Self-service forensics


WARD is a modular, open-source tool for behavioural mobile forensics, Android artefact acquisition, and self-service device triage. It is developed by BARGHEST to make threat research and forensic capability more accessible to civil society, journalists, researchers, and public-interest defenders, particularly in majority world contexts where access to specialist forensic labs is limited.

WARD is inspired by the practical utility of AndroidQF, but extends the workflow toward behavioural analysis. Rather than relying only on vendor telemetry, malware signatures, or preloaded indicators of compromise, WARD collects live-state Android artefacts and applies heuristics that help surface patterns consistent with spyware, unwanted monitoring, exploitation attempts, or suspicious post-compromise activity.

The goal is not to replace expert forensic review. The goal is to lower the first barrier: preserve useful evidence, give frontline teams a structured triage path, and help decide when a case should be escalated for deeper analysis.

What WARD collects

WARD focuses on Android data that can be collected through consent-based, ADB-accessible workflows. Depending on the device state and collection mode, this may include:

  • Android bug reports and diagnostic output
  • Crash logs, tombstones, ANRs, and exploitation-adjacent crash patterns
  • Process and thread listings
  • Installed applications, package metadata, and permission state
  • System service state and configuration
  • Wi-Fi manager logs and selected network artefacts
  • Shell-accessible logs and live-state forensic artefacts

Behavioural analysis

WARD uses heuristic analysis to identify patterns that may deserve further review. Current and planned analysis areas include:

  • Memory analysis: suspicious in-memory DEX loading, secondary DEX files, shell-initiated code compilation, and other signs of dynamic code execution.
  • System security: persistence mechanisms, unusual services, suspicious app behaviour, and malware-like activity across system logs.
  • Permission analysis: dangerous permission combinations, privilege escalation attempts, and apps requesting access that appears excessive for their role.
  • Crash analysis: crash patterns that may indicate exploitation attempts, memory corruption, targeted parser attacks, or repeated failure around high-risk components.
  • Memory exploitation analysis: temporal clustering around native crashes, heap exploitation patterns, kernel-adjacent abuse, media parser crashes, WebView instability, and post-exploitation artefacts such as HPROF dumps or log tampering.
  • User and interaction analysis: anomalous device interaction patterns that may indicate abuse, remote control, or compromise.
  • System and process anomalies: optional checks for irregular process creation, unexpected runtime behaviour, and other suspicious system-level patterns.
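As an added illustration of the crash and memory exploitation heuristics listed above (example code, not WARD's own), the following Python groups native crash records from constructed logcat tombstone lines into time windows and flags clusters that involve media or WebView components; the process-name keywords, the five-minute window and the minimum count are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed logcat-style lines in `logcat -v threadtime` layout (not real device output).
SAMPLE_LOGCAT = """\
03-14 10:02:11.120  1833  1833 F DEBUG   : pid: 2211, tid: 2211, name: media.codec  >>> /vendor/bin/hw/android.hardware.media.omx@1.0-service <<<
03-14 10:02:40.512  1833  1833 F DEBUG   : pid: 2254, tid: 2254, name: media.codec  >>> /vendor/bin/hw/android.hardware.media.omx@1.0-service <<<
03-14 10:03:05.004  1833  1833 F DEBUG   : pid: 2301, tid: 2301, name: media.codec  >>> /vendor/bin/hw/android.hardware.media.omx@1.0-service <<<
03-14 10:03:07.330  1020  1020 I ActivityManager: Start proc 2350:com.example.mail/u0a123 for broadcast
03-14 14:45:00.000  1833  1833 F DEBUG   : pid: 3900, tid: 3900, name: com.example.app  >>> com.example.app <<<
"""

# Matches the header line the Android crash handler emits for a native crash.
CRASH_RE = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) .* F DEBUG\s*: pid: \d+, tid: \d+, name: \S+\s+>>> (\S+) <<<"
)

# Assumed keywords for components whose repeated native crashes merit escalation
# (media parsers and WebView are frequent targets of file-format and browser bugs).
HIGH_RISK = ("media", "omx", "codec", "webview")

def parse_crashes(text, year=2024):
    """Return (timestamp, process) pairs for every native crash header in the log."""
    crashes = []
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            # logcat timestamps carry no year, so the caller supplies one.
            ts = datetime.strptime(f"{year}-{m.group(1)}", "%Y-%m-%d %H:%M:%S.%f")
            crashes.append((ts, m.group(2)))
    return crashes

def cluster_crashes(crashes, window=timedelta(minutes=5), min_count=3):
    """Group crashes that start within `window` of a cluster's first crash; flag dense ones."""
    clusters, current = [], []
    for ts, proc in sorted(crashes):
        if current and ts - current[0][0] > window:
            clusters.append(current)
            current = []
        current.append((ts, proc))
    if current:
        clusters.append(current)
    findings = []
    for c in clusters:
        if len(c) < min_count:
            continue
        procs = sorted({p for _, p in c})
        high_risk = any(k in p.lower() for p in procs for k in HIGH_RISK)
        findings.append({"start": c[0][0], "end": c[-1][0], "count": len(c),
                         "processes": procs, "severity": "high" if high_risk else "medium"})
    return findings
```

A single isolated crash (the last sample line) produces no finding; three crashes of the media component inside one window produce one high-severity finding for an analyst to review.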

Google Pixel Intrusion Logging

WARD is being extended to support analysis of Google Pixel Intrusion Logging data from Android Advanced Protection Mode. Intrusion Logging can provide a stronger source of consensual forensic evidence when it has been enabled before a suspicious event or high-risk period.

This data can help investigators review security-relevant events such as:

  • Device unlocks and lock-state transitions
  • ADB shell usage and file transfer activity
  • Package installation and removal
  • Application process starts
  • DNS lookups and network connection events
  • Potential command-and-control or suspicious browsing activity

Intrusion Logging is not retroactive, and it is currently most relevant to supported Pixel devices running Android 16 or later with Advanced Protection Mode and Intrusion Logging enabled. Because these logs may include sensitive network and browsing history, WARD treats them as sensitive forensic artefacts and expects encrypted, consent-based handling.

When combined with a bug report or other Android artefacts, Intrusion Logging can help build a more complete timeline of device activity and improve confidence during triage.