Accessing Application Databases
As discussed earlier in the chapter, applications can store structured data in SQLite databases. Each application can create DB files under the /data/data/<appname>/databases folder. Although we can root a device and analyze databases through the sqlite3 command line utility, it is convenient to image the device and analyze it using workstation tools such as yaffey and the SQLite browser. Below are steps to retrieve the database files and view them in SQLite:
1. Root and image the /data partition on your phone (as shown in the previous section).
2. Download and install SQLite browser from
3. Browse to the SQLite database of an application through yaffey and pull the application database onto your workstation, or execute the command below: adb pull /mnt/sdcard/tmp/twitter.db
4. Open twitter.db in the SQLite database
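Once the /data partition has been imaged (step 1), every application's databases folder can be triaged before anything is opened in the SQLite browser. The script below is an added example, not code from the chapter: it walks <image>/data/data/<appname>/databases, checks the SQLite file header instead of trusting the .db suffix, opens each real database read-only to list its tables and row counts, and flags -journal/-wal/-shm sidecar files so they are pulled together with the main file. The sample image it builds (a com.example.twitter app with a twitter.db) is constructed data, and the read-only URI assumes a path without '?' or '#' characters.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def is_sqlite(path):
    """True if the file carries the SQLite 3 header (the .db suffix proves nothing)."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC

def summarize_db(path):
    """Return {table: row_count}; opened read-only so triage cannot alter evidence."""
    con = sqlite3.connect("file:" + os.path.abspath(path) + "?mode=ro", uri=True)
    rows = con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()
    counts = {name: con.execute('SELECT COUNT(*) FROM "%s"' % name.replace('"', '""'))
              .fetchone()[0] for (name,) in rows}  # names are identifiers: quote, not bind
    con.close()
    return counts

def triage_image(data_root):
    """Walk <data_root>/<app>/databases and classify every file found there."""
    report = {}
    for app in sorted(os.listdir(data_root)):
        dbdir = os.path.join(data_root, app, "databases")
        if not os.path.isdir(dbdir):
            continue
        for fn in sorted(os.listdir(dbdir)):
            key, path = app + "/" + fn, os.path.join(dbdir, fn)
            if fn.endswith(("-journal", "-wal", "-shm")):
                # sidecars can hold changes not yet in the .db: pull them together
                report[key] = "sidecar"
            elif is_sqlite(path):
                report[key] = summarize_db(path)
            else:
                report[key] = "not sqlite"
    return report

def build_sample_image():
    """Constructed stand-in for an imaged /data/data tree (not a real device)."""
    root = tempfile.mkdtemp()
    dbdir = os.path.join(root, "com.example.twitter", "databases")
    os.makedirs(dbdir)
    con = sqlite3.connect(os.path.join(dbdir, "twitter.db"))
    con.executescript("CREATE TABLE messages(id INTEGER, body TEXT);"
                      "INSERT INTO messages VALUES (1, 'hi'), (2, 'yo');")
    con.close()
    open(os.path.join(dbdir, "twitter.db-journal"), "wb").close()  # empty sidecar
    open(os.path.join(dbdir, "cache.db"), "wb").write(b"not a database")  # wrong magic
    return root
```

Run triage_image on the root of the pulled /data/data tree; databases whose tables show unexpected row counts are the ones worth opening in the SQLite browser first.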
Extracting Data from Android Devices
In the previous section, we showed how to root an Android device and obtain useful information stored on it. While we can certainly do this piece-by-piece, there are tools that can help us to do this more efficiently—for example, the MOBILedit application. On a rooted device, MOBILedit allows us to extract all kinds of information from the device (contact information, SMS messages, databases from different applications, and so forth). Below are steps to extract information from a device using this
In this chapter we described the different file systems used by Android. We reviewed the partitions and mount points that are of interest to security professionals analyzing a device or its applications. We reviewed the different mechanisms through which an application can store persistent data (databases, preferences, files, and so forth) and how to obtain and analyze that data. We covered the steps to root an Android device (though these differ from release to release) and how to use third-party applications to retrieve data from Android devices.
Read the full chapter and view images at
Service provider records may contain other visited sites of interest, such as file-sharing sites like
“Dropbox can be of investigative value, because suspects sometimes store information on Dropbox they don’t want found on their personal computers,” Henry says.
E-mails can be obtained from Web-based e-mail servers or from the computer itself if applications such as Outlook are used.
Third party servers, such as proxy servers, can be helpful in tracking a suspect that does not want to be tracked, but some investigations can prove more challenging. Owner policy and proxy servers located in other countries can impede investigations, Asthappan said.
Figure 4: This closeup of a hard drive circuit board reveals a badly burned IC chip. The owner had used the wrong power adapter on the drive, which was housed in an external enclosure.
“Although evidence from third party servers can be helpful, it cannot be relied upon to create a strong case,” Asthappan said.
One big issue in the U.S. is the lack of legislation regarding service provider and Web site log retention, which is generally controlled by company internal policy.
“This is why it’s important to get the preservation order in place immediately, so potential evidence is not lost due to the normal business practices of the service provider,” Henry said.
Douglas Page writes about forensic science and medicine from Pine