Introduction
Android, Google's mobile device platform, is quickly growing its share of the smart phone market. For the period ending February 2010, Android grew 5.2% and now has a 9% share of the smart phone market. In October 2009, a report released by Gartner predicted that by 2012, Android will be the second largest smart phone provider (totaling 94.5 million units sold), second only to RIM.
Android is found not only in smart phones but also in tablets, e-readers, net books, home appliances, and more. The first Android device was released in October 2008 and currently there are about 35 smart phones available on the market. There are also 6 tablets, 3 e-book readers, and one net book. In 2010, a large number of new devices will be released, including 20+ smart phones, 23 tablets, 2 e-books, and 4 net books. Clearly, forensic examiners need to prepare for Android devices now. Already, we receive weekly calls from law enforcement agencies seeking assistance on Android devices.
Android Overview
Android is an open source mobile device platform based on the Linux 2.6 kernel and managed by the Open Handset Alliance, a group of major mobile device, hardware, and software vendors. The open source nature of the project has not only established a new direction for the industry (forcing behemoths like Nokia/Symbian to open source their platform) but also enables a developer or code-savvy forensic analyst to understand the device at the most fundamental level. As the core platform is quickly maturing and is provided free of charge, carriers and hardware vendors alike can focus their efforts on customizations intended to retain their customers.
Applications for Android are developed in Java, and each runs in its own Dalvik virtual machine (DVM), in a separate process with a unique user id, which is a key mechanism used to enforce data security. An application can only access the data within its own DVM unless another application and the phone owner specifically allow the data to be shared. As a result of this secure architecture, there is no built-in mechanism on the phone that forensic examiners can use to extract core user data. Instead, new techniques must be developed which require some interaction with the device.
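
How the per-application user id shows up on the file system, as an added example that is not part of the original article: each application's data directory is owned by its own uid, so ordinary Linux permission checks keep an unprivileged shell user and other applications out. The listing, package names, and uids are constructed; the `/data/data` location and the `drwxr-x--x` mode are assumptions about a typical Android 2.x device, and group membership is simplified to the primary group.

```python
import re

# Constructed sample: `ls -l /data/data` in the style of an Android 2.x shell.
# Package names and uids are hypothetical.
LISTING = """\
drwxr-x--x app_12   app_12            2010-03-02 11:40 com.example.mail
drwxr-x--x app_23   app_23            2010-03-04 08:15 com.example.browser
drwxr-x--x app_31   app_31            2010-03-05 17:22 com.example.notes
"""

ENTRY = re.compile(
    r"^(?P<mode>[d-][rwx-]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?P<name>\S+)$"
)

def parse_listing(text):
    """Return one dict (mode, owner, group, name) per recognised line."""
    return [m.groupdict() for m in map(ENTRY.match, text.splitlines()) if m]

def permitted(entry, user, groups, bit):
    """Linux permission check: pick owner, group or other bits, in that order."""
    if user == "root":
        return True                      # root bypasses the mode bits
    mode = entry["mode"]
    if user == entry["owner"]:
        triad = mode[1:4]
    elif entry["group"] in groups:
        triad = mode[4:7]
    else:
        triad = mode[7:10]
    return bit in triad

def access_matrix(text, viewers):
    """Map viewer -> package -> 'list', 'traverse-only' or 'none'."""
    matrix = {}
    for user in viewers:
        groups = {user}                  # assumption: primary group only
        row = matrix.setdefault(user, {})
        for e in parse_listing(text):
            if permitted(e, user, groups, "r"):
                row[e["name"]] = "list"
            elif permitted(e, user, groups, "x"):
                row[e["name"]] = "traverse-only"
            else:
                row[e["name"]] = "none"
    return matrix

if __name__ == "__main__":
    for user, row in access_matrix(LISTING, ["shell", "app_23", "root"]).items():
        print(user, row)
```

In the result, "traverse-only" means the viewer can enter the directory but cannot enumerate its contents, which is the position an unprivileged shell user is in for every application's data.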