musaabhasan/android-forensics-lab
Android Digital Forensics Lab

Advanced PHP 8 and MySQL platform for Android forensic casework, acquisition planning, anti-forensics evaluation, volatile evidence triage, evidence integrity, and research-aligned reporting.

The lab is designed for examiners, researchers, and cybersecurity teams who need a structured way to compare Android forensic methods, document defensibility controls, evaluate file-wiping behavior, and preserve evidence integrity with repeatable outputs.

Core Capabilities

  • Case readiness scoring across governance, acquisition, evidence integrity, malware, memory, anti-forensics, privacy, and reporting controls.
  • Expert audit console that maps Android forensic field pain points to concrete lab capabilities and upgrade coverage.
  • Acquisition feasibility planner for Android version, lock state, file-based encryption, USB debugging, bootloader state, root feasibility, work profiles, cloud authority, and first-hour preservation decisions.
  • Artifact triage matrix for SQLite/WAL/SHM, WebView, notifications, E2EE apps, cloud records, media metadata, wiping residuals, package state, native code, work profiles, and removable storage.
  • Command workbench that converts scenario signals into a mission profile, urgency tier, operational lanes, priority method stack, evidence constellation, and validation backlog.
  • Context-aware method comparison for manual inspection, logical acquisition, file-system acquisition, physical imaging, cloud acquisition, memory acquisition, emulator dynamic analysis, static APK review, and dynamic application review.
  • Tool discrepancy validator for comparing parser counts, hashes, confidence, and release-blocking disagreement before formal reporting.
  • Artifact source confidence matrix for scoring provenance, integrity, parser reliability, timestamps, completeness, corroboration, anti-forensics exposure, and privacy minimization.
  • Timeline fusion engine for mixed-source Android events, activity clustering, anomaly detection, confidence scoring, anchors, and reconstruction steps.
  • Cloud backup correlation workflow for separating local artifacts, account/provider records, device binding, timestamp confidence, and privacy minimization.
  • Android location evidence confidence workflow for GPS, Wi-Fi, cell, EXIF, app, cloud, BLE, and MDM artifacts with precision, timestamp, spoofing, corroboration, and minimization checks.
  • Android app permission timeline workflow for reconstructing runtime grants, revocations, special access, app upgrades, MDM policy effects, and suspicious permission changes.
  • Android notification evidence triage workflow for notification timelines, listener access, deleted-message previews, sensitive content, user interaction limits, and privacy minimization.
  • Android WebView and browser artifact workflow for history, cookies, WebView stores, downloads, autofill, cache, embedded browsers, redirects, profile boundaries, and privacy minimization.
  • Android Bluetooth and nearby-device artifact workflow for paired devices, BLE scans, Nearby Share, wearables, vehicles, companion apps, permissions, and privacy minimization.
  • Work profile separation workflow for enterprise Android cases involving managed-profile boundaries, MDM evidence, app containers, account scope, and personal-data minimization.
  • File-wiping evaluation workflow based on declared claims, implementation evidence, standards alignment, recoverability, execution traces, app artifacts, OS artifacts, and timeline consistency.
  • Merkle-style SHA-256 evidence ledger for deterministic manifest integrity checkpoints.
  • Report readiness pack for authority, scope, chain of custody, hashes, tool versions, validation matrix, timeline anchors, limitations, privacy minimization, peer review, and reproducible appendices.
  • Research-source catalog with explicit alignment from Android forensic literature, stealth-attack detection work, method comparison research, file-wiping evaluation, and practical lab operations.
  • MySQL schema for research sources, methods, evidence features, tool profiles, controls, case assessments, workbench runs, timeline fusions, wiping evaluations, custody events, ledger runs, and audit events.
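The artifact triage matrix above lists SQLite/WAL/SHM as one item. The reason it matters in practice: in WAL journal mode, committed rows sit in the `-wal` sidecar until a checkpoint copies them into the main `.db` file, so a parser that only receives the main file silently undercounts. The following is an added example in Python (it is not part of this lab's PHP code) that builds a constructed messages database, copies it once without and once with its sidecar files, and counts the rows each copy yields. Row counts and file names are constructed for the demonstration.

```python
"""Added example, not the lab's own code: why a SQLite database must be collected
together with its -wal and -shm sidecars.

A database is created in WAL mode, 126 rows are committed and checkpointed into
the main file, then 2 more rows are committed but left in the WAL.  Copy A takes
only messages.db; copy B takes messages.db, messages.db-wal and messages.db-shm.
Opening each copy the way a parser would shows 126 rows versus 128 rows."""
import os
import shutil
import sqlite3
import tempfile


def _row_count(db_path: str) -> int:
    """Open a copied database exactly as a parser would and count the rows it can see."""
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    finally:
        conn.close()


def _copy_database(src_db: str, dst_db: str, include_sidecars: bool) -> None:
    """Simulate two acquisition styles: main file only, or main file plus -wal/-shm."""
    shutil.copyfile(src_db, dst_db)
    if include_sidecars:
        for suffix in ("-wal", "-shm"):
            if os.path.exists(src_db + suffix):
                shutil.copyfile(src_db + suffix, dst_db + suffix)


def wal_visibility_demo(checkpointed_rows: int = 126, wal_only_rows: int = 2) -> tuple:
    """Return (rows visible without the WAL, rows visible with the WAL)."""
    workdir = tempfile.mkdtemp(prefix="wal-demo-")
    live = None
    try:
        src = os.path.join(workdir, "messages.db")
        # isolation_level=None: every statement commits immediately, so rows land in the WAL.
        live = sqlite3.connect(src, isolation_level=None)
        live.execute("PRAGMA journal_mode=WAL")
        live.execute("PRAGMA wal_autocheckpoint=0")  # no automatic checkpoint behind our back
        live.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, body TEXT)")
        live.executemany("INSERT INTO messages(body) VALUES (?)",
                         [(f"message {i}",) for i in range(checkpointed_rows)])
        live.execute("PRAGMA wal_checkpoint(TRUNCATE)")  # first batch is now in messages.db
        live.executemany("INSERT INTO messages(body) VALUES (?)",
                         [(f"late message {i}",) for i in range(wal_only_rows)])
        # Keep `live` open: closing the last connection checkpoints and deletes the WAL,
        # which is exactly what a careless on-device export does before the copy is taken.
        copy_a = os.path.join(workdir, "main-only", "messages.db")
        copy_b = os.path.join(workdir, "with-sidecars", "messages.db")
        for target in (copy_a, copy_b):
            os.makedirs(os.path.dirname(target))
        _copy_database(src, copy_a, include_sidecars=False)
        _copy_database(src, copy_b, include_sidecars=True)
        return _row_count(copy_a), _row_count(copy_b)
    finally:
        if live is not None:
            live.close()
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    without_wal, with_wal = wal_visibility_demo()
    print(f"main file only: {without_wal} rows; main file + sidecars: {with_wal} rows")
```

The same mechanism is the first thing to rule out when two tools report different record counts for the same database, as in the tool validation example further down: check whether each tool was handed the sidecar files before treating the gap as a parser defect.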

Research Foundation

This project is informed by the following works:

  1. Prince Kumar, Ritushree Narayan, and Ekbal Rasid, "Android Forensics: A Literature Review of Methodologies and Tool Efficacy," International Journal of Advanced Networking and Applications, 17(4), 7045-7054, 2026. DOI: 10.35444/IJANA.2025.17407
  2. Silvialucia Sanna, "Artificial Intelligence for Android Stealth-Attack Detection: A Digital Forensics Approach," doctoral thesis, Sapienza University of Rome, 2026. Repository record
  3. Ozge Gunay, Batuhan Gul, and Fatih Ertam, "Comparative Analysis of Digital Forensics Methods on Android Devices," Firat University Journal of Experimental and Computational Engineering, 5(1), 1-25, 2026. DOI: 10.62520/fujece.1600312
  4. Dong Bin Oh, Somi Lim, Suji Lee, Yesong Jo, Gahyun Choi, Bumyun Kim, and Huy Kang Kim, "Forensic Analysis and Evaluation of File-Wiping Applications in Android OS," Journal of Forensic Sciences, 71(1), 338-352, 2026. DOI: 10.1111/1556-4029.70174
  5. Akashdeep Bhardwaj and Keshav Kaushik, Practical Digital Forensics: Forensic Lab Setup, Evidence Analysis, and Structured Investigation Across Windows, Mobile, Browser, HDD, and Memory, BPB Publications, 2023. Book record

Application Routes

  • / - dashboard and workflow overview
  • /audit - expert field-pain-point audit
  • /casework - forensic readiness assessment
  • /acquisition - Android acquisition feasibility planner
  • /artifacts - artifact triage matrix
  • /workbench - scenario command workbench
  • /validation - parser and tool discrepancy validator
  • /report-readiness - defensible report release checklist
  • /methods - acquisition and analysis method comparison
  • /wiping - Android file-wiping evidence evaluation
  • /timeline - timeline fusion and reconstruction
  • /ledger - evidence manifest ledger root
  • /research - research alignment and evidence feature model
  • /health - service health check

JSON APIs

GET /api/summary
GET /api/expert-audit
POST /api/assess
POST /api/acquisition-readiness
POST /api/artifact-triage
POST /api/command-workbench
POST /api/tool-validation
POST /api/report-readiness
POST /api/method-compare
POST /api/timeline-fusion
POST /api/wiping-evaluation
POST /api/hash-ledger

Example method comparison request:

{
  "deleted_data_needed": true,
  "cloud_relevant": true,
  "malware_suspected": true,
  "wiping_suspected": true,
  "selected_features": ["deleted-unallocated", "malware-indicators", "browser-app-data"]
}

Example evidence ledger request:

{
  "case_name": "Android evidence manifest",
  "manifest": [
    {
      "path": "/extraction/data/com.example/app.db",
      "sha256": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
    }
  ]
}
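The ledger endpoint takes a manifest of paths and SHA-256 digests and returns a single root that changes if any entry changes. The following added example, written in Python independently of the lab's PHP implementation, shows one deterministic Merkle-style construction over such a manifest; the leaf encoding, pairing rule and checkpoint shape are assumptions for illustration and may differ from what `/api/hash-ledger` does internally. The manifest entries are constructed sample data extending the single-entry request above.

```python
"""Added example, not the lab's own code: a deterministic Merkle-style SHA-256
root over an evidence manifest shaped like the /api/hash-ledger request.

Assumed construction (the lab's own encoding may differ):
  leaf = SHA-256("<path>\n<sha256hex>") over entries sorted by path
  node = SHA-256(left_bytes || right_bytes); an odd trailing node is carried up unchanged
Sorting makes the root independent of the order the client listed the files;
binding the path into the leaf means a relocated or swapped file changes the root."""
import hashlib

_HEX_DIGITS = frozenset("0123456789abcdef")


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_entry(entry: dict) -> None:
    """Reject manifest entries a ledger must not silently accept."""
    path = entry.get("path")
    digest = str(entry.get("sha256", "")).lower()
    if not isinstance(path, str) or not path:
        raise ValueError(f"manifest entry has no path: {entry!r}")
    if len(digest) != 64 or not set(digest) <= _HEX_DIGITS:
        raise ValueError(f"invalid sha256 for {path}: {digest!r}")


def leaf_hash(entry: dict) -> str:
    """Leaf binds path and content hash together."""
    validate_entry(entry)
    return _sha256_hex(f"{entry['path']}\n{entry['sha256'].lower()}".encode("utf-8"))


def merkle_root(manifest: list) -> str:
    """Deterministic root: same set of (path, sha256) pairs always yields the same value."""
    if not manifest:
        raise ValueError("manifest is empty")
    paths = [e.get("path") for e in manifest]
    if len(set(paths)) != len(paths):
        raise ValueError("duplicate paths in manifest")
    level = [leaf_hash(e) for e in sorted(manifest, key=lambda e: e["path"])]
    while len(level) > 1:
        nxt = [_sha256_hex(bytes.fromhex(level[i] + level[i + 1]))
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # carry the odd node up rather than duplicating it
        level = nxt
    return level[0]


def ledger_checkpoint(case_name: str, manifest: list) -> dict:
    """Checkpoint record shape assumed for this example (not the lab's schema)."""
    return {
        "case_name": case_name,
        "entries": len(manifest),
        "algorithm": "sha256-merkle-sorted-paths",
        "root": merkle_root(manifest),
    }


def verify_checkpoint(checkpoint: dict, manifest: list) -> bool:
    """Recompute the root from the manifest as held now and compare with the recorded root."""
    return merkle_root(manifest) == checkpoint["root"]


# Constructed sample manifest; the digests are placeholders, as in the request above.
SAMPLE_MANIFEST = [
    {"path": "/extraction/data/com.example/app.db", "sha256": "b" * 64},
    {"path": "/extraction/data/com.example/app.db-wal", "sha256": "c" * 64},
    {"path": "/extraction/data/com.example/shared_prefs/settings.xml", "sha256": "d" * 64},
]

if __name__ == "__main__":
    checkpoint = ledger_checkpoint("Android evidence manifest", SAMPLE_MANIFEST)
    print(checkpoint["root"])
```

Recording only the root in the case file is what makes the checkpoint useful: a later re-hash of the extraction directory is compared against one value, and any altered, added or moved file is detected without the original manifest having to be trusted.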

Example command workbench request:

{
  "scenario_name": "Locked Android wiping and stealth review",
  "locked_device": true,
  "deleted_data_needed": true,
  "malware_suspected": true,
  "memory_needed": true,
  "wiping_suspected": true,
  "active_network": true,
  "time_sensitive": true
}

Example acquisition readiness request:

{
  "android_version": "14",
  "lock_state": "locked-before-first-unlock",
  "fbe_enabled": true,
  "usb_debugging": false,
  "cloud_authority": true,
  "wiping_suspected": true
}

Example tool validation request:

{
  "results": [
    {
      "tool": "Forensic Suite A",
      "artifact": "Messages database",
      "count": 128,
      "hash": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "confidence": "High"
    },
    {
      "tool": "Manual SQLite Review",
      "artifact": "Messages database",
      "count": 126,
      "hash": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "confidence": "Medium"
    }
  ]
}
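The request above carries two results for the same artifact with identical input hashes but counts of 128 and 126. The added example below, in Python and not the lab's own `/api/tool-validation` logic, shows one way to turn such results into a release decision: a hash mismatch means the tools did not examine the same bytes, a count gap above tolerance is a parser disagreement that must be reconciled, and an artifact reported by a single tool is uncorroborated. The decision rules and output shape are assumptions for illustration; the result rows are the constructed sample from the request.

```python
"""Added example, not the lab's own code: tool discrepancy validation over results
shaped like the /api/tool-validation request.

Assumed rules:
  * different input hashes for one artifact  -> release-blocking (not the same bytes)
  * same hash, count gap above max_count_gap -> release-blocking until reconciled
  * only one tool reported the artifact      -> uncorroborated, not blocking"""
from collections import defaultdict

CONFIDENCE_RANK = {"Low": 1, "Medium": 2, "High": 3}


def validate_tool_results(results: list, max_count_gap: int = 0) -> dict:
    """Group results by artifact and decide whether any disagreement blocks release."""
    by_artifact = defaultdict(list)
    for r in results:
        by_artifact[r["artifact"]].append(r)

    findings = []
    for artifact, rows in sorted(by_artifact.items()):
        hashes = {str(r["hash"]).lower() for r in rows}
        counts = {r["tool"]: int(r["count"]) for r in rows}
        gap = max(counts.values()) - min(counts.values())
        # The highest-confidence result is the one to lead the reconciliation from, not to trust blindly.
        best = max(rows, key=lambda r: CONFIDENCE_RANK.get(r.get("confidence"), 0))
        reasons = []
        if len(rows) < 2:
            reasons.append("only one tool reported this artifact; no corroboration")
            status = "uncorroborated"
        else:
            if len(hashes) > 1:
                reasons.append("tools examined different inputs (hash mismatch); rerun on the same bytes")
            if gap > max_count_gap:
                reasons.append(f"count gap {gap} exceeds tolerance {max_count_gap}; "
                               "explain it (WAL, recovered rows, parser defect) before release")
            status = "release-blocking" if reasons else "agreed"
        findings.append({
            "artifact": artifact,
            "status": status,
            "count_gap": gap,
            "counts": counts,
            "highest_confidence_tool": best["tool"],
            "reasons": reasons,
        })
    return {
        "release_blocked": any(f["status"] == "release-blocking" for f in findings),
        "findings": findings,
    }


# Constructed sample results, copied from the request above.
SAMPLE_RESULTS = [
    {"tool": "Forensic Suite A", "artifact": "Messages database", "count": 128,
     "hash": "a" * 64, "confidence": "High"},
    {"tool": "Manual SQLite Review", "artifact": "Messages database", "count": 126,
     "hash": "a" * 64, "confidence": "Medium"},
]

if __name__ == "__main__":
    report = validate_tool_results(SAMPLE_RESULTS)
    for finding in report["findings"]:
        print(finding["artifact"], finding["status"], finding["reasons"])
    print("release blocked:", report["release_blocked"])
```

The tolerance is deliberately zero by default: a two-row gap on a messages database is exactly the size of discrepancy that comes from one tool reading the WAL and the other not, and the report should carry that explanation rather than a rounded-off agreement.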

Local Run

With PHP installed:

php -S 127.0.0.1:8098 -t public

With Docker:

docker compose up --build

Then open http://127.0.0.1:8098.

Configuration

Copy .env.example to .env and update database values if persistence is required. The platform works without a database for assessment and API calculations; database connectivity enables persistence and audit records.

Validation

php bin/lint.php
php bin/test.php

The test suite validates catalog integrity, expert audit coverage, acquisition feasibility, artifact triage, tool discrepancy validation, report readiness, command workbench behavior, timeline fusion, scoring behavior, method ranking, file-wiping classification, deterministic hash-ledger behavior, database migrations, seed data, and public-facing text hygiene.

Portfolio and Professional Profile

This repository is part of the professional portfolio of Musaab Hasan, focused on cybersecurity, digital forensics, AI governance, EdTech, secure platforms, and research-driven digital transformation.

Professional profile and research portfolio: https://musaab.info
