Pseudo filesystems

Pseudo filesystems, as the name suggests, are not backed by a storage partition: the files they present are generated by the kernel at runtime (or, in the case of tmpfs, held in RAM) and exist only while the device is running, so they do not appear in a physical image of the flash memory. The following are some of the important pseudo filesystems in Android:

  • The root filesystem (rootfs) is one of the main components of Android and contains the files required to start the boot process. When the device boots, the kernel needs access to these core files first, so it mounts the root filesystem before anything else. As shown in the preceding mount command-line output, this filesystem is mounted at / (the root folder), and every other filesystem is subsequently mounted on top of it at its mount point. If this filesystem is corrupt, the device cannot boot.
  • The sysfs filesystem is mounted at /sys and exposes the kernel's view of the device's hardware and driver configuration. The following output shows the various folders under the /sys directory on an Android device:

Folders under /sys directory in Android

Since the data present in these folders is mostly configuration state rather than user data, it is not usually of much significance to a forensic investigator. There are, however, circumstances in which we might want to check whether a particular setting was enabled on the phone, and analyzing this folder can be useful in such cases.

Note that each folder consists of a large number of files, and their contents can change while the device is running. Capturing this data through forensic acquisition is the best way to ensure that it is not altered during the examination.
  • The devpts filesystem presents an interface to the terminal sessions on an Android device. It is mounted at /dev/pts. Whenever a terminal connection is established, for instance when an adb shell is connected to the device, a new node is created under /dev/pts. The following output shows this node while an adb shell is connected:
shell@Android:/ $ ls -l /dev/pts
crw------- shell shell 136, 0 2013-10-26 16:56 0
  • The cgroup filesystem exposes control groups, the kernel mechanism that groups processes and tracks and limits their use of resources such as CPU time and memory. Android uses it to aggregate tasks and account for them, for example under /acct. This data is generally not very useful during forensic analysis.
  • The proc filesystem, mounted at /proc, contains information about kernel data structures, running processes, and other system-related information. For instance, /proc/sys contains files for reading and tuning kernel parameters, and /proc/filesystems lists the filesystem types the kernel can mount. Reading /proc/cpuinfo shows the details of the device's central processing unit (CPU):

Output of the cpuinfo command on an Android device 

Similarly, there are many other useful files under /proc that provide valuable information when you traverse them, such as the per-process directories named by process ID.

  • The tmpfs filesystem is a temporary storage facility on the device that keeps its files in RAM (volatile memory). The main advantage of using RAM is faster access and retrieval, but once the device is restarted or switched off, this data is gone. Hence, it is important for a forensic investigator to examine the data held in tmpfs before the device is rebooted, or to recover it through a RAM acquisition.
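Because none of the filesystem types listed above will be present in a physical image of the flash, it is useful to triage a device's mount table and separate the kernel-generated, volatile mounts from the partition-backed ones before deciding on an acquisition method. The script below is an added example written for this section, not code from the original book: it reads lines in /proc/mounts format (device, mount point, type, options, dump, pass), flags each entry as pseudo or storage-backed, and singles out the tmpfs mounts, which are the only pseudo filesystems that hold arbitrary user-writable data. The PSEUDO_TYPES list and the sample mount table are assumptions constructed for the example; on a real device you would feed it `adb shell cat /proc/mounts` instead.

```shell
#!/bin/sh
# Triage a mount table: which mounts are kernel-generated (volatile) and
# which are backed by a flash partition that a physical image will contain.

# Filesystem types generated by the kernel rather than read from a partition.
# Assumed list for this example; extend it for the device under examination.
PSEUDO_TYPES="rootfs sysfs devpts cgroup proc tmpfs debugfs selinuxfs pstore configfs functionfs"

# is_pseudo_fs TYPE: succeeds if TYPE is in PSEUDO_TYPES
is_pseudo_fs() {
    for t in $PSEUDO_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# classify_mounts: reads /proc/mounts-format lines on stdin and prints one line
# per entry: "pseudo <mountpoint> <type>" or "backed <mountpoint> <type> <device>"
classify_mounts() {
    while read -r dev mnt fstype opts dump pass; do
        [ -n "$dev" ] || continue
        if is_pseudo_fs "$fstype"; then
            printf 'pseudo %s %s\n' "$mnt" "$fstype"
        else
            printf 'backed %s %s %s\n' "$mnt" "$fstype" "$dev"
        fi
    done
}

# count_pseudo: number of pseudo-filesystem mounts in the input on stdin
count_pseudo() {
    classify_mounts | grep -c '^pseudo '
}

# tmpfs_mountpoints: mount points whose contents live only in RAM and must be
# captured before a reboot (one per line), from the input on stdin
tmpfs_mountpoints() {
    while read -r dev mnt fstype opts dump pass; do
        [ "$fstype" = "tmpfs" ] && printf '%s\n' "$mnt"
    done
    return 0
}

# Constructed sample mount table (not captured from a real device), in the
# same format as /proc/mounts on Android.
SAMPLE_MOUNTS='rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,nosuid,nodev,noatime 0 0
/dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 rw,nosuid,nodev,noatime 0 0'

# Stand-alone run: classify the sample and list the RAM-only mounts.
printf '%s\n' "$SAMPLE_MOUNTS" | classify_mounts
printf 'tmpfs mounts (lost on reboot):\n'
printf '%s\n' "$SAMPLE_MOUNTS" | tmpfs_mountpoints
```

On the sample table the script reports six pseudo mounts (rootfs, /dev, /dev/pts, /proc, /sys, /acct) and three ext4 partitions; only /dev is tmpfs, so anything an application or the system has written there has to be recovered from RAM rather than from a flash image. Running the same classification against a live device's /proc/mounts tells you which paths a logical extraction over adb can still reach but a physical image never will.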

Today's forensic tools can mount these filesystems and display their contents in a graphical user interface (GUI), enabling investigators to navigate and parse the files with little effort. In the early days of Android forensics, an investigator typically had to run a series of Linux or Windows commands to mount and view these filesystems by hand.
