The Android operating system on a mobile phone includes various cache directories and files that are designed to store data for future use so that when a file is reopened it can be loaded more quickly.
This can cause storage space issues as most user data is not only stored within the handset as chosen by the user, the operating system it is also stored as a backup within other hidden system files, effectively meaning that the files are doubled up on a device.
How Images are Stored within com.sec.android.gallery3d
For example, an image is captured using the device. It is automatically stored to the DCIM folder on an Android phone.
In order to access that image within the DCIM folder, the Gallery application is used to browse them.
This application is available on Android phones by default and allows the user to scroll through the content of the DCIM folder with the images present being displayed as a smaller thumbnail type image.
The application allows the user to view the content of each of the images within the DCIM folder, those stored to the handset, without the need to open each of the images individually.
Those smaller thumbnail versions of the images displayed to the user whilst they scroll through the content of the DCIM folder using the Gallery application are retained by the Android operating system so that, if the user decides to do the same thing again tomorrow and scroll through the images on the handset the smaller images being displayed will not have to be created again, meaning that the phone has less to do to show them.
The Importance of com.sec.android.gallery3d in a Mobile Phone Forensic Examination
An issue of this is that those small images are stored to the handset within a file named com.sec.android.gallery3d in the data directory on the device.
Whilst storing 1 image within that file in this way is not a significant issue, when the user may have hundreds of images stored to their phone, that com.sec.android.gallery3d file becomes large in size and occupies a high proportion of the storage space of the handset.
In addition to this, when the original version of the image is deleted, the copy of it within the com.sec.android.gallery3d is not removed.
The user also cannot normally see or access the com.sec.android.gallery3d file, making it useful to consider as part of a mobile phone forensic investigation as it often contains files that were stored to the device previously, whilst the original version of it has been removed, the copy still remains making the content of it often including images that the user believed that they had removed or deleted.
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0845 882 7386 or via email on firstname.lastname@example.org, further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.