Each installed application should be triaged or quickly examined for relevance in the investigation. Remember that your forensic tool most likely does not parse all data from applications on the device. Your job is to ensure that data is not overlooked. The best way to do this is to examine the installed applications on the device. Often, a tool pulls the names of user-installed applications that are not custom to the device. This is a good starting point.

From there, examine the application folders on the SD card in the /mnt or NONAME partition, which contains a folder for each application. If the device cannot accept an SD card, examine the USERDATA/media directory. The device USERDATA/data directories must also be examined for relevance to the investigation. Consider applications used for communication and multimedia sharing as a starting point. Section 5 of this course, on third-party applications, delves deeper into this topic.

A physical keyword search for *.apk can be conducted; it provides hits for most applications present on the device. Most .apk files contain an AndroidManifest.xml file, which contains essential information about the application. This includes shared preferences, the unique application UID, GID, and more. The AndroidManifest.xml file can be examined by unpacking the .apk file, as you will learn in the Mobile Malware section (Section 4) of this course.
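As a file-system-level complement to the keyword search, the following added example (not part of the course material) walks an extracted file system, hashes every file named *.apk, and records whether it opens as an archive and carries an AndroidManifest.xml in compiled binary form. The directory layout, package names, and the `build_sample` helper are constructed for illustration.

```python
import hashlib
import zipfile
from pathlib import Path

AXML_MAGIC = b"\x03\x00\x08\x00"  # first bytes of a compiled (binary XML) manifest


def inventory_apks(root):
    """Describe every *.apk under an extracted file system, reading only."""
    root = Path(root)
    report = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() != ".apk":
            continue
        entry = {"path": path.relative_to(root).as_posix(),
                 "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                 "valid_zip": False, "has_manifest": False, "binary_manifest": False}
        try:
            with zipfile.ZipFile(path) as apk:
                entry["valid_zip"] = True
                if "AndroidManifest.xml" in apk.namelist():
                    entry["has_manifest"] = True
                    with apk.open("AndroidManifest.xml") as fh:
                        entry["binary_manifest"] = fh.read(4) == AXML_MAGIC
        except zipfile.BadZipFile:
            pass  # truncated or renamed file: keep it in the report for review
        report.append(entry)
    return report


def needs_manual_review(report):
    """APK-named files that did not open as an archive or lack a manifest."""
    return [e["path"] for e in report if not (e["valid_zip"] and e["has_manifest"])]


def build_sample(root):
    """Constructed sample tree; package names and paths are made up."""
    root = Path(root)
    good = root / "USERDATA/app/com.example.chat-1/base.apk"
    bare = root / "USERDATA/media/0/Download/notes.APK"
    junk = root / "USERDATA/media/0/Download/update.apk"
    for p in (good, bare, junk):
        p.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(good, "w") as z:
        z.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 12)
    with zipfile.ZipFile(bare, "w") as z:
        z.writestr("readme.txt", "no manifest here")
    junk.write_bytes(b"PK\x03\x04 truncated download")
```

Point `inventory_apks` at the mounted or exported file system of a working copy, then compare the returned paths and hashes against the application list your forensic tool produced; anything returned by `needs_manual_review` deserves a closer look by hand.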