Chapter 3. Understanding Data Storage on Android Devices

The primary goal of forensic analysis is to extract the necessary data from the device. Effective forensic analysis therefore requires knowing what kind of data is stored on the device, where and how it is stored, and the details of the filesystems that hold it. This knowledge lets a forensic analyst make an informed decision about where to look for data and which techniques to use to extract it. In this chapter, we will cover the following topics:

  • Android partition layout and file hierarchy
  • Application data storage on the device
  • An overview of the Android filesystem

Android partition layout

Partitions are logical storage units made inside the device's persistent storage memory. Partitioning allows you to logically divide the available space into sections that can be accessed independently of each other.

Common partitions in Android

The partition layout varies between vendors and versions. However, a few partitions are present on all Android devices. The following sections explain some of the common partitions found on most Android devices.

boot loader

This partition stores the phone's boot loader program. This program takes care of initializing the low-level hardware when the phone boots. Thus, it is responsible for booting the Android kernel and booting into other boot modes, such as the recovery mode, download mode, and so on.

boot

As the name suggests, this partition has the information and files required for the phone to boot. It contains the kernel and RAM disk. So, without this partition, the phone cannot start its processes.

recovery

The recovery partition allows the device to boot into the recovery console, through which activities such as phone updates and other maintenance operations are performed. For this purpose, a minimal Android boot image is stored. This boot image serves as a failsafe.

userdata

This partition is usually called the data partition and is the device's internal storage for application data. The bulk of user data is stored here, and this is where most of our forensic evidence will reside. It stores all app data and standard communications as well.

system

All the major components other than the kernel and RAM disk are present here. The Android system image here contains the Android framework, libraries, system binaries, and preinstalled applications. Without this partition, the device cannot boot into normal mode.

cache

This partition is used to store frequently accessed data and various other files, such as recovery logs and update packages downloaded over the cellular network.

radio

Devices with telephony capabilities have a baseband image stored in this partition that takes care of various telephony activities.

Identifying partition layout

For a given Android device, partition layout can be determined in a number of ways. The partitions file under /proc gives us details about all the partitions available on the device. The following screenshot shows the contents of the partitions file:

Partitions file in Android

The entries in the preceding screenshot show only the block names. To get a mapping of these blocks to their logical functions, check the contents of the by-name directory present under /dev/block/platform/dw_mmc. The following screenshot shows the contents of this directory:

Mapping of blocks to their logical functions

As you can see in the preceding output, various partitions such as system, user data, and so on are present in the partition layout.
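
The two listings described above can be joined into a single label-to-block-to-size table. The following Python sketch is an added example, not code from the book: the sample outputs are constructed (real labels, block numbers, and sizes differ per device), and the function names are hypothetical.

```python
import re

# Constructed sample of `cat /proc/partitions`; #blocks is in 1 KiB units.
PROC_PARTITIONS = """\
major minor  #blocks  name

 179        0   15388672 mmcblk0
 179        1       8192 mmcblk0p1
 179        2       8192 mmcblk0p2
 179        3    2097152 mmcblk0p3
 179        4    1048576 mmcblk0p4
 179        5   12189696 mmcblk0p5
 179        6      16384 mmcblk0p6
"""

# Constructed sample of `ls -l /dev/block/platform/dw_mmc/by-name`.
BY_NAME = """\
lrwxrwxrwx root root 2014-01-01 00:00 boot -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 2014-01-01 00:00 cache -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2014-01-01 00:00 radio -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 2014-01-01 00:00 recovery -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2014-01-01 00:00 system -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2014-01-01 00:00 userdata -> /dev/block/mmcblk0p5
"""

def parse_proc_partitions(text):
    """Return {block_name: size_in_KiB} from /proc/partitions content."""
    sizes = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows are: major minor #blocks name (header/blank lines skipped).
        if len(fields) == 4 and fields[0].isdigit():
            sizes[fields[3]] = int(fields[2])
    return sizes

def parse_by_name(text):
    """Return {label: block_name} from `ls -l` output of the by-name directory."""
    links = {}
    for line in text.splitlines():
        m = re.match(r"l.*\s(\S+)\s+->\s+(\S+)\s*$", line)  # symlink rows only
        if m:
            links[m.group(1)] = m.group(2).rsplit("/", 1)[-1]
    return links

def map_partitions(proc_text, by_name_text):
    """Return {label: (block_name, size_in_KiB or None if the block is unlisted)}."""
    sizes = parse_proc_partitions(proc_text)
    return {label: (blk, sizes.get(blk))
            for label, blk in parse_by_name(by_name_text).items()}

if __name__ == "__main__":
    for label, (blk, kib) in map_partitions(PROC_PARTITIONS, BY_NAME).items():
        print(f"{label:10} {blk:12} {kib} KiB")
```

Recording this mapping in the case notes before acquisition documents which block device was imaged for each logical partition.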
