🤖 Part 3 of 6

Android Forensics

🕑 120-150 minutes 📖 Intermediate Level 📱 Module 2

Introduction

Android is the world's most popular mobile operating system, powering approximately 70% of smartphones globally, including a dominant market share in India. Understanding Android's architecture, file system, and data storage mechanisms is essential for effective mobile forensics.

📚 Learning Objectives

By the end of this part, you will understand Android's layered architecture, navigate the Android file system structure, analyze SQLite databases common in Android apps, and use ADB commands for forensic data extraction.

Android Architecture

Android is built on a modified Linux kernel and consists of multiple layers, each with forensic significance.

Android System Architecture
Applications Layer
User apps, System apps (Phone, Contacts, Messages) | Each app runs in its own sandbox
Application Framework
Activity Manager, Content Providers, Package Manager, Telephony Manager, Location Manager
Android Runtime (ART)
Dalvik Executable (DEX) bytecode | Ahead-of-Time (AOT) compilation | Core Java libraries
Hardware Abstraction Layer (HAL)
Camera, Audio, Bluetooth, Sensors, Graphics | Vendor-specific implementations
Linux Kernel
Process management, Memory management, Security (SELinux), Drivers, Binder IPC

Key Forensic Implications

  • App Sandboxing: Each app has a unique UID and isolated storage at /data/data/<package>/
  • Content Providers: Inter-app data sharing mechanism - contacts, calendar, SMS are shared this way
  • SELinux: Security-Enhanced Linux enforces mandatory access control, affecting forensic access
  • Encryption: File-Based Encryption (FBE) encrypts user data with credentials-derived keys

Android File System Structure

Android uses a hierarchical file system based on Linux. Understanding the directory structure is crucial for locating forensic artifacts.

/ (root)
  /data -- User data partition (forensically critical)
    /data/data/ -- App private data directories
      /com.whatsapp/databases/ -- WhatsApp databases
      /com.android.providers.contacts/
      /com.android.providers.telephony/
    /data/system/ -- System databases (accounts, settings)
      accounts.db -- User accounts
      locksettings.db -- Lock screen settings
    /data/misc/ -- Wi-Fi, Bluetooth configs
      /wifi/WifiConfigStore.xml
      /bluedroid/
    /data/media/0/ -- Internal storage (emulated)
  /system -- Android OS files (read-only)
    /app/ -- Pre-installed system apps
    /priv-app/ -- Privileged system apps
  /sdcard -- Symlink to /data/media/0 (user files)
  /cache -- Temporary cache, OTA updates
  /vendor -- Vendor-specific files

Key Forensic Locations

Data Type Location File/Database
Contacts /data/data/com.android.providers.contacts/databases/ contacts2.db
SMS/MMS /data/data/com.android.providers.telephony/databases/ mmssms.db
Call Logs /data/data/com.android.providers.contacts/databases/ calllog.db or contacts2.db
Browser History /data/data/com.android.chrome/app_chrome/Default/ History
Wi-Fi Networks /data/misc/wifi/ WifiConfigStore.xml
User Accounts /data/system/ accounts_ce.db, accounts_de.db
WhatsApp /data/data/com.whatsapp/databases/ msgstore.db, wa.db

SQLite Database Analysis

SQLite is Android's primary database format. Most app data, system settings, and communication records are stored in SQLite databases.

🤖 SQLite in Android

SQLite databases in Android use the .db extension and can contain multiple tables. Key forensic data includes messages, contacts, call logs, browsing history, and app-specific data. Deleted records may still exist until the database is vacuumed.

SMS/MMS Database Schema (mmssms.db)

mmssms.db - SMS Messages Table Structure
sms
_id INTEGER PRIMARY KEY
thread_id INTEGER -- Conversation thread
address TEXT -- Phone number
date INTEGER -- Unix timestamp (milliseconds)
date_sent INTEGER -- Sent timestamp
read INTEGER -- 0=unread, 1=read
type INTEGER -- 1=received, 2=sent
body TEXT -- Message content
seen INTEGER -- Display status

Contacts Database Schema (contacts2.db)

contacts2.db - Key Tables
contacts
_id INTEGER PRIMARY KEY
name_raw_contact_id INTEGER
times_contacted INTEGER
last_time_contacted INTEGER
starred INTEGER -- Favorite status
raw_contacts
_id INTEGER PRIMARY KEY
contact_id INTEGER REFERENCES contacts
account_name TEXT
account_type TEXT
deleted INTEGER
data
_id INTEGER PRIMARY KEY
raw_contact_id INTEGER
mimetype_id INTEGER -- Type of data
data1 TEXT -- Name/Phone/Email
data2 TEXT -- Additional info

SQLite Analysis Commands

SQLite3 Forensic Commands
# Open database
sqlite3 mmssms.db
# List all tables
.tables
# Show table schema
.schema sms
# Extract all SMS messages with readable timestamps
SELECT _id, address, datetime(date/1000, 'unixepoch', 'localtime') as time,
CASE type WHEN 1 THEN 'Received' WHEN 2 THEN 'Sent' END as direction,
body FROM sms ORDER BY date;
# Search for deleted records (if WAL exists)
PRAGMA wal_checkpoint;
# Export to CSV
.mode csv
.output sms_export.csv
SELECT * FROM sms;
Timestamp Conversion

Android typically stores timestamps in Unix epoch format with millisecond precision. To convert: divide by 1000 for standard Unix time. Many SQLite tools and forensic software handle this automatically, but always verify timestamp interpretation.

ADB for Forensic Extraction

Android Debug Bridge (ADB) is a command-line tool for communicating with Android devices. It's essential for forensic data extraction when device access is available.

Enabling ADB Access

  • Developer Options: Settings > About Phone > Tap Build Number 7 times
  • USB Debugging: Settings > Developer Options > Enable USB Debugging
  • Authorization: Device must authorize the computer's RSA key
  • Connection: Connect via USB cable to forensic workstation

Essential ADB Forensic Commands

ADB Device Connection
# Check connected devices
adb devices
List of devices attached
RF8M12345XY device
# Get device info
adb shell getprop ro.product.model
adb shell getprop ro.build.version.release
adb shell getprop ro.serialno
ADB Data Extraction
# Create ADB backup (limited, deprecated in newer Android)
adb backup -apk -shared -all -f backup.ab
# Pull files (requires root or app debuggable)
adb pull /sdcard/DCIM/ ./extracted_photos/
adb pull /sdcard/Download/ ./extracted_downloads/
# With root access - extract databases
adb shell su -c "cp /data/data/com.whatsapp/databases/msgstore.db /sdcard/"
adb pull /sdcard/msgstore.db ./
# List installed packages
adb shell pm list packages -f
# Extract specific APK
adb shell pm path com.whatsapp
adb pull /data/app/com.whatsapp-xxx/base.apk ./whatsapp.apk
ADB Shell Navigation
# Open shell
adb shell
# List files with permissions
ls -la /sdcard/
# Check storage usage
df -h
# View running processes
ps -A
# Network connections
netstat -an
# View system logs
logcat -d > /sdcard/logcat.txt
ADB Backup Limitations

Starting with Android 12, adb backup functionality is heavily restricted. Many apps opt out of backup, and system data is excluded. For comprehensive extraction, forensic tools with exploit capabilities or root access are typically required.

Important Android Artifacts

Beyond databases, Android stores valuable forensic artifacts in various locations and formats.

Key Artifact Locations

  • Wi-Fi Networks: /data/misc/wifi/WifiConfigStore.xml - Contains saved network names, passwords (on older versions), and connection history
  • Bluetooth Pairings: /data/misc/bluedroid/bt_config.conf - Paired device MAC addresses and names
  • Location Cache: Various locations depending on apps - Google Maps timeline, photo EXIF data
  • User Dictionary: /data/data/com.android.providers.userdictionary/databases/ - Custom words added by user
  • Clipboard: Stored in memory, may persist in some custom keyboards
  • Notifications: /data/system/notification_policy.xml and app-specific logs

Media File Metadata

Images and videos on Android contain valuable EXIF metadata:

  • GPS coordinates (if location enabled when captured)
  • Timestamp of creation
  • Device make and model
  • Camera settings
  • Thumbnail images
💡 Forensic Tool Recommendations

For comprehensive Android forensics, consider using tools like Cellebrite UFED, Oxygen Forensic Detective, MSAB XRY, or Magnet AXIOM. Open-source options include Autopsy with the Android Analyzer module, and ADB-based scripted extractions for accessible data.

📚 Key Takeaways
  • Android architecture consists of five layers: Applications, Framework, Runtime, HAL, and Linux Kernel
  • User data is primarily stored in /data/data/ with each app in its own sandboxed directory
  • SQLite is the primary database format - master understanding of schema and query techniques
  • Key databases: mmssms.db (SMS), contacts2.db (contacts), and app-specific databases
  • ADB is essential for extraction but has limitations on modern Android versions
  • Timestamps are typically Unix epoch in milliseconds - always verify conversion
  • Root access significantly expands forensic capabilities but may raise legal questions
  • Consider media metadata, Wi-Fi logs, and Bluetooth pairings as valuable artifacts
Previous: Mobile Acquisition Methods Next: iOS Forensics