) – Google Fit - Binary Hick |
Google Keep | Google Keep - Notes and Lists: Mobile Artifacts |
Google Maps | Finding Phones With Google Maps Part 1 (Android) |
Google Maps - Android 12 | At the roundabout, take the second exit… |
Google Photos | Dumpster Diving in Google Photos Android App: "local_trash.db" |
Google Tasks | Google Tasks - Android Forensics analysis |
Google Voice Search (via Google Takeout) | Parsing Google Voice Search - Campaign Cybersecurity |
GroupMe | Investigating Android GroupMe - Forensafe |
HealthMate | App HealthMate on Android Part 1 - Users, Messages, Devices |
HealthMate | App HealthMate on Android Part 2 - Activities |
HealthMate | App HealthMate on Android Part 3 - Heart Rate, GPS, Steps |
Huawei - Extraction | Practical Guide to Huawei Device Extraction in UFED |
Instagram | Investigating Android Instagram |
Jami | Forensic Analysis of Jami for Android, a Peer-to-Peer Messaging Application - DFLim |
Kik Messenger | Mobile Forensics on Kik Messenger - Leahy Center for Digital Forensics and Cybersecurity |
LA Fitness | Quick DFIR review - LA Fitness Android app |
Last SIM | Investigating Android Last SIM |
Launcher.db | Recreate Android apps, folders, and widget screen positions from a forensic extraction |
LG - MPT | MPT – LG’s incognito version of KnowledgeC |
Life360 | Analyzing Life360 on Android |
Mastodon | Thawing the Ice Age - Mastodon on Android - Stark4N6 |
Mega's megapreferences | Decrypting Mega’s megaprefences Sqlite Database - AskClees |
Microsoft RDP | Android Remote Desktop Apps - Microsoft RDP |
Microsoft Surface Duo | Rooting Microsoft Surface Duo - CyberSocialHub |
Microsoft Translator | Microsoft Translator - Android DFIR App Review |
Mozilla Firefox | Web History, Visits, Bookmarks & Search Terms, Downloads, Top Sites & Recently Closed Tabs, and Cookies, Permissions & Form History - Stark4n6 |
Nanbox Messenger | App Nandbox Messenger on Android |
Nike Run | Android Nike Run app - Geolocation, SQLite views & self joins |
Privacy Dashboard - Android 12 | Snooping on Android 12’s Privacy Dashboard - The Binary Hick |
PrivateSpace | Not so private: extracting data from PrivateSpace |
Protobufs | Parsing unknown protobufs with python |
ProtonMail | ProtonMail |
Qualcomm - EDL Mode | Mastering EDL Mode |
Qualcomm - EDL Test Points | Mastering EDL Test Points |
QuickPic | QuickPic for Android - Don't forget external/emulated storage! |
Samsung Bluetooth Call Routes | Road Trippin’ – Exploring Bluetooth Call Routes on Samsung Phones |
Samsung Galaxy Smart Watch4 | Exploring The Samsung Galaxy Watch4 Smartwatch - Cyberspaghetti |
Samsung Gallery3d Trash | Mike & the Monkey Dumpster Dive Into Samsung Gallery3d App Trash |
Samsung My Files | Android - Samsung My Files App |
Samsung Power Events | DeRR.p. Investigating Power Events on Samsung Devices |
Samsung Power Off Reset Logs | Samsung Power Off Reset Logs |
Samsung Smart Switch | Android - Samsung Smart Switch // iOS Transfer Artifacts |
Secret Calculator Photo Vault | Decrypting 'Secret Calculator Photo Vault' - The Incidental Chew Toy |
Session | Session On Android – An App Wrapped in Signal - The Binary Hick |
SetupWizard | Wipeout! Part Deux – Determining How an Android Was Setup - The Binary Hick |
Shutdown Checkpoints | Shutdown Checkpoints in Android 12 |
Signal | Obtain a logical dump of Signal data on Android with signal-back |
Signal | Decrypting Signal DB for Android |
Signal | Investigating Signal with ArtiFast Signal |
SKOUT | App SKOUT on Android |
Skype | Android Call Logs |
Skype | Skype on Android - Images in Web Cache |
Slack | Finding Slack app messages in Android and using json_extract to do it. |
Snapchat | Snapchat Analysis to Discover Digital Forensic Artifacts on Android Smartphone |
Snapchat | Two Snaps and a Twist – An In-Depth (and Updated) Look at Snapchat on Android |
Snapchat | Investigating Android Snapchat App |
Snapseed | Mobile Forensics — Analyzing Snapseed on Android - Veeraj Modi |
Sygic | Investigating Android Sygic - Forensafe |
SystemPanel2 | Android SystemPanel2 - App usage tracking |
TeamViewer Remote Control | Android Remote Desktop Apps - TeamViewer Remote Control |
Telegram | Telegram Forensics: Getting Started |
TIA Portal | Investigating an engineering workstation - Part 1 - NVISO Labs and Part 2 |
TikTok | Finding TikTok messages in Android |
TikTok | Investigating Android TikTok - Forensafe |
Tile | Android - Locating Location Data: The Tile App |
Tor Thumbnails | Android Tor Browser Thumbnails. What? |
Tox | Analysis of Antox - Android Tox App |
Tusky (Mastodon Client) | Thawing the Ice Age Pt. 2 - Tusky on Android - Stark4N6 |
uTorrent | Investigating Android uTorrent Application - Forensafe |
Vaulty | Decoding Vaulty - Kibaffo33 |
Venmo | Venmo. The App for Virtual Ballers. |
Viber | Investigating Android Viber |
Video Player Apps (VLC, MX Player, Archos, Plex, LocalCast) | Was the video played? - Android video player apps |
Wear OS | Clockin’ In with Google’s Wear OS - The Binary Hick |
WhatsApp | WhatsApp - Images and Messages - An overview - BeBinary4n6 |
WhatsApp | WhatsApp messages in Non-Rooted Android Devices - gforce4n6 |
WhatsApp | New msgstore – Who ‘Dis? A Look At An Updated WhatsApp On Android - The Binary Hick |
WhatsApp | Forensic Duel: Exploring Deleted WhatsApp Messages—iOS vs Android |
WhatsApp | Investigating Android WhatsApp |
WhatsApp | Android WhatsApp Forensics. Part I: Acquisition |
WhatsApp | Android WhatsApp Forensics. Part II: Analysis |
Wickr | Wickr. Alright. We’ll Call It A Draw. - The Binary Hick |
Wi-Fi | Investigating Android Wi-Fi Information - Forensafe |
Yandex Mail | Investigating Android Yandex Mail - Forensafe |