Android Data directories and their purpose

Jan-2017

Android Forensics: Investigation, Analysis and Mobile Security for Google ...
By Andrew Hoog

Android Data Directories

/data

The /data partition is where all the user's personal data resides. Providing a separate partition forthis provides several important advantages:

/data is decoupled from the underlying Android OS version. System upgrade and recovery can thus wipe and rewrite the entire /system partition, without affecting the user's data in any way. Conversely, the device can quickly be reset and all personal data wiped by formatting /data, which is exactly what happens during a "factory reset".
/data may be encrypted, if the user requires it. Encryption, however efficient, adds a degree of latency, since reading and writing involves decryption and encryption, respectively. Because, by design, /system contains no sensitive information, there is no need to encrypt it, and therefore this latency is avoided.
/data may also be made non-executable (i.e. mounted with the noexec option, or enforced with SELinux). As of KitKat, this isn't a default option. Doing so, however, would not onl ywould make it more true to its name, but would greatly mitigating an attack vector for malware, since the latter would have no writable partition that it can drop executables to. This would not affect legitimate Dalvik apps, because DEX runs in a virtual machine, but would likely impact rooting (for example, by requiring a remount, the same as it does with/system).

The /data partition is mounted with nosuid, which makes rooting the device a bit more of a cumbersome operation - assuming that root access is somehow obtained, the su binary (which makes for an efficient, persistent backdoor) must be placed in /system, which is read-only. In practice, this is only a minor obstacle, since it's a simple enough operation to remount /system in read-write mode. Nonetheless, this is an example of defense-in-depth, and could actually proveeffective when /system is cryptographically hashed, as with KitKat's dm-verity (q.v. Chapter 21).

Table fs-data shows the contents of the /data partition. Note vendors and carriers may place additional files or directories.

Directory	Notes
anr	Used by dumpstate to record stack traces of non-responsive Android Apps. Stack traces are recorded into traces.txt, as per the dalvik.vm.stack-trace-file property.
app	User-installed application .apk files.
app-asec	Application asec containers (described later in this chapter).
app-lib	JNI libraries of applications (both system and user-installed).
app-private	Provided for application private storage. In practice largely unused, since asec provides better security.
backup	Used by the backup service
bugreports	Used exclusively by bugreport for generated reports, which include a text file and screenshot (png), both named bugreport-yyyy-mm-dd-hh-mm-ss.
dalvik-cache	The optimized classes.dex of system and user applications. Each app's dex is preceded by the path to its apk, with "@" replacing the path separator (e.g. system@framework@bu.jar@classes.dex).
data	Data directories for installed applications, in reverse DNS format. Discussed next
dontpanic	Formerly used to store Android panic console and threads. Unused.
drm	Used by Android's Digital Rights Management
local	A readable/writable temporary directory for uid shell (usable in ADB sessions)
lost+found	Automatically generated directory for fsck operations on /data. Empty (unless the filesystem crashed, in which case it may contain unlinked inodes)
media	Used by the sdcard service for mounted media
mediadrm	Used by the Media DRM service
misc	"Miscellaneous" data and configuration directories for components. q.v. Table 2-dm.
nfc	Stores NFC parameters
property	Contains persistent properties (i.e. saved across device reboots). Each property is saved in its own file, with the property name serving as the file name
resource-cache	Resources cached by the AssetManager (described in Chapter 5).
security	commonly empty
ssh	For devices which provide the Secure Shell service. (Usually empty.
system	A multitude of system configuration files, shown in table f-datasysApplication crash reports generated by debuggerd. Due to limited filesystem space, full
tombstones	core dumps are not feasible. The debuggerd provides basic autopsy services in absenceof a core dump. Some vendors allocate a separate partition to this directory.
user	JB and later: provides "multi-user" capabilties, by symlinking user numbers (0,1..) to directories with installed applications and data for those users. In a single user system,0 links to /data/data.

/data/data

The somewhat redundantly named /data/data is the directory where all applications, both system and user-installed store their information. Each application gets its own subdirectory, in reverse DNS format, which is chmod 751 (rwxr-x--x), under the uid/gid of the owning application. The /data/data directory itself is chmod 771 system system, and therein lies a tenet of Android's security model: /data/data is executable (i.e. cd-able*) to all applications, but unreadable (so applications can't enumerate "neighbor" directories). The burden of securing specificapplication files, however, rests on each and every application, as the per-app directories are freely executable, though are unreadable by anyone other than the owner.

The /data/data per-app subdirectory is the only location in the entire filesystem which is writable by apps. Coupled with the fact that the stock applications for location, texting and calls can be found on every Android device, this makes several locations in it key for performing forensics. Subdirectories of particular interest are shown in table 2-appdata:

App subdirectory	Used by	Contains
com.android.providers.contacts	Phone Contacts	Virtually every tidbit of information which might be ofremote interest on the device, in databases/contacts2.db: a SQLite3 master contact database, including tables like contacts (All contacts stored on the device) and calls (Log of last calls).files/thumbnail_photo_xxxxx.png are individualthumbnails of contacts.
com.android.providers.calendar	Calendar	Calendar: databases/calendar.db (in the events table).
com.android.providers.telephony	Messaging	Multimedia(MMS)/text(SMS) message database: database/mmssms.db
com.google.android.apps.maps	Google Maps	Destinations looked up: gmm_myplaces.db, gmm_storage.db and log_events.db. cache/http contains map tiles.
com.google.android.gm	GMail	databases/mailstore.email.db: a SQLite3 databasecontaining all the user's mail which has been downloaded to the device, for each registered emailaddress (in the messages table). Viewed attachmentsare stored in cache/email.
com.android.chrome	Chrome browser	State of Chrome browser (which replaces the oldAndroid built-in com.android.browser). Files of interest include the cache/ directory (browser cache), and the app_chrome/Default/ directory, which contains many important SQLite3 databases, such as History andArchived History (browsing history in urls table), LoginData (saved credentials, in logins table) and Cookies.

* - The meaning of +x on a directory is slightly different than on a file: +x means you can cd into the directory. Note thatthis does not necessarily imply you can read the contents, which requires +r.