Information Technology Reference
In-Depth Information
•
External storage
: This stores data that is public in the device's external memory,
which does not usually enforce security mechanisms. This data is available under
the
/sdcard
directory.
•
SQLite database
: This data is available in the
/data/data/Pack-
ageName/
database. They are usually stored with a
.db
file extension. The data
present in a SQLite file can be viewed using a SQLite browser (
ht-
tp://sourceforge.net/projects/SQLitebrowser/
)
or by executing the necessary
SQLite commands on the respective files.
Every Android application stores the data on the device using any of the preceding data
storage options. So, the
Contacts
application would store all the information about the
contact details in the
/data/data
folder under its package name. Note that
/data/
data
is a part of your device's internal storage where all the apps are installed under nor-
mal circumstances. Some application data will reside on the SD card and in the
/data/
data
partition. Using adb, we can pull the data present in this partition for further analys-
is using the adb pull command. Once again, it's important to note that this directory is ac-
cessible only on a rooted phone.
Extracting the /data directory on a rooted device
On a rooted phone, a pull command on
/data
can be executed as follows:
C:\android-sdk-windows\platform-tools>adb.exe pull /data
C:\temp
pull: /data/data/com.kiloo.subwaysurf/app_sslcache/
www.chartboost.com.443 -> C:\temp/data/com.kiloo.subwaysurf/
app_sslcache/www.chartboost.com.443
pull: /data/data/com.mymobiler.android/lib/libpng2.so ->
C:\temp/data/com.mymobiler.android/lib/libpng2.so
pull: /data/system.notfirstrun -> C:\temp/system.notfirstrun
732 files pulled. 0 files skipped.
2436 KB/s (242711369 bytes in 97.267s)
As shown in the following screenshot, the complete
/data
directory on the Android
device was copied to the local directory on the machine. The entire data directory was ex-
tracted in 97 seconds. The extraction time will vary depending on the amount of data
residing in
/data
.
