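# Common image files pulled from an Android device (names vary by vendor and tool)
userdata.img    # /data    - user data, app sandboxes, SQLite DBs
system.img      # /system  - OS, pre-installed apps
cache.img       # /cache   - OTA staging, temp files
recovery.img    # recovery partition

# Hash every image before touching it so later findings can be tied back to an unchanged file
sha256sum *.img > images.sha256

# Check the container format first: an "Android sparse image" must be expanded with
# simg2img, a plain ext4/f2fs image can be loop-mounted directly
file userdata.img

# If sparse: expand to a raw image (the sparse file itself cannot be loop-mounted)
simg2img userdata.img userdata.raw.img

# Mount read-only. 'ro' alone still lets ext4 replay a dirty journal into the loop
# image, so add noload to keep the evidence file byte-identical; noexec/nosuid/nodev
# stop anything inside the image from being executed or honoured as privileged.
# The kernel filesystem driver is the parser of an untrusted image - do this on a
# disposable analysis VM rather than a workstation.
mkdir -p /mnt/android
mount -t ext4 -o ro,loop,noload,noexec,nosuid,nodev userdata.raw.img /mnt/android

# Filesystem types: ext4 (most common), f2fs (newer devices).
# noload is ext4-specific; for f2fs use:
#   mount -t f2fs -o ro,loop,noexec,nosuid,nodev userdata.raw.img /mnt/android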
# Key directories inside /data (paths relative to the mounted image root)
/data/data/          # per-app private data, one directory per package (com.app.name/)
/data/user/0/        # same content as /data/data (symlinked)
/data/system/        # system databases, packages.xml
/data/misc/          # wifi, vpn, bluetooth configs
/data/media/0/       # internal "sdcard" storage
/data/app/           # installed APKs
/data/property/      # system properties
/data/local/tmp/     # temp files, adb push target

# sdcard / external storage
/sdcard/             # → /data/media/0/
/sdcard/DCIM/        # camera photos
/sdcard/Download/    # downloads
/sdcard/WhatsApp/    # WhatsApp media
| Data | Path (under /data/data/) | DB → Table(s) |
|---|---|---|
| SMS / MMS | com.android.providers.telephony/databases/ | mmssms.db → sms, threads, part (MMS attachments) |
| Contacts | com.android.providers.contacts/databases/ | contacts2.db → contacts, raw_contacts, data (phones, emails) |
| Call log | com.android.providers.contacts/databases/ | contacts2.db → calls (or calllog.db on some versions) |
| Calendar | com.android.providers.calendar/databases/ | calendar.db → Events, Attendees, Reminders |
| Downloads | com.android.providers.downloads/databases/ | downloads.db → downloads |
| Browser | com.android.browser/databases/ | browser2.db → bookmarks (title, url, visits, date) |
| Chrome | com.android.chrome/app_chrome/Default/ | History → urls, visits, downloads |
| WiFi | /data/misc/wifi/WifiConfigStore.xml (or wpa_supplicant.conf on older) | |
| Accounts | /data/system/users/0/ | accounts.db → accounts (name, type) |
| Settings | com.android.providers.settings/databases/ | settings.db → system, secure, global |
| Location | com.google.android.gms/databases/ | herrevad → location cache |
| Installed apps | /data/system/packages.xml (XML, lists all packages + permissions) | |
| Usage stats | /data/system/usagestats/ (per-user, app usage events) | |
# WhatsApp

# databases
com.whatsapp/databases/
    msgstore.db     # → messages (text, timestamp, key_remote_jid)
    wa.db           # → wa_contacts (display_name, number)
    axolotl.db      # → Signal-protocol keys

# media
/sdcard/WhatsApp/Media/
    WhatsApp Images/
    WhatsApp Video/
    WhatsApp Voice Notes/
    WhatsApp Documents/

# backup (if present)
/sdcard/WhatsApp/Databases/
    msgstore.db.crypt14     # encrypted backup
# the backup key is kept in the app's private dir: /data/data/com.whatsapp/files/key
# Telegram

# databases
org.telegram.messenger/files/
    cache4.db       # → messages, users, dialogs, media
                    # → enc_chats (secret chats)

# cache
org.telegram.messenger/cache/       # downloaded media, voice messages

# shared_prefs
org.telegram.messenger/shared_prefs/
    userconfing.xml     # user ID, phone number (filename spelled this way by the app)
# Signal

# databases
org.thoughtcrime.securesms/databases/
    signal.db       # → sms, mms, thread, recipient
                    #   (messages, attachments, groups)

# keys & config
org.thoughtcrime.securesms/shared_prefs/    # registration info, identity keys

# note: signal.db is SQLCipher-encrypted, so plain sqlite3 cannot open it;
# the key is kept in shared_prefs or the Android keystore
# Facebook Messenger
com.facebook.orca/databases/
    threads_db2     # → messages, threads

# Discord
com.discord/
    databases/      # message cache
    cache/          # images, attachments
    shared_prefs/   # auth tokens (credentials - keep under evidence controls)

# Instagram
com.instagram.android/databases/
    direct.db       # DMs

# Snapchat
com.snapchat.android/databases/
    arroyo.db       # → conversation_message
    main.db         # → friends, snaps
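-- Open with:  sqlite3 -readonly database.db
-- (read-only keeps the sqlite3 CLI from checkpointing a WAL into the evidence file)
-- Lines below use '--', the comment syntax sqlite3 accepts; '#' is a syntax error there.

-- Inspect the schema first; table and column names differ between Android versions
.tables
.schema TABLE_NAME

-- Output formatting (dot-commands, no trailing semicolon)
.headers on
.mode column
-- .mode csv      -- switch to csv when exporting for a report

-- Dump the most recent rows of a table
SELECT *
FROM sms
ORDER BY date DESC
LIMIT 50;

-- Keyword search over message bodies
SELECT address, body, date
FROM sms
WHERE body LIKE '%flag%'
   OR body LIKE '%secret%';

-- Contacts with phone numbers.
-- Resolve the MIME type by name: the numeric mimetypes._id (often 5 for phone numbers)
-- is assigned per database, so a hard-coded id can silently select the wrong kind.
SELECT
    c.display_name,
    d.data1 AS phone_number
FROM contacts AS c
INNER JOIN raw_contacts AS rc
    ON rc.contact_id = c._id
INNER JOIN data AS d
    ON d.raw_contact_id = rc._id
INNER JOIN mimetypes AS m
    ON m._id = d.mimetype_id
WHERE m.mimetype = 'vnd.android.cursor.item/phone_v2';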
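# Android stores most timestamps as Unix epoch milliseconds.
# -readonly: inspecting the DB must not checkpoint the WAL or otherwise write to the evidence.
# 'localtime' converts with the analysis host's zone, not the device's - see
# /data/property/persist.sys.timezone for the device zone, or use 'utc' and record it.
sqlite3 -readonly database.db <<'SQL'
SELECT address,
       body,
       datetime(date / 1000, 'unixepoch', 'localtime') AS time
FROM sms
ORDER BY date DESC;
SQL

# Chrome timestamps: WebKit format, microseconds since 1601-01-01
# (11644473600 s is the offset between 1601 and the Unix epoch)
sqlite3 -readonly database.db <<'SQL'
SELECT url,
       title,
       datetime(last_visit_time / 1000000 - 11644473600, 'unixepoch', 'localtime') AS visited
FROM urls;
SQL

# Deleted record recovery.
# Copy the -wal and -shm/-journal files together with the .db: the WAL holds committed
# pages not yet checkpointed into the main file, the rollback journal holds pre-change
# page images; both are lost if the .db is copied on its own.
undark -i database.db                   # recover deleted rows
strings -a database.db | grep flag
strings -a database.db-wal              # recently committed rows that may be absent from the .db
strings -a database.db-journal          # rollback journal = page contents from before the last write

# freelist pages: freed but not yet overwritten - a non-zero count means carving is worthwhile
sqlite3 -readonly database.db 'PRAGMA freelist_count;'
# deeper recovery: sqlite-deleted-records or sqlparse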
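# shared_prefs/ - per-app XML key-value stores; often hold tokens, session IDs, settings.
# -print0 / -0 keep paths with spaces or unusual characters from being split by xargs.
find /mnt/android/data/ -path '*/shared_prefs/*' -name '*.xml' -print0 \
    | xargs -0 grep -lE 'token|key|secret|password|flag'

# app_webview/ - cached web content
find /mnt/android/data/ -path '*/app_webview/*'

# cache directories
find /mnt/android/data/ -name cache -type d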
# lock screen
/data/system/gesture.key            # pattern lock (SHA1)
/data/system/password.key           # PIN/password hash
/data/system/locksettings.db        # lock type, salt
# newer devices: gatekeeper + keystore back the credential, so the files above are not enough

# timezone & locale (use the device zone when converting timestamps)
/data/property/persist.sys.timezone
/data/property/persist.sys.language

# app usage
/data/system/usagestats/            # app open/close events

# notifications (Android 10+)
/data/system/notification_log/

# recent tasks
/data/system_ce/0/recent_tasks/     # XML files with app activity snapshots
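# ADB (live device). Everything below writes to the device (the cp lands on /sdcard),
# so it is not a clean acquisition: log each command run and hash each file pulled.
adb shell su -c 'cp /data/data/com.app/databases/db.db /sdcard/'
adb pull /sdcard/db.db ./
sha256sum db.db >> pulled.sha256

# Full backup. Covers only apps that permit it (android:allowBackup) and newer Android
# versions restrict adb backup further - expect gaps and verify against the device.
adb backup -all -shared -f backup.ab
# convert the .ab container to a tar archive:
abe unpack backup.ab backup.tar

# ALEAPP - Android Logs Events And Protobuf Parser
# parses 100+ artifact types automatically from a tar or extracted directory
python3 aleapp.py -t tar -i android_data.tar -o output/

# andriller - forensic data extraction
# GUI tool: parses DBs, lockscreens, etc.

# Autopsy - Android Analyzer module
# handles disk images, extracts artifacts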
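# DB Browser for SQLite (GUI)
sqlitebrowser database.db

# command line: full dump, then grep (-readonly so the dump never checkpoints a WAL)
sqlite3 -readonly database.db '.dump' | grep -i flag

# quick table listing across ALL databases.
# The path is passed as $1 rather than substituting {} into the sh -c string: a filename
# inside the image containing quotes or $(...) would otherwise be executed by sh.
find /mnt/android -name '*.db' -exec sh -c '
    echo "=== $1 ==="
    sqlite3 -readonly "$1" ".tables" 2>/dev/null
' sh {} \;

# grep the schema (table/column names, CREATE statements) of every DB for a pattern
find /mnt/android -name '*.db' -exec sh -c '
    sqlite3 -readonly "$1" "SELECT * FROM sqlite_master;" 2>/dev/null | grep -qi flag && echo "HIT: $1"
' sh {} \;

# strings on all DB files (.db, -wal, -journal): also catches deleted rows.
# -f prefixes each hit with the file it came from so matches stay attributable.
find /mnt/android -name '*.db*' -exec strings -a -f {} + | grep -iE 'flag\{|ctf\{|secret'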