
A Study on Common Android Emulators and Anti-Forensic Message-Hiding Applications

Abstract


Currently, mobile devices are widely used in various walks of life. The Android operating system has the highest share of the mobile operating system market. Android can be installed on physical mobile devices; however, Android mobile operating system emulators are also available. Users can install applications (APPs) in an emulator for convenient use without physical mobile devices. There are several message-hiding APPs (e.g., Wickr) that provide end-to-end encryption and message self-destruction mechanisms. Criminals can use these message-hiding APPs, with their anti-forensic features, to send secret messages. These message-hiding APPs, installed in an Android emulator to evade criminal investigation, make digital forensics very challenging. Investigators need to know how criminals install and use such emulators on physical devices, how criminals install and use message-hiding APPs in the emulator, and how messages can be. This study explores applications of digital forensic tools and forensic procedures to identify and analyze four message-hiding APPs installed in emulators: Wickr, Surespot, Cyber Dust, and ChatSecure. The emulators used in the study are AMIDuOS, Andy, BlueStacks App Player, Droid4X, Genymotion, KOPLAYER, Memu, Nox App Player, Windroy, Xamarin Android Player, and YouWave Android. Their forensic signatures and application characteristic values are sorted and summarized for digital forensics, so that digital forensic personnel can refer to this digital forensic method when analyzing criminal evidence from an Android emulator.
