Part 2 of 6 Estimated reading time: 25-30 minutes

Android Forensics

Master Android device forensics including file system architecture, app data locations, ADB (Android Debug Bridge) commands, and both logical and physical extraction methodologies.

Table of Contents

Android Architecture Overview

Android is an open-source mobile operating system based on a modified Linux kernel. Understanding its layered architecture is essential for effective forensic analysis. Each layer provides different access points and data sources for investigators.

Android Architecture Stack
Applications - User apps, System apps, Pre-installed apps | Browser, Contacts, Phone, Settings, Third-party apps Application Framework - Java API framework for app development | Activity Manager, Content Providers, Telephony Manager Native Libraries - C/C++ libraries | SQLite, WebKit, OpenGL, SSL, libc Android Runtime (ART) - Executes application code | Core Libraries, Dex Bytecode execution Hardware Abstraction Layer (HAL) - Hardware interface | Audio, Bluetooth, Camera, Sensors Linux Kernel - Foundation layer | Drivers, Power Management, Security, Memory Management

Security Model

Android implements a multi-layered security model that directly impacts forensic acquisition:

  • Application Sandboxing: Each app runs in its own Linux user context with unique UID
  • SELinux: Mandatory Access Control (MAC) restricting even root-level access
  • Verified Boot: Ensures device boots only authorized software
  • Full Disk Encryption (FDE): Encrypts entire /data partition (Android 5.0+)
  • File-Based Encryption (FBE): Encrypts individual files with different keys (Android 7.0+)
  • TrustZone: Hardware-isolated secure world for cryptographic operations
🤖 Android Version Considerations

Forensic capabilities vary significantly by Android version. Key milestones:

  • Android 5 (Lollipop): Introduced mandatory full disk encryption
  • Android 7 (Nougat): File-based encryption, Direct Boot
  • Android 10: Scoped storage restrictions
  • Android 11+: Enhanced privacy controls, one-time permissions

Android File System Structure

Android devices typically use ext4 or F2FS file systems for internal storage. Understanding the partition layout and directory structure is crucial for targeted evidence collection.

Primary Partitions

Partition Mount Point Purpose Forensic Value
boot N/A Kernel and ramdisk Low - System files only
system /system Android OS and pre-installed apps Medium - System app data
vendor /vendor Manufacturer customizations Low - Device-specific
data /data User data, app data, settings Critical - Primary evidence source
cache /cache Temporary files, OTA updates Medium - May contain deleted data
recovery N/A Recovery mode system Low - Recovery operations only

Key Directory Structure

/data Partition Structure (Primary Evidence Source)
/data /data/data/ - App-specific data directories /com.whatsapp/ - WhatsApp data /com.android.providers.contacts/ - Contacts database /com.android.providers.telephony/ - SMS/MMS database /data/user/0/ - Primary user data (symlink to /data/data) /data/system/ - System configuration and settings packages.xml - Installed apps list users/ - User account information /data/media/0/ - Internal storage (emulated) DCIM/ - Camera photos Download/ - Downloaded files WhatsApp/ - WhatsApp media /data/misc/ - Miscellaneous data wifi/ - WiFi configurations bluetooth/ - Bluetooth pairings /data/property/ - System properties /data/local/tmp/ - Temporary files (writable)

Application Data Locations

Each Android application stores data in specific locations based on the data type and sensitivity. Understanding these locations is essential for targeted evidence collection.

Private App Data

Located at /data/data/[package_name]/, this directory is accessible only to the app (without root):

Typical App Directory Structure Path 
/data/data/com.example.app/
    databases/    # SQLite databases - Primary data storage
    shared_prefs/ # XML preference files - Settings, tokens
    files/        # App-specific files
    cache/        # Temporary cached data
    lib/          # Native libraries
    no_backup/    # Data excluded from backups

Key Application Data Locations

💬

WhatsApp

/data/data/com.whatsapp/databases/msgstore.db - Messages
/data/media/0/WhatsApp/ - Media files

📞

Call Logs

/data/data/com.android.providers.contacts/databases/contacts2.db - Contains calls table

📩

SMS/MMS

/data/data/com.android.providers.telephony/databases/mmssms.db

🌐

Chrome Browser

/data/data/com.android.chrome/app_chrome/Default/ - History, Cookies, Login Data

📍

Location History

/data/data/com.google.android.gms/databases/ - Location cache and history

📷

Photos/Media

/data/media/0/DCIM/ - Camera photos
/data/media/0/Pictures/ - Screenshots, downloads

Android Debug Bridge (ADB)

ADB is a versatile command-line tool that enables communication with Android devices. For forensics, it provides a critical interface for logical acquisition and device examination.

⚠ Prerequisites for ADB Access

ADB access requires USB Debugging to be enabled on the device AND the forensic workstation to be authorized. If the device is locked without prior authorization, ADB may not be accessible.

Essential ADB Commands for Forensics

Device Connection and Status ADB 
# Check connected devices
adb devices -l
List of devices attached
XXXXXXXXX       device usb:1-1 product:device model:Pixel_6

# Get device information
adb shell getprop ro.product.model
adb shell getprop ro.build.version.release
adb shell getprop ro.serialno

# Check root status
adb shell su -c "id"
Data Extraction Commands ADB 
# Create full backup (requires user confirmation on device)
adb backup -apk -shared -all -f full_backup.ab

# Pull specific files/directories
adb pull /sdcard/DCIM/ ./extracted_photos/
adb pull /sdcard/Download/ ./extracted_downloads/

# Pull app data (requires root)
adb shell su -c "cp /data/data/com.whatsapp/databases/msgstore.db /sdcard/"
adb pull /sdcard/msgstore.db

# List installed packages
adb shell pm list packages -f

# Get package information
adb shell dumpsys package com.whatsapp
Forensic Data Collection ADB 
# Dump call log (requires permissions)
adb shell content query --uri content://call_log/calls

# Dump SMS messages
adb shell content query --uri content://sms

# Get contacts
adb shell content query --uri content://contacts/phones

# Capture screenshot
adb shell screencap /sdcard/screen.png
adb pull /sdcard/screen.png

# Record screen (Android 4.4+)
adb shell screenrecord /sdcard/recording.mp4

# Get system logs (for activity analysis)
adb logcat -d > device_logs.txt

# Dump bug report (comprehensive system state)
adb bugreport > bugreport.zip

Logical Extraction Methods

Logical extraction retrieves data through the Android operating system using standard APIs and interfaces. While less comprehensive than physical extraction, it's faster and works on more devices.

ADB Backup Method

1

Enable USB Debugging

Navigate to Settings > Developer Options > USB Debugging (must be enabled by user or have prior authorization)

2

Authorize Workstation

Connect device and accept RSA key fingerprint prompt on device screen

3

Execute Backup Command

Run: adb backup -apk -shared -all -f backup.ab (user must confirm on device)

4

Convert and Analyze

Use Android Backup Extractor (ABE) to convert .ab file to .tar for analysis

💡 ADB Backup Limitations

Many apps now set allowBackup="false" in their manifest, preventing data extraction via ADB backup. Critical apps like WhatsApp, banking apps, and many social media apps block this method. Always verify what data was actually captured.

Content Provider Extraction

Android Content Providers expose structured data through URIs. This method can retrieve contacts, SMS, call logs, and calendar data without root access:

Content Provider URIs for Common Data Reference 
# SMS Messages
content://sms
content://sms/inbox
content://sms/sent

# Call Log
content://call_log/calls

# Contacts
content://contacts/phones
content://com.android.contacts/contacts

# Calendar
content://calendar/events

# Browser Bookmarks (legacy)
content://browser/bookmarks

Physical Extraction Methods

Physical extraction creates a bit-by-bit image of the device storage, capturing all data including deleted files and unallocated space. This requires elevated access.

Root-Based Physical Extraction

If the device is rooted or can be temporarily rooted, the following methods are available:

DD Image Creation (Requires Root) ADB Shell 
# Identify partitions
adb shell su -c "ls -la /dev/block/by-name/"

# Create image of userdata partition
adb shell su -c "dd if=/dev/block/by-name/userdata of=/sdcard/userdata.img bs=4096"

# Pull the image
adb pull /sdcard/userdata.img

# Alternative: Stream directly to workstation (faster)
adb shell su -c "dd if=/dev/block/by-name/userdata bs=4096" > userdata.img

# Calculate hash for integrity
sha256sum userdata.img

Advanced Physical Methods

Method Requirements Data Access Risk Level
JTAG JTAG pins, specialized hardware Full memory access Medium - Non-destructive
Chip-off Desoldering equipment, chip readers Complete flash memory High - Destructive
ISP ISP pinout, specialized cables Full memory access Medium - Non-destructive
EDL Mode Qualcomm devices, firehose loaders Raw partition access Low - Non-destructive
Bootloader Exploits Device-specific vulnerabilities Varies by exploit Medium - May alter device
⚠ Encryption Considerations

Physical extraction of encrypted devices yields encrypted data. Without the decryption key (derived from user credentials), the data is unusable. On FBE devices, even with the key, some data remains encrypted until after first unlock (AFU state).

Key Forensic Artifacts

SQLite Databases

Most Android data is stored in SQLite databases. Key databases to examine:

💬

mmssms.db

SMS/MMS messages with timestamps, phone numbers, read status, and thread information

📞

contacts2.db

Contacts and call logs with duration, type (incoming/outgoing/missed), timestamps

🌐

History (Chrome)

Browsing history, search terms, download history, autofill data

📍

cache.db/gms

Location history, WiFi networks, significant locations visited

Other Important Artifacts

  • Shared Preferences (XML): App settings, authentication tokens, user preferences
  • accounts.db: Google and other account information
  • wifi/WifiConfigStore.xml: Saved WiFi networks with SSIDs (and sometimes passwords)
  • bluetooth/: Paired device information
  • Thumbnails: .thumbdata files may contain thumbnails of deleted images
  • Recents: Recent apps and activities
Key Takeaways
🎯 Key Takeaways
  • Android uses a layered architecture with the /data partition containing most forensic evidence
  • App data is stored in /data/data/[package_name]/ with SQLite databases as the primary storage format
  • ADB is essential for Android forensics but requires USB Debugging enabled and workstation authorization
  • Logical extraction via ADB backup has limitations - many apps block backup functionality
  • Content Providers allow extraction of contacts, SMS, and call logs without root access
  • Physical extraction requires root access or advanced hardware methods like JTAG/Chip-off
  • Encryption (FDE/FBE) on modern devices significantly complicates physical extraction
  • Always document device state, Android version, and extraction methods for court admissibility
Complete Section
Navigation