(Android 10 Forensics) - Coggle Diagram
Android 10 Forensics
File system in Android dd image
apex
(Android Pony EXpress) This format facilitates the updates of system components that don't fit into the standard Android application model
data
Contains all Android apps, native as well as third-party, plus all system config/logs and all app-generated data
metadata
product
sbin
binaries for several important daemons.
system
Android OS, excluding Google services
apex
(Android Pony EXpress) This format facilitates the updates of system components that don't fit into the standard Android application model
app
Pre-installed Android OS apps (bloatware), which often cannot be uninstalled
bin
executable binaries, daemons and shells such as bash
usr
all system-wide, read-only files installed by (or provided by) the OS
res
Resource, e.g., layout, color
lib
native libraries
framework
App Framework
res
Resource, e.g., layout, color
Investigating AOSP (Android Open Source Project)
com.android
ls 'Pixel 3/data/data/' | grep -i com.android
this command lists the files or directories under data/data whose names contain the string "com.android"
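The listing above can be extended, as an added example that is not part of the Coggle diagram, into a small script that walks data/data, sorts each package directory into the AOSP (com.android.*), GMS (com.google.android.*) and third-party groups this map uses, and lists the SQLite files under its databases/ folder. The sample directory tree it builds is constructed from paths named in the map; the function names are this example's own.

```shell
# Added example, not from the diagram: classify data/data package directories
# by prefix and list their databases/ contents. The sample tree is constructed.
set -eu

# classify_pkg <package>: prints AOSP, GMS or THIRD_PARTY
classify_pkg() {
    case "$1" in
        com.google.android.*) echo GMS ;;
        com.android.*)        echo AOSP ;;
        *)                    echo THIRD_PARTY ;;
    esac
}

# list_databases <data/data dir> <package>: one file name per line from databases/
list_databases() {
    dir="$1/$2/databases"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue    # an empty directory leaves the glob unexpanded
        basename "$f"
    done
}

# inventory <data/data dir>: prints "<category> <package> <db1,db2,...>" per package
inventory() {
    for pkgdir in "$1"/*/; do
        pkg=$(basename "$pkgdir")
        dbs=$(list_databases "$1" "$pkg" | paste -s -d , -)
        printf '%s %s %s\n' "$(classify_pkg "$pkg")" "$pkg" "${dbs:-<none>}"
    done
}

# build_sample <root>: constructed tree mirroring paths named in this map
build_sample() {
    for p in com.android.providers.telephony/databases/mmssms.db \
             com.android.providers.contacts/databases/calllog.db \
             com.android.providers.contacts/databases/contacts2.db \
             com.google.android.dialer/databases/dialer.db \
             com.twitter.android/databases/global.db \
             com.whatsapp/shared_prefs/.keep; do
        mkdir -p "$1/data/data/$(dirname "$p")"
        : > "$1/data/data/$p"
    done
}

root=$(mktemp -d)
build_sample "$root"
inventory "$root/data/data"
rm -rf "$root"
```

Point `inventory` at the `data/data` directory of a mounted dd image instead of the constructed tree to get the same per-package summary for a real extraction.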
Messaging service
com.android.providers.telephony
databases
mmssms.db
Use the sqlitebrowser tool to view the message database
shared_pref
Investigating contacts
com.android.providers.contacts
databases
calllog.db
Contains made/received calls along with timestamp and duration
calls
properties
voicemail status
android_metadata
contacts2.db
use sqlitebrowser to access the database, where you can find the following information
metadata for each contact, e.g., times contacted, last time contacted
contacts info
fields of contacts
contact group information, e.g., family, friends
raw data is unprocessed data, stored in the contacts and data tables
profile.db
Investigating calendar service
com.android.providers.calendar
To find the name of the application automatically
Send an HTTP request
curl --no-progress-meter https://play.google.com/store/apps/details?id=com.twitter.android | grep -Pio 'itemprop="name"><span>Twitter</span>'
Tools
sqlitebrowser
sqlite3
Commands
grep
cat
file
GMS apps
com.google.android
Google Messages
com.google.android.apps.messaging
apps_log
cache
databases
androidx.work.workdb
androidx.work.workdb-shm
google_app_measurement_local.db
growthkit.db
undelivered_messages
Use sqlitebrowser to access these databases
files
shared_prefs
Google Maps
com.google.android.apps.maps
Google Phone Dialer App
com.google.android.dialer
app_phenotype_file
cache
databases
annotated_call_log.db
and more
dialer.db
growthkit.db
suggest_contact_database
phone_lookup_history.db
Lists the phone lookup history
files
shared_prefs
Investigating Third party apps
Apps other than AOSP and GMS are third-party apps
e.g., com.instagram.android
com.snapchat.android
com.spotify.music
com.twitter.android
databases
global.db
persistent_jobs.db
0-scribe.db
use sqlitebrowser to inspect these databases
files
shared_prefs
app_webview
lib-main
com.whatsapp
kik.android