Introduction to Android Forensics
Android devices contain some of the most revealing digital evidence available to forensic examiners. Text messages, call logs, photos with GPS coordinates, application data, browsing history, Wi-Fi connection records and location data all reside on a single device that most people carry every waking hour.
The challenge is extracting that data in a forensically sound manner. Unlike traditional disk forensics where you create a bit-for-bit image of a hard drive, Android forensics involves a mobile operating system with encryption, permission controls and hardware-backed security. The extraction method you choose depends on the device, the Android version, the security configuration and the legal authority under which you are operating.
This guide covers the practical methods available to forensic examiners in 2026 with a focus on logical extraction, which is the method applicable to the majority of consent-based examinations in corporate and civil contexts.
Logical Extraction vs. Physical Extraction
The two primary categories of Android forensic acquisition are logical extraction and physical extraction. Understanding the distinction is critical for selecting the appropriate method and for testifying about the limitations of your examination.
- Logical extraction: Accesses data through the Android operating system's content provider APIs. Retrieves files, database records and metadata that the OS makes available to authorized applications. Does not require root access or exploitation of vulnerabilities. Cannot recover data that the OS has deleted and released from storage. Suitable for consent-based examinations.
- Physical extraction: Creates a complete bit-for-bit image of the device's storage including unallocated space, deleted files and system partitions. Requires root access, bootloader exploitation or specialized hardware interfaces. Can recover deleted data if the storage has not been overwritten. Required for examinations involving non-cooperative device owners or when recovery of deleted evidence is necessary.
- File system extraction: A middle ground that accesses the file system with elevated privileges (typically root) but does not image unallocated space. Provides access to application databases, system logs and configuration files that logical extraction cannot reach. Requires root access but not hardware-level interaction.
For corporate investigations, HR matters, civil litigation and family law, logical extraction is typically sufficient and legally appropriate. Physical extraction is primarily used by law enforcement under warrant authority when deleted data recovery is necessary or when the device owner does not consent.
The ADB Method
Android Debug Bridge (ADB) is Google's official command-line tool for communicating with Android devices. It provides a USB or network connection between a workstation and a device with USB debugging enabled. ADB is the foundation of most logical extraction tools.
Raw ADB commands can extract some data directly. The adb pull command copies files from the device to the workstation. The adb backup command (deprecated in newer Android versions) creates a backup of application data. The adb shell command provides access to the device's command line for querying content providers and system properties.
However, raw ADB has significant limitations for forensic work. It cannot access most application data without root access. It does not provide structured access to SMS, contacts or call logs. It does not hash artifacts during extraction. Using raw ADB for forensic acquisition requires extensive scripting, careful documentation and manual hash verification.
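Raw ADB can query a content provider with adb shell content query, but it returns free-text rows and no hashes, so the structuring and per-record hashing described above fall to the examiner's own script. The following is an added example of that scripting, not code from the original page or from any tool it names; the sample content query output is constructed, content://sms is a standard Android provider URI, and the runner hook and function names are this example's own.

```python
import hashlib
import json
import re
import subprocess

# Constructed sample of `adb shell content query --uri content://sms` output.
# The second body contains ", ", which a naive split on commas would break apart.
SAMPLE_OUTPUT = """Row: 0 _id=1, address=+15550100, date=1700000000000, type=1, body=Meeting at 9
Row: 1 _id=2, address=+15550199, date=1700000060000, type=2, body=Yes, see you there
"""

# Split only before "name=" tokens so commas inside values survive. A value that
# itself contains ", word=" would still be mis-split: content query output is not
# an unambiguous serialization, which is one reason raw ADB needs so much scripting.
_FIELD_SPLIT = re.compile(r", (?=[A-Za-z_][A-Za-z0-9_]*=)")

def parse_content_query(output):
    """Turn `content query` text rows into a list of {column: value} dicts."""
    records = []
    for line in output.splitlines():
        if not line.startswith("Row: "):
            continue
        _, _, fields = line[len("Row: "):].partition(" ")  # drop the row index
        record = {}
        for field in _FIELD_SPLIT.split(fields):
            name, _, value = field.partition("=")
            record[name] = value
        records.append(record)
    return records

def hash_record(record):
    """SHA-256 over a canonical JSON form so the hash can be recomputed later."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def acquire_provider(uri, runner=None):
    """Query one content provider over ADB and hash every record at extraction.
    `runner` maps a URI to raw output; the default shells out to adb, and a fake
    runner lets the parsing and hashing be exercised with no device attached."""
    if runner is None:
        def runner(u):
            return subprocess.run(["adb", "shell", "content", "query", "--uri", u],
                                  capture_output=True, text=True, check=True).stdout
    return [{"uri": uri, "record": r, "sha256": hash_record(r)}
            for r in parse_content_query(runner(uri))]
```

Calling acquire_provider("content://sms", runner=lambda u: SAMPLE_OUTPUT) exercises the whole path offline; omitting runner queries an attached, authorized device.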
The Helper APK Approach
The helper APK method solves the limitations of raw ADB by installing a purpose-built application on the device. This application requests standard Android permissions (contacts, SMS, call logs, storage access) through the normal Android consent dialog. Once permissions are granted, the APK accesses data through Android's content provider APIs and makes it available for extraction via ADB.
This approach has several advantages for forensic work:
- Access to SMS, MMS, contacts and call logs that raw ADB cannot reach without root
- Structured data output that can be parsed and hashed programmatically
- Standard Android permissions that are legally defensible as consent-based access
- Compatibility across Android versions since content provider APIs are stable
- No modification of existing data on the device
The Sherlock Android Acquirer uses this method. The helper APK is installed with the device owner's consent. It requests permissions through Android's standard dialog. The device owner reviews and grants each permission individually. This creates a clear record that the data access was authorized.
Step-by-Step Acquisition Process
The following procedure describes a complete forensic logical acquisition of an Android device using the ADB and helper APK method. This process is designed for consent-based examinations where the device owner cooperates.
Step 1: Document the Device
Before touching the device, document its condition. Record the manufacturer, model number, Android version, serial number and IMEI. Photograph the device showing its physical condition. Note the battery level, whether the screen is locked, whether the device is powered on and any visible damage. This documentation becomes part of the chain of custody record.
Step 2: Obtain Informed Consent
The device owner must sign a consent form before any data extraction begins. The consent form should specify what categories of data will be extracted, how the data will be stored and secured, who will have access to the extracted data, how long the data will be retained and the owner's right to withdraw consent. Retain the signed consent form. It is the legal foundation for the entire acquisition.
Step 3: Enable USB Debugging
The device owner should navigate to Settings, About Phone and tap the Build Number entry seven times to activate Developer Options. Then navigate to Settings, Developer Options and toggle USB Debugging to the on position. The device owner should perform these actions to demonstrate voluntary cooperation.
Step 4: Connect and Authorize
Connect the device to the forensic workstation via USB. The device will display an RSA key fingerprint authorization prompt. The device owner should accept this prompt. On the workstation, verify the connection by running the adb devices command. The device serial number should appear with "device" status.
Step 5: Install the Helper APK
Install the forensic helper APK on the device. The APK will prompt for permissions including access to contacts, SMS, call logs, media storage and files. The device owner should review each permission request and grant it individually. Document which permissions were granted.
Step 6: Execute the Acquisition
Run the acquisition tool on the workstation. The tool communicates with the helper APK to extract artifacts through Android's content provider APIs. Each artifact is individually hashed with SHA-256 at the point of extraction. Monitor the extraction log for errors, permission denials or incomplete transfers.
Step 7: Verify and Generate Reports
Review the extraction log. Verify that artifact counts are reasonable for the device usage profile. Generate the forensic PDF report including the chain of custody header, device identification, artifact inventory with individual SHA-256 hashes and the hash manifest summary.
Step 8: Clean Up and Secure
Uninstall the helper APK from the device using the acquisition tool or adb uninstall. Disable USB debugging on the device. Return the device to the owner. Store extracted data and reports on encrypted media with documented access controls. Record the storage location in the chain of custody log.
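Steps 1 and 4 can be enforced by the workstation before any data is moved. The following added example (not code from the original page or from Sherlock Android Acquirer) parses adb devices -l and adb shell getprop output into the device identification record and refuses to continue unless exactly one authorized device is attached; the ExampleCo device, its sample outputs and the all-zero IMEI are constructed placeholders, while the property names are standard Android system properties.

```python
import re

# Standard Android properties (adb shell getprop) for the required device-ID fields.
REQUIRED_PROPS = {
    "manufacturer": "ro.product.manufacturer",
    "model": "ro.product.model",
    "android_version": "ro.build.version.release",
    "serial": "ro.serialno",
    "build_fingerprint": "ro.build.fingerprint",
}
# Constructed sample outputs (not from a real device) of `adb devices -l` and getprop.
SAMPLE_DEVICES = """List of devices attached
EXAMPLE0001            device usb:1-2 product:ex100 model:EX_100 device:ex100 transport_id:3
"""
SAMPLE_GETPROP = """[ro.build.fingerprint]: [ExampleCo/ex100/ex100:14/EX.240101.001/1:user/release-keys]
[ro.build.version.release]: [14]
[ro.product.manufacturer]: [ExampleCo]
[ro.product.model]: [EX-100]
[ro.serialno]: [EXAMPLE0001]
"""

def require_single_authorized(devices_output):
    """Step 4 gate: exactly one device whose state is 'device'. 'unauthorized' means
    the owner has not yet accepted the RSA key prompt; 'offline' means no usable link."""
    states = {}
    for line in devices_output.splitlines()[1:]:   # skip the header line
        parts = line.split()
        if len(parts) >= 2:
            states[parts[0]] = parts[1]
    if len(states) != 1:
        raise RuntimeError(f"expected exactly one attached device, found {len(states)}")
    serial, state = next(iter(states.items()))
    if state != "device":
        raise RuntimeError(f"{serial} is '{state}': acquisition must not proceed")
    return serial

def device_record(getprop_output, imei):
    """Step 1 record. getprop does not expose the IMEI on current Android, so it is
    transcribed from the About Phone screen or the device label and passed in."""
    props = dict(re.findall(r"^\[(.+?)\]: \[(.*)\]$", getprop_output, re.MULTILINE))
    record = {field: props.get(prop, "") for field, prop in REQUIRED_PROPS.items()}
    record["imei"] = imei
    missing = [field for field, value in record.items() if not value]
    if missing:
        raise ValueError(f"device record incomplete, missing {missing}")
    return record
```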
Chain of Custody Requirements
Chain of custody documentation for mobile forensics must establish an unbroken record of who handled the evidence and what actions were taken. For Android forensic acquisitions, the documentation should include:
| Element | Details |
|---|---|
| Device identification | Manufacturer, model, serial number, IMEI, Android version, build fingerprint |
| Examiner identification | Name, credentials (e.g. CISSP, ISSAP, ISSMP), organization, contact information |
| Consent documentation | Signed consent form reference, date signed, permissions granted by device owner |
| Acquisition metadata | Date and time of extraction, tool name and version, acquisition parameters |
| Artifact inventory | Count of artifacts by category, individual SHA-256 hashes for each artifact |
| Evidence storage | Storage media identification, encryption method, physical location, access controls |
| Transfer records | Date, time, parties involved and reason for each transfer of evidence custody |
This documentation supports admissibility under the Daubert standard and similar evidentiary frameworks used in Canadian and international courts.
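The artifact inventory and hash manifest summary in the table only prove integrity if they are re-checked at each custody transfer. The following added example (not the page's or the tool's code) re-hashes stored artifacts against the inventory, reporting missing, altered and unlisted files, and records a transfer together with that check; the flat evidence directory, the two constructed artifacts and the "SHA-256 over sorted artifact hashes" summary convention are this example's assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Stream a stored artifact through SHA-256 (artifacts can be large media files)."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def manifest_summary(inventory):
    """Hash manifest summary (this example's convention): SHA-256 over the sorted
    per-artifact hashes, so any changed, added or removed artifact alters it."""
    return hashlib.sha256("\n".join(sorted(inventory.values())).encode()).hexdigest()

def verify_inventory(evidence_dir, inventory):
    """Re-hash every artifact listed in `inventory` ({relative path: sha256}).
    Returns {} when storage is intact, otherwise the problem categories found."""
    problems = {"missing": [], "mismatch": [], "unlisted": []}
    for rel, expected in inventory.items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.isfile(path):
            problems["missing"].append(rel)
        elif sha256_file(path) != expected:
            problems["mismatch"].append(rel)
    for name in os.listdir(evidence_dir):   # flat layout assumed in this example
        if name not in inventory:
            problems["unlisted"].append(name)
    return {kind: sorted(names) for kind, names in problems.items() if names}

def record_transfer(custody_log, from_party, to_party, reason, problems):
    """Append one transfer entry together with the integrity check made at hand-over."""
    custody_log.append({
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "from": from_party, "to": to_party, "reason": reason,
        "integrity_ok": not problems, "problems": problems,
    })
    return custody_log

def build_demo_evidence():
    """Write two constructed artifacts to a temp directory; return (dir, inventory)."""
    evidence_dir = tempfile.mkdtemp(prefix="evidence-")
    artifacts = {"sms.json": b'[{"address": "+15550100"}]', "calls.csv": b"id,number\n1,+15550199\n"}
    for name, content in artifacts.items():
        with open(os.path.join(evidence_dir, name), "wb") as handle:
            handle.write(content)
    return evidence_dir, {name: sha256_file(os.path.join(evidence_dir, name)) for name in artifacts}
```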
Android Security Evolution
Android's security model has evolved significantly over the past decade. Each major version has introduced restrictions that affect forensic acquisition methods.
Android 7 (Nougat) introduced file-based encryption, replacing full-disk encryption with per-file encryption keys. Android 10 introduced scoped storage, restricting application access to external storage. Android 11 further restricted background access to device sensors and location. Android 12 introduced approximate location permissions and Bluetooth scanning restrictions. Android 13 added per-app notification permissions and restricted access to media files by type. Android 14 and 15 continued tightening restrictions on background processes and data access.
These changes mean that forensic tools must adapt with each Android version. Physical extraction methods that relied on specific vulnerabilities in older versions may not work on newer devices. Logical extraction through content provider APIs remains the most stable method because these APIs are maintained for application compatibility.
Tool Comparison Overview
The Android forensics tool market ranges from free open-source tools to enterprise platforms costing tens of thousands of dollars per year. The appropriate tool depends on your use case, budget and the types of examinations you perform.
For a detailed comparison of specific tools with pricing, features and court-readiness evaluation, see our 2026 Android forensics tool comparison.
For consent-based logical extraction with forensic-grade documentation, Sherlock Android Acquirer provides the capability at a fraction of the cost of enterprise tools. Read the launch announcement for the full story behind the tool.
Legal Considerations
Mobile forensic acquisition raises legal issues that disk forensics does not. The device contains personal data protected by privacy legislation in most jurisdictions. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection and handling of personal information. In the EU, the General Data Protection Regulation (GDPR) applies. In the United States, the Fourth Amendment and various state privacy laws create a complex landscape.
Consent-based acquisition simplifies the legal analysis significantly. When the device owner provides informed written consent to the examination, the legal basis for data collection is established directly. The consent form becomes the authorizing document. The examiner's obligation is to operate within the scope of the consent and to protect the extracted data appropriately.
For non-consent examinations under warrant or court order, the legal authority must be carefully documented and the extraction scope must match the authority granted. These examinations typically require physical extraction tools with broader capabilities.