Android File System

Android File System Deep Dive: A Forensic Perspective

During my recent forensics certification and first year working on mobile forensics, I've discovered that understanding Android's file system structure is essential for successful investigations. While the basics seem straightforward, there's a lot of nuance that isn't covered in standard documentation. Here's what I've learned so far.

File System Structure: The Real Deal

The Android file system isn't just a single entity - it's a collection of partitions, each serving specific purposes. Here's what I typically encounter:


/data Partition

This is where most of our evidence lives. I found crucial evidence in these locations:

Quick tip: When you're looking at messaging apps, check both /data/data/[app]/databases/ AND /data/data/[app]/shared_prefs/. I recently found message attachments referenced in shared preferences that weren't in the main database.


/system Partition

While this is mounted read-only during normal operation, examining it can reveal:


/cache Partition

Don't skip this! Last week, I recovered deleted browser data from /cache that wasn't available anywhere else. Cache often contains:

File Systems in Use:

Modern Android devices typically use either ext4 or f2fs. During training, I learned that Samsung often uses f2fs for better flash memory performance. This matters because:

Warning: I made the mistake of using ext4 tools on an f2fs partition - complete waste of time. Always verify the file system type first!
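One way to do that check before reaching for any ext4 or f2fs tooling is to read the superblock magic directly from the partition image. This is an added example, not code from the original post; the sample images it builds are constructed in memory and are not from a real device.

```python
import struct

SUPERBLOCK_OFFSET = 1024   # both ext4 and f2fs place the primary superblock 1 KiB into the partition
EXT4_MAGIC = 0xEF53        # u16 little-endian at superblock offset 0x38 (shared by ext2/3/4)
F2FS_MAGIC = 0xF2F52010    # u32 little-endian at superblock offset 0x00

def identify_fs(image: bytes) -> dict:
    """Classify a raw partition image as ext4, f2fs or unknown from its superblock."""
    if len(image) < SUPERBLOCK_OFFSET + 1024:
        return {"type": "unknown", "reason": "image too small to hold a superblock"}
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if struct.unpack_from("<I", sb, 0x00)[0] == F2FS_MAGIC:
        major, minor = struct.unpack_from("<HH", sb, 0x04)   # on-disk format version
        return {"type": "f2fs", "version": f"{major}.{minor}"}
    if struct.unpack_from("<H", sb, 0x38)[0] == EXT4_MAGIC:
        log_block_size = struct.unpack_from("<I", sb, 0x18)[0]   # block size = 1024 << value
        label = sb[0x78:0x88].split(b"\0", 1)[0].decode("ascii", "replace")
        return {"type": "ext4", "block_size": 1024 << log_block_size, "label": label}
    # No magic at the expected offset: wrong partition offset, an unsupported file system,
    # or a full-disk-encrypted partition whose superblock is not readable until decrypted.
    return {"type": "unknown", "reason": "no ext4/f2fs magic at offset 1024"}

def identify_image_file(path: str) -> dict:
    """Read only the first 2 KiB of an image file; enough for the superblock check."""
    with open(path, "rb") as f:
        return identify_fs(f.read(SUPERBLOCK_OFFSET + 1024))

# Constructed sample images: zero-filled, with only the fields this check reads populated.
def make_ext4_sample() -> bytes:
    img = bytearray(8192)
    struct.pack_into("<H", img, SUPERBLOCK_OFFSET + 0x38, EXT4_MAGIC)
    struct.pack_into("<I", img, SUPERBLOCK_OFFSET + 0x18, 2)   # 1024 << 2 = 4096-byte blocks
    img[SUPERBLOCK_OFFSET + 0x78:SUPERBLOCK_OFFSET + 0x7C] = b"data"   # volume label
    return bytes(img)

def make_f2fs_sample() -> bytes:
    img = bytearray(8192)
    struct.pack_into("<IHH", img, SUPERBLOCK_OFFSET, F2FS_MAGIC, 1, 14)   # magic, major, minor
    return bytes(img)

if __name__ == "__main__":
    for name, img in (("ext4", make_ext4_sample()), ("f2fs", make_f2fs_sample()), ("blank", bytes(8192))):
        print(name, identify_fs(img))
```

Run identify_image_file() against a partition image (for example one carved from a full physical dump at the partition's start offset) before choosing ext4- or f2fs-specific tools; an "unknown" result is itself a finding worth documenting.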

Encryption:

Every device I've examined in the past six months has had either:

Tip: With FBE, look for DirectBoot storage. Some apps store data there that's accessible before the user unlocks the device.

Practical File Recovery

Here's what actually works when recovering deleted files:

Common issues I've run into:

File Timestamps:

Something they don't teach in training: Android's timestamp handling varies by manufacturer. I've seen:

Warning: Document the time settings before starting analysis. Trust me, explaining timestamp inconsistencies in court isn't fun.

Tips:

1. Always check /data/misc/wifi/ for network details

2. /data/system/packages.xml reveals installed app history

3. /data/system/sync/ shows what accounts were syncing

4. Look for backup files with .bak extension

Moving Forward

I'm still learning new aspects of Android forensics every day. Currently studying up on:

The field keeps changing, but a solid understanding of file system basics has helped me adapt. Would love to hear thoughts from other analysts about their experiences with newer Android versions.

Note: This reflects my experience level as a newer analyst - always verify current best practices for your specific case requirements.

Author:

Hasan Hashim

Cyber Security and Digital Forensics