Book Image

Learning Android Forensics

By : Rohit Tamma, Donnie Tindall
Book Image

Learning Android Forensics

By: Rohit Tamma, Donnie Tindall

Overview of this book

Table of Contents (15 chapters)
Learning Android Forensics
Credits
About the Authors
About the Reviewers
www.PacktPub.com
Preface
Index

Recovering data deleted from internal memory


Recovering files deleted from Android's internal memory, such as app data and so on, is not supported by most analytical tools. This is for two main reasons. First, unlike the common filesystems used in SD cards, the filesystems used by internal memory may not be recognized and mounted by forensic tools. Second, the examiner cannot get access to the raw partitions of the internal memory of an Android phone, unless the phone is rooted. The following are some of the other issues the examiner may face when attempting to recover data from the internal memory on Android devices:

  • To get access to the internal memory, you can try to root the phone. However, the rooting process might involve writing some data to the /data partition. This process could overwrite valuable data on the device.

  • Unlike SD cards, the internal filesystem here is not FAT32 (which is widely supported by forensic tools). The internal filesystem could be YAFFS2 (in older devices),...