Features of Forensic Examination of Mobile Devices Running on the Android Operating System
DOI:
https://doi.org/10.32631/v.2025.4.30
Keywords:
digital forensics, mobile forensics, Android OS, electronic evidence, data extraction, encryption, forensic analysis.
Abstract
This article is devoted to a comprehensive analysis of modern methods, challenges, and prospects for forensic examination of mobile devices running on the Android operating system. The architecture of the Android operating system is studied in detail as a fundamental factor determining the examination methodology. The evolution of file systems (from YAFFS2 to F2FS) and the application isolation mechanism (Application Sandbox) are considered. Particular attention is paid to the multi-level security system of the Android operating system, which combines protection at the application level, the operating system level (using SEAndroid mandatory access control) and the hardware level through TrustZone technologies.
The main challenges facing digital forensics specialists are also analysed. One of them is data encryption at both the disk level (FDE) and the file level (FBE), which makes data virtually inaccessible without the appropriate decryption keys. In addition, the spread of biometric authentication, whose templates are stored in the isolated TrustZone environment, is a significant obstacle, as it also complicates access to data. An important technical problem is the TrustZone technology itself, which acts as a kind of “black box” for forensic experts. A classification of digital traces that may be available on mobile devices is provided, ranging from system artefacts and user data to information from messengers and network evidence.
A comparative analysis of the tools used by experts in the field of digital forensics has been carried out. It is concluded that the choice of tool depends on the specific conditions of the investigation, as there is no universal method that would be effective in all cases. Attention is drawn to the need for clear regulation of the process of investigating digital evidence within the framework of current legislation, as well as the importance of ensuring appropriate standards for data storage and processing.
Promising areas for development in the field are outlined, including the integration of artificial intelligence technologies for analysing large amounts of data, expanding research to new segments (in particular, the IoT), and the need for international cooperation to standardise forensic investigation methods and train qualified specialists. It is concluded that forensic examination of devices running on the Android operating system is a dynamic interdisciplinary field, the success of which requires in-depth technical knowledge, constant updating of methods, and a clearly structured systematic approach.
License
Copyright (c) 2025 V. S. Makarov

This work is licensed under a Creative Commons Attribution 4.0 International License.
