I work for a research oriented company as Security operations centre analyst. I was asked to define a procedure to be followed by level 1 analysts for monitoring users who are testing rooted android devices by connecting them to their work stations. Can any one help me with any suggestion. Please try to explain me or point me towards right sources where I can get more information. Thank you.