Recovering files deleted from Android's internal memory, such as app data and so on, is not supported by most analytical tools. This is for two main reasons. First, unlike the common filesystems used in SD cards, the filesystems used by internal memory may not be recognized and mounted by forensic tools. Second, the examiner cannot get access to the raw partitions of the internal memory of an Android phone, unless the phone is rooted. The following are some of the other issues the examiner may face when attempting to recover data from the internal memory on Android devices:
To get access to the internal memory, you can try to root the phone. However, the rooting process might involve writing some data to the
/datapartition. This process could overwrite valuable data on the device.
Unlike SD cards, the internal filesystem here is not FAT32 (which is widely supported by forensic tools). The internal filesystem could be YAFFS2 (in older devices),...