Abstract

Android forensics is one of the most studied topics in the mobile forensics literature, partly due to the popularity of Android devices and apps. However, there does not appear to have a formal model that captures the activities undertaken during a forensic investigation. In this paper, we adapt a widely used adversary model from the cryptographic literature to formally capture a forensic investigator's capabilities during the collection and analysis of evidentiary materials from mobile devices. We demonstrate the utility of the model using five popular Android social apps (Twitter, POF Dating, Snapchat, Fling and Pinterest). We recover various information of forensic interest, such as databases, user account information, sent-received images, profile pictures, contact lists, unviewed text messages. We are also able to determine when a notification was sent, a tweet was posted, as well as identifying the Facebook authentication token string used in the apps.