Android File Structure

Android devices store enormous amounts of forensic evidence, and understanding the file structure is the first step in any mobile forensic investigation. Android’s architecture is built on Linux, but Google’s modifications and manufacturer customizations introduce unique directories, partitions, and data storage locations. Investigators must know where user data, system logs, app files, media, and configuration settings are stored in order to properly extract and analyze evidence.

This chapter explains the core components of the Android file system, common partitions, crucial evidence locations, and how data is organized across different Android versions.


Android File System Overview

Android uses a Linux-based filesystem with multiple partitions, each holding specific types of data such as system files, apps, user data, and temporary information. Evidence can be found in:

  • System partitions

  • User data directories

  • Application sandboxes

  • External storage

  • Logs and cached data

  • Databases

  • Configuration files

Understanding where each type of information lives is essential for forensic acquisition.


Core Android Partitions

Android devices commonly include the following partitions:


1. /system (Read-Only)

Contains:

  • OS files

  • System apps

  • Frameworks

  • Device libraries

This partition is normally read-only and rarely modified by users. Malware targeting /system typically requires root access.


2. /data (User Data Partition)

This is the most important forensic partition.

Contains:

  • Installed apps

  • App databases

  • App configuration files

  • User accounts

  • SMS, call logs, contacts

  • Authentication tokens

  • Photos (sometimes previews)

  • App caches

  • Encryption keys (device-dependent)

  • Clipboard data

Path:

/data/data/

Each app has its own sandboxed directory.

This partition holds the majority of user-related evidence.


3. /cache

Contains:

  • Temporary system files

  • OTA update files

  • App cache (legacy versions)

Less valuable than /data, but it can contain residual evidence.


4. /sdcard or /storage/emulated/0 (Internal Storage)

Contains:

  • Photos

  • Videos

  • WhatsApp Media

  • Downloaded files

  • App folders (public storage)

  • Browser downloads

  • Screenshots

Although called an SD card, this is usually internal memory emulated as external storage.


5. /sdcard1 or External SD Card (If Present)

Contains:

  • Media files

  • App backup folders

  • Offline maps

  • Downloaded content

External SD cards often contain deleted or hidden evidence.


6. /vendor

Manufacturers store:

  • Drivers

  • Vendor-specific apps

  • Hardware-related configs

Useful when investigating device-specific vulnerabilities.


7. /boot

Contains:

  • Kernel

  • Ramdisk

Useful for low-level forensic extraction or analyzing rootkits.


8. /recovery

Stores:

  • Recovery mode system

  • Logs used by recovery operations


9. /persist and /efs (Samsung, Qualcomm Devices)

Stores:

  • IMEI

  • Baseband configs

  • WiFi MAC address

  • Bluetooth MAC

  • Radio configuration

Critical for device identity verification.


Important Evidence Locations (Folder Breakdown)


1. User Accounts & Authentication

/data/system/users/
/data/system/locksettings.db

Contains:

  • PIN, pattern, password hashes

  • Fingerprint data references

  • Authentication settings


2. Contacts, SMS, Call Logs

Databases often stored under:

/data/data/com.android.providers.contacts/databases/
/data/data/com.android.providers.telephony/databases/

Files include:

  • mmssms.db

  • contacts2.db

  • calllog.db


3. Browser Forensics

Chrome paths:

/data/data/com.android.chrome/app_chrome/

Contains:

  • History

  • Cookies

  • Login data

  • Favicons

  • Cache

WebView apps store similar data.


4. WhatsApp, Telegram, Signal Data

WhatsApp:

/data/data/com.whatsapp/
/sdcard/WhatsApp/Media/

Telegram:

/data/data/org.telegram.messenger/
/sdcard/Telegram/

Signal messages are stored encrypted but metadata may still be available.


5. Social Media Apps

Facebook (Meta), Instagram, Snapchat, and Twitter each keep their data in a per-app directory, for example:

/data/data/com.facebook.katana/
/data/data/com.instagram.android/
/data/data/com.snapchat.android/

Contain:

  • Cached images

  • Messages (some encrypted)

  • Session tokens

  • Activity logs


6. File Downloads

/sdcard/Download/

Tracks user-downloaded files from browsers and apps.


7. Photos & Videos

/sdcard/DCIM/Camera/
/sdcard/Pictures/

Contains:

  • User-created media

  • Screenshots

  • App-specific images

Metadata (EXIF) provides timestamps, GPS, and device info.


8. System Logs

Android log data may exist under:

/data/log/
/data/system/dropbox/
/cache/recovery/last_log

Logs include:

  • Crash reports

  • System events

  • App failures
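As an added example (not code from this chapter), the script below turns an extracted /data/system/dropbox directory into a chronological timeline. Android's DropBoxManager names each entry `<tag>@<epoch-ms>.<ext>`, compressing larger entries with a `.gz` suffix; the sample entries and their contents here are constructed.

```python
# Added example: timeline from an extracted /data/system/dropbox directory.
# Entry names follow "<tag>@<epoch-ms>.<ext>" (ext txt or dat, plus .gz when compressed).
import gzip
import os
import re
import tempfile
from datetime import datetime, timezone

ENTRY_RE = re.compile(r"^(?P<tag>[^@]+)@(?P<ms>\d+)\.(?P<ext>(?:txt|dat)(?:\.gz)?)$")

def parse_entry_name(name):
    """Return (tag, UTC datetime, compressed?) or None if name is not a dropbox entry."""
    m = ENTRY_RE.match(name)
    if not m:
        return None
    ts = datetime.fromtimestamp(int(m["ms"]) / 1000, tz=timezone.utc)
    return m["tag"], ts, m["ext"].endswith(".gz")

def read_entry(path):
    """Read an entry's text, transparently decompressing .gz entries."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rb") as fh:
        return fh.read().decode("utf-8", errors="replace")

def build_timeline(dropbox_dir):
    """Return (iso_time, tag, first_line) tuples sorted chronologically."""
    rows = []
    for name in os.listdir(dropbox_dir):
        parsed = parse_entry_name(name)
        if parsed is None:
            continue  # lock files and stray artifacts are skipped, not parsed
        tag, ts, _ = parsed
        first = read_entry(os.path.join(dropbox_dir, name)).splitlines()[:1]
        rows.append((ts.isoformat(), tag, first[0] if first else ""))
    return sorted(rows)

def timeline_sample():
    """Constructed sample directory: one plain entry, one gzip entry, one lock file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "system_app_crash@1700000000000.txt"), "w") as fh:
        fh.write("Process: com.example.app\nPackage: com.example.app v1\n")  # constructed
    with gzip.open(os.path.join(d, "SYSTEM_BOOT@1699999000000.txt.gz"), "wb") as fh:
        fh.write(b"Build: constructed-build-id\n")  # constructed
    open(os.path.join(d, "dropbox.lock"), "w").close()  # must be ignored
    return build_timeline(d)
```

Dropbox entries are written by the framework, so their timestamps come from the device clock; compare them against other sources before relying on them for sequencing.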


9. App Configuration & Databases

Every app's private directory follows the pattern:

/data/data/<package>/

Subfolders include:

  • shared_prefs (XML configs)

  • databases (SQLite)

  • cache

  • files

  • libs

These hold the bulk of app-specific evidence.
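As an added example (not code from this chapter), the following Python triage script walks an extracted /data/data tree of the kind described in sections 2 and 9: it identifies SQLite databases by their 16-byte file header rather than by extension, opens them read-only to list their tables, and decodes shared_prefs XML into typed values. The package name com.example.app and all sample contents are constructed.

```python
# Added example: triage an extracted /data/data tree (constructed sample, not the chapter's code).
import os
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file
CONVERT = {"string": lambda el: el.text or "", "boolean": lambda el: el.get("value") == "true",
           "int": lambda el: int(el.get("value")), "long": lambda el: int(el.get("value")),
           "float": lambda el: float(el.get("value"))}

def is_sqlite(path):
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def find_sqlite_dbs(root):
    """Locate SQLite files by header, not extension (app database names vary widely)."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root)
                  for f in files if is_sqlite(os.path.join(d, f)))

def list_tables(db_path):
    """List tables, opening read-only so the evidence copy is never modified.
    Keep any -wal/-journal sidecars beside the .db or un-checkpointed rows are lost."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()
    finally:
        con.close()
    return sorted(r[0] for r in rows)

def parse_shared_prefs(xml_path):
    """Decode an Android shared_prefs <map> XML file into a dict of typed values."""
    return {el.get("name"): CONVERT[el.tag](el)
            for el in ET.parse(xml_path).getroot() if el.tag in CONVERT}

def triage_sample():
    """Build a constructed mini /data/data tree, triage it, and return the findings."""
    root = tempfile.mkdtemp()
    db_dir = os.path.join(root, "com.android.providers.telephony", "databases")
    pref_dir = os.path.join(root, "com.example.app", "shared_prefs")  # hypothetical package
    for d in (db_dir, pref_dir): os.makedirs(d)
    con = sqlite3.connect(os.path.join(db_dir, "mmssms.db"))  # constructed, empty schema
    con.execute("CREATE TABLE sms(_id INTEGER, address TEXT, date INTEGER, body TEXT)")
    con.commit(); con.close()
    pref_file = os.path.join(pref_dir, "com.example.app_preferences.xml")
    with open(pref_file, "w") as fh:  # same <map> layout Android writes
        fh.write('<map><string name="session_token">constructed-token</string>'
                 '<boolean name="logged_in" value="true" /><long name="last_sync" value="1700000000000" /></map>')
    dbs = find_sqlite_dbs(root)
    return dbs, {os.path.basename(p): list_tables(p) for p in dbs}, parse_shared_prefs(pref_file)
```

Run it against the root of a real extraction by replacing the constructed tree in triage_sample with that path; header-based discovery also catches databases renamed by apps or stored without a .db suffix.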


How Storage Is Structured Across Android Versions

Older Android versions (≤7):

  • More accessible internal storage

  • App data sometimes stored outside sandbox

  • Weaker encryption handling

Android 8–10:

  • Stronger file-based encryption (FBE)

  • Scoped storage introduced

Android 11–14:

  • Full sandbox isolation

  • Stricter access to app data

  • More restrictive external storage

  • File-based encryption with per-user keys

Newer Android versions significantly limit what can be extracted without root.


File System Types Used in Android

Common file systems:

  • ext4 — most common for internal partitions

  • f2fs — flash-optimized filesystem for /data

  • exFAT/FAT32 — external SD cards

  • squashfs — read-only system partitions

Investigators must understand each filesystem’s impact on timestamp handling and file recovery.


Key Forensic Considerations

  • File-based encryption may prevent access without device unlock

  • App sandboxes require root or full physical extraction

  • External storage is less protected and often rich in evidence

  • Vendor partitions contain sensitive radio identifiers

  • Deleted files may be recoverable depending on filesystem

  • Cloud sync (Google Photos, Drive, WhatsApp Backup) introduces additional evidence sources


Intel Dump

  • Android uses Linux-based partitions: /system, /data, /cache, /vendor, /boot, /recovery, /sdcard, and sometimes /efs or /persist.

  • The most valuable forensic evidence lives under /data (app databases, accounts, messages) and /sdcard (media, downloads, app files).

  • App directories contain SQLite databases, shared_prefs XML files, cached media, authentication tokens, and logs.

  • Forensic hotspots include SMS databases, call logs, contacts, browser history, WhatsApp/Telegram folders, social media caches, and camera media.

  • Newer Android versions use file-based encryption and strict sandboxing, making access harder without physical extraction or root privileges.
