Android Virtual Device

With the Android SDK installed, you can create an AVD, which is an emulator that runs on the workstation. An emulator is often used by developers when creating new applications. However, an emulator is also helpful during a forensic investigation, as it allows the investigator to understand how certain applications behave and how the installation of an application affects the device. Another advantage is that you can create an emulator running the desired Android version. This is especially helpful when working with devices running older versions of Android. Also, an AVD comes with root access by default.

The following steps will guide you to create an AVD on the workstation:

  1. Make sure you have the emulator subdirectory under sdk; if not, run the following command to install it: sdkmanager.bat "emulator".
  2. We need a system image for our virtual device, for example, system-images;android-28;google_apis;x86; you can download it this way: sdkmanager.bat "system-images;android-28;google_apis;x86".
  3. Now we can create an AVD using avdmanager: avdmanager.bat create avd -k "system-images;android-28;google_apis;x86" -n test. As you may have already guessed, the -k switch allows you to choose a system image, and the -n switch allows you to choose a name for the AVD.
  4. It's time to launch it! Use emulator.exe to do it: emulator.exe -avd test. The following is a screenshot of an AVD after a successful launch:

Android Virtual Device (AVD) running Android 9 (Pie)

An emulator can be used to configure email accounts, install applications, surf the internet, send text messages, and so on. Forensic analysts and security engineers can learn a great deal about Android and how it operates by leveraging the emulator and examining the network, filesystem, and data artifacts. The data created when working on an emulator is stored in your home directory, in a folder named .android. For instance, in our example, the details about the test AVD that we created earlier are stored in C:\Users\136\.android\avd\test.avd. There are several files present under this directory and the following are some of the files of interest for a forensic analyst:

  • cache.img: This is the disk image of the /cache partition.
  • sdcard.img: This is the disk image of the SD card partition.
  • userdata-qemu.img: This is the disk image of the /data partition. The /data partition contains valuable information about the device user.
  • config.ini: This file contains information about the system image used.
  • hardware-qemu.ini: This file contains the emulator's hardware options, such as architecture, RAM size, and screen type.
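
The following Python script is an added example, not code from the book: it inventories the files of interest listed above in an AVD directory, hashing each partition image with SHA-256 and parsing the two .ini files. The function names and the contents of the sample test.avd folder it builds are constructed for illustration.

```python
import hashlib
from pathlib import Path

IMAGES = ("cache.img", "sdcard.img", "userdata-qemu.img")  # partition images named in the text
INI_FILES = ("config.ini", "hardware-qemu.ini")

def parse_ini(path):
    """Parse the emulator's flat key=value .ini files (no [section] headers)."""
    settings = {}
    for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and not key.lstrip().startswith(("#", ";")):
            settings[key.strip()] = value.strip()
    return settings

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large partition images are never loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def inventory_avd(avd_dir):
    """Return image sizes and hashes, parsed settings, and expected files that are absent."""
    report = {"images": {}, "settings": {}, "missing": []}
    for name in IMAGES + INI_FILES:
        p = Path(avd_dir) / name
        if not p.is_file():
            report["missing"].append(name)
        elif name in IMAGES:
            report["images"][name] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
        else:
            report["settings"][name] = parse_ini(p)
    return report

def build_sample_avd(root):
    """Constructed stand-in for test.avd: sample data, not real emulator output."""
    avd = Path(root) / "test.avd"
    avd.mkdir()
    (avd / "userdata-qemu.img").write_bytes(b"constructed /data image")
    (avd / "config.ini").write_text("image.sysdir.1 = system-images/android-28/google_apis/x86/\n")
    (avd / "hardware-qemu.ini").write_text("# constructed\nhw.cpu.arch = x86\nhw.ramSize = 1536\n")
    return avd

if __name__ == "__main__":
    import json, tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(inventory_avd(build_sample_avd(tmp)), indent=2))
```

Point inventory_avd at a copy of the real test.avd folder, taken with the emulator shut down, so that the recorded hashes describe a stable image.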