Cyber Security Academy · Lesson

Android Acquisition and Analysis

Extracting and analyzing Android data.

Android Storage Architecture

To extract Android data effectively, you must know where it lives.

  • /data/data/<package>/ — each app sandbox: databases, shared_prefs, files, cache.
  • /data/media/0/ — user storage (photos, downloads).
  • /data/system/ — accounts, lock settings, usage stats.

Most app evidence sits in SQLite databases and XML preference files inside the per-app sandbox, which is unreadable without root or a backup mechanism.

ADB and Debugging Prerequisites

The Android Debug Bridge (ADB) is the primary logical-acquisition channel. It requires USB debugging to be enabled and the host key authorized.

  • Unless debugging is enabled and the screen is unlocked, ADB access is blocked.
  • The authorization prompt itself alters device state — document it.

Verify connectivity and capture device properties first:

adb devices -l
adb shell getprop ro.build.version.release   # Android version
adb shell getprop ro.product.model           # Device model
adb shell getprop ro.crypto.state            # encrypted / unencrypted
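
The checks above as a script, added here as an example and not part of the original lesson: it reads the state column of adb devices -l so acquisition stops when the host key is not authorized, then logs the three properties with a UTC timestamp. The function names, the log layout and the sample device lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and log layout are hypothetical.

# Constructed sample of `adb devices -l` output (not from a real device).
SAMPLE_DEVICES='List of devices attached
R58M123ABC             device usb:1-2 product:a52q model:SM_A525F device:a52q transport_id:3
0A1B2C3D4E             unauthorized usb:1-4 transport_id:4
'

# device_state SERIAL: read `adb devices -l` text on stdin and print the state
# column for SERIAL ("device", "unauthorized", "offline"), or "absent".
device_state() {
    awk -v s="$1" 'NR > 1 && $1 == s { print $2; found = 1 }
                   END { if (!found) print "absent" }'
}

# ready_for_acquisition SERIAL: succeed only when the state is "device",
# i.e. the device is attached and the host key has been authorized.
ready_for_acquisition() {
    [ "$(device_state "$1")" = "device" ]
}

# capture_props SERIAL LOGFILE: append timestamped property values to LOGFILE.
# Needs a connected, authorized device; it is not run on the sample above.
capture_props() {
    serial=$1
    log=$2
    adb devices -l | ready_for_acquisition "$serial" || {
        echo "device $serial is not attached or not authorized" >&2
        return 1
    }
    for prop in ro.build.version.release ro.product.model ro.crypto.state; do
        # adb may return CRLF line endings; strip the carriage return.
        value=$(adb -s "$serial" shell getprop "$prop" | tr -d '\r')
        printf '%s\t%s\t%s=%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$serial" "$prop" "$value" >> "$log"
    done
}
```

With a device attached, capture_props <serial> acquisition.log writes one tab-separated line per property; an "unauthorized" or missing serial returns non-zero before any getprop call is made.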
