Demystifying Android Marshmallow Forensic Analysis
Android 6.0’s encryption, passwords, and adoptable storage—and the skills and tools you need to collect evidence from devices that use them.
With Android 6.0 or as it’s better known, Android Marshmallow on the brink of surpassing Lollipop as the platform’s single most popular OS, Android Marshmallow forensic analysis must be a priority. However, Marshmallow poses a few new challenges for digital forensic examiners: Android now follows in Apple’s footsteps with hardware-accelerated encryption; Marshmallow now stores passwords in entirely different and unexpected places, and new adoptable storage means you can no longer remove micro SD cards and examine them separately from the devices they came from.
Therefore, as Android Marshmallow increases market share with more mobile device manufacturers shipping it pre-installed on new devices, forensic examiners need to know how to obtain the data obscured within its file system—a process which requires the right approach from start to finish.
- Why Marshmallow’s built-in encryption isn’t necessarily the end of the forensic line
- How to bypass new and different levels of data obfuscation
- Where—and more importantly, how—to find the right data partition
- How adoptable storage changes your forensic process for micro SD cards
“Android 6.0’s encryption, passwords, and adoptable storage—and the skills and tools you need to collect evidence from devices that use them.”