Handling an Android device

Handling an Android device in a proper manner prior to the forensic investigation is a very important task. Care should be taken to make sure that our unintentional actions do not result in data modification or any other unintended changes to the evidence. The following sections throw light on certain issues that need to be considered while handling the device in the initial stages of a forensic investigation.

With improvements in technology, the concept of device locking has effectively changed over the last few years. Most users now have a passcode locking mechanism enabled on their device because of the increase in general security awareness. Before we look at some of the techniques used to bypass locked Android devices, it is important not to miss any opportunity to disable the passcode while the device is still unlocked.

When an Android device that is to be analyzed is first accessed, check whether the device is still active (unlocked). If so, change the device settings to enable greater access to it. When the device is still active, consider performing the following tasks:

  • Enabling USB debugging: Once the USB debugging option is enabled, it gives greater access to the device through the adb connection. This is of great significance when it comes to extracting data from the device. The location of the option to enable USB debugging might change from device to device, but it's usually under Developer Options in Settings. Most methods for physically acquiring Android devices require USB debugging to be enabled.
  • Enabling the Stay awake setting: If the Stay awake option is selected and the device is connected for charging, then the device never locks. Again, if the device locks, the acquisition can be halted.
  • Increasing screen timeout: This is the time for which the device will remain active once it is unlocked. The location of this setting varies depending upon the model of the device. On a Samsung Galaxy S3 phone, you can access it by navigating to Settings | Display | Screen timeout.

Apart from these, as mentioned in Chapter 1, Introduction to Mobile Forensics, the device needs to be isolated from the network to make sure that remote wipe options do not work on the device. The Android Device Manager allows the phone to be remotely wiped or locked. This can be done by signing in to the Google account that is configured on the phone. More details about this are supplied in the following section. If the Android device is not set up to allow remote wiping, the device can only be locked using the Android Device Manager. There are also several mobile device management (MDM) software products available on the market that allow users to remotely lock or wipe the Android device. Some of these may not require specific settings to be enabled on the device.

Using the available remote wipe software, it is possible to delete all the data, including emails, applications, photos, contacts, and other files, as well as those found on the SD card. To isolate the device from the network, you can put the device in airplane mode and disable Wi-Fi as an extra precaution. Enabling airplane mode and disabling Wi-Fi works well, as the device will not be able to communicate over a cellular network and cannot be accessed via Wi-Fi. Removing the SIM card from the phone is also an option, but that does not effectively stop the device from communicating over Wi-Fi or other cellular networks. To place the device in airplane mode, press and hold the Power Off button and select Airplane mode.
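Once USB debugging is on, the checklist above (Stay awake, screen timeout) and the network-isolation state (airplane mode, Wi-Fi) can be verified over adb instead of by scrolling through the Settings UI. The following is an added example, not code from the book: it parses the `key=value` output of `adb shell settings list global` and `adb shell settings list system` and reports which items still need attention before acquisition. The acceptable thresholds (USB bit of `stay_on_while_plugged_in`, a 10-minute minimum screen timeout) are assumptions to adjust to your lab's procedure.

```python
import subprocess

# Assumed acceptable values for the handling checklist; adjust to your SOP.
USB_PLUG_BIT = 2                  # USB bit in the stay_on_while_plugged_in bitmask
MIN_TIMEOUT_MS = 10 * 60 * 1000   # screen_off_timeout of at least 10 minutes

def parse_settings(text):
    """Turn `key=value` lines from `settings list` into a dict."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out

def _as_int(value):
    """Integer value of a setting, or None when missing/non-numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def preflight(global_text, system_text):
    """Map each checklist item to True (OK) or False (still needs fixing)."""
    g = parse_settings(global_text)
    s = parse_settings(system_text)
    stay_on = _as_int(g.get("stay_on_while_plugged_in")) or 0
    timeout = _as_int(s.get("screen_off_timeout")) or 0
    return {
        "usb_debugging":     _as_int(g.get("adb_enabled")) == 1,
        "stay_awake_on_usb": (stay_on & USB_PLUG_BIT) != 0,
        "screen_timeout_ok": timeout >= MIN_TIMEOUT_MS,
        "airplane_mode":     _as_int(g.get("airplane_mode_on")) == 1,
        "wifi_off":          _as_int(g.get("wifi_on")) == 0,  # missing key -> False
    }

def preflight_from_device(serial=None):
    """Live variant: query the attached handset over adb."""
    adb = ["adb"] + (["-s", serial] if serial else [])
    def settings_list(namespace):
        cmd = adb + ["shell", "settings", "list", namespace]
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return preflight(settings_list("global"), settings_list("system"))

# Constructed sample output (not captured from a real handset).
SAMPLE_GLOBAL = "adb_enabled=1\nairplane_mode_on=0\nstay_on_while_plugged_in=0\nwifi_on=1\n"
SAMPLE_SYSTEM = "screen_off_timeout=30000\n"

if __name__ == "__main__":
    for name, ok in preflight(SAMPLE_GLOBAL, SAMPLE_SYSTEM).items():
        print(("OK   " if ok else "FIX  ") + name)
```

Run `preflight_from_device()` with the handset attached to check the live state; the sample shows a device with USB debugging on but everything else still to be done.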

All these steps can be done when the Android device is not locked; however, during the investigation, we commonly encounter devices that are locked. Therefore, it's important to understand how to bypass the lock code if it is enabled on an Android device.
