The best and most comprehensive search should be conducted within the raw image file. The Memory Ranges or partitions are comprised of the USERDATA, EFS, system, SD card, CACHE, and other partitions in their raw form, while the File System shows a normalized version of the same partitions, including a folder structure for each. Autopsy places the name of the partition next to the volume label. Each tool may differ with their methods, so it’s important that you know where to look to ensure you don’t miss any data of forensic value. The File System area of the data shown in Physical Analyzer is the reconstructed file system, as interpreted by the tool. Data is stored natively within the partitions and can be manually examined and decoded for relevance, which is discussed later in this section.

The Analyzed Data section in Physical Analyzer shows all the data that Physical Analyzer knows how to parse. Again, one must use caution here and verify their findings rather than just trusting the tool. More details on how to verify your results and manually decode data will be covered in the analytical portion of this section. Commercial tools will not parse all forms of data available on the Android device. In this section, we will cover different tools and how the data will look in each. You will gain experience with this in your lab work. The examiner must dig deeper to recover the overlooked data. For your lab later in this section, you will have access to a newer device that was physically acquired.