Mobile Forensics

Check Storage

Instead of checking every file in storage, use these shortcuts to look for suspicious files:

  1. Download history of the user-preferred browser

  2. "Recently used" section in the file manager

Search for APK Files

Sometimes users are tricked into downloading and installing APK files, and those files are left behind in phone storage. Searching for APK files can therefore reveal apps that were installed in the past.

Search for Suspicious Files

Less sophisticated malware might leave a trace on the phone by writing files in the internal storage (or SD card).

Look for these kinds of files, and search for their paths on Google:

  • .log, .txt files: might be log files created by malware or spyware

  • Files containing copies or backups of sensitive user information, such as call logs, chat history, or contact lists. This information is usually kept only in app storage (a storage area accessible only to the app itself), unless the user intentionally exports it. So any unintentional export might be a sign of malware stealing data or of an app malfunctioning. These files should be deleted quickly after use because the internal storage is less protected.

  • .so files: "so" stands for "shared object", which can be understood as an extension to an executable file. The existence of .so files might indicate that they were loaded and executed.
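
As an added example (not part of the original guide), the following Python script triages a copy of the phone's shared storage that has been pulled to the examiner's computer, flagging the file kinds listed above. It goes slightly beyond the text by recognizing APK and shared-object files from their content as well as their extension, so renamed files still surface; the `EXPORT_HINTS` keywords, the labels and the sample tree are assumptions constructed for illustration.

```python
import os
import zipfile

# Assumed, illustrative name hints for exported call logs, chats and contacts.
EXPORT_HINTS = ("calllog", "call_log", "contact", "sms", "chat")


def classify(path):
    """Return a triage label for one file, or None if nothing stands out."""
    name = os.path.basename(path).lower()
    with open(path, "rb") as fh:
        head = fh.read(4)
    if zipfile.is_zipfile(path):  # an APK is a ZIP carrying AndroidManifest.xml
        with zipfile.ZipFile(path) as zf:
            if "AndroidManifest.xml" in zf.namelist():
                return "apk"
    if head == b"\x7fELF" or name.endswith(".so"):  # ELF magic: native library
        return "shared-object"
    if any(hint in name for hint in EXPORT_HINTS):
        return "possible-data-export"
    if name.endswith((".log", ".txt")):
        return "log-or-text"
    return "apk-extension-only" if name.endswith(".apk") else None


def triage(root):
    """Walk a pulled copy of shared storage; return {relative path: label}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                label = classify(full)
            except (OSError, zipfile.BadZipFile):
                label = "unreadable"
            if label:
                findings[os.path.relpath(full, root)] = label
    return findings


def build_sample(root):
    """Create a small constructed storage tree for demonstration."""
    dl = os.path.join(root, "Download")
    os.makedirs(dl)
    with zipfile.ZipFile(os.path.join(dl, "update.jpg"), "w") as zf:
        zf.writestr("AndroidManifest.xml", b"constructed")
    for fname, data in (("libx.so", b"\x7fELF"), ("contacts_backup.csv", b"a,b"),
                        ("debug.log", b"x"), ("photo.png", b"\x89PNG")):
        with open(os.path.join(dl, fname), "wb") as fh:
            fh.write(data)
```

Call `triage()` on the directory holding the pulled copy and review each flagged path by hand; a label is a prompt for a closer look, not a verdict.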


Last updated 1 year ago