The Android file hierarchy

In order to perform forensic analysis on any system (desktop or mobile), it's important to understand the underlying file hierarchy. A basic understanding of how Android organizes its data in files and folders helps a forensic analyst narrow down their research to specific issues. Just as with any other operating system, Android uses several partitions. This chapter provides an insight into some of the most significant partitions and the content stored in them.

It's worth mentioning again that Android uses the Linux kernel. Hence, if you are familiar with Unix-like systems, you will understand the file hierarchy in Android very well. For those who are not very well acquainted with the Linux model, here is some basic information: in Linux, the file hierarchy is a single tree, with the top of the tree being denoted as / (called the root). This is different from the concept of organizing files in drives (as with Windows). Whether the filesystem is local or remote, it will be present under the root.

The Android file hierarchy is a customized version of this Linux hierarchy. Depending on the device manufacturer and the underlying Linux version, its structure may differ slightly. The following is a list of important folders that are common to most Android devices. Some of the folders listed are only visible with root access. Rooting is the process of gaining privileged access on an Android device. Rooting and the adb commands used in the following list are covered in detail in Chapter 8, Android Forensic Setup and Pre-Data Extraction Techniques:

  • /boot: As the name suggests, this partition has the information and files required for the phone to boot. It contains the kernel and Random Access Memory (RAM) disk, so without this partition, the phone cannot start its processes. Data residing in RAM is rich in value and should be captured during a forensic acquisition.
  • /system: This partition contains system-related files other than the kernel and RAM disk. This folder should never be deleted as that will make the device unbootable. The contents of this partition can be viewed using the following command:

(Figure: /system partition)
  • /recovery: This is designed for backup purposes and allows the device to boot into recovery mode. In recovery mode, you can find tools to repair your phone installation.
  • /data: This is the partition that contains the data of each application. Most of the data belonging to the user—such as the contacts, SMS, and dialed numbers—is stored in this folder. This folder has significant importance from a forensic point of view as it holds valuable data. The contents of the data folder can be viewed using the following command:

(Figure: /data partition)
  • /cache: This is the folder used to store frequently accessed data and some of the logs for faster retrieval. The /cache partition is also important to a forensic investigation as the data residing here may no longer be present in the /data partition.
  • /misc: As the name suggests, this folder contains information about miscellaneous settings. These settings mostly define the state of the device—that is, on/off. Information about hardware settings, USB settings, and so on can be accessed from this folder.
  • /sdcard: This is the partition that holds all the information present on the Secure Digital (SD) card. It is valuable as it can contain information such as pictures, videos, files, documents, and so on.
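As an added example (not code from the book), the following Python script parses a /proc/mounts listing captured from a device and reports, for the mounted partitions described above, whether each is present and mounted read-only, which an examiner wants to know before an acquisition. The listing embedded below is constructed with placeholder block-device names; on a real device it would be captured over adb (assumed: `adb shell cat /proc/mounts`), and device paths differ between manufacturers.

```python
import re
from typing import Dict, List, NamedTuple

class Mount(NamedTuple):
    device: str
    mount_point: str
    fstype: str
    options: List[str]

# Mounted filesystems from this chapter; /boot and /recovery hold raw images, not mounts.
PARTITIONS = ("/system", "/data", "/cache", "/sdcard")

# /proc/mounts writes spaces, tabs and backslashes in paths as \ooo octal escapes.
_OCTAL = re.compile(r"\\([0-7]{3})")

def _unescape(field: str) -> str:
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text: str) -> Dict[str, Mount]:
    """Map mount point -> Mount for every well-formed /proc/mounts line."""
    mounts: Dict[str, Mount] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:  # need device, mount point, fstype, options
            continue
        dev, mp, fstype, opts = (_unescape(f) for f in fields[:4])
        mounts[mp] = Mount(dev, mp, fstype, opts.split(","))
    return mounts

def partition_report(mounts: Dict[str, Mount], paths=PARTITIONS) -> Dict[str, dict]:
    """Say, for each path, whether it is mounted, with which fs, and read-only."""
    report = {}
    for path in paths:
        m = mounts.get(path)
        report[path] = {
            "mounted": m is not None,
            "fstype": m.fstype if m else None,
            "read_only": ("ro" in m.options) if m else None,
        }
    return report

# Constructed sample listing. Note the \040 escape in the last mount point, and that
# /sdcard is absent: on most devices it is a symlink into /storage, not its own mount.
SAMPLE_MOUNTS = r"""
/dev/block/by-name/system /system ext4 ro,seclabel,relatime 0 0
/dev/block/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0
/dev/block/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime 0 0
/dev/fuse /mnt/media\040rw fuse rw,nosuid,nodev,noexec 0 0
"""
```

Running `partition_report(parse_mounts(SAMPLE_MOUNTS))` shows /system read-only, /data and /cache writable, and /sdcard not mounted.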

Now that we have understood the Android file hierarchy and looked at the important folders in it, let's have a look at the filesystem in the next section.
