Information Technology Reference
In-Depth Information
Android file hierarchy
In order to perform forensic analysis on any system (desktop or mobile), it's important to
understand the underlying file hierarchy. A basic understanding of how Android organizes
its data in files and folders helps a forensic analyst narrow down their research to specific
issues. Just like any other operating system, Android uses several partitions. This chapter
provides an insight into some of the most significant partitions and the content stored in
them.
It's worth mentioning again that Android uses the Linux kernel. Hence, if you are familiar
with Unix-like systems, you will find the file hierarchy in Android easy to understand. For
those who are not well acquainted with the Linux model, here is some basic information:
in Linux, the file hierarchy is a single tree, with the top of the tree denoted as /
(called the "root"). This is different from the concept of organizing files in drives (as with
Windows). Whether a file system is local or remote, it will be present under the root. The
Android file hierarchy is a customized version of this existing Linux hierarchy. Depending on
the device manufacturer and the underlying Linux version, the structure of this hierarchy
may have a few insignificant changes. The following is a list of important folders that are
common to most Android devices. Some of the folders listed are only visible through root
access.
/boot : As the name suggests, this partition has the information and files required
for the phone to boot. It contains the kernel and RAM disk, and so without this
partition the phone cannot start its processes. Data residing in RAM is rich in value
and should be captured during a forensic acquisition.
/system : This partition contains system-related files other than the kernel and RAM
disk. This folder should never be deleted, as that will make the device unbootable.
The contents of this partition can be viewed by using the following commands:
shell@Android:/ $ cd /system
cd /system
shell@Android:/system $ ls
ls
CSCVersion.txt
SW_Configuration.xml
app
bin
build.prop
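To relate the folders described above to the partitions behind them, an examiner can save the device's /proc/mounts text and summarize it on the workstation. The following is an added example, not code from the original text; the sample mount table, its block device names and the function names are constructed for illustration and will differ on a real device.

```python
import re

# Constructed sample of /proc/mounts text saved from a device (not from the page);
# block device names differ between manufacturers.
SAMPLE_MOUNTS = """\
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
proc /proc proc rw,relatime 0 0
/dev/block/mmcblk0p9 /system ext4 ro,relatime,data=ordered 0 0
/dev/block/mmcblk0p12 /data ext4 rw,nosuid,nodev,noatime 0 0
/dev/fuse /mnt/shell/emulated\\040card fuse rw,nosuid,nodev 0 0
truncated-line-without-enough-fields
"""

def _unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as 3-digit octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        device, mount_point, fstype, options = parts[:4]
        entries.append({
            "device": _unescape(device),
            "mount_point": _unescape(mount_point),
            "fstype": fstype,
            "read_only": "ro" in options.split(","),
            "block_backed": device.startswith("/dev/block/"),
        })
    return entries

def lookup(entries, mount_point):
    """Last matching entry wins, because a later mount hides an earlier one."""
    found = None
    for entry in entries:
        if entry["mount_point"] == mount_point:
            found = entry
    return found

if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    for point in ("/", "/system", "/boot"):
        print(point, lookup(mounts, point))
```

In this constructed sample, /system resolves to a read-only ext4 block device, while /boot has no entry and the lookup returns None.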