Introduction
Android is the dominant mobile operating system in India, powering approximately 95% of all smartphones. Understanding Android forensics is essential for any cyber crime investigator. This part covers the Android architecture, key data locations, ADB tools, SQLite database analysis, and techniques for examining rooted devices.
By the end of this part, you will understand Android architecture, locate important forensic data, use ADB for data extraction, analyze SQLite databases, and handle rooted device examinations.
Android Architecture
Android is built on a layered architecture based on the Linux kernel. Understanding this architecture helps investigators know where to find evidence and how Android secures data.
Architecture Layers
Linux Kernel
Base layer providing hardware abstraction, security, memory management, process management, and drivers.
Hardware Abstraction Layer (HAL)
Standard interfaces that expose hardware capabilities such as the camera, Bluetooth and sensors to the higher-level Java API framework.
Android Runtime (ART)
Executes DEX (Dalvik Executable) bytecode. Replaced Dalvik VM from Android 5.0 with ahead-of-time compilation.
Native Libraries
C/C++ libraries for graphics (OpenGL), database (SQLite), media, and other core functionalities.
Java API Framework
Android APIs for building applications - Activity Manager, Content Providers, Resource Manager, etc.
Applications
User-facing applications - both system apps (Phone, Contacts) and third-party apps (WhatsApp, Chrome).
Android Security Model
- Application Sandbox: Each app runs in its own process with unique Linux user ID
- Permissions System: Apps must request permissions for sensitive operations
- SELinux: Mandatory access control enforcing security policies
- Verified Boot: Ensures device boots with trusted software
- Encryption: Full Disk Encryption (FDE) or File-Based Encryption (FBE)
Android 7.0+ devices typically use File-Based Encryption (FBE), which encrypts files with different keys. Credential-encrypted (CE) storage remains encrypted until the user unlocks the device, making cold forensic extraction extremely challenging.
Important Data Locations
Knowing where Android stores different types of data is crucial for forensic examination. Data is primarily stored in internal storage, with some data on external SD cards.
Key Directory Structure
| Path | Description | Forensic Value |
|---|---|---|
| /data/data/ | App private data directories | App databases, preferences, files |
| /data/user/0/ | Primary user app data (symlinked) | Same as /data/data for user 0 |
| /data/system/ | System configuration | Accounts, packages, sync settings |
| /data/media/0/ | User media storage | Photos, videos, downloads |
| /sdcard/ | External storage (emulated) | User files, downloads, media |
| /data/misc/wifi/ | WiFi configuration | Saved networks, connection history |
| /data/property/ | System properties | Device configuration data |
Critical App Data Locations
```text
# WhatsApp Data
/data/data/com.whatsapp/databases/msgstore.db
/data/data/com.whatsapp/databases/wa.db
# SMS/MMS Messages
/data/data/com.android.providers.telephony/databases/mmssms.db
# Contacts
/data/data/com.android.providers.contacts/databases/contacts2.db
# Call History
/data/data/com.android.providers.contacts/databases/calllog.db
# Chrome Browser
/data/data/com.android.chrome/app_chrome/Default/History
/data/data/com.android.chrome/app_chrome/Default/Cookies
# Gmail
/data/data/com.google.android.gm/databases/
# Google Maps Location History
/data/data/com.google.android.apps.maps/databases/
```
External Storage Locations
- /sdcard/DCIM/: Camera photos and videos
- /sdcard/Download/: Downloaded files
- /sdcard/WhatsApp/Media/: WhatsApp shared media
- /sdcard/Pictures/: Screenshots and saved images
- /sdcard/Documents/: User documents
ADB (Android Debug Bridge)
ADB is a versatile command-line tool that allows communication with Android devices. It's essential for logical extraction when USB debugging is enabled.
Setting Up ADB
```bash
# Install Android SDK Platform Tools (contains ADB)
# Download from: https://developer.android.com/studio/releases/platform-tools
# Verify ADB installation
adb version
# Check connected devices
adb devices
# If device shows "unauthorized", accept prompt on device
```
Essential ADB Commands for Forensics
```bash
# Get device information
adb shell getprop ro.product.model
adb shell getprop ro.build.version.release
adb shell getprop ro.serialno
# Get IMEI (requires root on newer Android)
adb shell service call iphonesubinfo 1
# List installed packages
adb shell pm list packages
adb shell pm list packages -3   # Third-party only
# Get package info
adb shell dumpsys package com.whatsapp
# List running processes
adb shell ps
# Get accounts on device
adb shell dumpsys account
```
Data Extraction Commands
```bash
# Create full backup (Android 4.0+)
adb backup -apk -shared -all -f backup.ab
# Backup specific app
adb backup -apk com.whatsapp -f whatsapp_backup.ab
# Pull files from device (requires appropriate permissions)
adb pull /sdcard/DCIM/ ./evidence/DCIM/
adb pull /sdcard/Download/ ./evidence/Download/
# With root access - pull app data
adb shell su -c "cp /data/data/com.whatsapp/databases/msgstore.db /sdcard/"
adb pull /sdcard/msgstore.db ./evidence/
# Screen capture
adb shell screencap -p /sdcard/screenshot.png
adb pull /sdcard/screenshot.png ./evidence/
# Record screen activity
adb shell screenrecord /sdcard/recording.mp4
```
ADB backup (the adb backup command) has been deprecated in newer Android versions (11+). Many apps also set android:allowBackup="false", which excludes their data from backups. For comprehensive extraction, commercial tools or root access may be necessary.
SQLite Database Analysis
Android extensively uses SQLite databases for storing application data. Understanding SQLite analysis is fundamental to mobile forensics.
SQLite Basics
- File Extension: Typically .db, .sqlite, or no extension
- Header: First 16 bytes contain "SQLite format 3\000"
- Structure: Tables, indexes, triggers stored in single file
- WAL Mode: Write-Ahead Logging creates .db-wal and .db-shm files
SQLite Tools
| Tool | Type | Features |
|---|---|---|
| DB Browser for SQLite | GUI | Free, cross-platform, browse and query databases |
| SQLite3 | CLI | Command-line interface bundled with SQLite |
| Autopsy | Forensic | Integrated SQLite viewer in forensic platform |
| SQLite Forensic Toolkit | Forensic | Recovery of deleted records, WAL analysis |
Common SQL Queries for Forensics
```sql
-- List all tables in database
SELECT name FROM sqlite_master WHERE type='table';
-- Get table schema (sqlite3 shell dot-command, not SQL)
.schema table_name
-- SMS Messages (mmssms.db)
SELECT address, body, date, type FROM sms ORDER BY date DESC;
-- Call Logs (calllog.db)
SELECT number, name, duration, date, type FROM calls ORDER BY date DESC;
-- Contacts (contacts2.db): phone numbers per raw contact.
-- Resolve the MIME type by name instead of hard-coding mimetype_id = 5;
-- the numeric ids are assigned per database and can differ.
SELECT raw_contacts.display_name, data.data1
FROM raw_contacts
JOIN data ON raw_contacts._id = data.raw_contact_id
JOIN mimetypes ON data.mimetype_id = mimetypes._id
WHERE mimetypes.mimetype = 'vnd.android.cursor.item/phone_v2';
-- WhatsApp Messages (msgstore.db, legacy "messages" table)
SELECT key_remote_jid, data, timestamp, received_timestamp
FROM messages ORDER BY timestamp DESC;
-- Convert millisecond Unix timestamp to readable date
SELECT datetime(timestamp/1000, 'unixepoch', 'localtime') AS date,
       data FROM messages;
```
Recovering Deleted Records
SQLite doesn't immediately overwrite deleted records. They remain in freeblocks inside pages, or on pages returned to the database's freelist, until that space is reused.
- Freeblocks: Space within pages marked as free
- Unallocated Pages: Pages removed from the database
- WAL File: Write-Ahead Log may contain deleted data
- Journal File: Rollback journal may have older data
Tools like Oxygen SQLite Viewer, Belkasoft Evidence Center, and specialized scripts can recover deleted SQLite records by analyzing free pages and unallocated space within the database file.
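As an added example (not code from the original material or from any of the tools named above), the following Python script parses the SQLite header fields described under SQLite Basics (magic string, page size, WAL flag, freelist pointer and count) and then carves printable strings from the free pages that the deleted-record discussion refers to. It builds its own constructed sample database in a temporary directory; the sms-like table is a simplified stand-in for mmssms.db, and only whole free pages are examined, not in-page freeblocks or WAL frames.

```python
import os, re, sqlite3, struct, tempfile

def parse_header(blob):
    """Decode the forensically interesting fields of the 100-byte SQLite file header."""
    if blob[:16] != b"SQLite format 3\x00":              # 16-byte magic, NUL included
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", blob[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size   # value 1 encodes 64 KiB pages
    wal = blob[18] == 2 and blob[19] == 2                 # write/read version 2 => WAL mode
    trunk, count = struct.unpack(">II", blob[32:40])      # first freelist trunk page, free page count
    return {"page_size": page_size, "wal_mode": wal, "freelist_trunk": trunk, "freelist_count": count}

def freelist_pages(data, hdr):
    """Walk the freelist: a trunk page stores next-trunk, leaf count, then leaf page numbers."""
    ps, trunk, pages = hdr["page_size"], hdr["freelist_trunk"], []
    while trunk:
        off = (trunk - 1) * ps
        next_trunk, n = struct.unpack(">II", data[off:off + 8])
        pages += [trunk, *struct.unpack(">%dI" % n, data[off + 8:off + 8 + 4 * n])]
        trunk = next_trunk
    return pages

def carve_free_pages(data, hdr, min_len=8):
    """Printable strings on free pages: old cell content survives there unless secure_delete zeroed it."""
    ps, found = hdr["page_size"], set()
    for p in freelist_pages(data, hdr):
        page = data[(p - 1) * ps:p * ps]
        found.update(m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, page))
    return found

def examine_db(path):
    with open(path, "rb") as f:
        data = f.read()
    hdr = parse_header(data[:100])
    return hdr, carve_free_pages(data, hdr)

def build_demo_db(path):
    """Constructed sample: an sms-like table, bulk-deleted so whole pages land on the freelist."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")   # the usual default; ON would zero freed pages
    con.execute("CREATE TABLE sms(_id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    con.executemany("INSERT INTO sms(address, body) VALUES (?, ?)",
                    [("+91000000%04d" % i, "MSG%04d deleted evidence marker %s" % (i, "x" * 80))
                     for i in range(400)])
    con.commit()
    con.execute("DELETE FROM sms WHERE _id > 5")  # gone from SQL results, not from the file
    con.commit()
    con.close()

def demo():
    path = os.path.join(tempfile.mkdtemp(), "mmssms.db")   # constructed, not a device database
    build_demo_db(path)
    return examine_db(path)
```

Running `demo()` returns the parsed header plus the carved strings; the deleted message bodies are no longer visible through `SELECT`, yet still appear in the carved set because the freed pages were never wiped.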
Rooted Devices
Rooting is the process of obtaining superuser (root) access on Android devices. This bypasses security restrictions and provides full access to the file system.
What is Rooting?
- Definition: Gaining root (superuser) privileges on Android
- Purpose: Remove manufacturer restrictions, install custom ROMs, full system access
- Methods: Exploits, unlocked bootloader, custom recovery
- Common Tools: Magisk, SuperSU, KingRoot (historical)
Forensic Advantages of Rooted Devices
Full File System Access
Access all directories including /data/data/ where app private data is stored.
Physical Acquisition
Create bit-by-bit images of partitions using dd or similar tools.
Deleted Data Recovery
Access raw storage for carving deleted files and recovering evidence.
Bypass Restrictions
Access encrypted app data and bypass certain security measures.
Detecting Rooted Devices
```bash
# Check for su binary
adb shell which su
adb shell ls /system/xbin/su
adb shell ls /system/bin/su
# Check for Magisk
adb shell pm list packages | grep magisk
adb shell ls /data/adb/magisk
# Check for SuperSU
adb shell pm list packages | grep supersu
# Check build properties
adb shell getprop ro.build.tags
# "test-keys" may indicate custom ROM
# Check for custom recovery
adb shell ls /cache/recovery
```
Acquisition from Rooted Devices
```bash
# Physical acquisition using dd (with root)
# Caveat: /sdcard lives on the userdata partition that is being imaged, so writing the image
# there alters the evidence medium (overwriting unallocated space) and may not fit at all.
# Streaming the dd output over ADB to the workstation avoids this; record hashes either way.
adb shell su -c "dd if=/dev/block/mmcblk0 of=/sdcard/full_image.dd bs=4096"
# Copy specific partition
adb shell su -c "dd if=/dev/block/by-name/userdata of=/sdcard/userdata.dd bs=4096"
# Pull the image
adb pull /sdcard/full_image.dd ./evidence/
# Copy app databases directly
adb shell su -c "cp -r /data/data/com.whatsapp/ /sdcard/whatsapp_data/"
adb pull /sdcard/whatsapp_data/ ./evidence/
# Access WiFi passwords
adb shell su -c "cat /data/misc/wifi/wpa_supplicant.conf"
# Or on newer devices
adb shell su -c "cat /data/misc/wifi/WifiConfigStore.xml"
```
If the device is not already rooted, DO NOT root it for forensic purposes. Rooting modifies the device and can compromise evidence integrity. Document whether the device was rooted when seized. If rooted, leverage it for better acquisition but note this in your report.
Android Extraction Tools
Various tools are available for Android forensic extraction, ranging from free open-source tools to commercial solutions.
Open Source Tools
| Tool | Purpose | Features |
|---|---|---|
| ALEAPP | Log Parser | Android Logs Events And Protobuf Parser - comprehensive artifact extraction |
| Andriller | Extraction | Collection of forensic tools for Android |
| ADB | Communication | Android Debug Bridge for device interaction |
| Autopsy | Analysis | Android analyzer module for comprehensive analysis |
Commercial Tools
| Tool | Developer | Key Features |
|---|---|---|
| Cellebrite UFED | Cellebrite | Physical, logical, file system extraction; wide device support; advanced decryption |
| Oxygen Forensic Detective | Oxygen | Deep extraction, cloud data, social media analysis, timeline |
| MSAB XRY | MSAB | Mobile forensics, chip-off support, physical extraction |
| Magnet AXIOM | Magnet | Mobile + computer forensics, cloud acquisition, AI analysis |
Summary
- Android architecture is layered: Linux Kernel > HAL > ART/Native Libraries > Java Framework > Apps
- Critical data locations: /data/data/ (app data), /data/system/ (system config), /sdcard/ (user files)
- ADB is essential for logical extraction when USB debugging is enabled
- SQLite databases store most app data - master common forensic queries
- WAL files (.db-wal) often contain recent and deleted records
- Rooted devices provide full file system access but never root a device for forensic purposes
- Modern Android encryption (FBE) makes cold extraction challenging without credentials
- Document device state (rooted/unrooted) and all extraction methods used