Applications are not required to save and store data in the USERDATA/data directory, but most comply.¹ Again, the user can elect on where to save the application, which overrides the decision to keep the application information in the USERDATA/data directory.

Each application stored in the USERDATA/data directory has an application folder reflecting the application name. For example, the application Facebook is stored as USERDATA/data/com.facebook.katana. Within the application folder, several folders may exist. These include:

  •  Lib

  •  Files

  •  Cache

  •  Databases

  •  Shared Pref

The Cache and Databases folders contain most of the user content we want to examine. However, because Android devices are open source and applications are not restricted, each folder and file should be examined for relevance.

Reference:

[1] Andrew Hoog, Android Forensics: Investigation, Analysis and Mobile Security for Google Android (Waltham, MA: Elsevier, 2011).