Information Technology Reference
In-Depth Information
Android file system
Understanding the file system is one essential part of forensic methodologies. Knowledge
about properties and the structure of a file system proves to be useful during forensic ana-
lysis. File system refers to the way data is stored, organized, and retrieved from a volume.
A basic installation may be based on one volume split into several partitions; here each par-
tition can be managed by a different file system. As is true in Linux, Android utilizes
mount points and not drives (that is
C:
or
E:
). Each file system defines its own rules for
managing the files on the volume. Depending on these rules, each file system offers a dif-
ferent speed for file retrieval, security, size, and so on. Linux uses several file systems, and
so does Android. From a forensic point of view, it's important to understand what file sys-
tems are used by Android and to identify the file systems that are of significance to the in-
vestigation. For example, the file system that stores the user's data is of primary concern to
us as against a file system used to boot the device.
