Database and File System Structure in Android Devices

Hi, today we will try to understand what is going on in Android devices in terms of digital forensics.

Overall, this knowledge is essential for anyone doing mobile forensics. As digital forensics engineers, we collect evidence from target devices, which means we have to know how data is stored and how we can find it. All of this relates to the database and file system structure.

Let’s start with the common Android file systems. The file systems available on Android fall into three main categories.

Flash memory filesystems: A flash file system is a file system designed for storing files on flash memory-based storage devices. While flash file systems are closely related to file systems in general, they are optimized for the nature and characteristics of flash memory and for use in particular operating systems.
Media-based filesystems: EXT2 / EXT3 / EXT4. The EXTended file system is the standard Linux file system, with EXT4 being the current version. Since 2010, EXT4 is often used in place of YAFFS2 or JFFS2 as the file system for internal flash memory on Android devices.

Pseudo filesystems: Pseudo file systems can be thought of as logical groupings of files. Some of the important pseudo file systems found on an Android device are cgroup (control group), rootfs, procfs, sysfs and tmpfs. The mount command can be used to view the different partitions and their file systems available on the device.

Logically Extracting Data from Android Devices

The term logical extraction means extracting data in a way that neither recovers deleted data nor produces a bit-by-bit copy of the evidence. Using this method, a forensic examiner cannot be sure that all possible data has been recovered, because the operating system decides which data the examiner is allowed to access. In simple terms, logical extraction is like copying and pasting a folder to extract data from a system: the process only copies the files that the user can access and view. Any hidden or deleted files in the copied folder will not be present in the pasted version of the folder.

What Sort of Data Might Be Recovered

Almost any type of data can be recovered through logical extraction. Much of this data is stored in SQLite databases, so it is even possible to recover large amounts of deleted data through a logical extraction. The limiting factor when forensically analyzing an Android device is whether the forensic investigator can access all the data on the phone, i.e. whether the investigator has root access. Since the majority of the data is stored in the /data/data folder, a forensic investigator without root access will not be able to reach all of an application’s data.

Android File System Structure: Partitions

Android uses multiple file systems and multiple partitions to organize files and folders on the device. Partitions are represented as directories in the file system. There are six main partitions used by Android devices: boot, system, recovery, data, cache and misc. Each of these partitions has its own function. There may be other partitions such as sdcard and sd-ext, which differ from model to model.

1. /boot
This is the boot partition of the Android device; it contains the Android kernel and the ramdisk. The device cannot boot without this partition. If we delete this partition, we need to install a new ROM containing a /boot partition before the system can boot again.
2. /system
This partition holds the entire operating system, including the Android GUI and the pre-installed system applications. Even if we delete this partition, we can still enter recovery or bootloader mode.
3. /recovery
This partition is designed for backup purposes. It is considered an alternate boot partition that allows the device to boot into a recovery console.
4. /data
This partition stores user data. It contains all user data such as SMS, contacts, settings and all data belonging to installed applications. A factory reset actually wipes the data partition.
5. /cache
The cache partition stores frequently accessed application and data components. Even if we delete this partition, it is automatically regenerated as you continue to use the device.
6. /misc
This partition contains various system settings, such as hardware settings and USB configuration. If we delete this partition, the device’s features will not work normally.
7. /sdcard
This partition refers to the SD card, not internal memory. It is used to store all kinds of data: media, documents, ROMs, etc. Depending on the device, the SD card can be internal or external.
8. /sd-ext
This partition is not a standard Android partition but is commonly used by custom ROMs. It is an additional partition on the SD card that acts as a data partition in custom ROMs with features like app2sd, giving additional storage space for installing apps.

Databases Used for Android Devices

SQLite:
SQLite can be said to be the most established mobile database, perhaps even the only truly “built-in” mobile database. This may be because SQLite has been around since 2000 and has been embedded in iOS and Android from the very beginning. SQLite is a relational database. The reasons why SQLite is used are:

Most of the project’s code is devoted to testing the library, and the library is structured to handle different types of system failures such as disk errors, low storage space or power failure. It is ensured that a database is never left unrecoverable, which is essential for mobile phones.
All data is stored in a single database file. Using SQLite is therefore a sound choice, as it makes the mobile database resistant to the corruption that could otherwise easily occur; without such protection, database corruption would occur whenever the battery runs out.

1. No installation. Moreover, SQLite requires no administration, as it works independently of any platform or administrator to manage or process it.
2. Cross-platform. In addition, the database file format is stable and backwards compatible, so it can also be opened by older versions.
3. A single database file is created. When SQLite is used on a platform or for an application, it creates a single database file for all of its input and information storage.
4. Dynamic typing versus static typing. Unlike a conventional SQL database, in SQLite the data type is not a property of the column that stores the value but of the value itself. Therefore, a value of any data type can be stored in any column regardless of the declared type of the column.

Android and other mobile operating systems come with SQLite integrated into their environment, and it is therefore used by apps designed for them. The primary data store for Android is SQLite, and all databases are located at the respective location on the device.

Database files for each application are located in a sub-folder in its own part of the file system. An application’s DB is kept unique to the application itself and is protected by Linux file system permissions. However, the database is not encrypted and can be opened and viewed in the correct environment. Basically, the database file for each application is stored in a specified location (which differs by Android version) and is named after the application itself.

The database can be viewed using an emulator’s Dalvik Debug Monitor Service (DDMS). However, if a physical device is being used, browsing may not be possible unless the device is rooted.

A common database is assigned for all application data storage. This DB file consists of tables with related information; each table spans multiple pages, and each page contains cells holding the individual entries. These pages are mostly structured in the form of a B-tree, where a page is a block of a fixed number of bytes whose size is a power of 2. All pages in the database are the same size and are numbered starting from 1.
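To make two of the points above concrete (deleted rows surviving inside a logically extracted SQLite file, and the fixed-size page layout numbered from 1), here is an added Python example that is not part of the original article. It builds a constructed sample database, parses the 100-byte file header, and carves printable strings from the unallocated area and freeblocks of table leaf pages; the table name, row contents and the secure_delete setting are assumptions made for the demo.

```python
import os, re, sqlite3, struct, tempfile

def build_sample_db(path):
    """Constructed sample: a small 'messages' table from which one row is deleted."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")  # assumption: deleted cells are unlinked, not zeroed
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO messages(sender, body) VALUES (?, ?)",
                    [("alice", "meeting at noon"), ("bob", "DELETED_NOTE_XYZ"),
                     ("carol", "see you later")])
    con.commit()
    con.execute("DELETE FROM messages WHERE sender = 'bob'")  # row is gone from a SELECT
    con.commit()
    con.close()

def parse_header(data):
    """Read the 100-byte file header: magic string and big-endian page size."""
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size  # the value 1 encodes 65536
    return {"page_size": page_size, "page_count": len(data) // page_size}

def carve_free_space(data):
    """Collect printable strings from the unallocated area and freeblocks of table leaf pages."""
    hdr = parse_header(data)
    ps, regions = hdr["page_size"], []
    for pgno in range(1, hdr["page_count"] + 1):       # pages are numbered from 1
        page = data[(pgno - 1) * ps:pgno * ps]
        off = 100 if pgno == 1 else 0                  # page 1 starts after the file header
        if page[off] != 0x0D:                          # 0x0D marks a table b-tree leaf page
            continue
        first_free, ncells, content_start = struct.unpack(">HHH", page[off + 1:off + 7])
        regions.append(page[off + 8 + 2 * ncells:content_start])  # gap after cell pointers
        while first_free:                              # walk the freeblock chain
            nxt, size = struct.unpack(">HH", page[first_free:first_free + 4])
            regions.append(page[first_free + 4:first_free + size])
            first_free = nxt
    return [m.decode("ascii") for r in regions for m in re.findall(rb"[ -~]{4,}", r)]

def run_demo():
    path = os.path.join(tempfile.mkdtemp(), "sample.db")
    build_sample_db(path)
    with open(path, "rb") as f:
        data = f.read()
    return {"header": parse_header(data), "carved": carve_free_space(data)}

if __name__ == "__main__":
    print(run_demo())
```

The carved output contains the deleted body text even though the row no longer appears in any query, which is why a plain file copy of an application's database is worth examining byte by byte.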

I hope you benefited from this article and have made a good start in mobile forensics.