My friend asked me why she could not find some important files in a physical image acquired from an Android phone. She took the evidence tree of an Android 6.0 physical image acquired from LG G3 for example as below, she’s used to see /data/data in a physical image.
I took a look at this phone. This phone is Huawei Mate 9 and its model is MHA-L29. The OS is Android 7.0 and it’s rooted already. She could retrieve some interesting files in /data/data/ , but the problem was she did not see those same files in the physical image. She’s just curious about what happened to the physical image. Let me show you what the image acquired from Mate 9 looks like.
Take a look at its log file activity_log.txt and some error messages draw my attention. It looks like that it’s not a full physical image…Maybe that’s the reason why she could not get those same files in /data/data. I will use another tools to acquire this phone and find out what's wrong with it.
Fotrunately UFED4PC solved this problem and extract those files in /data/data/ or /data/system/.
