The App folder contains downloaded .apk files for individual applications that are installed on the phone. The name of the path displayed depends on the tool you’re conducting your examination in, as the file system is normalized. There may be hundreds of .apk files within the Data/App and/or Root/App folder. You may find additional .apk files located in the Downloads folder and in other locations on the device or associated MicroSD card.

The above images show data from the exact same phone image displayed in Oxygen Forensics and in Cellebrite in order to illustrate the differences in how the path name is displayed as the tools normalize the data. This is an important example of why it’s so important to document what tools were used during examination. When viewing individual files in Cellebrite, hovering the mouse over the file shows the file dates and times, as well as other information, such as file size. Once you locate a suspicious .apk file, it can be exported from the image for further examination and evaluation.