A comparison of forensic acquisition techniques for android devices: A case study investigation of orweb browsing sessions

Document Type

Conference Proceeding

Source of Publication

2014 6th International Conference on New Technologies, Mobility and Security - Proceedings of NTMS 2014 Conference and Workshops

Publication Date



The issue of whether to "root" a small scale digital device in order to be able to execute acquisition tools with kernel-level privileges is a vexing one. In the early research literature about Android forensics, and in the commercial forensic tools alike, the common wisdom was that "rooting" the device modified its memory only minimally, and enabled more complete acquisition of digital evidence, and thus was, on balance, an acceptable procedure. This wisdom has been subsequently challenged, and alternative approaches to complete acquisition without "rooting" the device have been proposed. In this work, we address the issue of forensic acquisition techniques for Android devices through a case study we conducted to reconstruct browser sessions carried out using the Orweb private web browser. Orweb is an Android browser which uses Onion Routing to anonymize web traffic, and which records no browsing history. Physical and logical examinations were performed on both rooted and non-rooted Samsung Galaxy S2 smartphones running Android 4.1.1. The results indicate that for investigations of Orweb browsing history, there is no advantage to rooting the device. We conclude that, at least for similar investigations, rooting the device is unnecessary and thus should be avoided. © 2014 IEEE.




IEEE Computer Society

Last Page



Computer Sciences


acquisition, Android, Orweb, root, rooting

Scopus ID


Indexed in Scopus


Open Access