Recovering files that are deleted from an Android device's internal memory (such as SMS, contacts, and app data) is not supported by all analytical tools and may require manual carving. Unlike some media containing common filesystems, such as SD cards, the filesystem may not be recognized and mounted by forensic tools. Also, you cannot get access to the raw partitions of the internal memory of an Android phone unless the phone is rooted. It is recommended to image the device before and after the rooting process happens. The following are some of the other issues that you may face when attempting to recover data from the internal memory on Android devices:

• To get access to the internal memory, you can try to root the phone. However, the rooting process might involve writing some data to the /data partition, and this process could overwrite the data of value on the device.
• Unlike SD cards, the internal filesystem here is not FAT32 (which is widely supported by forensic tools). The internal filesystem could be YAFFS2 (on older devices), EXT3, EXT4, RFS, or something proprietary built to run on Android. Therefore, many of the recovery tools designed for use with Windows filesystems won't work.
• Application data on Android devices is commonly stored in the SQLite format. While most forensic tools provide access to the database files, they may have to be exported and viewed in a native browser. You must examine the raw data to ensure that the deleted data is not overlooked by the forensic tool.

The discussed reasons make it difficult, but not impossible, to recover the deleted data from the internal memory. The internal memory of Android devices holds the bulk of the user data and the possible keys to your investigation. As previously mentioned, the device must be rooted to access the raw partitions. Most of the Android recovery tools on the market do not highlight the fact that they only work on rooted phones. Let's now take a look at how we can recover deleted data from an Android phone.