Similar to iOS devices, Android makes extensive use of SQLite databases for application data storage. The Android file system structure is conducive to thorough application examinations. Each application is stored in its own sub-folder on the root of the device. That application sub-folder may contain other supporting application files, such as .xml files, which are stored in their own directory. Most often, a folder labeled “Databases” contains the bulk of the user data in an SQLite database.

Similar to iOS, it is also a good idea to review the list of Installed Applications provided by your forensic tool. Many times, this assists in narrowing the search for data of interest.

These mobile device platforms should be treated akin to the Program Files Directory on a Windows PC. As you scroll through the list of software (or in the case of our smart devices, applications), any unknown software/applications should be researched to determine their functionality. As most forensic examiners would scroll through a long list of common program files and gloss over Microsoft Office and Adobe (because they are undoubtedly familiar with these programs), if they came across a program such as “Daum PotPlayer” (or any other unrecognized program), they wouldn’t hesitate to look it up to see what kind of functions it performs. Mobile examinations of applications are no different. There are roughly 300 new mobile applications created each day. It would be impossible to stay on top of every application across every mobile platform.