Android Cell Phone Rapid Response Guide

This guide outlines best practices for preserving Android devices after a collision to protect forensic data. Due to frequent software updates and manufacturer variations, steps may vary. Consult a cell phone forensic expert for up-to-date guidance. If any step cannot be completed, place the device in a Faraday bag (available online) to isolate it from radio signals.

Preservation Checklist

[ ] Backup completed (Samsung Cloud or Google)

[ ] Credentials obtained and documented

[ ] Airplane Mode enabled

[ ] Wi-Fi disabled (including auto-reconnect)

[ ] Bluetooth disabled (all related settings)

[ ] SIM card removed (if applicable)

[ ] Automatic updates disabled

[ ] Developer Mode enabled and auto-update disabled

[ ] Auto Blocker disabled (if applicable)

[ ] Device powered off

[ ] Device and SIM card (if applicable) placed in Faraday bag

[ ] Chain of custody documented

1. Background

Preserving a device immediately after a collision is critical because:

  • Android devices store perishable data (e.g., call logs, messages, app usage) in databases with overwrite periods of 7 to 30 days.
  • These databases contain granular user interactions that may indicate whether device use contributed to the incident.
  • Proper preservation prevents data alteration, remote wiping, or automatic updates that could hinder forensic analysis.

2. Backing Up the Device

Backing up allows the client to preserve selected content (e.g., contacts, photos, settings) for transfer to a new device. Do not factory reset or remote wipe the device, as this will destroy forensic evidence.

Option 1: Samsung Devices (Temporary Cloud Backup)

  • Navigate: Settings → General Management → Reset → Temporary Cloud Backup
  • Tap "Backup Data" (data retained for 30 days)
  • Wait for backup to complete

Option 2: Google Backup (Requires Gmail Account)

  • Navigate: Settings → Accounts and Backup → Back Up Data
  • Ensure "Backup by Google One" is toggled on (limited to 15 GB free storage)
  • Tap "Back Up Now"
  • Wait for backup to complete

Note: For larger backups, a paid Google One plan may be required.

Important: Backups may not include all app or system data. Confirm backup completion before proceeding.

3. Preservation Steps

Follow these steps to isolate the device from networks and prevent data alteration. Document all actions for the forensic examiner.

3.1 Obtain Credentials

  • Request the client's PIN, passcode, or pattern to unlock the device
  • Document credentials securely for the forensic examiner

Note: Biometric data (fingerprint, face unlock) cannot be used for forensic access.

3.2 Enable Airplane Mode

  • Navigate: Settings → Network and Internet → Airplane Mode → Toggle ON

Note: Menu paths may vary by manufacturer (Samsung, Google, OnePlus, etc.).

3.3 Disable Wi-Fi

  • Navigate: Settings → Network and Internet → Internet → Wi-Fi → Toggle OFF
  • Additional Step: Navigate: Settings → Network and Internet → Internet → Network Preferences → Turn Wi-Fi On Automatically → Toggle OFF

3.4 Disable Bluetooth

  • Navigate: Settings → Connected Devices → Connection Preferences → Bluetooth → Use Bluetooth → Toggle OFF
  • Additional Steps: Navigate: Settings → Location → Location Services → Bluetooth Scanning → Toggle OFF
  • Navigate: Settings → Connected Devices → Connection Preferences → Bluetooth → Automatically Turn On Tomorrow → Toggle OFF

3.5 Remove SIM Card (If Applicable)

  • Inspect the device's outer perimeter for a SIM tray
  • If present, use a SIM card removal tool or paperclip to eject the SIM card
  • Keep the SIM card with the device for submission to the forensic examiner

Note: Some newer Android models use eSIM technology with no physical SIM card. Airplane Mode is sufficient for isolation in these cases.

3.6 Disable Automatic Updates

Preventing software updates ensures forensic tools can access the device, as updates may introduce new security features.

Basic Settings:

  • Navigate: Settings → Software Update → Auto Download Over Wi-Fi → Toggle OFF

Enable Developer Mode and Disable System Updates:

  • Navigate: Settings → About Phone → Software Information → Build Number
  • Tap "Build Number" 7 times to enable Developer Mode
  • You'll see "Developer Mode has been enabled"
  • Navigate: Settings → Developer Options → Auto Update System → Toggle OFF

Note: Developer Mode steps may vary slightly by manufacturer. Avoid altering other settings.

3.7 Disable Auto Blocker (Samsung Devices)

This feature may limit forensic access and should be disabled if present.

  • Navigate: Settings → Security and Privacy → Auto Blocker → Toggle OFF

Note: Not all Android devices have Auto Blocker. Skip if not applicable.

3.8 Power Off the Device

After completing all steps, power off the device to prevent further activity.

  • Press and hold the power button, then tap "Power Off"
  • Place the powered-off device and SIM card (if applicable) in a Faraday bag for transport

4. Chain of Custody

Document the device's details:

  • Make and model (e.g., Samsung Galaxy S24, Google Pixel 8)
  • Serial number (Settings → About Phone)
  • IMEI number (if available)
  • Time of collection
  • Name of custodian

Maintain a secure chain of custody to ensure forensic admissibility. Submit the device, SIM card (if applicable), credentials, and documentation to the forensic examiner.
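
One way to keep the custody record described above, as an added example that is not part of the original guide: each entry is hash-linked to the previous one so later edits are detectable, and a 15-digit IMEI is checked against its Luhn check digit to catch transcription errors. The field names, custodian name and IMEI are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash value used by the first entry

def imei_is_valid(imei: str) -> bool:
    """Luhn check on a 15-digit IMEI; catches most transcription errors."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(imei):
        d = int(ch)
        if i % 2 == 1:  # every second digit, counting left from the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _digest(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(log: list, custodian: str, action: str, **details) -> dict:
    """Append a custody event; its hash covers the previous entry's hash."""
    if "imei" in details and not imei_is_valid(details["imei"]):
        raise ValueError("IMEI fails check digit; re-read it from the device")
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "custodian": custodian,
        "action": action,
        "details": details,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log: list) -> bool:
    """True if every entry still matches its hash and links to the one before."""
    prev = GENESIS
    for entry in log:
        if entry["prev_hash"] != prev or entry["hash"] != _digest(entry):
            return False
        prev = entry["hash"]
    return True

if __name__ == "__main__":
    log = []  # constructed sample values, not from a real device
    add_entry(log, "J. Doe", "collected", model="Google Pixel 8", imei="490154203237518")
    add_entry(log, "J. Doe", "placed in Faraday bag")
    print(json.dumps(log, indent=2), verify(log))
```

The hash chain only shows that the record was altered after the fact; it does not replace signed handover forms or the examiner's own intake process.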

5. Additional Resources

  • Android Help: support.google.com/android
  • Samsung Support: www.samsung.com/support (for Samsung devices)
  • Google Support: support.google.com/pixelphone (for Pixel devices)
  • Consult a forensic expert for device-specific guidance or troubleshooting
