The first step in acquiring an Android device is to determine whether USB Debugging is enabled. If the device is locked, it may not be possible to determine this manually; in that case, simply attempt the acquisition. If USB Debugging is enabled, you can bypass any lock on the device. All communications must be disabled on the device. Make sure you know the forensic acquisition tool you choose and understand the actions it takes against the device to obtain the acquisition (for example, will the tool root the device? Will the root be permanent?).
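One way to record the USB Debugging state in the examiner's notes before choosing an acquisition method, as an added example that is not part of the original text: it classifies the output of `adb devices`. The function names are hypothetical and the sample serials are constructed.

```shell
#!/bin/sh
# Added example: classify `adb devices` output (read on stdin) for case notes.
# Emits one tab-separated line per device: serial, state, interpretation.
classify_adb_devices() {
    awk '
        # Skip the header, adb daemon start-up messages and blank lines.
        /^List of devices attached/ || /^\* daemon/ || NF < 2 { next }
        {
            serial = $1; state = $2
            if ($2 == "no" && $3 == "permissions") state = "no permissions"
            if (state == "device")
                note = "debugging enabled and this host is authorized"
            else if (state == "unauthorized")
                note = "debugging enabled, host key not accepted on device"
            else if (state == "offline")
                note = "listed by adb but not responding"
            else if (state == "recovery")
                note = "booted into recovery, not the normal system"
            else if (state == "no permissions")
                note = "host-side USB permission problem, fix and retry"
            else
                note = "unrecognized state, record as-is"
            printf "%s\t%s\t%s\n", serial, state, note
        }'
}

# One-word summary: did any listed device expose adb from the running system?
debugging_summary() {
    if classify_adb_devices |
        awk -F'\t' '$2=="device" || $2=="unauthorized" || $2=="offline"' |
        grep -q .; then
        echo "usb-debugging-enabled"
    else
        echo "no-adb-device-seen"
    fi
}

# Constructed sample of `adb devices` output (serials are placeholders).
sample_adb_output() {
    printf 'List of devices attached\nEXAMPLE0001\tdevice\n'
    printf 'EXAMPLE0002\tunauthorized\nEXAMPLE0003\toffline\n\n'
}

# Pass --live to query a connected device; otherwise run on the sample.
if [ "${1:-}" = "--live" ]; then
    adb devices | classify_adb_devices
else
    sample_adb_output | classify_adb_devices
fi
```

An empty result means only that no adb interface was seen from this host; cabling and driver problems produce the same output as USB Debugging being disabled.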

The preferred acquisition order is normally physical, followed by a file system acquisition should the physical fail. However, if you conduct covert operations, a physical acquisition may leave the largest footprint, and you may want to avoid it. A logical acquisition should be performed every time if you are worried about encryption! The logical acquisition provides examiners with pointers for parsing and decoding raw images that aren't supported by the tool. Finally, the SD card and SIM card(s) should be removed and acquired using a standard forensic tool. FTK Imager is free and works well. Acquiring the SD card through the device creates longer acquisition times and may update the Last Accessed timestamps for the files resident on the SD card. The larger the SD card, the longer the acquisition. For more information on recommended steps, check out the blog posts by Heather Mahalik on smarterforensics.com/blogs.