There are different types of root access available for Android devices. Most commercial forensic tools offer a temporary root, which allows temporary superuser access to the device. These temporary roots are supposed to “go away” upon reboot. However, traces are left behind for both temporary and full roots, and we look at this further later in this section. Temporary roots are also called shell roots or soft roots. Note: if you conduct covert operations and are worried about leaving a footprint behind, you should not root the device. You will leave permanent traces on the phone.

A full root provides persistent root access to the device. This means that, even when the device is rebooted, the device remains rooted. However, how persistent are these roots? Even if a root is removed, traces will be left behind. As expected, traces of a full root are commonly the easiest to detect. For modern devices, it is almost impossible to fully root a device without losing some form of data.

Use caution when downloading and installing roots on the device, as you may lose all user data, be forced to restore the original ROM on the device, and be left with nothing. Before rooting a device for physical access, make sure you have acquired the data in all other ways possible. This way, should the device become damaged or the user data get wiped, you know you acquired all data possible for that device and Android version. If you are trying to find a root in the wild, we have had the best success with https://desktop.firmware.mobi/. Co-author Domenica Crognale did a webcast on root access, using Android emulators, and creating test data for application testing. It can be found here: https://www.sans.org/webcasts/building-android-application-testing-toolbox-106515.