The most common evidentiary locations found on Android devices are listed in this slide. Again, depending on the device and the version of Android, variations may occur, and you may see information that isn't listed in this slide. The list below contains more directories than the screenshot above. The most important areas to examine are highlighted here (bold) [1]. The circled items represent locations that may be used by malware; in the list below they are marked "*Malware may be found here". Examine these locations extensively if you are working a malware investigation. While these locations are common, malware may exist in other locations on the device, so treat the list as a starting point rather than an exhaustive one.
NOTE: Depending on your forensic tool or method for examining the file system, the paths may vary. A simple keyword search (for a directory name such as "dalvik-cache" or a file name such as "accounts.db") will get you to the correct location if you find you are getting lost in the file system. Below, the true path is reflected as if the data were pulled directly from the device and not normalized by a forensic tool. Keep in mind that not all partitions may be available for examination; what you get depends on the extraction method (a logical extraction, for example, does not give you the raw partitions).
/(Root)
/CACHE -> contains Gmail attachments, downloads, browser data, and OTA updates (may not exist on all devices)
/EFS -> (Encrypted File System) contains files the device needs to function and to recover from failure, such as the Bluetooth address, the IMEI, and KNOX (Workspace) data; typically seen on Samsung devices
/USERDATA
/data -> (MOST IMPORTANT AREA TO EXAMINE) all application and smartphone data is stored here
/anr -> contains Application Not Responding (ANR) traces; debugging information that shows which apps were running and hanging
/app -> contains the .apk files of user-installed applications (from Google Play or sideloaded). *Malware may be found here
/backup -> used by the Android Backup API that developers write against; complete user backups are not stored here
/dalvik-cache -> stores the optimized bytecode (.dex) that the runtime generates from installed apps so they can execute
/media -> the emulated internal storage, the equivalent of an SD card (what the user sees as /sdcard). *Malware may be found here
/misc -> files related to Bluetooth, DHCP, VPN, Wi-Fi, and more are stored here
/property -> contains persistent system properties (persist.*), including time zone, language settings, and more
/system -> contains key files such as gesture.key and password.key (the lock-screen pattern and password hashes on older Android versions; from Android 6 onward look for locksettings.db and the gatekeeper.*.key files instead); the accounts.db file contains the account names and authentication tokens (and, for some account types, cached credentials) for the accounts configured on the device
/MNT or /NONAME (SD card; the name under which external storage appears depends on the tool) *Malware may be found here
/asec -> mount points where encrypted app containers (.asec files, used for apps moved to the SD card) are exposed in decrypted form
/DCIM -> camera photos and videos (DCIM/Camera) and album thumbnails (DCIM/.thumbnails)
/Pictures -> stores application and camera images
/Multimedia -> videos, audio, music files (the standard directory names are Movies and Music; vendor layouts vary)
/Download (or /downloads) -> downloaded files
/secure/asec -> stores the encrypted .asec app containers themselves
/<App directories> -> application data on external storage (typically under /Android/data/<package name>); also check for APKs and other files dropped here by apps
/SYSTEM
/app -> contains the .apk files of preinstalled (OEM and system) applications. *Malware may be found here
/priv-app -> contains the .apk files of privileged apps, which may hold system-level permissions. *Malware may be found here
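A quick way to work through these locations on an extracted image, as an added example (not part of the original notes or of any forensic tool): the Python script below resolves the partition roots under whichever names your tool used (/data versus /USERDATA/data, /MNT versus /NONAME), inventories APKs in the "*Malware may be found here" locations by content rather than by file extension (a renamed APK is still a ZIP carrying AndroidManifest.xml), hashes each one with SHA-256, flags APKs that sit outside the normal package directories or hide behind another extension, and reports which lock-screen and account files exist under /data/system. The candidate directory names, the file names it checks, and the sample extraction it builds for itself are assumptions made for this example.

```python
import hashlib
import os
import tempfile
import zipfile

# Relative paths tried for each logical partition, as different tools name them; the
# first that exists wins. These candidates are assumptions: extend them for your tool.
PARTITION_CANDIDATES = {
    "data": ["data", "USERDATA/data", "USERDATA"],
    "system": ["system", "SYSTEM"],
    "sdcard": ["mnt/sdcard", "MNT/sdcard", "NONAME", "storage/emulated/0"],
}
# (partition, subdirectory) pairs the notes mark with "*Malware may be found here".
MALWARE_SCAN_DIRS = [("data", "app"), ("data", "media"),
                     ("system", "app"), ("system", "priv-app"), ("sdcard", "")]
# An APK is normal in these; an APK anywhere else deserves a second look.
EXPECTED_APK_DIRS = {("data", "app"), ("system", "app"), ("system", "priv-app")}
# Files named in the notes under /data/system, plus locksettings.db (Android 6+).
LOCK_ARTIFACTS = ["gesture.key", "password.key", "locksettings.db", "accounts.db"]

def resolve_partitions(root):
    """Map logical partition name -> absolute directory, whatever the tool called it."""
    found = {}
    for logical, candidates in PARTITION_CANDIDATES.items():
        for rel in candidates:
            path = os.path.join(root, *rel.split("/"))
            if os.path.isdir(path):
                found[logical] = path
                break
    return found

def is_apk(path):
    """True if the file is a ZIP carrying AndroidManifest.xml, whatever it is named."""
    try:
        with zipfile.ZipFile(path) as z:
            return "AndroidManifest.xml" in z.namelist()
    except (zipfile.BadZipFile, OSError):
        return False

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_apks(root, partitions):
    """Inventory APKs in the malware-prone locations; each finding is a dict."""
    findings = []
    for part, sub in MALWARE_SCAN_DIRS:
        if part not in partitions:
            continue
        for dirpath, _, files in os.walk(os.path.join(partitions[part], sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                if not is_apk(full):
                    continue
                flags = []
                if (part, sub) not in EXPECTED_APK_DIRS:
                    flags.append("apk-outside-package-dirs")
                if not name.lower().endswith(".apk"):
                    flags.append("apk-with-disguised-extension")
                findings.append({"path": os.path.relpath(full, root).replace(os.sep, "/"),
                                 "sha256": sha256_file(full), "flags": flags,
                                 "location": f"{part}/{sub}".rstrip("/")})
    return sorted(findings, key=lambda f: f["path"])

def check_lock_artifacts(partitions):
    """File name -> size in bytes under /data/system, or None if the file is absent."""
    data = partitions.get("data")
    result = {}
    for name in LOCK_ARTIFACTS:
        path = os.path.join(data, "system", name) if data else ""
        result[name] = os.path.getsize(path) if path and os.path.isfile(path) else None
    return result

def triage(root):
    partitions = resolve_partitions(root)
    return {"partitions": partitions, "apks": scan_apks(root, partitions),
            "lock_artifacts": check_lock_artifacts(partitions)}

def _write_fake_apk(path):
    """Constructed stand-in for an APK: a ZIP with a manifest entry (not real device data)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        z.writestr("classes.dex", b"dex\n")

def build_sample_image(root=None):
    """Lay out a tiny constructed extraction using the tool-style names from the notes."""
    root = root or tempfile.mkdtemp(prefix="android-image-")
    _write_fake_apk(os.path.join(root, "USERDATA/data/app/com.example.mail-1/base.apk"))
    _write_fake_apk(os.path.join(root, "SYSTEM/priv-app/Settings/Settings.apk"))
    _write_fake_apk(os.path.join(root, "NONAME/Download/invoice.jpg"))  # APK posing as a picture
    with zipfile.ZipFile(os.path.join(root, "NONAME/Download/notes.zip"), "w") as z:
        z.writestr("readme.txt", b"ordinary archive, no manifest")  # must not be flagged
    os.makedirs(os.path.join(root, "USERDATA/data/system"), exist_ok=True)
    with open(os.path.join(root, "USERDATA/data/system/gesture.key"), "wb") as f:
        f.write(b"\x00" * 20)  # SHA-1-sized placeholder, not a real pattern hash
    return root

if __name__ == "__main__":
    for f in triage(build_sample_image())["apks"]:
        print(f["location"], f["sha256"][:12], f["path"], " ".join(f["flags"]))
```

Point triage() at the root of your real extraction instead of the constructed sample. Compare the hashes against the vendor's known-good packages or your threat-intelligence source, and treat any APK found on the SD card or in /data/media, or any APK whose extension has been changed, as the first candidates for manual analysis; the lock_artifacts result tells you up front which lock-screen and account files you have to work with.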
Reference:
[1] Andrew Hoog, Android Forensics: Investigation, Analysis and Mobile Security for Google Android (Waltham, MA: Elsevier, 2011).