[Go Back]


Android Forensics: Investigation, Analysis and Mobile Security for Google ...
By Andrew Hoog

PDF version of excerpt of book

Android Data Directories


The /data partition is where all the user's personal data resides. Providing a separate partition forthis provides several important advantages:

The /data partition is mounted with nosuid, which makes rooting the device a bit more of a cumbersome operation - assuming that root access is somehow obtained, the su binary (which makes for an efficient, persistent backdoor) must be placed in /system, which is read-only. In practice, this is only a minor obstacle, since it's a simple enough operation to remount /system in read-write mode. Nonetheless, this is an example of defense-in-depth, and could actually proveeffective when /system is cryptographically hashed, as with KitKat's dm-verity (q.v. Chapter 21).

Table fs-data shows the contents of the /data partition. Note vendors and carriers may place additional files or directories.

Directory Notes
anr Used by dumpstate to record stack traces of non-responsive Android Apps. Stack traces are recorded into traces.txt, as per the dalvik.vm.stack-trace-file property.
app User-installed application .apk files.
app-asec Application asec containers (described later in this chapter).
app-lib JNI libraries of applications (both system and user-installed).
app-private Provided for application private storage. In practice largely unused, since asec provides better security.
backup Used by the backup service
bugreports Used exclusively by bugreport for generated reports, which include a text file and screenshot (png), both named bugreport-yyyy-mm-dd-hh-mm-ss.
dalvik-cache The optimized classes.dex of system and user applications. Each app's dex is preceded by the path to its apk, with "@" replacing the path separator (e.g. system@framework@bu.jar@classes.dex).
data Data directories for installed applications, in reverse DNS format. Discussed next
dontpanic Formerly used to store Android panic console and threads. Unused.
drm Used by Android's Digital Rights Management
local A readable/writable temporary directory for uid shell (usable in ADB sessions)
lost+found Automatically generated directory for fsck operations on /data. Empty (unless the filesystem crashed, in which case it may contain unlinked inodes)
media Used by the sdcard service for mounted media
mediadrm Used by the Media DRM service
misc "Miscellaneous" data and configuration directories for components. q.v. Table 2-dm.
nfc Stores NFC parameters
property Contains persistent properties (i.e. saved across device reboots). Each property is saved in its own file, with the property name serving as the file name
resource-cache Resources cached by the AssetManager (described in Chapter 5).
security commonly empty
ssh For devices which provide the Secure Shell service. (Usually empty.
system A multitude of system configuration files, shown in table f-datasysApplication crash reports generated by debuggerd. Due to limited filesystem space, full
tombstones core dumps are not feasible. The debuggerd provides basic autopsy services in absenceof a core dump. Some vendors allocate a separate partition to this directory.
user JB and later: provides "multi-user" capabilties, by symlinking user numbers (0,1..) to directories with installed applications and data for those users. In a single user system,0 links to /data/data.


The somewhat redundantly named /data/data is the directory where all applications, both system and user-installed store their information. Each application gets its own subdirectory, in reverse DNS format, which is chmod 751 (rwxr-x--x), under the uid/gid of the owning application. The /data/data directory itself is chmod 771 system system, and therein lies a tenet of Android's security model: /data/data is executable (i.e. cd-able*) to all applications, but unreadable (so applications can't enumerate "neighbor" directories). The burden of securing specificapplication files, however, rests on each and every application, as the per-app directories are freely executable, though are unreadable by anyone other than the owner.

The /data/data per-app subdirectory is the only location in the entire filesystem which is writable by apps. Coupled with the fact that the stock applications for location, texting and calls can be found on every Android device, this makes several locations in it key for performing forensics. Subdirectories of particular interest are shown in table 2-appdata:

App subdirectoryUsed byContains
com.android.providers.contacts Phone Contacts Virtually every tidbit of information which might be ofremote interest on the device, in databases/contacts2.db: a SQLite3 master contact database, including tables like contacts (All contacts stored on the device) and calls (Log of last calls).files/thumbnail_photo_xxxxx.png are individualthumbnails of contacts.
com.android.providers.calendar Calendar Calendar: databases/calendar.db (in the events table).
com.android.providers.telephony Messaging Multimedia(MMS)/text(SMS) message database: database/mmssms.db
com.google.android.apps.maps Google Maps Destinations looked up: gmm_myplaces.db, gmm_storage.db and log_events.db. cache/http contains map tiles.
com.google.android.gm GMail databases/mailstore.email.db: a SQLite3 databasecontaining all the user's mail which has been downloaded to the device, for each registered emailaddress (in the messages table). Viewed attachmentsare stored in cache/email.
com.android.chrome Chrome browser State of Chrome browser (which replaces the oldAndroid built-in com.android.browser). Files of interest include the cache/ directory (browser cache), and the app_chrome/Default/ directory, which contains many important SQLite3 databases, such as History andArchived History (browsing history in urls table), LoginData (saved credentials, in logins table) and Cookies.
* - The meaning of +x on a directory is slightly different than on a file: +x means you can cd into the directory. Note thatthis does not necessarily imply you can read the contents, which requires +r.