Thesis Abstract

Android is the most popular and widely used mobile operating system. Although Android is one of the most actively researched areas in the field of mobile forensics, analysis of Android caches is an understudied research topic, and it is the focus of this thesis. Due to the diversity of caches and developers' heavy reliance on third-party libraries, this thesis proposes a cache taxonomy based on usage, as the key to investigating Android caches is to first classify and identify them. This helps to ensure the choice of appropriate tool(s) to extract potential evidential data. A systematic process to forensically extract, analyse and investigate Android caches is proposed, which is based on the widely accepted McKemmish (1995) forensic model. The proposed Android Cache Forensic Process, the primary contribution of this thesis, is validated using nearly 100 popular apps. Previously unknown cache formats are decoded, and several undocumented cache formats commonly used by Android apps are documented. Based on the findings, an Android Cache Viewer prototype is developed, which is the secondary contribution of this thesis. This working prototype, as demonstrated in this thesis, is able to successfully decode Android caches and display the contents in a user-friendly manner.
Source Code at GitHub.