Why root?

Rooting is often performed to overcome the limitations that carriers and hardware manufacturers put on Android devices. By rooting an Android device you can alter or replace system applications and settings, run specialized apps that require administrator-level permissions, or perform operations that are otherwise inaccessible to a normal Android user, such as uninstalling the default apps (especially the bloatware) that come with the phone. Rooting is also done for extreme customization; for instance, new, customized ROMs can be downloaded and installed. From a forensic analysis point of view, however, the main reason for rooting is to gain access to those parts of the system that are normally not accessible. Most of the public root tools result in a permanent root, where the changes persist even after the device is rebooted. With a temporary root, the changes are lost once the device reboots. Temporary roots should always be preferred in forensic cases.

As explained in Chapter 1, Introducing Android Forensics, in Linux systems each user is assigned a unique User ID (UID), and users are segregated so that one user cannot access the data of another user. Similarly, in Android each application is assigned a UID and is run as a separate process. App UIDs are usually assigned in the order that they are installed, starting from 10001. These IDs are stored in the packages.xml file in /data/system. In addition to storing UIDs, this file stores the Android permissions of each program as described in its manifest file. The private data of each application is stored in the /data/data location and is accessible only to that application. Hence, during the course of an investigation, data present under this location cannot normally be accessed. Rooting a phone, however, allows you to access the data present in any location. It is important to keep in mind that rooting a phone has several implications, as described in the following:

  • Security risk: Rooting a phone might expose the device to security risks. For instance, imagine a malicious app that has access to the entire operating system and to the data of all of the other apps installed on the device.
  • Bricking of your device: If rooting is not done in the proper manner, it might result in bricking your device. A bricked phone is one that is dead or cannot be turned on in any way.
  • Voiding your warranty: Depending on the manufacturer and carrier, rooting a device may void your warranty since it exposes the device to several threats.
  • Forensic implications: Rooting an Android device will allow an investigator to access a larger set of data, but it involves the alteration of certain portions of the device. Hence, a device should be rooted only when it is absolutely necessary.
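The packages.xml mapping described above can be turned into a quick triage table once the file has been copied out of an acquired image. The following is an added example, not code from the book: it assumes the plain-text XML layout (userId/sharedUserId attributes, perms/item elements) used by older Android releases, and the sample file, package names and UIDs are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample; package names, UIDs and permissions are invented.
SAMPLE_PACKAGES_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<packages>
  <package name="com.example.notes" codePath="/data/app/com.example.notes-1" userId="10057">
    <perms>
      <item name="android.permission.INTERNET" granted="true" flags="0" />
      <item name="android.permission.READ_CONTACTS" granted="false" flags="0" />
    </perms>
  </package>
  <package name="com.example.sync" codePath="/data/app/com.example.sync-1" sharedUserId="10058">
    <perms>
      <item name="android.permission.READ_SMS" granted="true" flags="0" />
    </perms>
  </package>
  <package name="com.example.syncui" codePath="/data/app/com.example.syncui-2" sharedUserId="10058" />
  <shared-user name="com.example.shared" userId="10058" />
</packages>
"""

def parse_packages(xml_text):
    """Return {package: {"uid", "data_dir", "permissions"}} from packages.xml text."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    apps = {}
    for pkg in root.iter("package"):
        name = pkg.get("name")
        # Packages that share a UID carry sharedUserId instead of userId.
        uid = pkg.get("userId") or pkg.get("sharedUserId")
        if not name or uid is None:
            continue  # malformed entry: nothing to map
        # Assumption: an entry without a 'granted' attribute counts as granted.
        granted = sorted(item.get("name") for item in pkg.findall("perms/item")
                         if item.get("granted", "true") == "true")
        apps[name] = {"uid": int(uid), "data_dir": "/data/data/" + name,
                      "permissions": granted}
    return apps

def packages_by_uid(apps):
    """Group package names by UID; several names under one UID share a sandbox."""
    groups = defaultdict(list)
    for name, info in apps.items():
        groups[info["uid"]].append(name)
    return {uid: sorted(names) for uid, names in groups.items()}

if __name__ == "__main__":
    apps = parse_packages(SAMPLE_PACKAGES_XML)
    for uid, names in sorted(packages_by_uid(apps).items()):
        print(uid, names, [apps[n]["permissions"] for n in names])
```

Packages grouped under one UID can read each other's private directories, so the owner of a file found under /data/data should be resolved through this table rather than assumed from the directory name alone.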
