With the increasing use of Android devices, forensic investigations have become crucial in uncovering cybercrimes involving mobile malware. Android devices, as one of the mobile device types, can be easily exploited due to weaknesses in the Android operating system and security vulnerabilities in the application store. While existing studies primarily focus on malware detection using machine learning models, there is a gap in the literature regarding the effectiveness of examination tools in analyzing harmful applications. This study evaluates forensic methods used to extract and analyze digital evidence from compromised Android devices. We compare manual inspection, logical imaging, and physical imaging in retrieving nine key evidentiary features. Our findings indicate that while manual and logical imaging recovered 55.56% of these indicators, physical imaging offered broader access (66.67%), particularly facilitating the recovery of deleted data and data from unallocated space. Using the Magnet AXIOM tool and manual analysis methods, we conducted static and dynamic analyses of malicious softwares. The results demonstrate the utility of specialized analysis tools in both identifying malicious activity and recovering critical information, offering guidance to practitioners in choosing the most effective approach for Android-related casework.
Günay et al. (Fri,) studied this question.