User-accessible shared storage — holds user files, downloads, media, and app external data (no sandbox, accessible by many apps).
/data/media
| Artifact | What it contains | Typical Use Case |
|---|---|---|
0/Download/ | Downloaded files (APKs, docs, payloads) | Did user download malware or payloads? |
0/DCIM/ | Camera photos/videos | Timeline via EXIF, user activity |
0/Pictures/ | Screenshots/images | Evidence of activity, phishing screens |
0/Movies/ | Video files | User activity, possible exfil |
0/Music/ | Audio files | Rarely DFIR-critical |
0/Documents/ | User documents | Data exfiltration targets |
0/Android/data/<pkg>/ | App external storage | Malware configs, logs, dropped files |
0/Android/media/<pkg>/ | Scoped storage media | App-specific media artifacts |
0/Android/obb/ | App expansion files | Large app assets (less DFIR value) |
0/WhatsApp/ | WhatsApp media/backups | Chat artifacts, media exfil |
0/Telegram/ | Telegram media/cache | Messaging artifacts |
0/DCIM/.thumbnails/ | Cached image previews | Recover deleted images |
0/ (root) | Misc user files | General staging / loose artifacts |