Mar 23, 2016

Android Forensic Logical Acquisition

Introduction

The following is a demonstration of how to create an Android emulator, then the steps needed to acquire a logical image of its storage, and finally how to start forensically analyzing that image.
In the mobile forensics world there are, in general, three main acquisition techniques (which of them apply depends on the OS, the OS version, and the device):
  • Direct acquisition
  • Logical acquisition
  • Physical acquisition
The direct acquisition technique can be performed if the seized device is either not locked or the PIN/password/pattern lock is known to the investigator; this way, all data available to the user is also available to the examiner through the usual user interface (UI). The only "disturbing" point is that, when relying on this method alone, system files, system logs and the system partition are not accessible.
The logical acquisition is a bit-by-bit copy of a given logical storage unit (the storage may be the user data partition as well as the system data partition), and this acquisition method produces