Android applications

Android devices rely heavily on SQLite for application storage. The preference files for each application are often in the DAT or XML file formats. Examining applications on an Android device can be even more tedious than on an iOS device, because data may be stored in many different locations. The best place to start is with a tool that provides a listing of what is installed on the device. Next, go to the subdirectories off of the /Root directory. Remember, these applications may have unique names and may be difficult to locate.

You may have to research an application to gain a better understanding of the filenames that are associated with it. The following screenshot is an example of application directories on an Android device:

Application data on an Android device

Each of these application directories will contain a lot of data to examine. We recommend starting with the Databases and Cache directories and then expanding your analysis to other locations on the device. The next locations to examine include the Media and Cache partitions. If the data appears to be missing or is claimed to have been deleted, do not forget to examine the Downloads directory on the device and SD card.
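The following sketch, an added example that is not from the original text, shows one way to triage an extracted application directory: it identifies SQLite files by their header rather than by name, opens them read-only, and lists the Databases and Cache hits first. The package name `com.example.chat` and the file names are constructed sample data.

```python
import os, sqlite3, tempfile
from contextlib import closing
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file

def is_sqlite(path):
    """Identify databases by header; app files often lack a .db extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False

def table_counts(path):
    """Open read-only (on a working copy of the extraction) and count rows per table."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    with closing(sqlite3.connect(uri, uri=True)) as con:
        names = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        return {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}

def triage(app_root, priority=("databases", "cache")):
    """List SQLite files under one app directory, priority subdirectories first."""
    hits = []
    for dirpath, _dirs, files in os.walk(app_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_sqlite(full):
                rel = os.path.relpath(full, app_root).replace(os.sep, "/")
                hits.append((rel, table_counts(full)))
    return sorted(hits, key=lambda h: (h[0].split("/")[0].lower() not in priority, h[0]))

def build_sample(root):
    """Constructed sample tree for a hypothetical package, com.example.chat."""
    app = os.path.join(root, "com.example.chat")
    for sub, name, rows in (("databases", "msgstore", 2), ("files", "thumbs.dat", 0)):
        os.makedirs(os.path.join(app, sub))
        with closing(sqlite3.connect(os.path.join(app, sub, name))) as con:
            con.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, body TEXT)")
            con.executemany("INSERT INTO items (body) VALUES (?)", [("x",)] * rows)
            con.commit()
    os.makedirs(os.path.join(app, "cache"))
    # Misleading extension: named .db but not a database, so it must not be reported.
    Path(app, "cache", "notes.db").write_text("plain text, not a database")
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(build_sample(tmp)))
```

Files that pass the header check but hold no rows are still worth noting, since an empty table can indicate data that was cleared.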

Application data can exist in several locations in the Media directories. Using a tool such as UFED Physical Analyzer, which provides keyword-searching capabilities that extend beyond parsed items, will really help to locate artifacts pertaining to specific applications. The following screenshot shows the large amount of data stored in the Media directory on an Android device. This data is distinct from what is stored in the application directories that were discussed previously. Each location needs to be thoroughly examined to ensure that nothing is missed. It is important that you apply what you learned in previous chapters when analyzing Android application data:

Unique application data in the Media directory

We will now look at apps installed on Windows Phone and their acquisition. 
