Data residing on an Android device may be an integral part of civil, criminal, or internal investigations done as part of a corporate company's internal probe. While dealing with investigations involving Android devices, you, as the forensic examiner, need to be mindful of the issues that need to be taken care of during the forensic process; this includes determining whether root access is permitted (via consent or legal authority) and what data can be extracted and analyzed during the investigation. For example, in a criminal case involving stalking, the court may only allow SMS, call logs, and photos to be extracted and analyzed on the Android device belonging to the suspect. In this case, it may make the most sense to logically capture only those specific items. However, it is best to obtain a full physical data extraction from the device and only examine the areas admissible by the court. You never know where your investigation may lead and it is best to obtain as much data from the device as possible immediately, rather than wishing you had a full image should the scope of consent change. Data extraction techniques on an Android device can be classified into three types:

• Manual data extraction
• Logical data extraction
• Physical data extraction

As described in Chapter 1, Introduction to Mobile Forensics, manual extraction involves browsing through the device normally and capturing any valuable information, while logical extraction deals with accessing the filesystem, and physical extraction is about extracting a bit-by-bit image of the device. The extraction methods for each of these types will be described in detail in the following sections.