Creating an Android virtual device

With Android Studio you can create an Android virtual device (AVD), also called an emulator, which is often used by developers when creating new applications; however, an emulator has significance from a forensic perspective, too. Emulators are useful when trying to understand how applications behave and execute on a device. This could be helpful in confirming certain findings that are unearthed during a forensic investigation.

Also, while working on a device that is running on an older platform, you can design an emulator for the same platform. Furthermore, before installing a forensic tool on a real device, the emulator can be used to find out how a forensic tool works and changes the content on an Android device. To create a new AVD (on the Windows workstation), go through the following steps:

  1. Open Android Studio and navigate to Tools | AVD Manager. The Android Virtual Device Manager window is shown in the following screenshot:

Android Virtual Device Manager

  2. Click on Create Virtual Device to create a new virtual device. In the screens that follow, select the appropriate hardware, system image, API level, AVD name, and so on, and proceed further. For example, the following screenshot shows Android Pie being selected:

Virtual device configuration

  3. A confirmation message is shown once the device is successfully created. Now, select the AVD and click on the Play button.
  4. This should launch the emulator. Note that this could take a few minutes, or even longer, depending on the workstation's CPU and RAM. The emulator does consume a significant amount of resources on the system. After a successful launch, the AVD will run, as shown in the following screenshot:

The Android emulator

From a forensic perspective, analysts and security researchers can leverage the functionality of an emulator to understand the file system, data storage, and so on. The data created when working on an emulator is stored in your home directory in a folder named .android. For instance, in our example, the details about the Pixel_XL_API_28 emulator that we created earlier are stored under C:\Users\Rohit\.android\avd\Pixel_XL_API_28.avd.

Among the various files present under this directory, the following are those that are of interest to a forensic analyst:

  • cache.img: This is the disk image of the /cache partition (remember that we discussed the /cache partition of an Android device in Chapter 7, Understanding Android).
  • sdcard.img: This is the disk image of the SD card partition.
  • userdata-qemu.img: This is the disk image of the /data partition. The /data partition contains valuable information about the device user.
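
One way to see how a forensic tool changes the emulator's content, as suggested earlier, is to hash the image files listed above before and after running the tool. The following Python code is an added example, not code from the book; the function names are hypothetical, and the demo runs on a constructed stand-in directory rather than a real AVD.

```python
import hashlib
import tempfile
from pathlib import Path

# The three image files the text singles out for forensic analysis.
IMAGES_OF_INTEREST = ("cache.img", "sdcard.img", "userdata-qemu.img")


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so multi-gigabyte images are never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(avd_dir):
    """Map each image of interest to (size, sha256), or None if it is absent."""
    paths = {name: Path(avd_dir) / name for name in IMAGES_OF_INTEREST}
    return {name: (p.stat().st_size, sha256_file(p)) if p.is_file() else None
            for name, p in paths.items()}


def status(old, new):
    """Compare one image's entries from two snapshots."""
    if old is None or new is None:
        return "absent" if old is new else "created" if old is None else "removed"
    return "unchanged" if old == new else "modified"


def diff_snapshots(before, after):
    """Report, per image, what changed between two snapshots."""
    return {n: status(before.get(n), after.get(n)) for n in IMAGES_OF_INTEREST}


def demo():
    """Run on a constructed stand-in for an .avd directory, not a real emulator."""
    with tempfile.TemporaryDirectory() as home:
        avd = Path(home) / ".android" / "avd" / "Pixel_XL_API_28.avd"
        avd.mkdir(parents=True)
        (avd / "cache.img").write_bytes(b"constructed cache image")
        (avd / "userdata-qemu.img").write_bytes(b"constructed data image")
        before = snapshot(avd)
        # Stand-in for booting the AVD and running the tool under evaluation.
        (avd / "userdata-qemu.img").write_bytes(b"constructed data image, altered")
        return diff_snapshots(before, snapshot(avd))
```

On a real AVD, call snapshot() on the .avd directory before and after exercising the tool, with the emulator shut down both times so that the images are not being written while they are hashed.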

Now that we have understood the steps to set up the environment, let's connect the Android device to a forensic workstation.
