
Introduction

Mobile devices running the Android operating system account for more than 80% of the mobile device market. The variety of operating system versions and hardware platforms on which Android runs provides a wide range of data extraction methods; no comparable range exists for any of the other groups of mobile devices: iOS devices, Windows Phone devices, and BlackBerry devices.

The most common methods of data extraction from Android devices are as follows:

  • Logical extraction: This method extracts only certain types of logical data, such as the phonebook, calls, messages (SMS/MMS), and so on. As a rule, logical extraction requires installing an agent program on the device that helps the mobile forensic software extract data. The agent is needed because of the hardware memory layout and the security policy of mobile devices.
  • Backup: This method also extracts only logical data from a device, such as the phonebook, calls, messages (SMS/MMS), video files, images, audio files, and so on. Application data (for example, from IM messengers) is transferred fully or partially into the created backup; whether it is transferred at all depends on the version of the operating system and the security settings of the device. Often only the account information of an installed application ends up in the backup, which can lead an expert to think that the forensic software does not support data extraction from this application. If the expert instead extracts the file system or a physical dump of the device, the same forensic software will extract the application data (for example, chats).
  • File system extraction: This method extracts the file system from a device. All the files in the user partition (as a rule, this partition is called userdata) are extracted.
  • Physical dump: This method creates a full copy of the device memory, which contains all the partitions of the device, including service data, applications, and user data. Deleted files can be restored from a physical dump.
  • Joint Test Action Group (JTAG): We will focus on this method in Chapter 11, JTAG and Chip-off Techniques. The method is named after the JTAG industry standard, which is used for testing system boards.
  • Chip-off: We will focus on this method in Chapter 11, JTAG and Chip-off Techniques. Chip-off is a destructive method based on removing the memory chip from the system board.

Although the backup and file system extraction methods extract only logical data and files, an expert can still restore deleted records from SQLite databases (such as phonebook records, calls, SMS messages, and records from mobile applications' databases).

In this chapter, we will cover the main methods of data extraction from the Android devices.
