Android Cache Taxonomy and Forensic Process

Android is one of the most popular and widely used mobile operating systems and one of the most actively researched products in the field of mobile forensics. However, analysis of Android caches has been, to date, an understudied research topic, which limits its potential use in forensic investigations. Due to the diversity of cache formats on Android, we propose a cache taxonomy based on app usage. Using this taxonomy as a base, a systematic process, known as the Android Cache Forensic Process, is proposed to forensically classify, extract and analyze Android caches. Various cache formats utilized by 11 popular Android apps are analyzed. As part of this analysis, a number of cache formats are decoded and several cache formats commonly used by Android apps are documented from a forensic perspective. Based on our technical findings, an Android Cache Viewer prototype was also developed. This prototype is able to decode a number of Android cache formats and display the contents in an accessible manner.